From ba28f7a158f7b7f3f16a75270cee0b71059e7e79 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 9bf5bfe..3aee3d2 100644
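--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -234,7 +234,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 str = cfg_obj_asstring(matchtype);
 CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
 usezone = ISC_TRUE;
 }
 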
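Review bot: The added `strcasecmp(str, "zonesub") == 0` test in the `if` is the only thing that now separates the two rule types, and nothing on the line says why the raw string is re-checked after `dns_ssu_mtypefromstring()` has already produced `mtype`. Presumably both "subdomain" and "zonesub" parse to `dns_ssumatchtype_subdomain`, so I would put a comment above the condition such as `/* "zonesub" shares dns_ssumatchtype_subdomain with "subdomain"; only "zonesub" takes the zone name as the rule name */`, so that a later cleanup does not drop the comparison and reintroduce CVE-2020-8624. The diffstat shows only zoneconf.c changing, so a regression test that a key granted by a "subdomain" rule is refused for a name outside that subdomain would be worth adding alongside. `configure_zone_ssutable` starts and ends outside the hunk, so whether `<strings.h>` is included for `strcasecmp` cannot be confirmed from here.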
--
2.26.2