Commit Graph

23 Commits

Author SHA1 Message Date
Petr Menšík
aec75c660e Minor fix of reclimit test backport
Fix local rebuilds on Fedora. BIND 9.16 does not work well with fortify
source level 3. Also fix DEFAULT_HMAC not being properly set in tests,
which failed the reclimit test. That was an issue only in the backport.

Resolves: RHEL-50591
2024-08-09 12:42:08 +02:00
Petr Menšík
16baeaf03b [9.16] chg: usr: Backport max-types-per-name to BIND 9.16
This aligns the fix for a large number of RRs in an RRset with 9.18 and up
by backporting the `max-records-per-type` configuration option to
BIND 9.16.

Merge branch 'ondrej/max-types-per-rr-backport-9.16' into 'bind-9.16'

See merge request isc-projects/bind9!9178

Resolves: RHEL-50591
2024-08-08 00:53:41 +02:00
Petr Menšík
e0120bb883 [9.16] chg: usr: Backport max-records-per-type to BIND 9.16
This aligns the fix for a large number of RRs in an RRset with 9.18 and up
by backporting the `max-records-per-type` configuration option to
BIND 9.16.

Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16'

See merge request isc-projects/bind9!9177

Also remove the custom environment feature, which is not necessary with
the proper config options backported.

Increase the rightmost version number so it is higher than the _4 suffix.

Resolves: RHEL-50591
2024-08-08 00:53:33 +02:00
Petr Menšík
9c17975ebc Allow runtime customization of CVE-2024-1737 limits
Do not introduce new options into the configuration file. But if the limits
are hit in an unexpected way, allow tuning them via the environment variables
DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept the maximum
number of records or types. Both default to 100.

These replace max-records-per-type and max-types-per-name from later
versions, but can be configured only by environment and only globally,
not per view or zone.

Related: RHEL-50591
2024-08-08 00:53:05 +02:00
Petr Menšík
195bb063de Resolve CVE-2024-4076
6403.	[security]	qctx-zversion was not being cleared when it should have
			been, leading to an assertion failure if it needed to be
			reused. (CVE-2024-4076) [GL #4507]

Resolves: RHEL-50874
2024-08-08 00:51:50 +02:00
Petr Menšík
1f78a2c237 Resolve CVE-2024-1737
6400.	[security]	Excessively large rdatasets can slow down database
			query processing, so a limit has been placed on the
			number of records that can be stored per rdataset
			in a cache or zone database. This is configured
			with the new "max-records-per-type" option, and
			defaults to 100. (CVE-2024-1737)
			[GL #497] [GL #3405]

6401.	[security]	An excessively large number of rrtypes per owner can
			slow down database query processing, so a limit has been
			placed on the number of rrtypes that can be stored per
			owner (node) in a cache or zone database. This is
			configured with the new "max-rrtypes-per-name" option,
			and defaults to 100. (CVE-2024-1737)
			[GL #3403] [GL #4548]

Does not change the db methods like the 9.18 fix does. It makes the limits
fixed numbers set at build time, but does not need the db interface to be
adjusted to set new limits.

Resolves: RHEL-50591
2024-08-08 00:50:22 +02:00
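Before deploying a build that carries the two CVE-2024-1737 limits described in the commits above (records per rdataset, rrtypes per owner name, both defaulting to 100), a practitioner would want to know whether any authoritative zone already exceeds them. The following is an added example, not code from the bind9 package or from ISC: a small Python pre-flight check that parses a zone-file fragment (constructed inline) and reports every rdataset and every owner name over the limit. It reads the same DNS_RDATASET_MAX_RECORDS / DNS_RBTDB_MAX_RTYPES environment variable names that the 9c17975ebc commit describes; honouring them in this script is an assumption for convenience (named is what actually consumes them), and the parser is deliberately minimal (no parenthesised multi-line records, TTLs as plain integers).

```python
import os
from collections import defaultdict

DEFAULT_LIMIT = 100          # default of both limits per the commits above
CLASSES = {"IN", "CH", "HS", "ANY"}


def limits_from_env(env=None):
    """Return (max_records_per_type, max_types_per_name).

    Assumption for this script: honour the env-var names the downstream
    commit describes for named, falling back to the default of 100.
    """
    env = os.environ if env is None else env
    return (int(env.get("DNS_RDATASET_MAX_RECORDS", DEFAULT_LIMIT)),
            int(env.get("DNS_RBTDB_MAX_RTYPES", DEFAULT_LIMIT)))


def qualify(name, origin):
    """Make an owner name absolute and lower-case relative to origin."""
    origin = origin.lower()
    if not origin.endswith("."):
        origin += "."
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text, origin):
    """Minimal master-file parser returning [(owner, type, rdata), ...].

    Handles $ORIGIN, $TTL, ';' comments, optional TTL/class fields and a
    blank owner (repeat previous). Parenthesised multi-line records are not
    handled (assumption: flatten the zone with named-compilezone first).
    """
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner = last_owner if line[0].isspace() else fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                 # drop optional TTL and class
        if owner is None or not fields:
            continue
        rtype = fields.pop(0).upper()
        owner = qualify(owner, origin)
        last_owner = owner
        records.append((owner, rtype, " ".join(fields)))
    return records


def check_limits(records, max_records, max_types):
    """Count records per rdataset (owner, type) and distinct types per
    owner; return the entries that exceed the given limits."""
    per_rdataset = defaultdict(int)
    types_per_name = defaultdict(set)
    for owner, rtype, _ in records:
        per_rdataset[(owner, rtype)] += 1
        types_per_name[owner].add(rtype)
    over_records = {k: n for k, n in per_rdataset.items() if n > max_records}
    over_types = {o: len(t) for o, t in types_per_name.items() if len(t) > max_types}
    return over_records, over_types


# Constructed sample zone: one RRset with 101 A records and one owner
# carrying 101 distinct private-use types (RFC 3597 unknown-type syntax).
SAMPLE_ZONE = (
    "$ORIGIN example.test.\n"
    "$TTL 300\n"
    "@ IN SOA ns1 hostmaster 1 3600 600 86400 300\n"
    "@ NS ns1\n"
    "ns1 A 192.0.2.1 ; comment\n"
    + "".join(f"big A 10.0.{i // 256}.{i % 256}\n" for i in range(101))
    + "".join(f"many TYPE{65280 + i} \\# 0\n" for i in range(101))
)


def report(zone_text, origin, env=None):
    """Human-readable list of everything over the limits (empty if clean)."""
    max_records, max_types = limits_from_env(env)
    over_records, over_types = check_limits(
        parse_zone(zone_text, origin), max_records, max_types)
    lines = [f"{o} {t}: {n} records (limit {max_records})"
             for (o, t), n in sorted(over_records.items())]
    lines += [f"{o}: {n} types (limit {max_types})"
              for o, n in sorted(over_types.items())]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ZONE, "example.test.", env={}) or \
            ["no RRset or owner exceeds the limits"]:
        print(line)
```

Run it against a real zone by passing the file contents to `report()`; an empty list means nothing in that zone is over the limits the build will enforce, so it is also a cheap regression check to run in CI before a zone is pushed to a patched resolver or authoritative server.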
Petr Menšík
5e6da87e62 Resolve CVE-2024-1975
6404.	[security]	Remove SIG(0) support from named as a countermeasure
			for CVE-2024-1975. [GL #4480]

Resolves: RHEL-50596
2024-08-08 00:42:13 +02:00
Petr Menšík
f5f3092a7a Add more explicit conflicts with previous bind version
Spec-only change.

Resolves: RHEL-2208
2024-05-15 20:49:45 +02:00
Petr Menšík
221d0bd319 Stop crashes at masterformat system tests
The fix for CVE-2023-6516 changed the format of the map file and masterformat
started crashing. Adjust test values to pass cleanly.

; Resolves: CVE-2023-6516
Resolves: RHEL-25381
2024-04-04 15:52:17 +02:00
Petr Menšík
fdd3436a6d Downstream specific changes related to KeyTrap
The fix for CVE-2023-50387 introduced a new additional thread. But because
the isc_hp functions were removed from later BIND 9.16 releases, their
changes did not contain an increase of the hazard pointers' max thread limit.
To prevent obscure memory corruption, increase the thread max size.

In addition, place at least a few INSISTs to check this is caught before
random memory overwrites begin. It would be quite difficult to track
without any check.

Resolves: RHEL-25392
; Resolves: CVE-2023-50387
2024-02-21 20:57:49 +01:00
Petr Menšík
2c9b8bdea4 Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.

Related: RHEL-25392
; Related: CVE-2023-50387
2024-02-21 20:57:49 +01:00
Petr Menšík
dbd2761d7d Define variables used for test variants
Patch171 introduces undefined variables, which may fail some tests.
Define them to empty values. Also require python3-dns with the SYSTEMTEST
feature enabled.

Related: RHEL-25348
; Related: CVE-2023-4408
2024-02-21 20:57:49 +01:00
Petr Menšík
3c702f170d Allow testing from more recent Fedora by skipping python rule
The more recent python3 module ply does not accept statements used in
isc/policy.py, which generates parsetab.py. Allow skipping that target on
local-only Fedora builds.

Related: RHEL-25348
; Related: CVE-2023-4408
2024-02-21 20:57:49 +01:00
Petr Menšík
b038cc79ce Import tests for large DNS messages fix
Tests that are part of the fixes for CVE-2023-4408.

Related: RHEL-25348
; Related: CVE-2023-4408
2024-02-21 20:57:49 +01:00
Petr Menšík
329c53c51c Prevent increased CPU consumption in DNSSEC validator
KeyTrap - Extreme CPU consumption in DNSSEC validator. Preparing an
NSEC3 closest encloser proof can exhaust CPU resources.

6322.	[security]	Specific DNS answers could cause a denial-of-service
			condition due to DNS validation taking a long time.
			(CVE-2023-50387) [GL #4424]

Resolves: RHEL-25403 RHEL-25392
; Resolves: CVE-2023-50868 CVE-2023-50387
2024-02-21 20:57:49 +01:00
Petr Menšík
2c1332b473 Specific recursive query patterns may lead to an out-of-memory condition
6319.	[security]	Query patterns that continuously triggered cache
			database maintenance could exhaust all available memory
			on the host running named. (CVE-2023-6516) [GL #4383]

Resolves: RHEL-25381
; Resolves: CVE-2023-6516
2024-02-21 20:57:48 +01:00
Petr Menšík
3fb3b2d2bd Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.

6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
			(CVE-2023-5679) [GL #4334]

Resolves: RHEL-25370
; Resolves: CVE-2023-5679
2024-02-21 20:57:48 +01:00
Petr Menšík
b734ab50d3 Prevent assertion failure when nxdomain-redirect is used with RFC 1918 reverse zones

6316.	[security]	Specific queries could trigger an assertion check with
			nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]

Resolves: RHEL-25359
; Resolves: CVE-2023-5517
2024-02-21 20:57:48 +01:00
Petr Menšík
6f864801ac Prevent increased CPU load on large DNS messages
6315.	[security]	Speed up parsing of DNS messages with many different
			names. (CVE-2023-4408) [GL #4234]
6321.	[security]	Change 6315 inadvertently introduced regressions that
			could cause named to crash. [GL #4234]
6343.	[bug]		Fix case insensitive setting for isc_ht hashtable.

Resolves: RHEL-25348
; Resolves: CVE-2023-4408
2024-02-21 20:57:27 +01:00
Petr Menšík
8b3181e49e Fix CVE-2023-3341
6245.	[security]	Limit the amount of recursion that can be performed
			by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]

Resolves: RHEL-5246
2023-09-20 16:29:27 +02:00
Petr Menšík
7daed14418 Fix CVE-2023-2828
6190.	[security]	Improve the overmem cleaning process to prevent the
			cache going over the configured limit. (CVE-2023-2828)
			[GL #4055]

Resolves: rhbz#2216654
2023-09-04 15:08:41 +02:00
CentOS Sources
f85e47fe2c Auto sync2gitlab import of bind9.16-9.16.23-0.14.el8.src.rpm
2023-02-28 18:12:03 +00:00
James Antill
29cf07efaf Import rpm: c8s
2023-02-27 12:22:46 -05:00