diff options
| author | dougb <dougb@FreeBSD.org> | 2011-11-17 00:25:35 +0000 |
|---|---|---|
| committer | dougb <dougb@FreeBSD.org> | 2011-11-17 00:25:35 +0000 |
| commit | 446da3721f45347b47bb08332a2da8bc00b2a590 (patch) | |
| tree | aa4de14f8e91fd75c927a2e03a501d1904ea5da0 /contrib | |
| parent | 8e6c6b9b26e1b51e56ccbe3ff7d741ab0bcca9a6 (diff) | |
| download | FreeBSD-src-446da3721f45347b47bb08332a2da8bc00b2a590.zip FreeBSD-src-446da3721f45347b47bb08332a2da8bc00b2a590.tar.gz | |
Upgrade to BIND 9.8.1-P1 to address the following DDOS bug:
Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))
At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.
Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.
For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-tbd
which will be updated as more information becomes available.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/bind9/CHANGES | 6 | ||||
| -rw-r--r-- | contrib/bind9/bin/named/query.c | 21 | ||||
| -rw-r--r-- | contrib/bind9/lib/dns/rbtdb.c | 6 | ||||
| -rw-r--r-- | contrib/bind9/version | 6 |
4 files changed, 21 insertions, 18 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES index 3e48dd6..dc0b2c6 100644 --- a/contrib/bind9/CHANGES +++ b/contrib/bind9/CHANGES @@ -1,3 +1,9 @@ + --- 9.8.1-P1 released --- + +3218. [security] Cache lookup could return RRSIG data associated with + nonexistent records, leading to an assertion + failure. [RT #26590] + --- 9.8.1 released --- --- 9.8.1rc1 released --- diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 9be178b..4945f47 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.353.8.11 2011-06-09 03:14:03 marka Exp $ */ +/* $Id: query.c,v 1.353.8.11.4.1 2011-11-16 09:32:08 marka Exp $ */ /*! \file */ @@ -1393,11 +1393,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1438,8 +1436,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1889,10 +1888,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto setcache; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(! dns_rdataset_isassociated(sigrdataset)); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { /* Remember the result as a cache */ diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c index 9d66006..10525d9 100644 --- a/contrib/bind9/lib/dns/rbtdb.c +++ b/contrib/bind9/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.310.8.5 2011-06-08 23:02:42 each Exp $ */ +/* $Id: rbtdb.c,v 1.310.8.5.4.1 2011-11-16 09:32:08 marka Exp $ */ /*! \file */ @@ -5053,7 +5053,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, rdataset); if (need_headerupdate(found, search.now)) update = found; - if (foundsig != NULL) { + if (!NEGATIVE(found) && foundsig != NULL) { bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); if (need_headerupdate(foundsig, search.now)) @@ -5685,7 +5685,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } diff --git a/contrib/bind9/version b/contrib/bind9/version index ede0ba0..249750e 100644 --- a/contrib/bind9/version +++ b/contrib/bind9/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.53.8.9 2011-08-24 02:08:26 marka Exp $ +# $Id: version,v 1.53.8.9.6.1 2011-11-16 09:32:07 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -6,5 +6,5 @@ MAJORVER=9 MINORVER=8 PATCHVER=1 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=-P +RELEASEVER=1 |
