diff --git a/SOURCES/bind-9.11-CVE-2018-5745-testfix.patch b/SOURCES/bind-9.11-CVE-2018-5745-testfix.patch
new file mode 100644
index 0000000..f4dd863
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5745-testfix.patch
@@ -0,0 +1,455 @@ +From aea8a7bab922a8793f6c50af30bdfa424a7f706d Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 5 Sep 2019 20:24:25 +0200 +Subject: [PATCH] Fix mkeys test changes backported +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Squashed commit of the following: + +commit a6cbd45fcfe2b1dc5339da72eed0ffeb27afdf81 +Author: Petr Mensik +Date: Thu Sep 5 20:01:21 2019 +0200 + + Backport fixes to mkeys test + + It relied on some features backported in more recent versions, but not + present in our version. Make test pass with current features. Fixes some + mistakes when backporting original upstream commits. + +commit be97d4d9d9f9568aa497e618ffbe2aba0841d035 +Author: Michał Kępień +Date: Tue Mar 26 10:51:16 2019 +0100 + + Add "-r $RANDFILE" where it is missing + + If the path to the source of random data is not passed explicitly to + dnssec-keygen or dnssec-signzone and the --with-randomdev compile-time + switch is not used, the aforementioned utilities will hang if the + default source of random data (/dev/random) runs out of entropy. Use + "-r $RANDFILE" to prevent that from happening in affected system tests. 
+ + (cherry picked from commit 59e1329e9b3aff72d8e36db8d0ca980d540decb3) + +commit fd651e87b9bddcae7ef894b165d209a9693dc204 +Author: Matthijs Mekking +Date: Thu Dec 20 15:23:07 2018 +0100 + + Remove dig_with_opts + + (cherry picked from commit bb2c242c396d3c6893eb6a27e59af5a3b53452bc) + +commit 84264e082ffe0c5439a0c789ceb7f8308d1b9b7e +Author: Matthijs Mekking +Date: Wed Dec 19 10:16:10 2018 +0100 + + Replace DSA with Reserved algorithm + + (cherry picked from commit 17cdde1e56abae5c3bf5256ecbdacbd8cbef05b6) + (cherry picked from commit 0e9a8da68c89cb99b1892e8b0705b71c92532844) + +commit e335f239aca4bdbf8160fe9bc1ef3cfba15ae06f +Author: Matthijs Mekking +Date: Tue Dec 18 12:14:04 2018 +0100 + + Allow unsupported alg in zone /w dnssec-signzone + + dnssec-signzone should sign a zonefile that contains a DNSKEY record + with an unsupported algorithm. Current behavior is that it will + fail, hitting a fatal error. The fix detects unsupported algorithms + and will not try to add it to the keylist. + + Also when determining the maximum iterations for NSEC3, don't take + into account DNSKEY records in the zonefile with an unsupported + algorithm. + + (cherry picked from commit 1dd11fc754baf396bb3040527087b14f0678dd83) + (cherry picked from commit 040e132f1692ce8bb1ac83032ee761b3278f0272) + +commit a1c345c8ab39201fe6e0cd7f19696d6a2f8b5522 +Author: Matthijs Mekking +Date: Tue Dec 18 12:10:05 2018 +0100 + + Add dnssec-signzone tests with unsupported alg + + dnssec-signzone should sign a zonefile that contains a DNSKEY record + with an unsupported algorithm. 
+ + (cherry picked from commit 6d976b37c1b2b2c4bcede89252cf26b6f170c142) + (cherry picked from commit 8619318a1e6207e487438a93bd7a620967091347) + (cherry picked from commit 9f81119c0256378683c20e8e01a874378cabfcbc) +--- + bin/tests/system/dnssec/clean.sh | 4 ++ + bin/tests/system/dnssec/ns2/example.db.in | 5 ++- + .../ns3/dnskey-unsupported-2.example.db.in | 27 ++++++++++++ + .../ns3/dnskey-unsupported.example.db.in | 27 ++++++++++++ + bin/tests/system/dnssec/ns3/named.conf.in | 10 +++++ + bin/tests/system/dnssec/ns3/sign.sh | 42 ++++++++++++++++++- + .../dnssec/ns3/unsupported-algorithm.key | 1 + + bin/tests/system/dnssec/tests.sh | 20 +++++++++ + bin/tests/system/dupsigs/ns1/reset_keys.sh | 2 + + bin/tests/system/mkeys/ns6/setup.sh | 2 +- + bin/tests/system/mkeys/setup.sh | 2 + + bin/tests/system/mkeys/tests.sh | 6 +-- + lib/dns/dnssec.c | 8 ++++ + lib/dns/include/dns/dnssec.h | 2 +- + lib/dns/nsec3.c | 11 ++++- + 15 files changed, 161 insertions(+), 8 deletions(-) + create mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in + create mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in + create mode 100644 bin/tests/system/dnssec/ns3/unsupported-algorithm.key + +diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh +index 1873c4b586..0fcff23797 100644 +--- a/bin/tests/system/dnssec/clean.sh ++++ b/bin/tests/system/dnssec/clean.sh +@@ -55,6 +55,10 @@ rm -f ns3/future.example.db ns3/trusted-future.key + rm -f ns3/inline.example.db.signed + rm -f ns3/kskonly.example.db + rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower ++rm -f ./ns3/dnskey-unsupported.example.db ++rm -f ./ns3/dnskey-unsupported.example.db.tmp ++rm -f ./ns3/dnskey-unsupported-2.example.db ++rm -f ./ns3/dnskey-unsupported-2.example.db.tmp + rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db + rm -f ns3/nsec3.nsec3.example.db + rm -f ns3/nsec3.optout.example.db +diff --git 
a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in +index 0b831ec94e..6afffe00f3 100644 +--- a/bin/tests/system/dnssec/ns2/example.db.in ++++ b/bin/tests/system/dnssec/ns2/example.db.in +@@ -97,6 +97,9 @@ ns.optout-unknown A 10.53.0.3 + dnskey-unknown NS ns.dnskey-unknown + ns.dnskey-unknown A 10.53.0.3 + ++dnskey-unsupported NS ns.dnskey-unsupported ++ns.dnskey-unsupported A 10.53.0.3 ++ + dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown + ns.dnskey-nsec3-unknown A 10.53.0.3 + +@@ -111,7 +114,7 @@ ns.rsasha256 A 10.53.0.3 + rsasha512 NS ns.rsasha512 + ns.rsasha512 A 10.53.0.3 + +-kskonly NS ns.kskonly ++kskonly NS ns.kskonly + ns.kskonly A 10.53.0.3 + + update-nsec3 NS ns.update-nsec3 +diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in +new file mode 100644 +index 0000000000..c9e7c2b3da +--- /dev/null ++++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in +@@ -0,0 +1,27 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA mname1. . ( ++ 2000042407 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ns A 10.53.0.3 ++ ++a A 10.0.0.1 ++b A 10.0.0.2 ++d A 10.0.0.4 ++z A 10.0.0.26 ++a.a.a.a A 10.0.0.3 ++*.e A 10.0.0.6 ++child NS ns2.example. 
+diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in +new file mode 100644 +index 0000000000..c9e7c2b3da +--- /dev/null ++++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in +@@ -0,0 +1,27 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA mname1. . ( ++ 2000042407 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ns A 10.53.0.3 ++ ++a A 10.0.0.1 ++b A 10.0.0.2 ++d A 10.0.0.4 ++z A 10.0.0.26 ++a.a.a.a A 10.0.0.3 ++*.e A 10.0.0.6 ++child NS ns2.example. +diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in +index 14ebbc8ea8..6aa5d5350d 100644 +--- a/bin/tests/system/dnssec/ns3/named.conf.in ++++ b/bin/tests/system/dnssec/ns3/named.conf.in +@@ -150,6 +150,16 @@ zone "dnskey-unknown.example" { + file "dnskey-unknown.example.db.signed"; + }; + ++zone "dnskey-unsupported.example" { ++ type master; ++ file "dnskey-unsupported.example.db.signed"; ++}; ++ ++zone "dnskey-unsupported-2.example" { ++ type master; ++ file "dnskey-unsupported-2.example.db.signed"; ++}; ++ + zone "dnskey-nsec3-unknown.example" { + type master; + nsec3-test-zone yes; +diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh +index f95a6b7ea8..99e9b4958f 100644 +--- a/bin/tests/system/dnssec/ns3/sign.sh ++++ b/bin/tests/system/dnssec/ns3/sign.sh +@@ -12,6 +12,12 @@ + SYSTEMTESTTOP=../.. + . 
$SYSTEMTESTTOP/conf.sh + ++# Default algorithm for testing ++# In more recent versions set in conf.sh, include here for backward copatibility ++DEFAULT_ALGORITHM=RSASHA256 ++DEFAULT_ALGORITHM_NUMBER=8 ++DEFAULT_BITS=1280 ++ + zone=secure.example. + infile=secure.example.db.in + zonefile=secure.example.db +@@ -193,7 +199,7 @@ cat $infile $keyname.key >$zonefile + $SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + + # +-# A zone with a unknown DNSKEY algorithm. ++# A zone that is signed with an unknown DNSKEY algorithm. + # Algorithm 7 is replaced by 100 in the zone and dsset. + # + zone=dnskey-unknown.example. +@@ -211,6 +217,40 @@ awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { prin + DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP + $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + ++# ++# A zone that is signed with an unsupported DNSKEY algorithm (3). ++# Algorithm 7 is replaced by 255 in the zone and dsset. ++# ++zone=dnskey-unsupported.example. ++infile=dnskey-unsupported.example.db.in ++zonefile=dnskey-unsupported.example.db ++ ++keyname=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") ++ ++cat "$infile" "$keyname.key" > "$zonefile" ++ ++"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 ++ ++awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed ++ ++DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP" ++$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" ++ ++# ++# A zone with a published unsupported DNSKEY algorithm (Reserved). ++# Different from above because this key is not intended for signing. ++# ++zone=dnskey-unsupported-2.example. 
++infile=dnskey-unsupported-2.example.db.in ++zonefile=dnskey-unsupported-2.example.db ++ ++ksk=$("$KEYGEN" -f KSK -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") ++zsk=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") ++ ++cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" ++ ++"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 ++ + # + # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). + # Algorithm 7 is replaced by 100 in the zone and dsset. +diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key +new file mode 100644 +index 0000000000..cc8bb9a51d +--- /dev/null ++++ b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key +@@ -0,0 +1 @@ ++dnskey-unsupported-2.example. IN DNSKEY 257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b} +diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh +index b1907c73a5..fdbfbdb779 100644 +--- a/bin/tests/system/dnssec/tests.sh ++++ b/bin/tests/system/dnssec/tests.sh +@@ -3347,6 +3347,26 @@ n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)" ++ret=0 ++$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n ++$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n 
++grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
++grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
++grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
++n=$((n+1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status+ret))
++
++echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
++ret=0
++$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
++grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
++grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
++n=$((n+1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status+ret))
++
+ echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
+ ret=0
+ (
+diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
+index f03503f762..42ce8ac20b 100644
+--- a/bin/tests/system/dupsigs/ns1/reset_keys.sh
++++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
+@@ -22,6 +22,8 @@ timetodnssec() {
+ }
+ 
+ KEYDIR=keys/signing.test
++KEYGEN="$KEYGEN -r $RANDFILE"
++
+ KSK=`$KEYGEN -a RSASHA256 -b 1024 -K $KEYDIR -q -f KSK $zone`
+ 
+ ZSK0=`$KEYGEN -a RSASHA256 -b 1024 -K $KEYDIR -q $zone`
+diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
+index 5ba1647da5..6f196c20db 100644
+--- a/bin/tests/system/mkeys/ns6/setup.sh
++++ b/bin/tests/system/mkeys/ns6/setup.sh
+@@ -16,7 +16,7 @@ zone=.
+ zonefile=root.db
+ 
+ # an RSA key
+-rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
++rsakey=`$KEYGEN -a rsasha256 -b 2048 -r $RANDFILE -qfk rsasha256.`
+ 
+ # a key with unsupported algorithm
+ unsupportedkey=Kunknown.+255+00000
+diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
+index 100a86959b..79c877f85d 100644
+--- a/bin/tests/system/mkeys/setup.sh
++++ b/bin/tests/system/mkeys/setup.sh
+@@ -21,6 +21,8 @@ copy_setports ns1/named1.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+ copy_setports ns3/named.conf.in ns3/named.conf
+ copy_setports ns5/named.conf.in ns5/named.conf
++copy_setports ns6/named.conf.in ns6/named.conf
++copy_setports ns7/named.conf.in ns7/named.conf
+ 
+ cp ns5/named1.args ns5/named.args
+ 
+diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
+index b8410902d7..3533dbadbb 100644
+--- a/bin/tests/system/mkeys/tests.sh
++++ b/bin/tests/system/mkeys/tests.sh
+@@ -297,7 +297,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
+ echo_i "reinitialize trust anchors"
+-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns2
++$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} . ns2
+ rm -f ns2/managed-keys.bind*
+ nextpart ns2/named.run > /dev/null
+ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns2
+@@ -714,10 +714,10 @@ status=`expr $status + $ret`
+ 
+ echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
+ ret=0
+-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
++$PERL $SYSTEMTESTTOP/stop.pl --port ${CONTROLPORT} . ns6
+ rm -f ns6/managed-keys.bind*
+ nextpart ns6/named.run > /dev/null
+-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . 
ns6
+ # log when an unsupported algorithm is encountered during startup
+ wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
+index 1045f8ff21..984f28be26 100644
+--- a/lib/dns/dnssec.c
++++ b/lib/dns/dnssec.c
+@@ -1681,6 +1681,14 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+ result = dns_rdataset_next(&keys)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&keys, &rdata);
++
++ /* Skip unsupported algorithms */
++ REQUIRE(rdata.type == dns_rdatatype_key ||
++ rdata.type == dns_rdatatype_dnskey);
++ REQUIRE(rdata.length > 3);
++ if (!dst_algorithm_supported(rdata.data[3]))
++ goto skip;
++
+ RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+ dst_key_setttl(pubkey, keys.ttl);
+ 
+diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
+index 75e32202a9..9a638852d7 100644
+--- a/lib/dns/include/dns/dnssec.h
++++ b/lib/dns/include/dns/dnssec.h
+@@ -299,7 +299,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
+ /*%<
+ * Search 'directory' for K* key files matching the name in 'origin'.
+ * Append all such keys, along with use hints gleaned from their
+- * metadata, onto 'keylist'.
++ * metadata, onto 'keylist'. Skip any unsupported algorithms.
+ *
+ * Requires:
+ *\li 'keylist' is not NULL
+diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
+index 37b6a8a7fe..0729886c9f 100644
+--- a/lib/dns/nsec3.c
++++ b/lib/dns/nsec3.c
+@@ -1801,8 +1801,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+-
+ dns_rdataset_current(&rdataset, &rdata);
++
++ /* Skip unsupported algorithms when
++ * calculating the maximum iterations.
++ */
++ REQUIRE(rdata.type == dns_rdatatype_key ||
++ rdata.type == dns_rdatatype_dnskey);
++ REQUIRE(rdata.length > 3);
++ if (!dst_algorithm_supported(rdata.data[3]))
++ continue;
++
+ isc_buffer_init(&buffer, rdata.data, rdata.length);
+ isc_buffer_add(&buffer, rdata.length);
+ CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
+-- 
+2.20.1
+
diff --git a/SOURCES/bind-9.11-CVE-2018-5745.patch b/SOURCES/bind-9.11-CVE-2018-5745.patch
new file mode 100644
index 0000000..1ea50c6
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5745.patch
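Review bot: The two dnssec-signzone calls added to bin/tests/system/dnssec/ns3/sign.sh for dnskey-unsupported.example and dnskey-unsupported-2.example send all output to /dev/null and never check the exit status, so if signing fails — which is exactly the behaviour the lib/dns/dnssec.c part of this patch is meant to fix — the following awk and dnssec-dsfromkey steps run against a missing file and the regression only surfaces later as an unrelated dig mismatch in tests.sh. The rest of sign.sh follows the same silent pattern, so this may be deliberate, but appending `|| exit 1` to each `"$SIGNER" ... > /dev/null 2>&1` line would make a signing regression fail at setup time. The same block mixes quoted and unquoted expansions on one line (`-f ${zonefile}.tmp "$zonefile"` alongside `-r $RANDFILE`), and the new comment reads "copatibility" where "compatibility" is meant. In the lib/dns/dnssec.c hunk the `goto skip` target and whatever cleanup it performs lie outside the hunk; it is worth confirming in this 9.11 tree that the label is safe to reach before `pubkey` has been allocated, since the jump now happens ahead of dns_dnssec_keyfromrdata().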
@@ -0,0 +1,474 @@ +From c705a3eac69286b47a70b851aa5dd9119d04512f Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 23 Jul 2019 16:43:55 +0200 +Subject: [PATCH] Fix CVE-2018-5745 + +Squashed commit of the following: + +commit c38e1dd10567e246bb802d889c3b2d2d286c7616 +Author: Evan Hunt +Date: Fri Dec 21 17:24:47 2018 -0800 + + use algorithm 255 for both unsupported keys + + (cherry picked from commit de8b2d4a6a97bb2ddf19024918581e70512ebc41) + +commit caf8a62270c850fbc59cfa6bb9dcedb2ef7228c2 +Author: Matthijs Mekking +Date: Wed Dec 19 18:45:43 2018 +0100 + + Add tests for mkeys with unsupported algorithm + + These tests check if a key with an unsupported algorithm in + managed-keys is ignored and when seeing an algorithm rollover to + an unsupported algorithm, the new key will be ignored too. + + (cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9) + (cherry picked from commit 8c2a8ca50946449bf26a7e0843cc5e54e36071ae) + +commit 634655f38385595fb9a35e93ec3a72ed4c48bda6 +Author: Matthijs Mekking +Date: Wed Dec 19 18:47:43 2018 +0100 + + Update keyfetch_done compute_tag check + + If in keyfetch_done the compute_tag fails (because for example the + algorithm is not supported), don't crash, but instead ignore the + key. + + (cherry picked from commit b1d5411569ae10830b63f07560091193646cc739) + (cherry picked from commit 8f64928e2eb9395d8cdcd62183a1eaec3b1c5256) + +commit e5cb28c3f3df4c37d528665e67fb460cc1662259 +Author: Matthijs Mekking +Date: Wed Dec 12 14:06:10 2018 +0100 + + Don't free key in compute_tag in case of failure + + If `dns_dnssec_keyfromrdata` failed we don't need to call + `dst_key_free` because no `dstkey` was created. Doing so + nevertheless will result in an assertion failure. + + This can happen if the key uses an unsupported algorithm. 
+ + (cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69) + (cherry picked from commit acae423ef4274c5535da324da78ce1441628d5f6) +--- + bin/tests/system/mkeys/README | 3 + + bin/tests/system/mkeys/clean.sh | 2 + + bin/tests/system/mkeys/ns1/root.db | 20 +++---- + bin/tests/system/mkeys/ns1/sign.sh | 7 ++- + bin/tests/system/mkeys/ns1/unsupported.key | 1 + + bin/tests/system/mkeys/ns6/named.args | 1 + + bin/tests/system/mkeys/ns6/named.conf.in | 43 +++++++++++++++ + bin/tests/system/mkeys/ns6/setup.sh | 30 ++++++++++ + .../system/mkeys/ns6/unsupported-managed.key | 1 + + bin/tests/system/mkeys/ns7/named.conf.in | 50 +++++++++++++++++ + bin/tests/system/mkeys/setup.sh | 1 + + bin/tests/system/mkeys/tests.sh | 55 +++++++++++++++++++ + lib/dns/include/dst/dst.h | 3 +- + lib/dns/zone.c | 27 ++++++++- + 14 files changed, 229 insertions(+), 15 deletions(-) + create mode 100644 bin/tests/system/mkeys/ns1/unsupported.key + create mode 100644 bin/tests/system/mkeys/ns6/named.args + create mode 100644 bin/tests/system/mkeys/ns6/named.conf.in + create mode 100644 bin/tests/system/mkeys/ns6/setup.sh + create mode 100644 bin/tests/system/mkeys/ns6/unsupported-managed.key + create mode 100644 bin/tests/system/mkeys/ns7/named.conf.in + +diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README +index 700e6c21ca..257ef5406f 100644 +--- a/bin/tests/system/mkeys/README ++++ b/bin/tests/system/mkeys/README +@@ -16,3 +16,6 @@ ns3 is a validator with a broken key in managed-keys. + + ns5 is a validator which is prevented from getting a response from the + root server, causing key refresh queries to fail. ++ ++ns6 is a validator which has unsupported algorithms, one at start up, ++one because of an algorithm rollover. 
+diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh +index 17bd50f273..844d813eb4 100644 +--- a/bin/tests/system/mkeys/clean.sh ++++ b/bin/tests/system/mkeys/clean.sh +@@ -11,6 +11,7 @@ + + rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk + rm -f dsset-. ns1/dsset-. ++rm -f ns1/zone.key + rm -f ns*/named.lock + rm -f */managed-keys.bind* */named.secroots + rm -f */managed.conf ns1/managed.key ns1/managed.key.id +@@ -19,3 +20,4 @@ rm -f dig.out* delv.out* rndc.out* signer.out* + rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp + rm -f */named.conf + rm -f ns5/named.args ++rm -f ns7/view1.mkeys ns7/view2.mkeys +diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db +index 6ba922af09..0070f13942 100644 +--- a/bin/tests/system/mkeys/ns1/root.db ++++ b/bin/tests/system/mkeys/ns1/root.db +@@ -8,16 +8,16 @@ + ; information regarding copyright ownership. + + $TTL 20 +-. IN SOA gson.nominum.com. a.root.servers.nil. ( +- 2000042100 ; serial +- 600 ; refresh +- 600 ; retry +- 1200 ; expire +- 2 ; minimum +- ) +-. NS a.root-servers.nil. +-a.root-servers.nil. A 10.53.0.1 ++. IN SOA gson.nominum.com. a.root.servers.nil. ( ++ 2000042100 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 2 ; minimum ++ ) ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 + + ; no delegation + +-example. TXT "This is a test." ++example. TXT "This is a test." +diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh +index ccc7889ad9..e5e7ec05d6 100644 +--- a/bin/tests/system/mkeys/ns1/sign.sh ++++ b/bin/tests/system/mkeys/ns1/sign.sh +@@ -25,13 +25,18 @@ keyfile_to_managed_keys $keyname > managed.conf + cp managed.conf ../ns2/managed.conf + cp managed.conf ../ns5/managed.conf + +-# Configure a trusted key statement (used by delv) ++# Configure a trusted key statement (used by delv). + keyfile_to_trusted_keys $keyname > trusted.conf + ++# Prepare an unsupported algorithm key. 
++unsupportedkey=Kunknown.+255+00000 ++cp unsupported.key "${unsupportedkey}.key" ++ + # + # Save keyname and keyid for managed key id test. + # + echo "$keyname" > managed.key ++echo "$zskkeyname" > zone.key + keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'` + keyid=`expr $keyid + 0` + echo "$keyid" > managed.key.id +diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key +new file mode 100644 +index 0000000000..7435d03b63 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns1/unsupported.key +@@ -0,0 +1 @@ ++. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB +diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args +new file mode 100644 +index 0000000000..02f8f670f6 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/named.args +@@ -0,0 +1 @@ ++-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 +diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in +new file mode 100644 +index 0000000000..8d76f7f2e7 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/named.conf.in +@@ -0,0 +1,43 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. 
++ */ ++ ++// NS6 ++ ++options { ++ query-source address 10.53.0.6; ++ notify-source 10.53.0.6; ++ transfer-source 10.53.0.6; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.6; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ notify no; ++ dnssec-enable yes; ++ dnssec-validation yes; ++ trust-anchor-telemetry no; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++zone "." { ++ type hint; ++ file "../../common/root.hint"; ++}; ++ ++include "managed.conf"; +diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh +new file mode 100644 +index 0000000000..5ba1647da5 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/setup.sh +@@ -0,0 +1,30 @@ ++#!/bin/sh -e ++# ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++SYSTEMTESTTOP=../.. ++. $SYSTEMTESTTOP/conf.sh ++ ++zone=. ++zonefile=root.db ++ ++# an RSA key ++rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.` ++ ++# a key with unsupported algorithm ++unsupportedkey=Kunknown.+255+00000 ++cp unsupported-managed.key "${unsupportedkey}.key" ++ ++# root key ++rootkey=`cat ../ns1/managed.key` ++cp "../ns1/${rootkey}.key" . ++ ++# Configure the resolving server with a managed trusted key. 
++keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf +diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key +new file mode 100644 +index 0000000000..be872a00f0 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key +@@ -0,0 +1 @@ ++unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6 +diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in +new file mode 100644 +index 0000000000..a9aba00733 +--- /dev/null ++++ b/bin/tests/system/mkeys/ns7/named.conf.in +@@ -0,0 +1,50 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++// NS7 ++ ++options { ++ query-source address 10.53.0.7; ++ notify-source 10.53.0.7; ++ transfer-source 10.53.0.7; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.7; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ notify no; ++ dnssec-enable yes; ++ dnssec-validation auto; ++ bindkeys-file "managed.conf"; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++view view1 { ++ zone "." 
{ ++ type hint; ++ file "../../common/root.hint"; ++ }; ++}; ++ ++view view2 { ++ zone "." { ++ type hint; ++ file "../../common/root.hint"; ++ }; ++}; +diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh +index bd3169f9b6..100a86959b 100644 +--- a/bin/tests/system/mkeys/setup.sh ++++ b/bin/tests/system/mkeys/setup.sh +@@ -25,3 +25,4 @@ copy_setports ns5/named.conf.in ns5/named.conf + cp ns5/named1.args ns5/named.args + + ( cd ns1 && $SHELL sign.sh ) ++( cd ns6 && $SHELL setup.sh ) +diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh +index f65f49e98d..b8410902d7 100644 +--- a/bin/tests/system/mkeys/tests.sh ++++ b/bin/tests/system/mkeys/tests.sh +@@ -701,6 +701,8 @@ rm -f ns1/root.db.signed.jnl + nextpart ns5/named.run > /dev/null + mkeys_reconfig_on 1 + wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run ++#mkeys_secroots_on 5 ++#grep '; managed' ns5/named.secroots > /dev/null || ret=1 + # ns1 should not longer REFUSE queries from ns5, so managed keys should be + # correctly refreshed and resolving should succeed + $DIG $DIGOPTS +noauth example. 
@10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 +@@ -710,5 +712,58 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" ++ret=0 ++$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6 ++rm -f ns6/managed-keys.bind* ++nextpart ns6/named.run > /dev/null ++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6 ++# log when an unsupported algorithm is encountered during startup ++wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo_i "skipping unsupported algorithm in managed-keys ($n)" ++ret=0 ++mkeys_status_on 6 > rndc.out.$n 2>&1 ++# there should still be only two keys listed (for . and rsasha256.) ++count=`grep -c "keyid: " rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++# two lines indicating trust status ++count=`grep -c "trust" rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++ ++n=`expr $n + 1` ++echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" ++ret=0 ++cp ns1/root.db ns1/root.db.orig ++ksk=`cat ns1/managed.key` ++zsk=`cat ns1/zone.key` ++cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db ++grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1 ++$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1 ++grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 ++cp ns1/root.db.orig ns1/root.db ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ ++n=`expr $n + 1` ++echo_i "skipping unsupported algorithm in rollover ($n)" ++ret=0 ++mkeys_reload_on 1 ++mkeys_refresh_on 6 ++mkeys_status_on 6 > rndc.out.$n 2>&1 ++# there should still be only two keys listed (for . and rsasha256.) 
++count=`grep -c "keyid: " rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++# two lines indicating trust status ++count=`grep -c "trust" rndc.out.$n` ++[ "$count" -eq 2 ] || ret=1 ++# log when an unsupported algorithm is encountered during rollover ++wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index e8c1a3c287..91f4a6e300 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_t; + #define DST_ALG_HMACSHA512 165 /* XXXMPA */ + #define DST_ALG_INDIRECT 252 + #define DST_ALG_PRIVATE 254 +-#define DST_ALG_EXPAND 255 +-#define DST_MAX_ALGS 255 ++#define DST_MAX_ALGS 256 + + /*% A buffer of this size is large enough to hold any key */ + #define DST_KEY_MAXSIZE 1280 +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 055b2417eb..96c98d585c 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -3903,9 +3903,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, + dns_rdatatype_dnskey, dnskey, &buffer); + + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + *tag = dst_key_id(dstkey); +- dst_key_free(&dstkey); ++ dst_key_free(&dstkey); ++ } + + return (result); + } +@@ -9364,6 +9365,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { + + dns_keydata_todnskey(&keydata, &dnskey, NULL); + result = compute_tag(keyname, &dnskey, mctx, &keytag); ++ if (result != ISC_R_SUCCESS) { ++ /* ++ * Skip if we cannot compute the key tag. 
++ * This may happen if the algorithm is unsupported ++ */ ++ dns_zone_log(zone, ISC_LOG_ERROR, ++ "Cannot compute tag for key in zone %s: %s " ++ "(skipping)", ++ namebuf, dns_result_totext(result)); ++ continue; ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + /* +@@ -9475,6 +9487,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { + continue; + + result = compute_tag(keyname, &dnskey, mctx, &keytag); ++ if (result != ISC_R_SUCCESS) { ++ /* ++ * Skip if we cannot compute the key tag. ++ * This may happen if the algorithm is unsupported ++ */ ++ dns_zone_log(zone, ISC_LOG_ERROR, ++ "Cannot compute tag for key in zone %s: %s " ++ "(skipping)", ++ namebuf, dns_result_totext(result)); ++ continue; ++ } + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE); +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-CVE-2019-6465.patch b/SOURCES/bind-9.11-CVE-2019-6465.patch new file mode 100644 index 0000000..0657aa3 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2019-6465.patch 
@@ -0,0 +1,100 @@ +From 3824a600a51188c713e900115d6af129b54706df Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 6 Feb 2019 11:35:21 -0800 +Subject: [PATCH] denied axfr requests were not effective for writable DLZ + zones + +(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283) +(cherry picked from commit 34348d9ee4db15307c6c42db294419b4df569f76) +--- + bin/named/xfrout.c | 8 ++++---- + bin/tests/system/dlzexternal/driver.c | 18 +++++++++++++++--- + bin/tests/system/dlzexternal/tests.sh | 16 ++++++++++++---- + 3 files changed, 31 insertions(+), 11 deletions(-) + +diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c +index c531e0acef..f6e57d889e 100644 +--- a/bin/named/xfrout.c ++++ b/bin/named/xfrout.c +@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) { + result = dns_zt_find(client->view->zonetable, question_name, 0, NULL, + &zone); + +- if (result != ISC_R_SUCCESS) { ++ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) { + /* +- * Normal zone table does not have a match. +- * Try the DLZ database ++ * The normal zone table does not have a match, or this is ++ * marked in the zone table as a DLZ zone. Check the DLZ ++ * databases for a match. + */ +- // Temporary: only searching the first DLZ database + if (! 
ISC_LIST_EMPTY(client->view->dlz_searched)) { + result = dns_dlzallowzonexfr(client->view, + question_name, +diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c +index 37a62622da..dfa7847984 100644 +--- a/bin/tests/system/dlzexternal/driver.c ++++ b/bin/tests/system/dlzexternal/driver.c +@@ -542,10 +542,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, + */ + isc_result_t + dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { +- UNUSED(client); ++ isc_result_t result; ++ ++ result = dlz_findzonedb(dbdata, name, NULL, NULL); ++ if (result != ISC_R_SUCCESS) { ++ return (result); ++ } + +- /* Just say yes for all our zones */ +- return (dlz_findzonedb(dbdata, name, NULL, NULL)); ++ /* ++ * Exception for 10.53.0.5 so we can test that allow-transfer ++ * is effective. ++ */ ++ if (strcmp(client, "10.53.0.5") == 0) { ++ return (ISC_R_NOPERM); ++ } ++ ++ return (ISC_R_SUCCESS); + } + + /* +diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh +index 87dd13b10e..1754aaa57c 100644 +--- a/bin/tests/system/dlzexternal/tests.sh ++++ b/bin/tests/system/dlzexternal/tests.sh +@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. 
A "86400 A 10.53.0.10" "10.53.0.10" || ret=1 + status=`expr $status + $ret` + + newtest "testing AXFR from DLZ drivers" +-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n +-lines=`cat dig.out.ns1.test$n | wc -l` ++$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n ++lines=`cat dig.out.example.ns1.test$n | wc -l` + [ ${lines:-0} -eq 4 ] || ret=1 +-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n +-lines=`cat dig.out.ns1.test$n | wc -l` ++$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n ++lines=`cat dig.out.alternate.ns1.test$n | wc -l` + [ ${lines:-0} -eq 5 ] || ret=1 + [ "$ret" -eq 0 ] || echo_i "failed" + status=`expr $status + $ret` + ++newtest "testing AXFR denied from DLZ drivers" ++$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n ++grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1 ++$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n ++grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 ++[ "$ret" -eq 0 ] || echo_i "failed" ++status=`expr $status + $ret` ++ + newtest "testing unsearched/unregistered DLZ zone is not found" + $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n + grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1 +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rh1732883.patch b/SOURCES/bind-9.11-rh1732883.patch new file mode 100644 index 0000000..5afea78 --- /dev/null +++ b/SOURCES/bind-9.11-rh1732883.patch 
@@ -0,0 +1,181 @@ +diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h +index 246aefb..0007543 100644 +--- a/lib/isc/include/isc/result.h ++++ b/lib/isc/include/isc/result.h +@@ -83,9 +83,9 @@ + #define ISC_R_UNSET 61 /*%< unset */ + #define ISC_R_MULTIPLE 62 /*%< multiple */ + #define ISC_R_WOULDBLOCK 63 /*%< would block */ +- ++#define ISC_R_TIMESHIFTED 64 /*%< system time changed */ + /*% Not a result code: the number of results. */ +-#define ISC_R_NRESULTS 64 ++#define ISC_R_NRESULTS 66 + + ISC_LANG_BEGINDECLS + +diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h +index 332dc0c..f81967d 100644 +--- a/lib/isc/include/isc/util.h ++++ b/lib/isc/include/isc/util.h +@@ -233,6 +233,10 @@ + * Time + */ + #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) ++#ifdef CLOCK_BOOTTIME ++#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS) ++#endif ++ + + /*% + * Misc +diff --git a/lib/isc/result.c b/lib/isc/result.c +index a707c32..6776fc6 100644 +--- a/lib/isc/result.c ++++ b/lib/isc/result.c +@@ -99,6 +99,7 @@ static const char *description[ISC_R_NRESULTS] = { + "unset", /*%< 61 */ + "multiple", /*%< 62 */ + "would block", /*%< 63 */ ++ "time changed", /*%< 64 */ + }; + + static const char *identifier[ISC_R_NRESULTS] = { +@@ -166,6 +167,7 @@ static const char *identifier[ISC_R_NRESULTS] = { + "ISC_R_UNSET", + "ISC_R_MULTIPLE", + "ISC_R_WOULDBLOCK", ++ "ISC_R_TIMESHIFTED", + }; + + #define ISC_RESULT_RESULTSET 2 +diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c +index bace2bd..e9814d2 100644 +--- a/lib/isc/unix/app.c ++++ b/lib/isc/unix/app.c +@@ -441,15 +441,51 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task, + static isc_result_t + evloop(isc__appctx_t *ctx) { + isc_result_t result; ++ isc_time_t now; ++#ifdef CLOCK_BOOTTIME ++ isc_time_t monotonic; ++ isc_uint64_t diff = 0; ++#else ++ isc_time_t prev; ++ TIME_NOW(&prev); ++#endif ++ ++ ++ + + while 
(!ctx->want_shutdown) { + int n; +- isc_time_t when, now; ++ isc_time_t when; ++ + struct timeval tv, *tvp; + isc_socketwait_t *swait; + isc_boolean_t readytasks; + isc_boolean_t call_timer_dispatch = ISC_FALSE; + ++ isc_uint64_t us; ++ ++#ifdef CLOCK_BOOTTIME ++ // TBD macros for following three lines ++ TIME_NOW(&now); ++ TIME_MONOTONIC(&monotonic); ++ // INSIST(now.seconds > monotonic.seconds) ++ us = isc_time_microdiff (&now, &monotonic); ++ if (us < diff){ ++ us = diff - us; ++ if (us > 1000000){ // ignoring shifts less than one second ++ return ISC_R_TIMESHIFTED; ++ }; ++ diff = isc_time_microdiff (&now, &monotonic); ++ } else { ++ diff = isc_time_microdiff (&now, &monotonic); ++ // not implemented ++ } ++#else ++ TIME_NOW(&now); ++ if (isc_time_compare (&now, &prev) < 0) ++ return ISC_R_TIMESHIFTED; ++ TIME_NOW(&prev); ++#endif + /* + * Check the reload (or suspend) case first for exiting the + * loop as fast as possible in case: +@@ -474,9 +510,10 @@ evloop(isc__appctx_t *ctx) { + if (result != ISC_R_SUCCESS) + tvp = NULL; + else { +- isc_uint64_t us; ++ + + TIME_NOW(&now); ++ + us = isc_time_microdiff(&when, &now); + if (us == 0) + call_timer_dispatch = ISC_TRUE; +diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h +index 75e24b9..de8b399 100644 +--- a/lib/isc/unix/include/isc/time.h ++++ b/lib/isc/unix/include/isc/time.h +@@ -129,6 +129,26 @@ isc_time_isepoch(const isc_time_t *t); + *\li 't' is a valid pointer. + */ + ++#ifdef CLOCK_BOOTTIME ++isc_result_t ++isc_time_boottime(isc_time_t *t); ++/*%< ++ * Set 't' to monotonic time from previous boot ++ * it's not affected by system time change. It also ++ * includes the time system was suspended ++ * ++ * Requires: ++ *\li 't' is a valid pointer. ++ * ++ * Returns: ++ * ++ *\li Success ++ *\li Unexpected error ++ * Getting the time from the system failed. 
++ */ ++#endif /* CLOCK_BOOTTIME */ ++ ++ + isc_result_t + isc_time_now(isc_time_t *t); + /*%< +diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c +index 2210240..d7613b8 100644 +--- a/lib/isc/unix/time.c ++++ b/lib/isc/unix/time.c +@@ -496,3 +496,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) { + t->nanoseconds / NS_PER_MS); + } + } ++ ++ ++#ifdef CLOCK_BOOTTIME ++isc_result_t ++isc_time_boottime(isc_time_t *t) { ++ struct timespec ts; ++ ++ char strbuf[ISC_STRERRORSIZE]; ++ ++ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){ ++ isc__strerror(errno, strbuf, sizeof(strbuf)); ++ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf); ++ return (ISC_R_UNEXPECTED); ++ } ++ ++ t->seconds = ts.tv_sec; ++ t->nanoseconds = ts.tv_nsec; ++ ++ return (ISC_R_SUCCESS); ++ ++}; ++#endif diff --git a/SOURCES/bind-9.11-rh1743572-2.patch b/SOURCES/bind-9.11-rh1743572-2.patch new file mode 100644 index 0000000..a46c8ec --- /dev/null +++ b/SOURCES/bind-9.11-rh1743572-2.patch @@ -0,0 +1,29 @@ +From 908b71224037745db3d1420a37e99ee9cbb3b3b3 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 12 Dec 2019 16:05:25 +0100 +Subject: [PATCH] Terminate query if both setup_lookup and next_origin failed + +That happens in case searched name plus search domain is too long and no +shorted origin would follow. +--- + bin/dig/dighost.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index 6302a98..ed9625e 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -2053,6 +2053,10 @@ start_lookup(void) { + do_lookup(current_lookup); + else if (next_origin(current_lookup)) + check_next_lookup(current_lookup); ++ else { ++ cancel_lookup(current_lookup); ++ check_next_lookup(current_lookup); ++ } + } else { + check_if_done(); + } +-- +2.21.0 + diff --git a/SOURCES/bind-9.11-rh1743572.patch b/SOURCES/bind-9.11-rh1743572.patch new file mode 100644 index 0000000..23690e4 --- /dev/null 
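Review bot: `ISC_R_NRESULTS` is raised from 64 to 66 in result.h although only one code (`ISC_R_TIMESHIFTED 64`) is added, so the `description[]` and `identifier[]` tables in result.c, both sized by that macro and holding 65 initializers, now carry a trailing NULL slot at index 65 that gets registered as a valid result code; it should be `#define ISC_R_NRESULTS 65`. The declaration of `isc_time_boottime()` in the public `isc/time.h` and the `TIME_MONOTONIC` macro in `isc/util.h` are both guarded by `#ifdef CLOCK_BOOTTIME`, which ties their availability to whether `<time.h>` happened to be included earlier in the translation unit; a configure-time feature macro, or including `<time.h>` in those headers, avoids inconsistent declarations across users. The two evloop variants also disagree: under CLOCK_BOOTTIME only a backward shift of more than one second returns `ISC_R_TIMESHIFTED` and a forward jump merely refreshes `diff` (marked `// not implemented`), while the fallback returns on any backward step, so at minimum that comment should state the intended tolerance and what the caller of evloop, which is outside the hunk, does with the new result. The `};` after the inner `return` and the `//` comments are also out of keeping with the surrounding C89-style code.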
+++ b/SOURCES/bind-9.11-rh1743572.patch 
@@ -0,0 +1,76 @@ +From ba56e64560c5907e99186116623f2899b8520b68 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 2 Oct 2019 14:00:13 +0200 +Subject: [PATCH] Revert "3640. [bug] ndots was not being checked + when searching. Only" + +This reverts commit 8afea636ab0c07399aa3e2410b2cfbd41099df98. + +Revert is only partial. Absolute names does not search. Name with dots +tries first absolute, then relative with search appended. +--- + bin/dig/dighost.c | 8 +++----- + bin/dig/nslookup.c | 3 ++- + bin/dig/nslookup.docbook | 2 +- + 3 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index d46379ddc2..30b19b3121 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -2273,14 +2273,12 @@ next_origin(dig_lookup_t *oldlookup) { + return (ISC_FALSE); + + /* +- * Check for a absolute name or ndots being met. ++ * Check for a absolute name. + */ + name = dns_fixedname_initname(&fixed); + result = dns_name_fromstring2(name, oldlookup->textname, NULL, + 0, NULL); +- if (result == ISC_R_SUCCESS && +- (dns_name_isabsolute(name) || +- (int)dns_name_countlabels(name) > ndots)) ++ if (result == ISC_R_SUCCESS && dns_name_isabsolute(name)) + return (ISC_FALSE); + + if (oldlookup->origin == NULL && !oldlookup->need_search) +@@ -4215,7 +4213,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { + } else if (l->sendcookie && msg->opt != NULL) + process_opt(l, msg); + if (!l->doing_xfr || l->xfr_q == query) { +- if (msg->rcode == dns_rcode_nxdomain && ++ if (msg->rcode != dns_rcode_noerror && + (l->origin != NULL || l->need_search)) { + if (!next_origin(query->lookup) || showsearch) { + dighost_printmessage(query, msg, ISC_TRUE); +diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c +index 89a615bf1c..5c8aa51a48 100644 +--- a/bin/dig/nslookup.c ++++ b/bin/dig/nslookup.c +@@ -472,7 +472,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { + dns_name_format(query->lookup->name, + nametext, 
sizeof(nametext)); + printf("** server can't find %s: %s\n", +- nametext, rcode_totext(msg->rcode)); ++ (msg->rcode != dns_rcode_nxdomain) ? nametext : ++ query->lookup->textname, rcode_totext(msg->rcode)); + debug("returning with rcode == 0"); + + /* the lookup failed */ +diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook +index 86a09c658e..e3e8869e33 100644 +--- a/bin/dig/nslookup.docbook ++++ b/bin/dig/nslookup.docbook +@@ -412,7 +412,7 @@ nslookup -query=hinfo -timeout=10 + + + Set the number of dots (label separators) in a domain +- that will disable searching. Absolute names always ++ that will reverse order of searching. Absolute names always + stop searching. + + +-- +2.20.1 + diff --git a/SOURCES/bind-9.11-rh1753259.patch b/SOURCES/bind-9.11-rh1753259.patch new file mode 100644 index 0000000..8bf9f47 --- /dev/null +++ b/SOURCES/bind-9.11-rh1753259.patch @@ -0,0 +1,34 @@ +From f968f649e7e57eb097fb766be805a2d976d2dcc6 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 27 Nov 2019 16:06:12 +0100 +Subject: [PATCH] Disable listening on IPV6 by default + +If configuration file does not mention listen-on-v6, for backward +compatibility assume none; Upstream changed default value to any; but +previous RHEL7 version did not have it. +--- + bin/named/server.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 93f9417..eac467f 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -7781,11 +7781,13 @@ load_configuration(const char *filename, ns_server_t *server, + ns_g_mctx, AF_INET6, + &listenon); + } else if (!ns_g_lwresdonly) { ++ isc_boolean_t enable; + /* + * Not specified, use default. + */ ++ enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS); + CHECK(ns_listenlist_default(ns_g_mctx, listen_port, +- -1, ISC_TRUE, &listenon)); ++ -1, enable, &listenon)); + } + if (listenon != NULL) { + ns_interfacemgr_setlistenon6(server->interfacemgr, +-- +2.20.1 + 
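Review bot: The change in recv_done from `msg->rcode == dns_rcode_nxdomain` to `msg->rcode != dns_rcode_noerror` makes the search list be walked after SERVFAIL, REFUSED or any other error as well, so a DNSSEC validation failure or an unreachable server for the name the user typed is quietly replaced by a lookup of `name.<searchdomain>`, and unless +showsearch is set only the last answer is printed. That goes beyond the stated goal of restoring searching for names with dots and makes failures harder to diagnose; keeping the retry limited to NXDOMAIN, or emitting a warning before falling through to the next origin, would keep the original error visible. The nslookup.docbook sentence `that will reverse order of searching` is also unclear; per the commit description, something like `Names with at least this many dots are tried as absolute first, then with the search list appended` says what the code now does.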
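Review bot: The fallback `enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS)` silently disables IPv6 listening whenever IPv4 is available and `listen-on-v6` is absent, which diverges from the upstream 9.11 default of `any` that the commit message itself mentions; an operator following upstream documentation will believe named is reachable over IPv6 when it is not. Logging the decision at startup, e.g. `listen-on-v6 not configured; defaulting to none because IPv4 is available`, and noting the downstream default in the shipped documentation would make the behaviour discoverable. A one-line comment above the assignment stating the compatibility rationale (`/* RHEL7 compatibility: no IPv6 listener unless IPv4 is unavailable */`) would also help the next maintainer; load_configuration continues outside the hunk.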
diff --git a/SOURCES/bind-9.11.4-CVE-2019-6477.patch b/SOURCES/bind-9.11.4-CVE-2019-6477.patch new file mode 100644 index 0000000..0a7e554 --- /dev/null +++ b/SOURCES/bind-9.11.4-CVE-2019-6477.patch 
@@ -0,0 +1,157 @@ +From c3314d0fa0756d39cab1e9d9e3cf2e36dd6273da Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Mon, 18 Nov 2019 16:44:58 +0100 +Subject: [PATCH] Limit number of queries per TCP connection + +5306. [security] Set a limit on the number of concurrently served + pipelined TCP queries. (CVE-2019-6477) [GL #1264] +--- + bin/named/client.c | 73 ++++++++++++++++++++------------ + bin/named/include/named/client.h | 5 ++- + 2 files changed, 50 insertions(+), 28 deletions(-) + +diff --git a/bin/named/client.c b/bin/named/client.c +index f21a77ba52..23f70edaff 100644 +--- a/bin/named/client.c ++++ b/bin/named/client.c +@@ -98,7 +98,15 @@ + #define SEND_BUFFER_SIZE 4096 + #define RECV_BUFFER_SIZE 4096 + ++#define TCP_CLIENTS_PER_CONN 23 ++/*%< ++ * Number of simultaneous ns_clients_t (queries in flight) for one ++ * TCP connection. The number was arbitrarily picked and might be ++ * changed in the future. ++ */ ++ + #ifdef ISC_PLATFORM_USETHREADS ++ + #define NMCTXS 100 + /*%< + * Number of 'mctx pools' for clients. (Should this be configurable?) 
+@@ -333,7 +341,7 @@ tcpconn_init(ns_client_t *client, isc_boolean_t force) { + */ + tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn)); + +- isc_refcount_init(&tconn->refs, 1); ++ isc_refcount_init(&tconn->clients, 1); /* Current client */ + tconn->tcpquota = quota; + quota = NULL; + tconn->pipelined = ISC_FALSE; +@@ -350,14 +358,14 @@ tcpconn_init(ns_client_t *client, isc_boolean_t force) { + */ + static void + tcpconn_attach(ns_client_t *source, ns_client_t *target) { +- int refs; ++ int old_clients; + + REQUIRE(source->tcpconn != NULL); + REQUIRE(target->tcpconn == NULL); + REQUIRE(source->tcpconn->pipelined); + +- isc_refcount_increment(&source->tcpconn->refs, &refs); +- INSIST(refs > 1); ++ isc_refcount_increment(&source->tcpconn->clients, &old_clients); ++ INSIST(old_clients > 1); + target->tcpconn = source->tcpconn; + } + +@@ -370,15 +378,15 @@ tcpconn_attach(ns_client_t *source, ns_client_t *target) { + static void + tcpconn_detach(ns_client_t *client) { + ns_tcpconn_t *tconn = NULL; +- int refs; ++ int old_clients; + + REQUIRE(client->tcpconn != NULL); + + tconn = client->tcpconn; + client->tcpconn = NULL; + +- isc_refcount_decrement(&tconn->refs, &refs); +- if (refs == 0) { ++ isc_refcount_decrement(&tconn->clients, &old_clients); ++ if (old_clients == 0) { + isc_quota_detach(&tconn->tcpquota); + isc_mem_free(ns_g_mctx, tconn); + } +@@ -2629,28 +2637,39 @@ client_request(isc_task_t *task, isc_event_t *event) { + /* + * Pipeline TCP query processing. + */ +- if (TCP_CLIENT(client) && +- client->message->opcode != dns_opcode_query) +- { +- client->tcpconn->pipelined = ISC_FALSE; +- } +- if (TCP_CLIENT(client) && client->tcpconn->pipelined) { +- /* +- * We're pipelining. Replace the client; the +- * replacement can read the TCP socket looking +- * for new messages and this one can process the +- * current message asynchronously. 
+- * +- * There will now be at least three clients using this +- * TCP socket - one accepting new connections, +- * one reading an existing connection to get new +- * messages, and one answering the message already +- * received. +- */ +- result = ns_client_replace(client); +- if (result != ISC_R_SUCCESS) { ++ if (TCP_CLIENT(client)) { ++ if (client->message->opcode != dns_opcode_query) { + client->tcpconn->pipelined = ISC_FALSE; + } ++ ++ /* ++ * Limit the maximum number of simultaneous pipelined ++ * queries on TCP connection to TCP_CLIENTS_PER_CONN. ++ */ ++ if ((isc_refcount_current(&client->tcpconn->clients) ++ > TCP_CLIENTS_PER_CONN)) ++ { ++ client->tcpconn->pipelined = ISC_FALSE; ++ } ++ ++ if (client->tcpconn->pipelined) { ++ /* ++ * We're pipelining. Replace the client; the ++ * replacement can read the TCP socket looking ++ * for new messages and this one can process the ++ * current message asynchronously. ++ * ++ * There will now be at least three clients using this ++ * TCP socket - one accepting new connections, ++ * one reading an existing connection to get new ++ * messages, and one answering the message already ++ * received. ++ */ ++ result = ns_client_replace(client); ++ if (result != ISC_R_SUCCESS) { ++ client->tcpconn->pipelined = ISC_FALSE; ++ } ++ } + } + + dns_opcodestats_increment(ns_g_server->opcodestats, +diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h +index 0f54d2267b..86437ade22 100644 +--- a/bin/named/include/named/client.h ++++ b/bin/named/include/named/client.h +@@ -77,7 +77,10 @@ + + /*% reference-counted TCP connection object */ + typedef struct ns_tcpconn { +- isc_refcount_t refs; ++ isc_refcount_t clients; /* Number of clients using ++ * this connection. Conn can ++ * be freed if goes to 0 ++ */ + isc_quota_t *tcpquota; + isc_boolean_t pipelined; + } ns_tcpconn_t; +-- +2.20.1 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 62616c6..b684a5e 100644 --- a/SPECS/bind.spec 
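Review bot: Once `isc_refcount_current(&client->tcpconn->clients)` exceeds TCP_CLIENTS_PER_CONN the hunk clears `tcpconn->pipelined`, and nothing in the patch sets it back when in-flight clients drain (it is only initialised in tcpconn_init), so a connection that once hit the limit stays serialised for its remaining lifetime; that is presumably the intended mitigation but deserves a comment at the check, e.g. `/* Sticky: a connection that reaches the limit is not pipelined again until it closes. */`. The rename to `old_clients` in tcpconn_attach/tcpconn_detach is misleading: the `old_clients == 0` free in tcpconn_detach and `INSIST(old_clients > 1)` in tcpconn_attach only make sense if `isc_refcount_increment`/`isc_refcount_decrement` store the updated count, which the free logic relies on, so `new_clients` or plain `clients` is the accurate name. TCP_CLIENTS_PER_CONN is a compile-time constant the comment itself calls arbitrary; if operators may need to tune it, exposing it as a named option or at least logging the effective value at startup would make the limit observable.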
+++ b/SPECS/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -153,6 +153,14 @@ Patch166:bind-9.11-rh1685940.patch Patch167:bind-9.11-CVE-2018-5743.patch Patch168:bind-9.11-CVE-2018-5743-atomic.patch Patch169:bind-9.11-CVE-2019-6471.patch +Patch170:bind-9.11-CVE-2018-5745.patch +Patch171:bind-9.11-CVE-2019-6465.patch +Patch172:bind-9.11-rh1732883.patch +Patch173: bind-9.11-CVE-2018-5745-testfix.patch +Patch174: bind-9.11-rh1743572.patch +Patch175: bind-9.11.4-CVE-2019-6477.patch +Patch176: bind-9.11-rh1753259.patch +Patch177: bind-9.11-rh1743572-2.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -500,6 +508,14 @@ are used for building ISC DHCP. %patch167 -p1 -b .CVE-2018-5743 %patch168 -p1 -b .CVE-2018-5743-atomic %patch169 -p1 -b .CVE-2019-6471 +%patch170 -p1 -b .CVE-2018-5745 +%patch171 -p1 -b .CVE-2019-6465 +%patch172 -p1 -b .rh1732883 +%patch173 -p1 -b .CVE-2018-5745-testfix +%patch174 -p1 -b .rh1743572 +%patch175 -p1 -b .CVE-2019-6477 +%patch176 -p1 -b .rh1753259 +%patch177 -p1 -b .rh1743572 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys 
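Review bot: Patch177 (`bind-9.11-rh1743572-2.patch`) is applied with `-b .rh1743572`, the same backup suffix Patch174 already used on the same file (`bin/dig/dighost.c`), so the second `%patch` overwrites the first's `.rh1743572` backup and it no longer reflects the pre-patch state; use a distinct suffix, `%patch177 -p1 -b .rh1743572-2`. The new `Patch170`–`Patch172` lines also omit the space after the colon that `Patch173`–`Patch177` and the existing entries use; harmless to rpmbuild but worth normalising.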
@@ -1474,6 +1490,28 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
+* Thu Dec 12 2019 Petr Menšík - 32:9.11.4-16.P2
+- Finish dig query when name is too long (#1743572)
+
+* Wed Nov 27 2019 Petr Menšík - 32:9.11.4-15.P2
+- Stop listening on IPv6 by default (#1753259)
+
+* Tue Nov 19 2019 Petr Menšík - 32:9.11.4-14.P2
+- Limit number of queries per TCP connection (CVE-2019-6477)
+
+* Wed Oct 02 2019 Petr Menšík - 32:9.11.4-13.P2
+- Revert not searching names with dot (#1743572)
+
+* Thu Sep 05 2019 Petr Menšík - 32:9.11.4-12.P2
+- Fix mkeys test validating CVE-2018-5745 fix
+
+* Tue Aug 6 2019 Pavel Zhukov - 32:9.11.4-11.P2
+- Use monotonic time in export library (#1093803)
+
+* Wed Jul 17 2019 Petr Menšík - 32:9.11.4-10.P2
+- Fix CVE-2018-5745
+- Fix CVE-2019-6465
+
 * Wed Jun 19 2019 Petr Menšík - 32:9.11.4-9.P2
 - Fix CVE-2019-6471