[v9_9_9_patch] remove unnecessary INSIST and prep 9.11.1rc2

author Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 23:34:11 +0000 (15:34 -0800)

committer Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 23:34:11 +0000 (15:34 -0800)
author Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 23:34:11 +0000 (15:34 -0800)
committer Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 23:34:11 +0000 (15:34 -0800)
diff --git a/CHANGES b/CHANGES

index 2c6fe7da141269adfc91ec226110dca33981de02..82ffab5c8472275444f7a7dbf03bc4b37864723c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
         --- 9.9.9-P7 released ---
  
+4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
+                       queries could trigger assertion failures.
+                       (CVE-2017-3137) [RT #44734]
+
  4575.  [security]      DNS64 with "break-dnssec yes;" can result in an
                         assertion failure. (CVE-2017-3136) [RT #44653]
  
diff --git a/README b/README

index 31488ef50ddf8b6413b0ac25590e1c520282e863..c7f0a70677424fce95c415ac2737cb418c7b3aa9 100644 (file)
--- a/README
+++ b/README
@@ -53,8 +53,8 @@ BIND 9
  
  BIND 9.9.9-P7
  
-       This version contains a fix for CVE-2017-3136, and updates
-       the built in trusted keys for the root zone.
+       This version contains fixes for CVE-2017-3136 and CVE-2017-3137,
+       and updates the built in trusted keys for the root zone.
  
  BIND 9.9.9-P6
  
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml

index 23413ab8635ce3b92e73f5ba8398c7390d050e1e..e68a049d92874517242a1929852a5637b24fca79 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -98,11 +98,18 @@
  
    <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
      <itemizedlist>
+      <listitem>
+       <para>
+         Some chaining (i.e., type CNAME or DNAME) responses to upstream
+         queries could trigger assertion failures. This flaw is disclosed
+         in CVE-2017-3137. [RT #44734]
+       </para>
+      </listitem>
        <listitem>
         <para>
           <command>dns64</command> with <command>break-dnssec yes;</command>
           can result in an assertion failure. This flaw is disclosed in
-         CVE-2017-3136.[RT #44653]
+         CVE-2017-3136. [RT #44653]
         </para>
        </listitem>
        <listitem>
diff --git a/lib/dns/api b/lib/dns/api

index 9b31d25d322eda3dfad3e0cb05cfb5248b14df77..272e0e1797951a34066cbfc3cce31829f637e0c3 100644 (file)
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -7,5 +7,5 @@
  # 9.10: 140-149
  # 9.11: 160-169
  LIBINTERFACE = 172
-LIBREVISION = 5
+LIBREVISION = 6
  LIBAGE = 0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c

index 14fe5432f0e95404cf51602379a5eba5d433080d..40c9db06f56f4de97a889b9a7fdc8d5a7c31a35d 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6661,15 +6661,15 @@ answer_response(fetchctx_t *fctx) {
                                         rdataset->attributes |=
                                                 DNS_RDATASETATTR_CACHE;
                                         rdataset->trust = dns_trust_answer;
-                                       if (chaining == 0) {
+                                       if (external) {
                                                 /*
-                                                * This data is "the" answer
-                                                * to our question only if
-                                                * we're not chaining (i.e.
-                                                * if we haven't followed
-                                                * a CNAME or DNAME).
+                                                * This data is outside of
+                                                * our query domain, and
+                                                * may not be cached.
                                                  */
-                                               INSIST(!external);
+                                               rdataset->attributes |=
+                                                   DNS_RDATASETATTR_EXTERNAL;
+                                       } else if (chaining == 0) {
                                                 /*
                                                  * Don't use found_cname here
                                                  * as we have just set it
@@ -6691,14 +6691,6 @@ answer_response(fetchctx_t *fctx) {
                                                 if (aa)
                                                         rdataset->trust =
                                                           dns_trust_authanswer;
-                                       } else if (external) {
-                                               /*
-                                                * This data is outside of
-                                                * our query domain, and
-                                                * may not be cached.
-                                                */
-                                               rdataset->attributes |=
-                                                   DNS_RDATASETATTR_EXTERNAL;
                                         }
  
                                         /*
@@ -6873,15 +6865,12 @@ answer_response(fetchctx_t *fctx) {
                                  * If we are not chaining or the first CNAME
                                  * is a synthesised CNAME before the DNAME.
                                  */
-                               if ((chaining == 0) ||
-                                   (chaining == 1U && synthcname))
+                               if (external) {
+                                       rdataset->attributes |=
+                                           DNS_RDATASETATTR_EXTERNAL;
+                               } else if ((chaining == 0) ||
+                                          (chaining == 1U && synthcname))
                                 {
-                                       /*
-                                        * This data is "the" answer to
-                                        * our question only if we're
-                                        * not chaining.
-                                        */
-                                       INSIST(!external);
                                         if (aflag == DNS_RDATASETATTR_ANSWER) {
                                                 have_answer = ISC_TRUE;
                                                 found_dname = ISC_TRUE;
@@ -6898,9 +6887,6 @@ answer_response(fetchctx_t *fctx) {
                                         if (aa)
                                                 rdataset->trust =
                                                   dns_trust_authanswer;
-                               } else if (external) {
-                                       rdataset->attributes |=
-                                           DNS_RDATASETATTR_EXTERNAL;
                                 }
                         }
author	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 23:34:11 +0000 (15:34 -0800)
committer	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 23:34:11 +0000 (15:34 -0800)
CHANGES		patch \| blob \| blame \| history
README		patch \| blob \| blame \| history
doc/arm/notes.xml		patch \| blob \| blame \| history
lib/dns/api		patch \| blob \| blame \| history
lib/dns/resolver.c		patch \| blob \| blame \| history