diff --git a/bind-9.20-CVE-2025-8677-dual-signing.patch b/bind-9.20-CVE-2025-8677-dual-signing.patch
new file mode 100644
index 0000000..40ad87e
--- /dev/null
+++ b/bind-9.20-CVE-2025-8677-dual-signing.patch
@@ -0,0 +1,36 @@
+From 5126c74ec19f56294cbfdc312f75778d8f249e59 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Mon, 3 Nov 2025 22:03:54 +0100
+Subject: [PATCH] Do not abort key search on unsupported algorithm
+
+When supported and unsupported algorithm rrsig is present, some keys may
+return unsupported algorithm error. Continue to next key without
+counting this to validation failures.
+
+(cherry picked from commit 38ddff3336e08983a4c0b5f3ea4eb35bb0f6ac81)
+---
+ lib/dns/validator.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+index 15e177e4d7..a9db844c27 100644
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -1163,7 +1163,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
+ goto done;
+ }
+ dst_key_free(&val->key);
+- } else {
++ } else if (result != DST_R_UNSUPPORTEDALG) {
++ /* Unsupported alg happens when RRset is signed by both
++ * supported and unsupported alg. */
++ validator_log(val, ISC_LOG_DEBUG(3),
++ "select_signing_key alg %d keyid %d: %s",
++ siginfo->algorithm, siginfo->keyid,
++ isc_result_totext(result));
+ break;
+ }
+ dns_rdata_reset(&rdata);
+-- 
+2.51.1
+
diff --git a/bind9.18.spec b/bind9.18.spec
index f045f69..bd86e29 100644
--- a/bind9.18.spec
+++ b/bind9.18.spec
@@ -77,7 +77,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
 Version: 9.18.29
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 # 
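Review bot: The skip introduced at `} else if (result != DST_R_UNSUPPORTEDALG) {` leaves no trace: the new `validator_log` call fires only for the failures that still `break`, so a key passed over because of an unsupported algorithm is invisible even at debug level, and the comment that explains the unsupported-algorithm case sits inside the branch handling the other failures. I would give the unsupported-algorithm case its own branch with its own debug message and keep the existing log-and-break for everything else, as below. Style: BIND block comments put the text on the line after `/*`, not on the `/* Unsupported alg ...` line. select_signing_key starts and ends outside the hunk, so I could not check whether the result reported after the loop still distinguishes an unsupported algorithm from no matching key.
```c
		dst_key_free(&val->key);
	} else if (result == DST_R_UNSUPPORTEDALG) {
		/*
		 * The RRset may be signed with both a supported and an
		 * unsupported algorithm; skip this key and keep searching.
		 */
		validator_log(val, ISC_LOG_DEBUG(3),
			      "select_signing_key alg %d keyid %d: %s, skipping",
			      siginfo->algorithm, siginfo->keyid,
			      isc_result_totext(result));
	} else {
		validator_log(val, ISC_LOG_DEBUG(3),
			      "select_signing_key alg %d keyid %d: %s",
			      siginfo->algorithm, siginfo->keyid,
			      isc_result_totext(result));
		break;
	}
	/* … unchanged: dns_rdata_reset(&rdata) and the rest of the loop … */
```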
@@ -139,6 +139,8 @@ Patch223: bind-9.18-CVE-2025-8677.patch
 Patch224: bind-9.18-CVE-2025-40778.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/8330b49fb90bfeae14b47b7983e9459cc2bbaffe
 Patch225: bind-9.18-CVE-2025-40780.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11194
+Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -986,6 +988,9 @@ fi;
 %endif
 
 %changelog
+* Fri Oct 31 2025 Petr Menšík - 32:9.18.29-7
+- Fix upstream reported regression in recent CVE fix (CVE-2025-8677)
+
 * Thu Oct 23 2025 Petr Menšík - 32:9.18.29-6
 - Refuse malformed DNSKEY records (CVE-2025-8677)
 - Address various spoofing attacks (CVE-2025-40778)
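Review bot: `Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch` pulls a 9.20-branch cherry-pick (its `index 15e177e4d7..a9db844c27` and `@@ -1163` context come from that tree) into a 9.18.29 package, while Patch223–225 follow the `bind-9.18-` naming; renaming it to `bind-9.18-CVE-2025-8677-dual-signing.patch` keeps the series consistent, and either way the build log should be checked for offset/fuzz when it is applied, since the patch-application lines are outside this hunk. The comment above it cites merge request 11194 whereas the patch body names the cherry-picked commit 38ddff33…; referencing that commit the way the Patch225 comment does would make the provenance easier to verify. Minor: the new changelog entry is dated Oct 31 while the embedded patch carries a Date of Nov 3, which is worth a glance before the build is tagged.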