Fix CVE-2026-42534: Jostle logic bypass degrades resolution performance
More information can be found in the upstream's advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt Resolves-Vulnerability: CVE-2026-42534 Resolves: RHEL-187081
This commit is contained in:
parent
c2fe64e3f1
commit
dba36540fd
51
unbound-1.25.1-CVE-2026-42534.patch
Normal file
51
unbound-1.25.1-CVE-2026-42534.patch
Normal file
@ -0,0 +1,51 @@
|
||||
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
|
||||
index 30bcf7c..0f5a2a3 100644
|
||||
--- a/unbound-1.16.2/services/mesh.c
|
||||
+++ b/unbound-1.16.2/services/mesh.c
|
||||
@@ -338,12 +338,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
|
||||
if(mesh->num_reply_states < mesh->max_reply_states)
|
||||
return 1;
|
||||
/* try to kick out a jostle-list item */
|
||||
- if(m && m->reply_list && m->list_select == mesh_jostle_list) {
|
||||
+ if(m && m->list_select == mesh_jostle_list) {
|
||||
/* how old is it? */
|
||||
struct timeval age;
|
||||
- timeval_subtract(&age, mesh->env->now_tv,
|
||||
- &m->reply_list->start_time);
|
||||
- if(timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
+ if(m->has_first_reply_time)
|
||||
+ timeval_subtract(&age, mesh->env->now_tv,
|
||||
+ &m->first_reply_time);
|
||||
+ if(!m->has_first_reply_time ||
|
||||
+ timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
/* its a goner */
|
||||
log_nametypeclass(VERB_ALGO, "query jostled out to "
|
||||
"make space for a new one",
|
||||
@@ -1690,6 +1692,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
|
||||
r->qid = qid;
|
||||
r->qflags = qflags;
|
||||
r->start_time = *s->s.env->now_tv;
|
||||
+ if(s->reply_list == NULL && !s->has_first_reply_time) {
|
||||
+ s->first_reply_time = r->start_time;
|
||||
+ s->has_first_reply_time = 1;
|
||||
+ }
|
||||
r->next = s->reply_list;
|
||||
r->qname = regional_alloc_init(s->s.region, qinfo->qname,
|
||||
s->s.qinfo.qname_len);
|
||||
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
|
||||
index 3be9b63..8194994 100644
|
||||
--- a/unbound-1.16.2/services/mesh.h
|
||||
+++ b/unbound-1.16.2/services/mesh.h
|
||||
@@ -174,6 +174,12 @@ struct mesh_state {
|
||||
struct module_qstate s;
|
||||
/** the list of replies to clients for the results */
|
||||
struct mesh_reply* reply_list;
|
||||
+ /** if it has a first reply time */
|
||||
+ int has_first_reply_time;
|
||||
+ /** wall-clock time the first client reply was attached;
|
||||
+ * used by mesh_make_new_space() so duplicate retransmits
|
||||
+ * cannot reset jostle aging. */
|
||||
+ struct timeval first_reply_time;
|
||||
/** the list of callbacks for the results */
|
||||
struct mesh_cb* cb_list;
|
||||
/** set of superstates (that want this state's result)
|
||||
@ -90,6 +90,9 @@ Patch11: unbound-1.25.1-CVE-2026-40622-test.patch
|
||||
Patch12: unbound-1.25.1-CVE-2026-44390.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-41292.diff
|
||||
Patch13: unbound-1.25.1-CVE-2026-41292.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42534.diff
|
||||
Patch14: unbound-1.25.1-CVE-2026-42534.patch
|
||||
|
||||
|
||||
BuildRequires: gdb
|
||||
BuildRequires: gcc, make
|
||||
@ -202,6 +205,7 @@ pushd %{pkgname}
|
||||
%patch11 -p2 -b .CVE-2026-40622-test
|
||||
%patch12 -p2 -b .CVE-2026-44390
|
||||
%patch13 -p2 -b .CVE-2026-41292
|
||||
%patch14 -p2 -b .CVE-2026-42534
|
||||
|
||||
# copy common doc files - after here, since it may be patched
|
||||
cp -pr doc pythonmod libunbound ../
|
||||
@ -472,6 +476,7 @@ popd
|
||||
- Fix CVE-2026-40622 (RHEL-184832)
|
||||
- Fix CVE-2026-44390 (RHEL-186680)
|
||||
- Fix CVE-2026-41292 (RHEL-187346)
|
||||
- Fix CVE-2026-42534 (RHEL-187081)
|
||||
|
||||
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
|
||||
- Fix CVE-2026-42944 (RHEL‑177909)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user