From: Evan Hunt Date: Thu, 23 Feb 2017 22:55:10 +0000 (-0800) Subject: [v9_11] remove unnecessary INSIST and prep 9.11.1rc2 X-Git-Tag: v9.11.1rc2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=559cbe04e73cf601784a371e09554c20407a6c7b;p=thirdparty%2Fbind9.git [v9_11] remove unnecessary INSIST and prep 9.11.1rc2 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734] (cherry picked from commit a1365a0042db8c1cd0ee4dbd0c91ce65ae09e098) --- diff --git a/CHANGES b/CHANGES index 7aa6a7b7f16..c028cc4f18e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ - --- 9.11.1 released --- + --- 9.11.1rc2 released --- + +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] 4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653] diff --git a/README b/README index aa36dc63b77..3f7b52679c1 100644 --- a/README +++ b/README @@ -55,7 +55,8 @@ BIND 9.11.1 BIND 9.11.1 is a maintenance release and addresses the security flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, - CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136. + CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, and + CVE-2017-3137. BIND 9.11.0 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index c5c06abafd8..0140343b50d 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -93,11 +93,18 @@
Security Fixes + + + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + + dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136.[RT #44653] + CVE-2017-3136. [RT #44653] diff --git a/lib/dns/api b/lib/dns/api index e3ee1fe5d2d..4a04d6a3bfb 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -7,5 +7,5 @@ # 9.10: 140-149, 170-179 # 9.11: 160-169 LIBINTERFACE = 168 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 3b49795108b..1552b53adb4 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -7005,15 +7005,15 @@ answer_response(fetchctx_t *fctx) { rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_answer; - if (chaining == 0) { + if (external) { /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). + * This data is outside of + * our query domain, and + * may not be cached. */ - INSIST(!external); + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if (chaining == 0) { /* * Don't use found_cname here * as we have just set it @@ -7035,14 +7035,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } /* 
@@ -7217,15 +7209,12 @@ answer_response(fetchctx_t *fctx) { * If we are not chaining or the first CNAME * is a synthesised CNAME before the DNAME. */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) + if (external) { + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if ((chaining == 0) || + (chaining == 1U && synthcname)) { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. - */ - INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; found_dname = ISC_TRUE; @@ -7242,9 +7231,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } } diff --git a/version b/version index 17e35d8f0ea..2e30c698369 100644 --- a/version +++ b/version @@ -6,6 +6,6 @@ DESCRIPTION= MAJORVER=9 MINORVER=11 PATCHVER=1 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=rc +RELEASEVER=2 EXTENSIONS=
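Review bot: In the first answer_response() hunk of lib/dns/resolver.c (@@ -7005), testing `if (external)` ahead of `chaining == 0` means an out-of-domain rdataset seen while chaining is 0 now takes the EXTERNAL branch instead of hitting `INSIST(!external)`, and no test in this patch exercises that path. A regression test that feeds the resolver a CNAME or DNAME chaining response with an out-of-domain name would keep the assertion from being reintroduced. The comment in the moved branch still says the data "may not be cached", while the unchanged lines directly above set `DNS_RDATASETATTR_CACHE` and `rdataset->trust = dns_trust_answer` on the same rdataset; the comment should say how `DNS_RDATASETATTR_EXTERNAL` interacts with those two assignments.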
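Review bot: In the second answer_response() hunk of lib/dns/resolver.c (@@ -7217), the retained comment "If we are not chaining or the first CNAME is a synthesised CNAME before the DNAME." now sits directly above `if (external) {`, although it describes the `else if ((chaining == 0) || (chaining == 1U && synthcname))` condition. Move that comment down to the else-if, and give the new `external` branch the same "outside of our query domain" comment that the first hunk carries, so the two DNAME/CNAME paths read the same way.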
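Review bot: The `RELEASETYPE=rc` / `RELEASEVER=2` change in version and the "--- 9.11.1rc2 released ---" marker in CHANGES put release preparation in the same commit as the CVE-2017-3137 resolver fix. Splitting the release bump into its own commit would let the lib/dns/resolver.c change, with its CHANGES entry 4578 and the notes.xml paragraph, be cherry-picked to other branches without dragging version metadata along. The notes.xml hunk also carries an unrelated spacing fix to the CVE-2017-3136 entry, which belongs with the documentation cleanup rather than with the security fix.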