rpms / bind

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c7
  2.   SOURCES
  3.   bind-9.11-CVE-2020-8624.patch
Blob Blame History Raw 
From ba28f7a158f7b7f3f16a75270cee0b71059e7e79 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624

5481.	[security]	"update-policy" rules of type "subdomain" were
			incorrectly treated as "zonesub" rules, which allowed
			keys used in "subdomain" rules to update names outside
			of the specified subdomains. The problem was fixed by
			making sure "subdomain" rules are again processed as
			described in the ARM. (CVE-2020-8624) [GL #2055]
---
 bin/named/zoneconf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 9bf5bfe..3aee3d2 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -234,7 +234,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 		str = cfg_obj_asstring(matchtype);
 		CHECK(dns_ssu_mtypefromstring(str, &mtype));
-		if (mtype == dns_ssumatchtype_subdomain) {
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    strcasecmp(str, "zonesub") == 0) {
 			usezone = ISC_TRUE;
 		}
 
-- 
2.26.2

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation