Fix regression in upstream CVE-2025-8677 fix

https://gitlab.isc.org/isc-projects/bind9/-/issues/5570
https://gitlab.isc.org/isc-projects/bind9/-/issues/5622

Resolves: RHEL-123329
Petr Menšík 2025-10-31 17:47:07 +01:00
parent c5512bd8f1
commit 24fc81e1c8
2 changed files with 42 additions and 1 deletions


@ -0,0 +1,36 @@
From 5126c74ec19f56294cbfdc312f75778d8f249e59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 3 Nov 2025 22:03:54 +0100
Subject: [PATCH] Do not abort key search on unsupported algorithm
When supported and unsupported algorithm rrsig is present, some keys may
return unsupported algorithm error. Continue to next key without
counting this to validation failures.
(cherry picked from commit 38ddff3336e08983a4c0b5f3ea4eb35bb0f6ac81)
---
lib/dns/validator.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 15e177e4d7..a9db844c27 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1163,7 +1163,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
goto done;
}
dst_key_free(&val->key);
- } else {
+ } else if (result != DST_R_UNSUPPORTEDALG) {
+ /* Unsupported alg happens when RRset is signed by both
+ * supported and unsupported alg. */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "select_signing_key alg %d keyid %d: %s",
+ siginfo->algorithm, siginfo->keyid,
+ isc_result_totext(result));
break;
}
dns_rdata_reset(&rdata);
--
2.51.1
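Review bot: the new comment and the `validator_log(...)` call sit inside the `else if (result != DST_R_UNSUPPORTEDALG)` branch, which is entered only for errors other than an unsupported algorithm, so the comment explains the one case that branch does not handle and the skipped unsupported-algorithm key leaves no trace at all. Consider moving the comment above the `else if` and logging the skipped key too, e.g. "select_signing_key alg %d keyid %d: skipped, %s", so a mixed supported/unsupported signing set is visible at DEBUG(3). Also, the log references `siginfo->algorithm` and `siginfo->keyid`, which are not declared anywhere in the hunk's context; since this is a cherry-pick of upstream 38ddff33 from 9.20 into 9.18.29, confirm that `siginfo` is in scope in this version of select_signing_key.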

@ -77,7 +77,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
# ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
# ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
Version: 9.18.29
Release: 6%{?dist}
Release: 7%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -139,6 +139,8 @@ Patch223: bind-9.18-CVE-2025-8677.patch
Patch224: bind-9.18-CVE-2025-40778.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/8330b49fb90bfeae14b47b7983e9459cc2bbaffe
Patch225: bind-9.18-CVE-2025-40780.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11194
Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch
%{?systemd_ordering}
Requires: coreutils
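Review bot: the new patch is named bind-9.20-CVE-2025-8677-dual-signing.patch while every other patch in this block uses the bind-9.18-* prefix for this 9.18.29 package; either rename it to bind-9.18-CVE-2025-8677-dual-signing.patch or extend the comment to say it is a cherry-pick of upstream 38ddff33 (merge request 11194), so the "9.20" is not read as a version mismatch. The diff also contains no %prep change, so confirm that Patch226 is applied by the same mechanism as Patch223 through Patch225.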
@ -986,6 +988,9 @@ fi;
%endif
%changelog
* Fri Oct 31 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-7
- Fix upstream reported regression in recent CVE fix (CVE-2025-8677)
* Thu Oct 23 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-6
- Refuse malformed DNSKEY records (CVE-2025-8677)
- Address various spoofing attacks (CVE-2025-40778)
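Review bot: the new changelog entry is dated Fri Oct 31 2025 while the embedded patch header carries Date: Mon, 3 Nov 2025; keep the two consistent so the package history does not appear to predate the patch it ships. The entry text "Fix upstream reported regression in recent CVE fix" would also be easier to trace later if it cited upstream issues 5570 and 5622 from the commit message.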