From: Evan Hunt Date: Tue, 30 May 2017 19:55:27 +0000 (-0700) Subject: [v9_9_10_patch] fix rpz formerr loop X-Git-Tag: v9.9.10-P1~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea4826f9b21ccb91cce6c2aabdbe0f807f9441b0;p=thirdparty%2Fbind9.git [v9_9_10_patch] fix rpz formerr loop 4531. [security] Some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. (CVE-2017-3140) [RT #45181] (cherry picked from commit 3440cf9c60cd5d35634e7f274fd3eccbba2173a5) (cherry picked from commit 5e618a7edcee615b1085b221e28b6abae2dc9602) --- diff --git a/CHANGES b/CHANGES index 61b56f48757..3f342389131 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4531. [security] Some RPZ configurations could go into an infinite + query loop when encountering responses with TTL=0. + (CVE-2017-3140) [RT #45181] + --- 9.9.10 released --- --- 9.9.10rc3 released --- diff --git a/README b/README index 2dc939cdc8f..5281db6c581 100644 --- a/README +++ b/README @@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.9.10-P1 + + This version contains a fix for the security flaw + disclosed in CVE-2017-3140. + BIND 9.9.10 BIND 9.9.10 is a maintenance release and addresses the security diff --git a/bin/named/query.c b/bin/named/query.c index 5e002d26f3d..e9d1bae564c 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -7004,7 +7004,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If we have a zero ttl from the cache refetch it. */ - if (!is_zone && event == NULL && rdataset->ttl == 0 && + if (!is_zone && !resuming && rdataset->ttl == 0 && RECURSIONOK(client)) { if (dns_rdataset_isassociated(rdataset)) 
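Review bot: The subject line reads "fix rpz formerr loop", but the CHANGES entry 4531 and the README paragraph in this same patch describe "an infinite query loop when encountering responses with TTL=0" and never mention FORMERR, so a reader of CHANGES cannot tell how FORMERR is involved; either extend the 4531 entry to say where FORMERR enters, or use wording in the subject that matches the entry. The CVE-2017-3140 and RT #45181 references are consistent across CHANGES, README and the notes.xml addition, which is good.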
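Review bot: In the @@ -7004,7 hunk of bin/named/query.c the zero-TTL refetch guard changes from `event == NULL` to `!resuming`, but the visible context does not show where `resuming` is assigned or whether it is still true when query_find() is re-entered after the fetch completes on the RPZ path; since CHANGES attributes the loop to RPZ configurations, the old `event == NULL` test presumably read as "not resuming" on that path even though a fetch had just returned, and the review should confirm `resuming` does not have the same gap. A one-line comment above the `if` recording why the event pointer was not a reliable "not resuming" indicator would keep a later reader from simplifying this back to the shorter test.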
@@ -7426,7 +7426,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If we have a zero ttl from the cache refetch it. */ - if (!is_zone && event == NULL && rdataset->ttl == 0 && + if (!is_zone && !resuming && rdataset->ttl == 0 && RECURSIONOK(client)) { if (dns_rdataset_isassociated(rdataset)) diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 3392e21fc70..a954cfc4315 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -21,15 +21,16 @@
Introduction - This document summarizes significant changes since the last - production release of BIND on the corresponding major release - branch. - Please see the CHANGES file for a further list of bug fixes and - other changes. + This document summarizes changes since BIND 9.9.10: + + + BIND 9.9.10-P1 addresses the security issue described in + CVE-2017-3140.
+
Download The latest versions of BIND 9 software can always be found at 
@@ -73,237 +74,10 @@ - rndc "" could trigger an assertion failure - in named. This flaw is disclosed in - (CVE-2017-3138). [RT #44924] - - - - - Some chaining (i.e., type CNAME or DNAME) responses to upstream - queries could trigger assertion failures. This flaw is disclosed - in CVE-2017-3137. [RT #44734] - - - - - dns64 with break-dnssec yes; - can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136. [RT #44653] - - - - - If a server is configured with a response policy zone (RPZ) - that rewrites an answer with local data, and is also configured - for DNS64 address mapping, a NULL pointer can be read - triggering a server crash. This flaw is disclosed in - CVE-2017-3135. [RT #44434] - - - - - named could mishandle authority sections - with missing RRSIGs, triggering an assertion failure. This - flaw is disclosed in CVE-2016-9444. [RT #43632] - - - - - named mishandled some responses where - covering RRSIG records were returned without the requested - data, resulting in an assertion failure. This flaw is - disclosed in CVE-2016-9147. [RT #43548] - - - - - named incorrectly tried to cache TKEY - records which could trigger an assertion failure when there was - a class mismatch. This flaw is disclosed in CVE-2016-9131. - [RT #43522] - - - - - It was possible to trigger assertions when processing - responses containing answers of type DNAME. This flaw is - disclosed in CVE-2016-8864. [RT #43465] - - - - - Added the ability to specify the maximum number of records - permitted in a zone (). - This provides a mechanism to block overly large zone - transfers, which is a potential risk with slave zones from - other parties, as described in CVE-2016-6170. - [RT #42143] - - - - - It was possible to trigger an assertion when rendering a - message using a specially crafted request. This flaw is - disclosed in CVE-2016-2776. 
[RT #43139] - - - - - Calling getrrsetbyname() with a non- - absolute name could trigger an infinite recursion bug in - lwresd or named with - lwres configured if, when combined with - a search list entry from resolv.conf, - the resulting name is too long. This flaw is disclosed in - CVE-2016-2775. [RT #42694] - - - -
- -
Feature Changes - - - - The ISC DNSSEC Lookaside Validation (DLV) service is scheduled - to be disabled in 2017. A warning is now logged when - named is configured to use this service, - either explicitly or via . - [RT #42207] - - - - - If an ACL is specified with an address prefix in which the - prefix length is longer than the address portion (for example, - 192.0.2.1/8), named will now log a warning. - In future releases this will be a fatal configuration error. - [RT #43367] - - - -
- -
Bug Fixes - - - - A synthesized CNAME record appearing in a response before the - associated DNAME could be cached, when it should not have been. - This was a regression introduced while addressing CVE-2016-8864. - [RT #44318] - - - - - named could deadlock if multiple changes - to NSEC/NSEC3 parameters for the same zone were being processed - at the same time. [RT #42770] - - - - - named could trigger an assertion when - sending NOTIFY messages. [RT #44019] - - - - - Windows installs were failing due to triggering UAC without - the installation binary being signed. - - - - - A change in the internal binary representation of the RBT database - node structure enabled a race condition to occur (especially when - BIND was built with certain compilers or optimizer settings), - leading to inconsistent database state which caused random - assertion failures. [RT #42380] - - - - - Referencing a nonexistent zone in a response-policy - statement could cause an assertion failure during configuration. - [RT #43787] - - - - - rndc addzone could cause a crash - when attempting to add a zone with a type other than - master or slave. - Such zones are now rejected. [RT #43665] - - - - - named could hang when encountering log - file names with large apparent gaps in version number (for - example, when files exist called "logfile.0", "logfile.1", - and "logfile.1482954169"). This is now handled correctly. - [RT #38688] - - - - - If a zone was updated while named was - processing a query for nonexistent data, it could return - out-of-sync NSEC3 records causing potential DNSSEC validation - failure. [RT #43247] - - - - - named could crash when loading a zone - which had RRISG records whose expiry fields were far enough - apart to cause an integer overflow when comparing them. - [RT #40571] - - - - - The arpaname command was not installed into - the correct prefix/bin - directory. 
[RT #42910] - - - - - When receiving a response from an authoritative server with - a TTL value of zero, named> will now only use - that response once, to answer the currently active clients that - were waiting for it. Previously, such response could be cached - and reused for up to one second. [RT #42142] - - - - - Corrected a bug in the rndc control channel - that could allow a read past the end of a buffer, crashing - named. Thanks to Lian Yihan for reporting - this error. - - - - - Reverted a change to the query logging format that was - inadvertently backported from the 9.11 branch. [RT #43238] - - - -
- -
Maintenance - - - - The built-in root hints have been updated to include - IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), - E.ROOT-SERVERS.NET (2001:500:a8::e) and - G.ROOT-SERVERS.NET (2001:500:12::d0d). + With certain RPZ configurations, a response with TTL 0 + could cause named to go into an infinite + query loop. This flaw is disclosed in CVE-2017-3140. + [RT #45181]
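Review bot: The @@ -7426,7 hunk in bin/named/query.c is the same change as the one at @@ -7004,7, with the same comment `If we have a zero ttl from the cache refetch it.`, the same four-term condition `!is_zone && !resuming && rdataset->ttl == 0 && RECURSIONOK(client)` and the same `dns_rdataset_isassociated(rdataset)` follow-up; duplicated logic like this is easy to fix at one site and miss at the other, so consider moving the zero-TTL refetch test into a small static helper or macro shared by both call sites, or at least cross-reference the two sites in that comment. The notes.xml hunks that follow restate the fix in release-note form, so any wording change to the CHANGES entry should be mirrored there.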