From 26e2e4ba3af34e286a0dc2473b25375f167c47c4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 23 2021 02:57:25 +0000 Subject: import bind-9.11.26-4.el8_4 --- diff --git a/SOURCES/bind-9.11-CVE-2021-25215.patch b/SOURCES/bind-9.11-CVE-2021-25215.patch new file mode 100644 index 0000000..4f62a10 --- /dev/null +++ b/SOURCES/bind-9.11-CVE-2021-25215.patch @@ -0,0 +1,40 @@ +From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 27 Apr 2021 10:56:12 +0200 +Subject: [PATCH 2/2] CVE-2021-25215 + +5616. [security] named crashed when a DNAME record placed in the ANSWER + section during DNAME chasing turned out to be the final + answer to a client query. (CVE-2021-25215) [GL #2540] +--- + bin/named/query.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/bin/named/query.c b/bin/named/query.c +index a95f5ad..11a888e 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + if (noqname != NULL) + query_addnoqnameproof(client, noqname); + /* +- * We shouldn't ever fail to add 'rdataset' +- * because it's already in the answer. ++ * 'rdataset' will only be non-NULL here if the ANSWER section ++ * of the message to be sent to the client already contains an ++ * RRset with the same owner name and the same type as ++ * 'rdataset'. This should never happen, with one exception: ++ * when chasing DNAME records, one of the DNAME records placed ++ * in the ANSWER section may turn out to be the final answer to ++ * the client's query, but we have no way of knowing that until ++ * now. In such a case, 'rdataset' will be freed later, so we ++ * do not need to free it here. + */ +- INSIST(rdataset == NULL); ++ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname); + } + + addauth: +-- +2.26.3 + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 12a5ad1..3279f66 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.26 -Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -155,6 +155,7 @@ Patch175:bind-9.11-json-c.patch Patch177:bind-9.11-serve-stale.patch Patch178:bind-9.11-dhcp-time-monotonic.patch Patch179:bind-9.11-CVE-2020-8625.patch +Patch180:bind-9.11-CVE-2021-25215.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -550,6 +551,7 @@ are used for building ISC DHCP. %patch177 -p1 -b .serve-stale %patch178 -p1 -b .time-monotonic %patch179 -p1 -b .CVE-2020-8625 +%patch180 -p1 -b .CVE-2021-25215 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data @@ -1601,6 +1603,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Tue Apr 27 2021 Petr Menšík - 32:9.11.26-4 +- Possible assertion failure on DNAME processing (CVE-2021-25215) + * Mon Feb 15 2021 Petr Menšík - 32:9.11.26-3 - Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625)