Prevent increased CPU load on large DNS messages

6315. [security] Speed up parsing of DNS messages with many different names. (CVE-2023-4408) [GL #4234] 6321. [security] Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234] 6343. [bug] Fix case insensitive setting for isc_ht hashtable. Resolves: RHEL-25348 ; Resolves: CVE-2023-4408
2024-02-12 20:08:53 +01:00 · 2024-02-12 20:08:53 +01:00 · 6f864801ac
commit 6f864801ac
parent 8b3181e49e
2 changed files with 1741 additions and 1 deletions
--- a/bind-9.16-CVE-2023-4408.patch
+++ b/bind-9.16-CVE-2023-4408.patch
--- a/bind9.16.spec
+++ b/bind9.16.spec
@ -57,7 +57,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind9.16
 License:  MPLv2.0
 Version:  9.16.23
-Release:  0.16%{?dist}
+Release:  0.17%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -129,6 +129,7 @@ Patch187: bind-9.16-CVE-2022-3924.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
 Patch188: bind-9.16-CVE-2023-2828.patch
 Patch189: bind-9.16-CVE-2023-3341.patch
+Patch194: bind-9.16-CVE-2023-4408.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -442,6 +443,7 @@ in HTML and PDF format.
 %patch187 -p1 -b .CVE-2022-3924
 %patch188 -p1 -b .CVE-2023-2828
 %patch189 -p1 -b .CVE-2023-3341
+%patch194 -p1 -b .CVE-2023-4408

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -1161,6 +1163,9 @@ fi;
 %endif

 %changelog
+* Mon Feb 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.17
+- Prevent increased CPU load on large DNS messages (CVE-2023-4408)
+
 * Wed Sep 20 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.16
 - Limit the amount of recursion possible in control channel (CVE-2023-3341)