diff options
| author | dougb <dougb@FreeBSD.org> | 2010-12-04 05:58:56 +0000 |
|---|---|---|
| committer | dougb <dougb@FreeBSD.org> | 2010-12-04 05:58:56 +0000 |
| commit | 63d4368df223bad2a05f63e74fc3c3d7ba334775 (patch) | |
| tree | f01f0fcdfd363df827bfbc878514d9fc94ccdca9 /contrib/bind9/bin | |
| parent | 0ff0fd520ddd39c32c55398023b24fe199cbc02b (diff) | |
| parent | d2262df647cb68b7a55a79623696e646c546774e (diff) | |
| download | FreeBSD-src-63d4368df223bad2a05f63e74fc3c3d7ba334775.zip FreeBSD-src-63d4368df223bad2a05f63e74fc3c3d7ba334775.tar.gz | |
Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who are validating with DNSSEC, and
querying zones which are in a key rollover period. The bug will
cause answers to incorrectly be marked as insecure.
Diffstat (limited to 'contrib/bind9/bin')
| -rw-r--r-- | contrib/bind9/bin/check/check-tool.c | 31 | ||||
| -rw-r--r-- | contrib/bind9/bin/check/check-tool.h | 9 | ||||
| -rw-r--r-- | contrib/bind9/bin/check/named-checkconf.c | 12 | ||||
| -rw-r--r-- | contrib/bind9/bin/check/named-checkzone.c | 11 | ||||
| -rw-r--r-- | contrib/bind9/bin/dig/host.c | 10 | ||||
| -rw-r--r-- | contrib/bind9/bin/named/client.c | 8 | ||||
| -rw-r--r-- | contrib/bind9/bin/named/include/named/query.h | 6 | ||||
| -rw-r--r-- | contrib/bind9/bin/named/query.c | 25 | ||||
| -rw-r--r-- | contrib/bind9/bin/named/server.c | 41 |
9 files changed, 103 insertions, 50 deletions
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c index e0a7208..396f105 100644 --- a/contrib/bind9/bin/check/check-tool.c +++ b/contrib/bind9/bin/check/check-tool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */ +/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */ /*! \file */ @@ -23,6 +23,10 @@ #include <stdio.h> +#ifdef _WIN32 +#include <Winsock2.h> +#endif + #include "check-tool.h" #include <isc/buffer.h> #include <isc/log.h> @@ -662,3 +666,26 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, return (result); } + +#ifdef _WIN32 +void +InitSockets(void) { + WORD wVersionRequested; + WSADATA wsaData; + int err; + + wVersionRequested = MAKEWORD(2, 0); + + err = WSAStartup( wVersionRequested, &wsaData ); + if (err != 0) { + fprintf(stderr, "WSAStartup() failed: %d\n", err); + exit(1); + } +} + +void +DestroySockets(void) { + WSACleanup(); +} +#endif + diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h index b0ba7e0..0128926 100644 --- a/contrib/bind9/bin/check/check-tool.h +++ b/contrib/bind9/bin/check/check-tool.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */ +/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H @@ -43,6 +43,11 @@ isc_result_t dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, dns_masterformat_t fileformat, const dns_master_style_t *style); +#ifdef _WIN32 +void InitSockets(void); +void DestroySockets(void); +#endif + extern int debug; extern isc_boolean_t nomerge; extern isc_boolean_t docheckmx; diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c index eba0d93..7ed1043 100644 --- a/contrib/bind9/bin/check/named-checkconf.c +++ b/contrib/bind9/bin/check/named-checkconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */ +/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */ /*! \file */ @@ -453,6 +453,10 @@ main(int argc, char **argv) { if (conffile == NULL || conffile[0] == '\0') conffile = NAMED_CONFFILE; +#ifdef _WIN32 + InitSockets(); +#endif + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS); @@ -494,5 +498,9 @@ main(int argc, char **argv) { isc_mem_destroy(&mctx); +#ifdef _WIN32 + DestroySockets(); +#endif + return (exit_status); } diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c index 0b49b51..1fa015a 100644 --- a/contrib/bind9/bin/check/named-checkzone.c +++ b/contrib/bind9/bin/check/named-checkzone.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.51.34.4 2009/11/10 20:01:41 each Exp $ */ +/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */ /*! \file */ @@ -419,6 +419,10 @@ main(int argc, char **argv) { if (isc_commandline_index + 2 != argc) usage(); +#ifdef _WIN32 + InitSockets(); +#endif + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); if (!quiet) RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) @@ -453,5 +457,8 @@ main(int argc, char **argv) { isc_hash_destroy(); isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); +#ifdef _WIN32 + DestroySockets(); +#endif return ((result == ISC_R_SUCCESS) ? 0 : 1); } diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c index 8cd5b3d..1a7d174 100644 --- a/contrib/bind9/bin/dig/host.c +++ b/contrib/bind9/bin/dig/host.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.116.216.3 2009/09/08 23:28:20 marka Exp $ */ +/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */ /*! \file */ @@ -625,7 +625,9 @@ pre_parse_args(int argc, char **argv) { case 'v': break; case 'w': break; case 'C': break; - case 'D': break; + case 'D': + debugging = ISC_TRUE; + break; case 'N': break; case 'R': break; case 'T': break; @@ -792,7 +794,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { ndots = atoi(isc_commandline_argument); break; case 'D': - debugging = ISC_TRUE; + /* Handled by pre_parse_args(). */ break; case '4': if (have_ipv4) { diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c index ae5386c..a0e034a 100644 --- a/contrib/bind9/bin/named/client.c +++ b/contrib/bind9/bin/named/client.