Note: the forge truncated the diff of some of the larger files below; the full diff for every file is only available from the original revision page.
Changes of Revision 3
_service:tar_scm:bind.spec
Changed
@@ -29,7 +29,7 @@
 Name: bind
 License: MPLv2.0
 Version: 9.18.21
-Release: 2
+Release: 3
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -64,6 +64,11 @@
 Patch6001:backport-CVE-2023-5517.patch
 Patch6002:backport-CVE-2023-5679.patch
 Patch6003:backport-CVE-2023-50387-CVE-2023-50868.patch
+Patch6004:backport-CVE-2024-0760.patch
+Patch6005:backport-optimize-the-slabheader-placement-for-certain-RRtypes.patch
+Patch6006:backport-CVE-2024-1737.patch
+Patch6007:backport-CVE-2024-1975.patch
+Patch6008:backport-CVE-2024-4076.patch
 
 # Common patches
 %{?systemd_ordering}
@@ -903,6 +908,12 @@
 %endif
 
 %changelog
+* Fri Aug 02 2024 chengyechun<chengyechun1@huawei.com> - 32:9.18.21-3
+- Type:CVE
+- CVE:CVE-2024-0760,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076
+- SUG:NA
+- DESC:fix CVE-2024-0760,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076
+
 * Tue Mar 19 2024 chengyechun<chengyechun1@huawei.com> - 32:9.18.21-2
 - Type:CVE
 - CVE:CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-50387 CVE-2023-50868
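Review bot: The changelog's `SUG:NA` and `DESC:fix CVE-...` lines hide that this update changes runtime behaviour on a stable branch: Patch6006 (CVE-2024-1737) introduces `max-records-per-type` and `max-types-per-name` with a default of `100` that zoneconf.c applies to every zone, and Patch6007 (CVE-2024-1975) removes SIG(0) message verification, so SIG(0)-signed dynamic updates and `key`-based ACL matches on SIG(0) keys stop working. Zones with more than 100 records of one type at a single name will presumably be affected (the 1737 patch's own doth system tests had to add `max-records-per-type 0;`), so suggest extending the DESC line, e.g. `- DESC:fix CVE-2024-0760,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076; adds max-records-per-type/max-types-per-name (default 100); SIG(0) verification removed`. Patch6005 is not a CVE fix; since it sits between the CVE patches and touches rbtdb.c like Patch6006 it is presumably a prerequisite for that backport, and a note saying so in the changelog would explain its presence.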
_service:tar_scm:backport-CVE-2024-0760.patch
Added
@@ -0,0 +1,981 @@ +From c33b3d26f695d342af3fa81ab404a366bb8ce873 Mon Sep 17 00:00:00 2001 +From: Artem Boldariev <artem@boldariev.com> +Date: Wed, 3 Jul 2024 13:58:32 +0300 +Subject: PATCH TCP/TLS DNS: unthrottle only when all input data processing + +This commit ensures that we restart reading only when all DNS data in +the input buffer is processed so the we will not get into the +situation when the buffer is overrun. + +Conflict:NA +Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0001-CVE-2024-0760.patch + +--- + lib/isc/netmgr/netmgr-int.h | 27 +++++-- + lib/isc/netmgr/netmgr.c | 79 ++++++++++++++---- + lib/isc/netmgr/tcp.c | 71 +++++++++++++++- + lib/isc/netmgr/tcpdns.c | 59 +++++++++++++- + lib/isc/netmgr/tlsdns.c | 120 ++++++++++++++++++++------- + lib/ns/client.c | 156 +++++++++++++++++------------------- + lib/ns/include/ns/client.h | 6 +- + 7 files changed, 379 insertions(+), 139 deletions(-) + +diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h +index 6aca9ab..bc1ba73 100644 +--- a/lib/isc/netmgr/netmgr-int.h ++++ b/lib/isc/netmgr/netmgr-int.h +@@ -62,9 +62,10 @@ + #endif + + /* +- * The TCP receive buffer can fit one maximum sized DNS message plus its size, +- * the receive buffer here affects TCP, DoT and DoH. ++ * The TCP send and receive buffers can fit one maximum sized DNS message plus ++ * its size, the receive buffer here affects TCP, DoT and DoH. 
+ */ ++#define ISC_NETMGR_TCP_SENDBUF_SIZE (sizeof(uint16_t) + UINT16_MAX) + #define ISC_NETMGR_TCP_RECVBUF_SIZE (sizeof(uint16_t) + UINT16_MAX) + + /* Pick the larger buffer */ +@@ -377,9 +378,10 @@ struct isc__nm_uvreq { + int magic; + isc_nmsocket_t *sock; + isc_nmhandle_t *handle; +- char tcplen2; /* The TCP DNS message length */ +- uv_buf_t uvbuf; /* translated isc_region_t, to be +- * sent or received */ ++ char tcplen2; /* The TCP DNS message length */ ++ uv_buf_t uvbuf; /* translated isc_region_t, to be ++ * sent or received */ ++ isc_region_t userbuf; + isc_sockaddr_t local; /* local address */ + isc_sockaddr_t peer; /* peer address */ + isc__nm_cb_t cb; /* callback */ +@@ -998,7 +1000,6 @@ struct isc_nmsocket { + TLS_STATE_ERROR, + TLS_STATE_CLOSING + } state; +- isc_region_t senddata; + ISC_LIST(isc__nm_uvreq_t) sendreqs; + bool cycle; + isc_result_t pending_error; +@@ -1063,6 +1064,12 @@ struct isc_nmsocket { + */ + uint64_t write_timeout; + ++ /* ++ * Reading was throttled over TCP as the peer does not read the ++ * data we are sending back. ++ */ ++ bool reading_throttled; ++ + /*% outer socket is for 'wrapped' sockets - e.g. tcpdns in tcp */ + isc_nmsocket_t *outer; + +@@ -2265,6 +2272,14 @@ isc__nmsocket_readtimeout_cb(uv_timer_t *timer); + void + isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult); + ++/*%< ++ * ++ * Maximum number of simultaneous handles in flight supported for a single ++ * connected TCPDNS socket. This value was chosen arbitrarily, and may be ++ * changed in the future. ++ */ ++#define STREAM_CLIENTS_PER_CONN 23 ++ + #define UV_RUNTIME_CHECK(func, ret) \ + if (ret != 0) { \ + FATAL_ERROR("%s failed: %s\n", #func, uv_strerror(ret)); \ +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 2310b4b..f9e3b70 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -49,8 +49,15 @@ + * How many isc_nmhandles and isc_nm_uvreqs will we be + * caching for reuse in a socket. 
+ */ +-#define ISC_NM_HANDLES_STACK_SIZE 600 +-#define ISC_NM_REQS_STACK_SIZE 600 ++#define ISC_NM_HANDLES_STACK_SIZE 16 ++#define ISC_NM_REQS_STACK_SIZE 16 ++ ++/*% ++ * Same, but for UDP sockets which tend to need larger values as they ++ * process many requests per socket. ++ */ ++#define ISC_NM_HANDLES_STACK_SIZE_UDP 64 ++#define ISC_NM_REQS_STACK_SIZE_UDP 64 + + /*% + * Shortcut index arrays to get access to statistics counters. +@@ -1506,16 +1513,25 @@ void + isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type, + isc_sockaddr_t *iface FLARG) { + uint16_t family; ++ size_t inactive_handles_stack_size = ISC_NM_HANDLES_STACK_SIZE; ++ size_t inactive_reqs_stack_size = ISC_NM_REQS_STACK_SIZE; + + REQUIRE(sock != NULL); + REQUIRE(mgr != NULL); + +- *sock = (isc_nmsocket_t){ .type = type, +- .fd = -1, +- .inactivehandles = isc_astack_new( +- mgr->mctx, ISC_NM_HANDLES_STACK_SIZE), +- .inactivereqs = isc_astack_new( +- mgr->mctx, ISC_NM_REQS_STACK_SIZE) }; ++ if (type == isc_nm_udpsocket) { ++ inactive_handles_stack_size = ISC_NM_HANDLES_STACK_SIZE_UDP; ++ inactive_reqs_stack_size = ISC_NM_REQS_STACK_SIZE_UDP; ++ } ++ ++ *sock = (isc_nmsocket_t){ ++ .type = type, ++ .fd = -1, ++ .inactivehandles = isc_astack_new(mgr->mctx, ++ inactive_handles_stack_size), ++ .inactivereqs = isc_astack_new(mgr->mctx, ++ inactive_reqs_stack_size) ++ }; + + ISC_LIST_INIT(sock->tls.sendreqs); + +@@ -2084,6 +2100,7 @@ isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult) { + + sock = req->sock; + ++ isc__nm_start_reading(sock); + isc__nmsocket_reset(sock); + } + +@@ -2093,7 +2110,6 @@ isc__nmsocket_readtimeout_cb(uv_timer_t *timer) { + + REQUIRE(VALID_NMSOCK(sock)); + REQUIRE(sock->tid == isc_nm_tid()); +- REQUIRE(atomic_load(&sock->reading)); + + if (atomic_load(&sock->client)) { + uv_timer_stop(timer); +@@ -2340,8 +2356,10 @@ processbuffer(isc_nmsocket_t *sock) { + * timers. If we do have a full message, reset the timer. 
+ * + * Stop reading if this is a client socket, or if the server socket +- * has been set to sequential mode. In this case we'll be called again +- * later by isc__nm_resume_processing(). ++ * has been set to sequential mode, or the number of queries we are ++ * processing simultaneously has reached the clients-per-connection ++ * limit. In this case we'll be called again later by ++ * isc__nm_resume_processing(). + */ + isc_result_t + isc__nm_process_sock_buffer(isc_nmsocket_t *sock) { +@@ -2349,14 +2367,41 @@ isc__nm_process_sock_buffer(isc_nmsocket_t *sock) { + int_fast32_t ah = atomic_load(&sock->ah); + isc_result_t result = processbuffer(sock); + switch (result) { +- case ISC_R_NOMORE: ++ case ISC_R_NOMORE: { + /* + * Don't reset the timer until we have a + * full DNS message. + */ +- result = isc__nm_start_reading(sock); +- if (result != ISC_R_SUCCESS) { +- return (result); ++ ++ /* ++ * Restart reading if we have less data in the send ++ * queue than the send buffer size, this means that the ++ * TCP client has started reading some data again. ++ * Starting reading when we go under the limit instead ++ * of waiting for all data has been flushed allows ++ * faster recovery (in case there was a congestion and ++ * now there isn't). ++ */ ++ size_t write_queue_size = ++ uv_stream_get_write_queue_size( ++ &sock->uv_handle.stream); ++ if (write_queue_size < ISC_NETMGR_TCP_SENDBUF_SIZE) {
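Review bot: `isc__nmsocket_readtimeout_cb` drops its `REQUIRE(atomic_load(&sock->reading))` without any comment, and the new `reading_throttled` field in netmgr-int.h does not say that the read timer is expected to keep firing while reads are throttled, so a reader of the backport cannot tell whether a timeout on a non-reading socket is now intended or an unchecked state. Suggest extending the field comment to `Reading was throttled over TCP as the peer does not read the data we are sending back. The read timer is left running while throttled so that a peer which stops reading is still timed out (see isc__nmsocket_readtimeout_cb).` — presumably the intent, to be confirmed against the upstream change. Likewise `isc__nmsocket_writetimeout_cb` now calls `isc__nm_start_reading(sock)` immediately before `isc__nmsocket_reset(sock)`, and a one-line comment on why reading must be restarted on a socket about to be reset would help. The `isc__nm_process_sock_buffer` hunk is cut off by the page at the `write_queue_size` comparison, so the unthrottle path itself and the rest of that function could not be reviewed here.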
_service:tar_scm:backport-CVE-2024-1737.patch
Added
@@ -0,0 +1,1500 @@ +From 39d3e2a8ecc1cb4dccefa3ddea477a2887989485 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org> +Date: Sat, 25 May 2024 11:46:56 +0200 +Subject: PATCH Add a limit to the number of RR types for single name + +Previously, the number of RR types for a single owner name was limited +only by the maximum number of the types (64k). As the data structure +that holds the RR types for the database node is just a linked list, and +there are places where we just walk through the whole list (again and +again), adding a large number of RR types for a single owner named with +would slow down processing of such name (database node). + +Add a configurable limit to cap the number of the RR types for a single +owner. This is enforced at the database (rbtdb, qpzone, qpcache) level +and configured with new max-types-per-name configuration option that +can be configured globally, per-view and per-zone. + +(cherry picked from commit 00d16211d6368b99f070c1182d8c76b3798ca1db) + +Conflict:Adaptation of the dns_db_settask Function Context +Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0002-CVE-2024-1737.patch + + +--- + bin/named/config.c | 2 + + bin/named/server.c | 18 ++++ + bin/named/zoneconf.c | 16 +++ + bin/tests/system/doth/ns2/named.conf.in | 1 + + bin/tests/system/doth/ns3/named.conf.in | 1 + + bin/tests/system/doth/ns4/named.conf.in | 1 + + bin/tests/system/doth/ns5/named.conf.in | 1 + + bin/tests/system/dyndb/driver/db.c | 69 ++++++++---- + doc/arm/reference.rst | 30 ++++++ + doc/misc/mirror.zoneopt | 2 + + doc/misc/options | 4 + + doc/misc/primary.zoneopt | 2 + + doc/misc/redirect.zoneopt | 2 + + doc/misc/secondary.zoneopt | 2 + + doc/misc/static-stub.zoneopt | 2 + + doc/misc/stub.zoneopt | 2 + + lib/dns/cache.c | 24 +++++ + lib/dns/db.c | 18 ++++ + lib/dns/dnsrps.c | 2 + + lib/dns/include/dns/cache.h | 12 +++ + lib/dns/include/dns/db.h | 19 ++++ + lib/dns/include/dns/rdataslab.h | 6 +- + 
lib/dns/include/dns/view.h | 14 +++ + lib/dns/include/dns/zone.h | 39 +++++++ + lib/dns/rbtdb.c | 138 +++++++++++++++++++++--- + lib/dns/rdataslab.c | 14 ++- + lib/dns/sdb.c | 46 +++++--- + lib/dns/sdlz.c | 79 +++++++++----- + lib/dns/view.c | 21 ++++ + lib/dns/xfrin.c | 24 +---- + lib/dns/zone.c | 96 +++++++++++++---- + lib/isccfg/namedconf.c | 6 ++ + lib/ns/update.c | 15 ++- + 33 files changed, 602 insertions(+), 126 deletions(-) + +diff --git a/bin/named/config.c b/bin/named/config.c +index f95e433..af8637e 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -233,8 +233,10 @@ options {\n\ + ixfr-from-differences false;\n\ + max-journal-size default;\n\ + max-records 0;\n\ ++ max-records-per-type 100;\n\ + max-refresh-time 2419200; /* 4 weeks */\n\ + max-retry-time 1209600; /* 2 weeks */\n\ ++ max-types-per-name 100;\n\ + max-transfer-idle-in 60;\n\ + max-transfer-idle-out 60;\n\ + max-transfer-time-in 120;\n\ +diff --git a/bin/named/server.c b/bin/named/server.c +index bfe6df3..8d7f56e 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -5563,6 +5563,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, + dns_resolver_setclientsperquery(view->resolver, cfg_obj_asuint32(obj), + max_clients_per_query); + ++ /* ++ * This is used for the cache and also as a default value ++ * for zone databases. ++ */ ++ obj = NULL; ++ result = named_config_get(maps, "max-records-per-type", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ dns_view_setmaxrrperset(view, cfg_obj_asuint32(obj)); ++ ++ /* ++ * This is used for the cache and also as a default value ++ * for zone databases. 
++ */ ++ obj = NULL; ++ result = named_config_get(maps, "max-types-per-name", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ dns_view_setmaxtypepername(view, cfg_obj_asuint32(obj)); ++ + obj = NULL; + result = named_config_get(maps, "max-recursion-depth", &obj); + INSIST(result == ISC_R_SUCCESS); +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index 44c2242..384a81e 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -1083,6 +1083,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + dns_zone_setmaxrecords(zone, 0); + } + ++ obj = NULL; ++ result = named_config_get(maps, "max-records-per-type", &obj); ++ INSIST(result == ISC_R_SUCCESS && obj != NULL); ++ dns_zone_setmaxrrperset(mayberaw, cfg_obj_asuint32(obj)); ++ if (zone != mayberaw) { ++ dns_zone_setmaxrrperset(zone, 0); ++ } ++ ++ obj = NULL; ++ result = named_config_get(maps, "max-types-per-name", &obj); ++ INSIST(result == ISC_R_SUCCESS && obj != NULL); ++ dns_zone_setmaxtypepername(mayberaw, cfg_obj_asuint32(obj)); ++ if (zone != mayberaw) { ++ dns_zone_setmaxtypepername(zone, 0); ++ } ++ + if (raw != NULL && filename != NULL) { + #define SIGNED ".signed" + size_t signedlen = strlen(filename) + sizeof(SIGNED); +diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in +index e533f47..f10dac5 100644 +--- a/bin/tests/system/doth/ns2/named.conf.in ++++ b/bin/tests/system/doth/ns2/named.conf.in +@@ -49,6 +49,7 @@ options { + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; ++ max-records-per-type 0; + transfers-in 100; + transfers-out 100; + }; +diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in +index cd1ab9c..cd9fc63 100644 +--- a/bin/tests/system/doth/ns3/named.conf.in ++++ b/bin/tests/system/doth/ns3/named.conf.in +@@ -44,6 +44,7 @@ options { + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; ++ max-records-per-type 0; + }; + + 
zone "." { +diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in +index c7c6c91..43b7c78 100644 +--- a/bin/tests/system/doth/ns4/named.conf.in ++++ b/bin/tests/system/doth/ns4/named.conf.in +@@ -52,6 +52,7 @@ options { + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; ++ max-records-per-type 0; + }; + + zone "." { +diff --git a/bin/tests/system/doth/ns5/named.conf.in b/bin/tests/system/doth/ns5/named.conf.in +index 6808618..9323637 100644 +--- a/bin/tests/system/doth/ns5/named.conf.in ++++ b/bin/tests/system/doth/ns5/named.conf.in +@@ -40,6 +40,7 @@ options { + ixfr-from-differences yes; + check-integrity no; + dnssec-validation yes; ++ max-records-per-type 0; + }; + + zone "." { +diff --git a/bin/tests/system/dyndb/driver/db.c b/bin/tests/system/dyndb/driver/db.c +index 334fd54..d34d1e0 100644 +--- a/bin/tests/system/dyndb/driver/db.c ++++ b/bin/tests/system/dyndb/driver/db.c +@@ -563,28 +563,57 @@ hashsize(dns_db_t *db) { + * determine which implementation of dns_db_*() function to call. + */ + static dns_dbmethods_t sampledb_methods = { +- attach, detach, beginload, +- endload, dump, currentversion, +- newversion, attachversion, closeversion, +- findnode, find, findzonecut, +- attachnode, detachnode, expirenode, +- printnode, createiterator, findrdataset, +- allrdatasets, addrdataset, subtractrdataset, +- deleterdataset, issecure, nodecount, +- ispersistent, overmem, settask, +- getoriginnode, transfernode, getnsec3parameters, +- findnsec3node, setsigningtime, getsigningtime, +- resigned, isdnssec, getrrsetstats, ++ attach,
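Review bot: In `named_zone_configure` the two new blocks set `max-records-per-type` / `max-types-per-name` on `mayberaw` and force `0` on `zone` when the two differ, mirroring the `max-records` block above them, but nothing in zoneconf.c says that `0` disables the limit or why the second zone object is exempt; suggest a comment on the first new block such as `/* 0 disables the limit; when zone != mayberaw the cap is enforced on the raw zone only, as for max-records above. */` (the meaning of `0` is inferred from the doth tests using `max-records-per-type 0;`, confirm against the rbtdb code). The config.c defaults of `100` also apply to every existing authoritative zone and to the cache (`dns_view_setmaxrrperset` in configure_view), so the backport should document which deployments may be affected. The section is truncated by the page at the dyndb `sampledb_methods` table, so the rbtdb.c enforcement and the `dns_db_settask` conflict adaptation mentioned in the patch header could not be reviewed here.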
_service:tar_scm:backport-CVE-2024-1975.patch
Added
@@ -0,0 +1,352 @@ +From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org> +Date: Thu, 16 May 2024 12:10:41 +0200 +Subject: PATCH Remove support for SIG(0) message verification + +Conflict:Case adaptation +Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch + +--- + bin/tests/system/tsiggss/authsock.pl | 5 ++ + bin/tests/system/tsiggss/tests.sh | 12 ++-- + bin/tests/system/upforwd/tests.sh | 9 ++- + doc/arm/general.rst | 6 +- + doc/arm/intro-security.inc.rst | 2 +- + doc/arm/reference.rst | 4 +- + doc/arm/security.inc.rst | 4 +- + doc/arm/sig0.inc.rst | 16 +---- + lib/dns/message.c | 99 ++-------------------------- + lib/ns/client.c | 7 ++ + 10 files changed, 40 insertions(+), 124 deletions(-) + +diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl +index 4c76bf8..972252a 100644 +--- a/bin/tests/system/tsiggss/authsock.pl ++++ b/bin/tests/system/tsiggss/authsock.pl +@@ -33,6 +33,10 @@ if (!defined($path)) { + exit(1); + } + ++# Enable output autoflush so that it's not lost when the parent sends TERM. 
++select STDOUT; ++$| = 1; ++ + unlink($path); + my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or + die "unable to create socket $path"; +@@ -50,6 +54,7 @@ if ($timeout != 0) { + } + + while (my $client = $server->accept()) { ++ printf("accept()\n"); + $client->recv(my $buf, 8, 0); + my ($version, $req_len) = unpack('N N', $buf); + +diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh +index c37f32e..004ad83 100644 +--- a/bin/tests/system/tsiggss/tests.sh ++++ b/bin/tests/system/tsiggss/tests.sh +@@ -117,7 +117,7 @@ status=$((status + ret)) + + echo_i "testing external update policy (CNAME) with auth sock ($n)" + ret=0 +-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >/dev/null 2>&1 & ++$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 & + sleep 1 + test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1 + n=$((n + 1)) +@@ -131,17 +131,19 @@ n=$((n + 1)) + if "$ret" -ne 0 ; then echo_i "failed"; fi + status=$((status + ret)) + +-echo_i "testing external policy with SIG(0) key ($n)" ++echo_i "testing external policy with unsupported SIG(0) key ($n)" + ret=0 +-$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END >/dev/null 2>&1 || ret=1 ++$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true ++debug + server 10.53.0.1 ${PORT} + zone example.nil + update add fred.example.nil 120 cname foo.bar. + send + END + output=$($DIG $DIGOPTS +short cname fred.example.nil.) 
+- -n "$output" || ret=1 +- $ret -eq 0 || echo_i "failed" ++# update must have failed - SIG(0) signer is not supported ++ -n "$output" && ret=1 ++grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1 + n=$((n + 1)) + if "$ret" -ne 0 ; then echo_i "failed"; fi + status=$((status + ret)) +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index 518eac6..d231d0f 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -229,10 +229,12 @@ fi + n=$((n + 1)) + + if test -f keyname; then +- echo_i "checking update forwarding to with sig0 ($n)" ++ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)" + ret=0 + keyname=$(cat keyname) +- $NSUPDATE -k $keyname.private -- - <<EOF ++ # SIG(0) is removed, update is expected to fail. ++ { ++ $NSUPDATE -k $keyname.private -- - <<EOF + local 10.53.0.1 + server 10.53.0.3 ${PORT} + zone example2 +@@ -240,8 +242,9 @@ if test -f keyname; then + update add unsigned.example2. 600 TXT Foo + send + EOF ++ } >nsupdate.out.$n 2>&1 && ret=1 + $DIG -p ${PORT} unsigned.example2 A @10.53.0.1 >dig.out.ns1.test$n +- grep "status: NOERROR" dig.out.ns1.test$n >/dev/null || ret=1 ++ grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1 + if $ret != 0 ; then echo_i "failed"; fi + status=$((status + ret)) + n=$((n + 1)) +diff --git a/doc/arm/general.rst b/doc/arm/general.rst +index 5b65f6a..35f74b3 100644 +--- a/doc/arm/general.rst ++++ b/doc/arm/general.rst +@@ -379,10 +379,8 @@ Notes + .. #rfc1035_2 CLASS ANY queries are not supported. This is considered a + feature. + +-.. #rfc2931 When receiving a query signed with a SIG(0), the server is +- only able to verify the signature if it has the key in its local +- authoritative data; it cannot do recursion or validation to +- retrieve unknown keys. ++.. #rfc2931 Support for SIG(0) message verification was removed ++ as part of the mitigation of CVE-2024-1975. + + .. 
#rfc2874 Compliance is with loading and serving of A6 records only. + A6 records were moved to the experimental category by :rfc:`3363`. +diff --git a/doc/arm/intro-security.inc.rst b/doc/arm/intro-security.inc.rst +index 87db970..996e910 100644 +--- a/doc/arm/intro-security.inc.rst ++++ b/doc/arm/intro-security.inc.rst +@@ -47,7 +47,7 @@ or ports come preconfigured with local (loopback address) security preconfigured + If ``rndc`` is being invoked from a remote host, further configuration is required. + The ``nsupdate`` tool uses **Dynamic DNS (DDNS)** features and allows users to dynamically + change the contents of the zone file(s). ``nsupdate`` access and security may be controlled +-using ``named.conf`` :ref:`statements or using TSIG or SIG(0) cryptographic methods <dynamic_update_security>`. ++using ``named.conf`` :ref:`statements or via the TSIG cryptographic method <dynamic_update_security>`. + Clearly, if the remote hosts used for either ``rndc`` or DDNS lie within a network entirely + under the user's control, the security threat may be regarded as non-existent. Any implementation requirements, + therefore, depend on the site's security policy. +diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst +index 29e246b..157ab30 100644 +--- a/doc/arm/reference.rst ++++ b/doc/arm/reference.rst +@@ -7417,7 +7417,7 @@ the zone's filename, unless :any:`inline-signing` is enabled. + updates are allowed. It specifies a set of rules, in which each rule + either grants or denies permission for one or more names in the zone to + be updated by one or more identities. Identity is determined by the key +- that signed the update request, using either TSIG or SIG(0). In most ++ that signed the update request, using TSIG. In most + cases, :any:`update-policy` rules only apply to key-based identities. There + is no way to specify update permissions based on the client source address. + +@@ -7474,7 +7474,7 @@ the zone's filename, unless :any:`inline-signing` is enabled. 
+ field. Details for each rule type are described below. + + The ``identity`` field must be set to a fully qualified domain name. In +- most cases, this represents the name of the TSIG or SIG(0) key that ++ most cases, this represents the name of the TSIG key that + must be used to sign the update request. If the specified name is a + wildcard, it is subject to DNS wildcard expansion, and the rule may + apply to multiple identities. When a TKEY exchange has been used to +diff --git a/doc/arm/security.inc.rst b/doc/arm/security.inc.rst +index 878fa37..8fc65d3 100644 +--- a/doc/arm/security.inc.rst ++++ b/doc/arm/security.inc.rst +@@ -85,7 +85,7 @@ Limiting access to the server by outside parties can help prevent + spoofing and denial of service (DoS) attacks against the server. + + ACLs match clients on the basis of up to three characteristics: 1) The +-client's IP address; 2) the TSIG or SIG(0) key that was used to sign the ++client's IP address; 2) the TSIG key that was used to sign the + request, if any; and 3) an address prefix encoded in an EDNS + Client-Subnet option, if any. + +@@ -126,7 +126,7 @@ and no queries at all from the networks specified in ``bogusnets``. + + In addition to network addresses and prefixes, which are matched against + the source address of the DNS request, ACLs may include ``key`` +-elements, which specify the name of a TSIG or SIG(0) key. ++elements, which specify the name of a TSIG key. + + When BIND 9 is built with GeoIP support, ACLs can also be used for + geographic access restrictions. This is done by specifying an ACL +diff --git a/doc/arm/sig0.inc.rst b/doc/arm/sig0.inc.rst +index 048dbea..6e6fc32 100644 +--- a/doc/arm/sig0.inc.rst ++++ b/doc/arm/sig0.inc.rst +@@ -12,17 +12,5 @@ + SIG(0) + ------ + +-BIND partially supports DNSSEC SIG(0) transaction signatures as +-specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to +-authenticate messages. 
Access control is performed in the same manner as with +-TSIG keys; privileges can be granted or denied in ACL directives based +-on the key name. +-
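Review bot: In tsiggss/tests.sh the SIG(0) case now runs `$NSUPDATE ... || true` and only asserts that the CNAME is absent and that `signer=key.example.nil` never reached authsock.log; both conditions also hold when nsupdate never sent anything (missing key file, wrong port), so the test cannot distinguish "SIG(0) rejected by named" from "update never attempted". Suggest additionally grepping `nsupdate.out${n}` for the refusal that nsupdate prints in debug mode so a silently skipped update fails the test; the upforwd variant is stronger because `} >nsupdate.out.$n 2>&1 && ret=1` at least requires a non-zero exit. The `lib/dns/message.c` and `lib/ns/client.c` hunks listed in the diffstat are not shown (the section is cut off at sig0.inc.rst), so the removal itself could not be reviewed here.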
_service:tar_scm:backport-CVE-2024-4076.patch
Added
@@ -0,0 +1,34 @@
+From 9cfd20cd90fab4c97fe91f68555b7a2e05b808e8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 16 Jan 2024 14:25:27 +1100
+Subject: PATCH Clear qctx->zversion
+
+Clear qctx->zversion when clearing qctx->zrdataset et al in
+lib/ns/query.c:qctx_freedata. The uncleared pointer could lead to
+an assertion failure if zone data needed to be re-saved which could
+happen with stale data support enabled.
+
+(cherry picked from commit 179fb3532ab8d4898ab070b2db54c0ce872ef709)
+
+Conflict:NA
+Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0004-CVE-2024-4076.patch
+
+---
+ lib/ns/query.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 40e1232..7884514 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5323,6 +5323,7 @@ qctx_freedata(query_ctx_t *qctx) {
+ ns_client_releasename(qctx->client, &qctx->zfname);
+ dns_db_detachnode(qctx->zdb, &qctx->znode);
+ dns_db_detach(&qctx->zdb);
++ qctx->zversion = NULL;
+ }
+ 
+ if (qctx->event != NULL && !qctx->client->nodetach) {
+-- 
+2.33.0
+
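Review bot: The new `qctx->zversion = NULL;` carries no comment, so the reason given only in the commit message (a stale version pointer can trip an assertion when zone data is re-saved with stale data support) is lost to a reader of query.c; suggest `/* Clear with zdb: a dangling zversion can trigger an assertion when zone data is re-saved (CVE-2024-4076). */` above the line. `qctx_freedata` starts and ends outside the hunk, so whether `zversion` is also reset on the function's other cleanup paths cannot be checked here.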
_service:tar_scm:backport-optimize-the-slabheader-placement-for-certain-RRtypes.patch
Added
@@ -0,0 +1,98 @@
+From 8ef414a7f38a04cfc11df44adaedaf3126fa3878 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 29 Jan 2024 16:36:30 +0100
+Subject: PATCH Optimize the slabheader placement for certain RRTypes
+
+Mark the infrastructure RRTypes as "priority" types and place them at
+the beginning of the rdataslab header data graph. The non-priority
+types either go right after the priority types (if any).
+
+(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
+
+Conflict:NA
+Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
+
+---
+ lib/dns/rbtdb.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 7793be8..bc0f8d8 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -906,6 +906,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+ }
+ }
+ 
++static bool
++prio_type(rbtdb_rdatatype_t type) {
++ switch (type) {
++ case dns_rdatatype_soa:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
++ case dns_rdatatype_a:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
++ case dns_rdatatype_aaaa:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
++ case dns_rdatatype_nsec:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
++ case dns_rdatatype_nsec3:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
++ case dns_rdatatype_ns:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
++ case dns_rdatatype_ds:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
++ case dns_rdatatype_cname:
++ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
++ return (true);
++ }
++ return (false);
++}
++
+ /*%
+ * These functions allow the heap code to rank the priority of each
+ * element. It returns true if v1 happens "sooner" than v2.
+@@ -6167,6 +6191,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ rbtdb_changed_t *changed = NULL;
+ rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
+ rdatasetheader_t *header = NULL, *sigheader = NULL;
++ rdatasetheader_t *prioheader = NULL;
+ unsigned char *merged = NULL;
+ isc_result_t result;
+ bool header_nx;
+@@ -6313,6 +6338,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
+ for (topheader = rbtnode->data; topheader != NULL;
+ topheader = topheader->next)
+ {
++ if (prio_type(topheader->type)) {
++ prioheader = topheader;
++ }
+ if (topheader->type == newheader->type ||
+ topheader->type == negtype)
+ {
+@@ -6679,9 +6707,21 @@ find_header:
+ /*
+ * No rdatasets of the given type exist at the node.
+ */
+- newheader->next = rbtnode->data;
+ newheader->down = NULL;
+- rbtnode->data = newheader;
++
++ if (prio_type(newheader->type)) {
++ /* This is a priority type, prepend it */
++ newheader->next = rbtnode->data;
++ rbtnode->data = newheader;
++ } else if (prioheader != NULL) {
++ /* Append after the priority headers */
++ newheader->next = prioheader->next;
++ prioheader->next = newheader;
++ } else {
++ /* There were no priority headers */
++ newheader->next = rbtnode->data;
++ rbtnode->data = newheader;
++ }
+ }
+ }
+ 
+-- 
+2.33.0
+
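Review bot: `prio_type` and the new insertion branches in `add32` have no comment explaining why these types are kept at the head of `rbtnode->data`; the rationale (lookups of SOA/NS/A/AAAA/DS/CNAME/NSEC/NSEC3 and their RRSIGs should not walk past arbitrarily many other types at the same name) lives only in the commit message and will not be visible to a future rbtdb.c maintainer. Suggest a header comment on `prio_type`: `/* Types consulted on nearly every lookup (delegation, address, CNAME and negative-proof records plus their RRSIGs). add32 keeps them at the front of rbtnode->data so a name carrying many other types does not slow these lookups down. */`. The `else if (prioheader != NULL)` branch assumes the priority headers are contiguous at the head, which holds only if every path that links a header into `rbtnode->data` follows these rules; `add32` continues outside the hunk, so a sentence stating that assumption next to the branch would help. A `default: break;` in the `switch` would also keep `-Wswitch-default` builds quiet if the project enables that warning.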