[v9_11] remove unnecessary INSIST and prep 9.11.1rc2

author Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 22:55:10 +0000 (14:55 -0800)

committer Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 22:55:10 +0000 (14:55 -0800)
author Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 22:55:10 +0000 (14:55 -0800)
committer Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 22:55:10 +0000 (14:55 -0800)
diff --git a/CHANGES b/CHANGES

index 7aa6a7b7f16dcea160698a62947910cffbe67deb..c028cc4f18eb845b847a0f678a9f9cabf824b9d4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-       --- 9.11.1 released ---
+       --- 9.11.1rc2 released ---
+
+4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
+                       queries could trigger assertion failures.
+                       (CVE-2017-3137) [RT #44734]
  
  4575.  [security]      DNS64 with "break-dnssec yes;" can result in an
                         assertion failure. (CVE-2017-3136) [RT #44653]
diff --git a/README b/README

index aa36dc63b77da3f647e5d39a30870db081e87848..3f7b52679c1dc88d9ca9274fdc65673ea226e0ea 100644 (file)
--- a/README
+++ b/README
@@ -55,7 +55,8 @@ BIND 9.11.1
         
         BIND 9.11.1 is a maintenance release and addresses the security
         flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
-       CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136.
+       CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, and
+       CVE-2017-3137.
  
  BIND 9.11.0
  
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml

index c5c06abafd89a1f90b3240266051d77e1581ff77..0140343b50d41632056e188b6d2ae893438908e3 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -93,11 +93,18 @@
  
    <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
      <itemizedlist>
+      <listitem>
+       <para>
+         Some chaining (i.e., type CNAME or DNAME) responses to upstream
+         queries could trigger assertion failures. This flaw is disclosed
+         in CVE-2017-3137. [RT #44734]
+       </para>
+      </listitem>
        <listitem>
         <para>
           <command>dns64</command> with <command>break-dnssec yes;</command>
           can result in an assertion failure. This flaw is disclosed in
-         CVE-2017-3136.[RT #44653]
+         CVE-2017-3136. [RT #44653]
         </para>
        </listitem>
        <listitem>
diff --git a/lib/dns/api b/lib/dns/api

index e3ee1fe5d2d0cf19741e82bb3d8c8ed69eb5f3ab..4a04d6a3bfbec2ae946b432016e5bc613287f312 100644 (file)
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -7,5 +7,5 @@
  # 9.10: 140-149, 170-179
  # 9.11: 160-169
  LIBINTERFACE = 168
-LIBREVISION = 0
+LIBREVISION = 1
  LIBAGE = 0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c

index 3b49795108b4cb14551116593ea9f1343d2ad56c..1552b53adb4957dee01e84590d7c77a5ec98e0f8 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7005,15 +7005,15 @@ answer_response(fetchctx_t *fctx) {
                                         rdataset->attributes |=
                                                 DNS_RDATASETATTR_CACHE;
                                         rdataset->trust = dns_trust_answer;
-                                       if (chaining == 0) {
+                                       if (external) {
                                                 /*
-                                                * This data is "the" answer
-                                                * to our question only if
-                                                * we're not chaining (i.e.
-                                                * if we haven't followed
-                                                * a CNAME or DNAME).
+                                                * This data is outside of
+                                                * our query domain, and
+                                                * may not be cached.
                                                  */
-                                               INSIST(!external);
+                                               rdataset->attributes |=
+                                                   DNS_RDATASETATTR_EXTERNAL;
+                                       } else if (chaining == 0) {
                                                 /*
                                                  * Don't use found_cname here
                                                  * as we have just set it
@@ -7035,14 +7035,6 @@ answer_response(fetchctx_t *fctx) {
                                                 if (aa)
                                                         rdataset->trust =
                                                           dns_trust_authanswer;
-                                       } else if (external) {
-                                               /*
-                                                * This data is outside of
-                                                * our query domain, and
-                                                * may not be cached.
-                                                */
-                                               rdataset->attributes |=
-                                                   DNS_RDATASETATTR_EXTERNAL;
                                         }
  
                                         /*
@@ -7217,15 +7209,12 @@ answer_response(fetchctx_t *fctx) {
                                  * If we are not chaining or the first CNAME
                                  * is a synthesised CNAME before the DNAME.
                                  */
-                               if ((chaining == 0) ||
-                                   (chaining == 1U && synthcname))
+                               if (external) {
+                                       rdataset->attributes |=
+                                           DNS_RDATASETATTR_EXTERNAL;
+                               } else if ((chaining == 0) ||
+                                          (chaining == 1U && synthcname))
                                 {
-                                       /*
-                                        * This data is "the" answer to
-                                        * our question only if we're
-                                        * not chaining.
-                                        */
-                                       INSIST(!external);
                                         if (aflag == DNS_RDATASETATTR_ANSWER) {
                                                 have_answer = ISC_TRUE;
                                                 found_dname = ISC_TRUE;
@@ -7242,9 +7231,6 @@ answer_response(fetchctx_t *fctx) {
                                         if (aa)
                                                 rdataset->trust =
                                                   dns_trust_authanswer;
-                               } else if (external) {
-                                       rdataset->attributes |=
-                                           DNS_RDATASETATTR_EXTERNAL;
                                 }
                         }
  
diff --git a/version b/version

index 17e35d8f0ea23bfb6d65f952afcd70d774ca82c4..2e30c698369b2011143de5d8de1d5c3a61f546ce 100644 (file)
--- a/version
+++ b/version
@@ -6,6 +6,6 @@ DESCRIPTION=
  MAJORVER=9
  MINORVER=11
  PATCHVER=1
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=rc
+RELEASEVER=2
  EXTENSIONS=
author	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 22:55:10 +0000 (14:55 -0800)
committer	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 22:55:10 +0000 (14:55 -0800)
CHANGES		patch \| blob \| blame \| history
README		patch \| blob \| blame \| history
doc/arm/notes.xml		patch \| blob \| blame \| history
lib/dns/api		patch \| blob \| blame \| history
lib/dns/resolver.c		patch \| blob \| blame \| history
version		patch \| blob \| blame \| history