Dominique Leuenberger 2021-12-01 19:46:44 +00:00 committed by Git OBS Bridge
commit 0394b453e3
3 changed files with 112 additions and 13 deletions

73
bind-CVE-2021-25219.patch Normal file

@ -0,0 +1,73 @@
diff --git a/bin/named/config.c b/bin/named/config.c
index 213c45cb33..0b28c8db7a 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -164,7 +164,7 @@ options {\n\
fetches-per-server 0;\n\
fetches-per-zone 0;\n\
glue-cache yes;\n\
- lame-ttl 600;\n"
+ lame-ttl 0;\n"
#ifdef HAVE_LMDB
" lmdb-mapsize 32M;\n"
#endif /* ifdef HAVE_LMDB */
diff --git a/bin/named/server.c b/bin/named/server.c
index ff04689685..0f001ba303 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4840,8 +4840,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
result = named_config_get(maps, "lame-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
lame_ttl = cfg_obj_asduration(obj);
- if (lame_ttl > 1800) {
- lame_ttl = 1800;
+ if (lame_ttl > 0) {
+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+ "disabling lame cache despite lame-ttl > 0 as it "
+ "may cause performance issues");
+ lame_ttl = 0;
}
dns_resolver_setlamettl(view->resolver, lame_ttl);
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 0358241d95..40c416dcf1 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10122,25 +10122,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
*/
static isc_result_t
rctx_lameserver(respctx_t *rctx) {
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
fetchctx_t *fctx = rctx->fctx;
resquery_t *query = rctx->query;
- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
- !is_lame(fctx, query->rmessage))
- {
+ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
return (ISC_R_SUCCESS);
}
inc_stats(fctx->res, dns_resstatscounter_lame);
log_lame(fctx, query->addrinfo);
- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
- fctx->type, rctx->now + fctx->res->lame_ttl);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
- "could not mark server as lame: %s",
- isc_result_totext(result));
+ if (fctx->res->lame_ttl != 0) {
+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
+ &fctx->name, fctx->type,
+ rctx->now + fctx->res->lame_ttl);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not mark server as lame: %s",
+ isc_result_totext(result));
+ }
}
rctx->broken_server = DNS_R_LAME;
rctx->next_server = true;


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Mon Nov 8 09:01:21 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
- Aligned SLE15-SP4 and Factory spec files.
[bind.spec]
-------------------------------------------------------------------
Thu Nov 4 08:28:45 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
- Fixed CVE-2021-25219:
The lame-ttl option controls how long named caches certain types
of broken responses from authoritative servers (see the security
advisory for details). This caching mechanism could be abused by
an attacker to significantly degrade resolver performance. The
vulnerability has been mitigated by changing the default value of
lame-ttl to 0 and overriding any explicitly set value with 0,
effectively disabling this mechanism altogether. ISC's testing has
determined that doing that has a negligible impact on resolver
performance while also preventing abuse.
Administrators may observe more traffic towards servers issuing
certain types of broken responses than in previous BIND 9 releases.
[bsc#1192146, CVE-2021-25219, bind-CVE-2021-25219.patch]
-------------------------------------------------------------------
Mon Oct 18 09:55:18 UTC 2021 - Josef Möllers <josef.moellers@suse.com>


@ -17,6 +17,7 @@
%define _buildshell /bin/bash
%define VENDOR SUSE
%if 0%{?suse_version} >= 1500
%define with_systemd 1
@ -51,21 +52,22 @@ Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
Group: Productivity/Networking/DNS/Servers
URL: https://www.isc.org/bind/
Source0: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
Source: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
Source1: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.sha512.asc
Source2: vendor-files.tar.bz2
# from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
Source4: %{name}.keyring
Source3: %{name}.keyring
Source9: ftp://ftp.internic.net/domain/named.root
Source40: dnszone-schema.txt
Source60: dlz-schema.txt
# configuation file for systemd-tmpfiles
# configuration file for systemd-tmpfiles
Source70: bind.conf
# configuation file for systemd-sysusers
Source72: named.conf
Patch52: named-bootconf.diff
Patch56: bind-ldapdump-use-valid-host.patch
Patch68: bind-fix-build-with-older-sphinx.patch
Patch69: bind-CVE-2021-25219.patch
BuildRequires: libcap-devel
BuildRequires: libmysqlclient-devel
BuildRequires: libopenssl-devel
@ -121,19 +123,22 @@ System implementation of the Domain Name System (DNS) protocols. This
includes also the BIND Administrator Reference Manual (ARM).
%package utils
Summary: Utilities to query and test DNS
Summary: Libraries for "bind" and utilities to query and test DNS
# Needed for dnssec parts
Group: Productivity/Networking/DNS/Utilities
Requires: python3-bind = %{version}
Provides: bind9-utils
Provides: bindutil
Provides: dns_utils
Obsoletes: bind-devel < %{version}
Obsoletes: bind9-utils < %{version}
Obsoletes: bindutil < %{version}
Obsoletes: libirs-devel < %{version}
%description utils
This package includes the utilities "host", "dig", and "nslookup" used to
test and query the Domain Name System (DNS). The Berkeley Internet
test and query the Domain Name System (DNS) and also the libraries rquired
for the base "bind" package. The Berkeley Internet
Name Domain (BIND) DNS server is found in the package named bind.
%package -n python3-bind
@ -169,7 +174,7 @@ for file in docu/README* config/{README,named.conf} sysconfig/named-named; do
done
popd
%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150300
%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150400
# the Administration Reference Manual doesn't build with Leap/SLES due to an way too old Sphinx package
# that is missing sphinx.util.docutils.ReferenceRole.
# patch68 disables this extension, and here, we're removing the :gl: tags in the notes
@ -197,7 +202,7 @@ export LDFLAGS="-pie"
--with-pic \
--disable-openssl-version-check \
--with-tuning=large \
--with-geoip \
--with-maxminddb \
--with-dlopen \
--with-gssapi=yes \
--disable-isc-spnego \
@ -218,7 +223,7 @@ for d in arm; do
make -C doc/${d} SPHINXBUILD=sphinx-build doc
done
%if %{with_systemd}
%sysusers_generate_pre %{SOURCE72} named named.conf
%sysusers_generate_pre %{SOURCE72} named
%endif
%install
@ -254,8 +259,8 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
%if %{with_systemd}
for file in named; do
install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
done
install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
@ -290,7 +295,6 @@ for file in vendor-files/docu/README*; do
basename=$( basename ${file})
cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR}
done
mkdir -p vendor-files/config/ISC-examples
cp -a bin/tests/*.conf* vendor-files/config/ISC-examples
for d in arm; do
@ -315,7 +319,6 @@ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
%pre -f named.pre
%service_add_pre named.service
%else
%pre
%{GROUPADD_NAMED}
%{USERADD_NAMED}
@ -338,7 +341,7 @@ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
%else
%{fillup_and_insserv -nf named}
if [ -x %{_bindir}/systemctl ]; then
# make sure systemctl knows about the service even though it's not a systemd service
# make sure systemctl knows about the service
# Without this, systemctl status named would return
# Unit named.service could not be found.
# until systemctl daemon-reload has been executed
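Review bot: The Source list hunk (headed `@ -51,21 +52,22 @@`) corrects `configuation` in the systemd-tmpfiles comment but leaves the identical misspelling two lines further down, `# configuation file for systemd-sysusers`, which should read `# configuration file for systemd-sysusers`. The rewritten utils description in the next hunk also introduces `rquired`; `required` is intended. Separately, the commit adds `Patch69: bind-CVE-2021-25219.patch` but none of the hunks shown touch %prep; if this spec applies patches individually rather than via %autopatch/%autosetup, a matching `%patch69 -p1` line is needed, otherwise the CVE fix is declared but never applied to the build.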