Bug report from Royce M <royce@xchglabs.com>
Location: forward.c:713, edns0.c:421
With --add-subnet enabled, process_reply() passes the OPT record
length (~23 bytes) instead of the packet length to check_source().
All internal bounds checks fail, and the function always returns 1.
ECS source validation per RFC 7871 Section 9.2 is completely bypassed.
Resolves-Vulnerability: CVE-2026-4893
Resolves: RHEL-168333
(cherry picked from commit 7479b4aee6bc1ece02d0e6c9f5691d9a803dd2f3)
Bug reported bt Royce M <royce@xchglabs.com>
Location: helper.c:265-270
DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.
Resolves-Vulnerability: CVE-2026-4892
Resolves: RHEL-168316
(cherry picked from commit 80aacdfbba3f687d5586ab99e3fa7e0d952e90ac)
Handle invalid names correctly and refuse them without writing into too
small buffer. Contains upstream proposed basic fix.
Resolves-Vulnerability: CVE-2026-2291
Resolves: RHEL-148711
(cherry picked from commit f2182d5c6296fe676a449a2ff9bb65326a9339e7)
Use on RHEL part, too distant from Fedora anyway. Remove old plans and
use identical plans.fmf from c10s too.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Backport 3 changes from 2.85 to send again client-driven retries. Both
for known queries from new sources and for retries from known sources
too.
This should ensure enough queries are forwarded. It would restore
incoming queries would match forwarded queries again. That is difference
to 2.85, where that is not always needed.
Resolves: RHEL-6586
Avoid crashing on empty or . domains specified.
Upstream Changelog:
Fix crash on startup with a --synth-domain which has no prefix.
Introduced in 2.79. Thanks to Andreas Engel for the bug report.
Resolves: RHEL-15216
--local=/example/ and --address=/example/# create records, which contain
no address or just NULL address. Some people generate quite large
blocklists, which then can take quite long to walk through. Because it
uses linear algorithm, it gets quite slow.
Similar to upstream in 2.86, avoid walking through literal addresses or
local blocks. Speeds up significantly loading of 50k or more records.
Fixed regression caused by commit 73f4c86bcc
Resolves: rhbz#2233542
(cherry picked from commit 418de6681f)
When log-facility is used to create a new file, make that file also
writeable by root. Systemd strips the ability to write into this file
even when started by root. Allow root explicitly.
Resolves: rhbz#2207798
(cherry picked from commit cafac891ea)
Ensure correct domain entries are prepared also for DBus specified
domains. Initialize server_domain when adding new nameserver, no matter
what is its source. Do not wait for check_servers() to domain
initialization.
Resolves: rhbz#2186481
In case the server->serv_domain points to domain also when it is not the
last server used, ensure the reference to last_server is always reset.
Some records might reference the server_domain, but cannot ever become
last_server. Such as server=/example.com/#
Do proper check also for above case and do not delete used serv_domain
structure. Also do optimization to reuse common server domains and do
not create new entry to already existing one.
Do two step cleaning during nameservers cleanup stage. Should avoid any
invalid pointer present.
Resolves: rhbz#2186481
