From 34afcc9148f31a3d42356b87a340ec8e21414e62 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 23 2021 14:38:57 +0000 Subject: import bind-9.11.4-26.P2.el7_9.8 --- diff --git a/SOURCES/bind-9.11-rh2011220.patch b/SOURCES/bind-9.11-rh2011220.patch new file mode 100644 index 0000000..ef80fd5 --- /dev/null +++ b/SOURCES/bind-9.11-rh2011220.patch @@ -0,0 +1,56 @@ +From 26c4f3e1c9bcba6f61c44af4bfa7c585bfe43f0b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Mon, 24 Sep 2018 19:33:16 +0200 +Subject: [PATCH] Prevent a race after zone load + +Zone loading happens in a different task (zone->loadtask) than other +zone actions (zone->task). Thus, when zone_postload() is called in the +context of zone->loadtask, it may cause zone maintenance to be queued in +zone->task and another thread can then execute zone_maintenance() before +zone_postload() gets a chance to finish its work in the first thread. +This would not be a problem if zone_maintenance() accounted for this +possibility by locking the zone before checking the state of its +DNS_ZONEFLG_LOADPENDING flag. However, the zone is currently not locked +before the state of that flag is checked, which may prevent zone +maintenance from happening despite zone_postload() scheduling it. Fix +by locking the zone in zone_maintenance() before checking the state of +the zone's DNS_ZONEFLG_LOADPENDING flag. + +(cherry picked from commit 56003e9f9f72c8be67d553f4dbd16eba849ca864) +--- + lib/dns/zone.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 42a1811..f2ae6f3 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -10005,12 +10005,6 @@ zone_maintenance(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + ENTER; + +- /* +- * Are we pending load/reload? +- */ +- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) +- return; +- + /* + * Configuring the view of this zone may have + * failed, for example because the config file +@@ -10019,7 +10013,11 @@ zone_maintenance(dns_zone_t *zone) { + * to do further maintenance on it. + */ + LOCK_ZONE(zone); +- viewok = (zone->view != NULL && zone->view->adb != NULL); ++ /* ++ * Are we pending load/reload? ++ */ ++ viewok = (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) && ++ zone->view != NULL && zone->view->adb != NULL); + UNLOCK_ZONE(zone); + if (!viewok) { + return; +-- +2.31.1 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 9a65216..90ea9e4 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.7 +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.8 Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -181,6 +181,7 @@ Patch194: bind-9.11-CVE-2020-8625.patch Patch195: bind-9.11-CVE-2021-25215.patch # https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf Patch196: bind-9.11-CVE-2021-25214.patch +Patch197: bind-9.11-rh2011220.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -554,6 +555,7 @@ are used for building ISC DHCP. %patch194 -p1 -b .CVE-2020-8625 %patch195 -p1 -b .CVE-2021-25215 %patch196 -p1 -b .CVE-2021-25214 +%patch197 -p1 -b .rh2011220 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1535,6 +1537,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Thu Oct 14 2021 Petr Menšík - 32:9.11.4-26.P2.8 +- Prevent a race after zone load (#2011220) + * Tue Jul 13 2021 Petr Menšík - 32:9.11.4-26.P2.7 - Apply again patch 172, got removed by mistake