diff --git a/.bind.metadata b/.bind.metadata index 9cfc411..1d11ff5 100644 --- a/.bind.metadata +++ b/.bind.metadata @@ -1,3 +1,3 @@ d7be390e6c2546f37a7280e1975e1cd134565f62 SOURCES/bind-9.9.4.tar.gz -096a128b9272f1f2bb22ad0dfe62df24455f6f67 SOURCES/config-14.tar.bz2 +ad9ddfde8fa124143142f1a70f88d310c0373c3d SOURCES/config-15.tar.bz2 d3c4943f2f2aa1f7c51487af02ff3a52ca51a6d9 SOURCES/geoip-testing-data.tar.xz diff --git a/.gitignore b/.gitignore index 4a26baf..379555a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/bind-9.9.4.tar.gz -SOURCES/config-14.tar.bz2 +SOURCES/config-15.tar.bz2 SOURCES/geoip-testing-data.tar.xz diff --git a/SOURCES/bind.keys b/SOURCES/bind.keys new file mode 100644 index 0000000..db22d4b --- /dev/null +++ b/SOURCES/bind.keys @@ -0,0 +1,69 @@ +# The bind.keys file is used to override the built-in DNSSEC trust anchors +# which are included as part of BIND 9. As of the current release, the only +# trust anchors it contains are those for the DNS root zone ("."), and for +# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors +# for any other zones MUST be configured elsewhere; if they are configured +# here, they will not be recognized or used by named. +# +# The built-in trust anchors are provided for convenience of configuration. +# They are not activated within named.conf unless specifically switched on. +# To use the built-in root key, set "dnssec-validation auto;" in +# named.conf options. To use the built-in DLV key, set +# "dnssec-lookaside auto;". Without these options being set, +# the keys in this file are ignored. +# +# This file is NOT expected to be user-configured. +# +# These keys are current as of Feburary 2017. If any key fails to +# initialize correctly, it may have expired. In that event you should +# replace this file with a current version. The latest version of +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. + +managed-keys { + # ISC DLV: See https://www.isc.org/solutions/dlv for details. + # + # NOTE: The ISC DLV zone is being phased out as of February 2017; + # the key will remain in place but the zone will be otherwise empty. + # Configuring "dnssec-lookaside auto;" to activate this key is + # harmless, but is no longer useful and is not recommended. + dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt + TDN0YUuWrBNh"; + + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # + # These keys are activated by setting "dnssec-validation auto;" + # in named.conf. + # + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; + + # This key (20326) is to be published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/SOURCES/bind99-CVE-2017-3142+3143.patch b/SOURCES/bind99-CVE-2017-3142+3143.patch new file mode 100644 index 0000000..a0190f4 --- /dev/null +++ b/SOURCES/bind99-CVE-2017-3142+3143.patch @@ -0,0 +1,497 @@ +diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c +index 00a0080..336c4da 100644 +--- a/lib/dns/dnssec.c ++++ b/lib/dns/dnssec.c +@@ -982,6 +982,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, + mctx = msg->mctx; + + msg->verify_attempted = 1; ++ msg->verified_sig = 0; ++ msg->sig0status = dns_tsigerror_badsig; + + if (is_response(msg)) { + if (msg->query.base == NULL) +@@ -1076,6 +1078,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, + } + + msg->verified_sig = 1; ++ msg->sig0status = dns_rcode_noerror; + + dst_context_destroy(&ctx); + dns_rdata_freestruct(&sig); +diff --git a/lib/dns/message.c b/lib/dns/message.c +index 1417067..0621175 100644 +--- a/lib/dns/message.c ++++ b/lib/dns/message.c +@@ -3052,12 +3052,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { + + result = dns_rdata_tostruct(&rdata, &tsig, NULL); + INSIST(result == ISC_R_SUCCESS); +- if (msg->tsigstatus != dns_rcode_noerror) ++ if (msg->verified_sig && ++ msg->tsigstatus == dns_rcode_noerror && ++ tsig.error == dns_rcode_noerror) ++ { ++ result = ISC_R_SUCCESS; ++ } else if ((!msg->verified_sig) || ++ (msg->tsigstatus != dns_rcode_noerror)) ++ { + result = DNS_R_TSIGVERIFYFAILURE; +- else if (tsig.error != dns_rcode_noerror) ++ } else { ++ INSIST(tsig.error != dns_rcode_noerror); + result = DNS_R_TSIGERRORSET; +- else +- result = ISC_R_SUCCESS; ++ } + dns_rdata_freestruct(&tsig); + + if (msg->tsigkey == NULL) { +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index 3239bff..7b91d1e 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -941,11 +941,20 @@ dns_tsig_sign(dns_message_t *msg) { + isc_buffer_putuint48(&otherbuf, tsig.timesigned); + } + +- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) { ++ if ((key->key != NULL) && ++ (tsig.error != dns_tsigerror_badsig) && ++ (tsig.error != dns_tsigerror_badkey)) ++ { + unsigned char header[DNS_MESSAGE_HEADERLEN]; + isc_buffer_t headerbuf; + isc_uint16_t digestbits; + ++ /* ++ * If it is a response, we assume that the request MAC ++ * has validated at this point. This is why we include a ++ * MAC length > 0 in the reply. ++ */ ++ + ret = dst_context_create3(key->key, mctx, + DNS_LOGCATEGORY_DNSSEC, + ISC_TRUE, &ctx); +@@ -953,7 +962,7 @@ dns_tsig_sign(dns_message_t *msg) { + return (ret); + + /* +- * If this is a response, digest the query signature. ++ * If this is a response, digest the request's MAC. + */ + if (response) { + dns_rdata_t querytsigrdata = DNS_RDATA_INIT; +@@ -1083,6 +1092,17 @@ dns_tsig_sign(dns_message_t *msg) { + dst_context_destroy(&ctx); + digestbits = dst_key_getbits(key->key); + if (digestbits != 0) { ++ /* ++ * XXXRAY: Is this correct? What is the ++ * expected behavior when digestbits is not an ++ * integral multiple of 8? It looks like bytes ++ * should either be (digestbits/8) or ++ * (digestbits+7)/8. ++ * ++ * In any case, for current algorithms, ++ * digestbits are an integral multiple of 8, so ++ * it has the same effect as (digestbits/8). ++ */ + unsigned int bytes = (digestbits + 1) / 8; + if (response && bytes < querytsig.siglen) + bytes = querytsig.siglen; +@@ -1196,6 +1216,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey)); + + msg->verify_attempted = 1; ++ msg->verified_sig = 0; ++ msg->tsigstatus = dns_tsigerror_badsig; + + if (msg->tcp_continuation) { + if (tsigkey == NULL || msg->querytsig == NULL) +@@ -1294,19 +1316,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + key = tsigkey->key; + + /* +- * Is the time ok? +- */ +- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { +- msg->tsigstatus = dns_tsigerror_badtime; +- tsig_log(msg->tsigkey, 2, "signature has expired"); +- return (DNS_R_CLOCKSKEW); +- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { +- msg->tsigstatus = dns_tsigerror_badtime; +- tsig_log(msg->tsigkey, 2, "signature is in the future"); +- return (DNS_R_CLOCKSKEW); +- } +- +- /* + * Check digest length. + */ + alg = dst_key_alg(key); +@@ -1315,31 +1324,19 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + return (ret); + if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 || + alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || +- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) { +- isc_uint16_t digestbits = dst_key_getbits(key); ++ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) ++ { + if (tsig.siglen > siglen) { +- tsig_log(msg->tsigkey, 2, "signature length to big"); ++ tsig_log(msg->tsigkey, 2, "signature length too big"); + return (DNS_R_FORMERR); + } + if (tsig.siglen > 0 && +- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) { ++ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) ++ { + tsig_log(msg->tsigkey, 2, + "signature length below minimum"); + return (DNS_R_FORMERR); + } +- if (tsig.siglen > 0 && digestbits != 0 && +- tsig.siglen < ((digestbits + 1) / 8)) { +- msg->tsigstatus = dns_tsigerror_badtrunc; +- tsig_log(msg->tsigkey, 2, +- "truncated signature length too small"); +- return (DNS_R_TSIGVERIFYFAILURE); +- } +- if (tsig.siglen > 0 && digestbits == 0 && +- tsig.siglen < siglen) { +- msg->tsigstatus = dns_tsigerror_badtrunc; +- tsig_log(msg->tsigkey, 2, "signature length too small"); +- return (DNS_R_TSIGVERIFYFAILURE); +- } + } + + if (tsig.siglen > 0) { +@@ -1451,34 +1448,92 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + + ret = dst_context_verify(ctx, &sig_r); + if (ret == DST_R_VERIFYFAILURE) { +- msg->tsigstatus = dns_tsigerror_badsig; + ret = DNS_R_TSIGVERIFYFAILURE; + tsig_log(msg->tsigkey, 2, + "signature failed to verify(1)"); + goto cleanup_context; +- } else if (ret != ISC_R_SUCCESS) ++ } else if (ret != ISC_R_SUCCESS) { + goto cleanup_context; +- +- dst_context_destroy(&ctx); ++ } + } else if (tsig.error != dns_tsigerror_badsig && + tsig.error != dns_tsigerror_badkey) { +- msg->tsigstatus = dns_tsigerror_badsig; + tsig_log(msg->tsigkey, 2, "signature was empty"); + return (DNS_R_TSIGVERIFYFAILURE); + } + +- msg->tsigstatus = dns_rcode_noerror; ++ /* ++ * Here at this point, the MAC has been verified. Even if any of ++ * the following code returns a TSIG error, the reply will be ++ * signed and WILL always include the request MAC in the digest ++ * computation. ++ */ ++ ++ /* ++ * Is the time ok? ++ */ ++ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { ++ msg->tsigstatus = dns_tsigerror_badtime; ++ tsig_log(msg->tsigkey, 2, "signature has expired"); ++ ret = DNS_R_CLOCKSKEW; ++ goto cleanup_context; ++ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { ++ msg->tsigstatus = dns_tsigerror_badtime; ++ tsig_log(msg->tsigkey, 2, "signature is in the future"); ++ ret = DNS_R_CLOCKSKEW; ++ goto cleanup_context; ++ } ++ ++ if ( ++#ifndef PK11_MD5_DISABLE ++ alg == DST_ALG_HMACMD5 || ++#endif ++ alg == DST_ALG_HMACSHA1 || ++ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || ++ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) ++ { ++ isc_uint16_t digestbits = dst_key_getbits(key); ++ ++ /* ++ * XXXRAY: Is this correct? What is the expected ++ * behavior when digestbits is not an integral multiple ++ * of 8? It looks like bytes should either be ++ * (digestbits/8) or (digestbits+7)/8. ++ * ++ * In any case, for current algorithms, digestbits are ++ * an integral multiple of 8, so it has the same effect ++ * as (digestbits/8). ++ */ ++ if (tsig.siglen > 0 && digestbits != 0 && ++ tsig.siglen < ((digestbits + 1) / 8)) ++ { ++ msg->tsigstatus = dns_tsigerror_badtrunc; ++ tsig_log(msg->tsigkey, 2, ++ "truncated signature length too small"); ++ ret = DNS_R_TSIGVERIFYFAILURE; ++ goto cleanup_context; ++ } ++ if (tsig.siglen > 0 && digestbits == 0 && ++ tsig.siglen < siglen) ++ { ++ msg->tsigstatus = dns_tsigerror_badtrunc; ++ tsig_log(msg->tsigkey, 2, "signature length too small"); ++ ret = DNS_R_TSIGVERIFYFAILURE; ++ goto cleanup_context; ++ } ++ } + + if (tsig.error != dns_rcode_noerror) { ++ msg->tsigstatus = tsig.error; + if (tsig.error == dns_tsigerror_badtime) +- return (DNS_R_CLOCKSKEW); ++ ret = DNS_R_CLOCKSKEW; + else +- return (DNS_R_TSIGERRORSET); ++ ret = DNS_R_TSIGERRORSET; ++ goto cleanup_context; + } + ++ msg->tsigstatus = dns_rcode_noerror; + msg->verified_sig = 1; +- +- return (ISC_R_SUCCESS); ++ ret = ISC_R_SUCCESS; + + cleanup_context: + if (ctx != NULL) +@@ -1503,6 +1558,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + isc_uint16_t addcount, id; + isc_boolean_t has_tsig = ISC_FALSE; + isc_mem_t *mctx; ++ unsigned int siglen; ++ unsigned int alg; + + REQUIRE(source != NULL); + REQUIRE(msg != NULL); +@@ -1510,12 +1567,16 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + REQUIRE(msg->tcp_continuation == 1); + REQUIRE(msg->querytsig != NULL); + ++ msg->verified_sig = 0; ++ msg->tsigstatus = dns_tsigerror_badsig; ++ + if (!is_response(msg)) + return (DNS_R_EXPECTEDRESPONSE); + + mctx = msg->mctx; + + tsigkey = dns_message_gettsigkey(msg); ++ key = tsigkey->key; + + /* + * Extract and parse the previous TSIG +@@ -1548,7 +1609,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + * Do the key name and algorithm match that of the query? + */ + if (!dns_name_equal(keyname, &tsigkey->name) || +- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) { ++ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) ++ { + msg->tsigstatus = dns_tsigerror_badkey; + ret = DNS_R_TSIGVERIFYFAILURE; + tsig_log(msg->tsigkey, 2, +@@ -1557,27 +1619,40 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + } + + /* +- * Is the time ok? ++ * Check digest length. + */ +- isc_stdtime_get(&now); +- +- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { +- msg->tsigstatus = dns_tsigerror_badtime; +- tsig_log(msg->tsigkey, 2, "signature has expired"); +- ret = DNS_R_CLOCKSKEW; +- goto cleanup_querystruct; +- } else if (now + msg->timeadjust < +- tsig.timesigned - tsig.fudge) { +- msg->tsigstatus = dns_tsigerror_badtime; +- tsig_log(msg->tsigkey, 2, +- "signature is in the future"); +- ret = DNS_R_CLOCKSKEW; ++ alg = dst_key_alg(key); ++ ret = dst_key_sigsize(key, &siglen); ++ if (ret != ISC_R_SUCCESS) + goto cleanup_querystruct; ++ if ( ++#ifndef PK11_MD5_DISABLE ++ alg == DST_ALG_HMACMD5 || ++#endif ++ alg == DST_ALG_HMACSHA1 || ++ alg == DST_ALG_HMACSHA224 || ++ alg == DST_ALG_HMACSHA256 || ++ alg == DST_ALG_HMACSHA384 || ++ alg == DST_ALG_HMACSHA512) ++ { ++ if (tsig.siglen > siglen) { ++ tsig_log(tsigkey, 2, ++ "signature length too big"); ++ ret = DNS_R_FORMERR; ++ goto cleanup_querystruct; ++ } ++ if (tsig.siglen > 0 && ++ (tsig.siglen < 10 || ++ tsig.siglen < ((siglen + 1) / 2))) ++ { ++ tsig_log(tsigkey, 2, ++ "signature length below minimum"); ++ ret = DNS_R_FORMERR; ++ goto cleanup_querystruct; ++ } + } + } + +- key = tsigkey->key; +- + if (msg->tsigctx == NULL) { + ret = dst_context_create3(key, mctx, + DNS_LOGCATEGORY_DNSSEC, +@@ -1670,10 +1745,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + sig_r.length = tsig.siglen; + if (tsig.siglen == 0) { + if (tsig.error != dns_rcode_noerror) { +- if (tsig.error == dns_tsigerror_badtime) ++ msg->tsigstatus = tsig.error; ++ if (tsig.error == dns_tsigerror_badtime) { + ret = DNS_R_CLOCKSKEW; +- else ++ } else { + ret = DNS_R_TSIGERRORSET; ++ } + } else { + tsig_log(msg->tsigkey, 2, + "signature is empty"); +@@ -1684,29 +1761,111 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + + ret = dst_context_verify(msg->tsigctx, &sig_r); + if (ret == DST_R_VERIFYFAILURE) { +- msg->tsigstatus = dns_tsigerror_badsig; + tsig_log(msg->tsigkey, 2, + "signature failed to verify(2)"); + ret = DNS_R_TSIGVERIFYFAILURE; + goto cleanup_context; ++ } else if (ret != ISC_R_SUCCESS) { ++ goto cleanup_context; + } +- else if (ret != ISC_R_SUCCESS) ++ ++ /* ++ * Here at this point, the MAC has been verified. Even ++ * if any of the following code returns a TSIG error, ++ * the reply will be signed and WILL always include the ++ * request MAC in the digest computation. ++ */ ++ ++ /* ++ * Is the time ok? ++ */ ++ isc_stdtime_get(&now); ++ ++ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { ++ msg->tsigstatus = dns_tsigerror_badtime; ++ tsig_log(msg->tsigkey, 2, "signature has expired"); ++ ret = DNS_R_CLOCKSKEW; ++ goto cleanup_context; ++ } else if (now + msg->timeadjust < ++ tsig.timesigned - tsig.fudge) ++ { ++ msg->tsigstatus = dns_tsigerror_badtime; ++ tsig_log(msg->tsigkey, 2, ++ "signature is in the future"); ++ ret = DNS_R_CLOCKSKEW; + goto cleanup_context; ++ } + +- dst_context_destroy(&msg->tsigctx); ++ alg = dst_key_alg(key); ++ ret = dst_key_sigsize(key, &siglen); ++ if (ret != ISC_R_SUCCESS) ++ goto cleanup_context; ++ if ( ++#ifndef PK11_MD5_DISABLE ++ alg == DST_ALG_HMACMD5 || ++#endif ++ alg == DST_ALG_HMACSHA1 || ++ alg == DST_ALG_HMACSHA224 || ++ alg == DST_ALG_HMACSHA256 || ++ alg == DST_ALG_HMACSHA384 || ++ alg == DST_ALG_HMACSHA512) ++ { ++ isc_uint16_t digestbits = dst_key_getbits(key); ++ ++ /* ++ * XXXRAY: Is this correct? What is the ++ * expected behavior when digestbits is not an ++ * integral multiple of 8? It looks like bytes ++ * should either be (digestbits/8) or ++ * (digestbits+7)/8. ++ * ++ * In any case, for current algorithms, ++ * digestbits are an integral multiple of 8, so ++ * it has the same effect as (digestbits/8). ++ */ ++ if (tsig.siglen > 0 && digestbits != 0 && ++ tsig.siglen < ((digestbits + 1) / 8)) ++ { ++ msg->tsigstatus = dns_tsigerror_badtrunc; ++ tsig_log(msg->tsigkey, 2, ++ "truncated signature length " ++ "too small"); ++ ret = DNS_R_TSIGVERIFYFAILURE; ++ goto cleanup_context; ++ } ++ if (tsig.siglen > 0 && digestbits == 0 && ++ tsig.siglen < siglen) ++ { ++ msg->tsigstatus = dns_tsigerror_badtrunc; ++ tsig_log(msg->tsigkey, 2, ++ "signature length too small"); ++ ret = DNS_R_TSIGVERIFYFAILURE; ++ goto cleanup_context; ++ } ++ } ++ ++ if (tsig.error != dns_rcode_noerror) { ++ msg->tsigstatus = tsig.error; ++ if (tsig.error == dns_tsigerror_badtime) ++ ret = DNS_R_CLOCKSKEW; ++ else ++ ret = DNS_R_TSIGERRORSET; ++ goto cleanup_context; ++ } + } + + msg->tsigstatus = dns_rcode_noerror; +- return (ISC_R_SUCCESS); ++ msg->verified_sig = 1; ++ ret = ISC_R_SUCCESS; + + cleanup_context: +- dst_context_destroy(&msg->tsigctx); ++ if (msg->tsigctx != NULL) ++ dst_context_destroy(&msg->tsigctx); + + cleanup_querystruct: + dns_rdata_freestruct(&querytsig); + + return (ret); +- + } + + isc_result_t diff --git a/SOURCES/trusted-key.key b/SOURCES/trusted-key.key index ea07836..df2fd0d 100644 --- a/SOURCES/trusted-key.key +++ b/SOURCES/trusted-key.key @@ -1 +1,2 @@ . 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= +. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 28a3d5d..ce97592 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -25,7 +25,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 38%{?PATCHVER}%{?PREVER}%{?dist}.3 +Release: 50%{?PATCHVER}%{?PREVER}%{?dist}.1 Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -38,7 +38,10 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in Source8: dnszone.schema Source12: README.sdb_pgsql Source25: named.conf.sample -Source28: config-14.tar.bz2 +Source28: config-15.tar.bz2 +# Up-to-date bind.keys from upstream +# Fetch a new one from page https://www.isc.org/bind-keys +Source29: bind.keys Source30: ldap2zone.c Source31: ldap2zone.1 Source32: named-sdb.8 @@ -125,6 +128,8 @@ Patch175:bind99-rt44318.patch Patch176:bind99-CVE-2017-3136.patch # ISC 4578 Patch177:bind99-CVE-2017-3137.patch +# ISC 4643 +Patch178: bind99-CVE-2017-3142+3143.patch # Native PKCS#11 functionality from 9.10 Patch150:bind-9.9-allow_external_dnskey.patch @@ -422,6 +427,10 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data %patch175 -p1 -b .rt44318 %patch176 -p1 -b .CVE-2017-3136 %patch177 -p1 -b .CVE-2017-3137 +%patch178 -p1 -b .CVE-2017-3142+3143 + +# Override upstream builtin keys +cp -fp %{SOURCE29} bind.keys %if %{PKCS11} cp -r bin/named{,-pkcs11} @@ -1101,6 +1110,15 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Fri Jun 30 2017 Petr Menšík - 32:9.9.4-50.1 +- Bump again above RHEL-7.4 + +* Thu Jun 29 2017 Petr Menšík - 32:9.9.4-38.5 +- Fix CVE-2017-3142 and CVE-2017-3143 + +* Thu Jun 01 2017 Petr Menšík - 32:9.9.4-38.4 +- Update root servers and trust anchor (#1459649) + * Wed Apr 12 2017 Petr Menšík - 32:9.9.4-38.3 - Fix CVE-2017-3136 (ISC change 4575) - Fix CVE-2017-3137 (ISC change 4578)