diff --git a/SOURCES/bind-9.11-CVE-2021-25214.patch b/SOURCES/bind-9.11-CVE-2021-25214.patch
new file mode 100644
index 0000000..83f445b
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2021-25214.patch
@@ -0,0 +1,44 @@
+From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Wed, 3 Feb 2021 11:10:20 +1100
+Subject: [PATCH] Check SOA owner names in zone transfers
+
+An IXFR containing SOA records with owner names different than the
+transferred zone's origin can result in named serving a version of that
+zone without an SOA record at the apex. This causes a RUNTIME_CHECK
+assertion failure the next time such a zone is refreshed. Fix by
+immediately rejecting a zone transfer (either an incremental or
+non-incremental one) upon detecting an SOA record not placed at the apex
+of the transferred zone.
+---
+ lib/dns/xfrin.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index 3a3f407289..0ba82e4974 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+ dns_rdatatype_ismeta(rdata->type))
+ FAIL(DNS_R_FORMERR);
+
++ /*
++ * Immediately reject the entire transfer if the RR that is currently
++ * being processed is an SOA record that is not placed at the zone
++ * apex.
++ */
++ if (rdata->type == dns_rdatatype_soa &&
++ !dns_name_equal(&xfr->name, name)) {
++ char namebuf[DNS_NAME_FORMATSIZE];
++ dns_name_format(name, namebuf, sizeof(namebuf));
++ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
++ namebuf);
++ FAIL(DNS_R_NOTZONETOP);
++ }
++
+ redo:
+ switch (xfr->state) {
+ case XFRST_SOAQUERY:
+--
+2.26.3
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index e2c34f2..9a65216 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
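Review bot: The owner-name mismatch check added before `redo:` logs the offending name only at `ISC_LOG_DEBUG(3)`, so at default log levels an operator presumably sees only the generic transfer-failure message for DNS_R_NOTZONETOP and not which owner name the primary sent; since a misplaced SOA in an IXFR is exactly the condition this fix exists to refuse, I would log it at a level that reaches the transfer log by default, e.g. `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);`. Whether the `FAIL()` path itself reports the offending name is not visible in this hunk. Placing the check ahead of `switch (xfr->state)` means it runs for every RR of both AXFR and IXFR, which matches the description. xfr_rr begins and ends outside this hunk.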
@@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.11.4
-Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.5
+Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.7
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 #
@@ -179,6 +179,8 @@ Patch192: bind98-rh1769876.patch
 Patch193: bind-9.11-rh1889902.patch
 Patch194: bind-9.11-CVE-2020-8625.patch
 Patch195: bind-9.11-CVE-2021-25215.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf
+Patch196: bind-9.11-CVE-2021-25214.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -551,6 +553,7 @@ are used for building ISC DHCP.
 %patch193 -p1 -b .rh1889902
 %patch194 -p1 -b .CVE-2020-8625
 %patch195 -p1 -b .CVE-2021-25215
+%patch196 -p1 -b .CVE-2021-25214
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
@@ -1532,6 +1535,12 @@ rm -rf ${RPM_BUILD_ROOT}
 
 %changelog
+* Tue Jul 13 2021 Petr Menšík - 32:9.11.4-26.P2.7
+- Apply again patch 172, got removed by mistake
+
+* Mon May 17 2021 Petr Menšík - 32:9.11.4-26.P2.6
+- Insufficient IXFR checks could lead to assertion failure (CVE-2021-25214)
+
 * Tue Apr 27 2021 Petr Menšík - 32:9.11.4-26.P2.5
 - Possible assertion failure on DNAME processing (CVE-2021-25215)
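Review bot: The comment added above `Patch196:` points at upstream commit dfadbc9d7b485b1af62d77ad6c309792bbaabfdf, while the patch file this commit adds under SOURCES carries `From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8` in its header, so the two identifiers do not agree. If dfadbc9d is the 9.11-branch backport of 4eff09c6 (I cannot check that from here), the comment should record that relationship, e.g. `# https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf (backport of upstream 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8)`; otherwise one of the two references is wrong. A later audit of which CVE fix was actually shipped relies on this line matching the patch's own provenance header. The `%patch196 -p1 -b .CVE-2021-25214` line in the following hunk is consistent with the declaration.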