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */ +/* $Id: client.c,v 1.259.12.3.24.2 2010/09/29 23:46:31 tbox Exp $ */ #include <config.h> @@ -1859,13 +1859,13 @@ client_request(isc_task_t *task, isc_event_t *event) { client->view->recursionacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, NULL, - client->view->queryacl, + client->view->cacheacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, &client->interface->addr, client->view->recursiononacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, &client->interface->addr, - client->view->queryonacl, + client->view->cacheonacl, ISC_TRUE) == ISC_R_SUCCESS) ra = ISC_TRUE; diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h index 500b577..3f019a3 100644 --- a/contrib/bind9/bin/named/include/named/query.h +++ b/contrib/bind9/bin/named/include/named/query.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */ +/* $Id: query.h,v 1.40.626.2 2010/09/29 23:46:31 tbox Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 @@ -71,6 +71,8 @@ struct ns_query { #define NS_QUERYATTR_SECURE 0x0200 #define NS_QUERYATTR_NOAUTHORITY 0x0400 #define NS_QUERYATTR_NOADDITIONAL 0x0800 +#define NS_QUERYATTR_CACHEACLOKVALID 0x1000 +#define NS_QUERYATTR_CACHEACLOK 0x2000 isc_result_t ns_query_init(ns_client_t *client); diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 73ed1a6..0ba708b 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.313.20.16.10.2 2010/06/26 23:46:14 tbox Exp $ */ +/* $Id: query.c,v 1.313.20.16.10.3 2010/09/29 00:03:32 marka Exp $ */ /*! \file */ @@ -820,17 +820,15 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, return (DNS_R_REFUSED); dns_db_attach(client->view->cachedb, &db); - if ((client->query.attributes & - NS_QUERYATTR_QUERYOKVALID) != 0) { + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) { /* - * We've evaluated the view's queryacl already. If - * NS_QUERYATTR_QUERYOK is set, then the client is + * We've evaluated the view's cacheacl already. If + * NS_QUERYATTR_CACHEACLOK is set, then the client is * allowed to make queries, otherwise the query should * be refused. */ check_acl = ISC_FALSE; - if ((client->query.attributes & - NS_QUERYATTR_QUERYOK) == 0) + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0) goto refuse; } else { /* @@ -844,16 +842,15 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; result = ns_client_checkaclsilent(client, NULL, - client->view->queryacl, + client->view->cacheacl, ISC_TRUE); if (result == ISC_R_SUCCESS) { /* - * We were allowed by the default - * "allow-query" ACL. Remember this so we - * don't have to check again. + * We were allowed by the "allow-query-cache" ACL. + * Remember this so we don't have to check again. */ client->query.attributes |= - NS_QUERYATTR_QUERYOK; + NS_QUERYATTR_CACHEACLOK; if (log && isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) { @@ -876,9 +873,9 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, } /* * We've now evaluated the view's query ACL, and - * the NS_QUERYATTR_QUERYOK attribute is now valid. + * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid. */ - client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; + client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID; if (result != ISC_R_SUCCESS) goto refuse; diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c index 8f67786..5fbe043 100644 --- a/contrib/bind9/bin/named/server.c +++ b/contrib/bind9/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.520.12.11.10.1 2010/03/03 22:06:36 marka Exp $ */ +/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */ /*! \file */ @@ -1132,6 +1132,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_acache_setcachesize(view->acache, max_acache_size); } + CHECK(configure_view_acl(vconfig, config, "allow-query", actx, + ns_g_mctx, &view->queryacl)); + + if (view->queryacl == NULL) { + CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx, + ns_g_mctx, &view->queryacl)); + } + /* * Configure the zones. */ @@ -1606,13 +1614,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, * configured in named.conf. */ CHECK(configure_view_acl(vconfig, config, "allow-query-cache", - actx, ns_g_mctx, &view->queryacl)); + actx, ns_g_mctx, &view->cacheacl)); CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", - actx, ns_g_mctx, &view->queryonacl)); - if (view->queryonacl == NULL) + actx, ns_g_mctx, &view->cacheonacl)); + if (view->cacheonacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache-on", actx, - ns_g_mctx, &view->queryonacl)); + ns_g_mctx, &view->cacheonacl)); if (strcmp(view->name, "_bind") != 0) { CHECK(configure_view_acl(vconfig, config, "allow-recursion", actx, ns_g_mctx, @@ -1628,14 +1636,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, * "allow-recursion" inherits from "allow-query-cache" if set, * otherwise from "allow-query" if set. */ - if (view->queryacl == NULL && view->recursionacl != NULL) - dns_acl_attach(view->recursionacl, &view->queryacl); - if (view->queryacl == NULL && view->recursion) + if (view->cacheacl == NULL && view->recursionacl != NULL) + dns_acl_attach(view->recursionacl, &view->cacheacl); + if (view->cacheacl == NULL && view->recursion) CHECK(configure_view_acl(vconfig, config, "allow-query", - actx, ns_g_mctx, &view->queryacl)); + actx, ns_g_mctx, &view->cacheacl)); if (view->recursion && - view->recursionacl == NULL && view->queryacl != NULL) - dns_acl_attach(view->queryacl, &view->recursionacl); + view->recursionacl == NULL && view->cacheacl != NULL) + dns_acl_attach(view->cacheacl, &view->recursionacl); /* * Set default "allow-recursion", "allow-recursion-on" and @@ -1651,16 +1659,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl)); - if (view->queryacl == NULL) { + if (view->cacheacl == NULL) { if (view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache", actx, - ns_g_mctx, &view->queryacl)); - else { - if (view->queryacl != NULL) - dns_acl_detach(&view->queryacl); - CHECK(dns_acl_none(ns_g_mctx, &view->queryacl)); - } + ns_g_mctx, &view->cacheacl)); + else + CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl)); } /* |
