[v9_10] remove unnecessary INSIST and prep 9.10.5rc2

4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042db8c1cd0ee4dbd0c91ce65ae09e098)
(cherry picked from commit 559cbe04e73cf601784a371e09554c20407a6c7b)

diff --git a/CHANGES b/CHANGES
index 91a2d5189039bf440a8d97a00f5a2729ece2e930..c393cc23958a5bb0f3921a32caaefa3bf4e99453 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-       --- 9.10.5 released ---
+       --- 9.10.5rc2 released ---
+
+4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
+                       queries could trigger assertion failures.
+                       (CVE-2017-3137) [RT #44734]
 
 4575.  [security]      DNS64 with "break-dnssec yes;" can result in an
                        assertion failure. (CVE-2017-3136) [RT #44653]

diff --git a/README b/README
index c7b51736fa83ea839443e4ac5c151be853f70a59..6b108a8554514a64d1d2274b57daf6b17651b7aa 100644 (file)
--- a/README
+++ b/README
@@ -56,7 +56,7 @@ BIND 9.10.5
        BIND 9.10.5 is a maintenance release and addresses the security
        flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
        CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
-       CVE-2017-3135, and CVE-2017-3136,
+       CVE-2017-3135, CVE-2017-3136, and CVE-2017-3137.
 
 BIND 9.10.4
 

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 99de352058eac97b730abfccd186b800a908e19d..8f5fcd43abc79ad92fa0c4eb5167bd2304b59ed3 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -69,11 +69,18 @@
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+       <para>
+         Some chaining (i.e., type CNAME or DNAME) responses to upstream
+         queries could trigger assertion failures. This flaw is disclosed
+         in CVE-2017-3137. [RT #44734]
+       </para>
+      </listitem>
       <listitem>
        <para>
          <command>dns64</command> with <command>break-dnssec yes;</command>
          can result in an assertion failure. This flaw is disclosed in
-         CVE-2017-3136.[RT #44653]
+         CVE-2017-3136. [RT #44653]
        </para>
       </listitem>
       <listitem>

diff --git a/lib/dns/api b/lib/dns/api
index 6d12ddc1f931dc4d519e3da00552658c5bb5ddd5..b4a644a0e05d322417756fa8067fb37ce29e8d20 100644 (file)
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -7,5 +7,5 @@
 # 9.10: 140-149, 170-179
 # 9.11: 160-169
 LIBINTERFACE = 170
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index db9f5714cb381ca36a1628bc5ddac777a315e51e..6833b953c6b224021e03b33c827fdef438d6e372 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6946,15 +6946,15 @@ answer_response(fetchctx_t *fctx) {
                                        rdataset->attributes |=
                                                DNS_RDATASETATTR_CACHE;
                                        rdataset->trust = dns_trust_answer;
-                                       if (chaining == 0) {
+                                       if (external) {
                                                /*
-                                                * This data is "the" answer
-                                                * to our question only if
-                                                * we're not chaining (i.e.
-                                                * if we haven't followed
-                                                * a CNAME or DNAME).
+                                                * This data is outside of
+                                                * our query domain, and
+                                                * may not be cached.
                                                 */
-                                               INSIST(!external);
+                                               rdataset->attributes |=
+                                                   DNS_RDATASETATTR_EXTERNAL;
+                                       } else if (chaining == 0) {
                                                /*
                                                 * Don't use found_cname here
                                                 * as we have just set it
@@ -6976,14 +6976,6 @@ answer_response(fetchctx_t *fctx) {
                                                if (aa)
                                                        rdataset->trust =
                                                          dns_trust_authanswer;
-                                       } else if (external) {
-                                               /*
-                                                * This data is outside of
-                                                * our query domain, and
-                                                * may not be cached.
-                                                */
-                                               rdataset->attributes |=
-                                                   DNS_RDATASETATTR_EXTERNAL;
                                        }
 
                                        /*
@@ -7158,15 +7150,12 @@ answer_response(fetchctx_t *fctx) {
                                 * If we are not chaining or the first CNAME
                                 * is a synthesised CNAME before the DNAME.
                                 */
-                               if ((chaining == 0) ||
-                                   (chaining == 1U && synthcname))
+                               if (external) {
+                                       rdataset->attributes |=
+                                           DNS_RDATASETATTR_EXTERNAL;
+                               } else if ((chaining == 0) ||
+                                          (chaining == 1U && synthcname))
                                {
-                                       /*
-                                        * This data is "the" answer to
-                                        * our question only if we're
-                                        * not chaining.
-                                        */
-                                       INSIST(!external);
                                        if (aflag == DNS_RDATASETATTR_ANSWER) {
                                                have_answer = ISC_TRUE;
                                                found_dname = ISC_TRUE;
@@ -7183,9 +7172,6 @@ answer_response(fetchctx_t *fctx) {
                                        if (aa)
                                                rdataset->trust =
                                                  dns_trust_authanswer;
-                               } else if (external) {
-                                       rdataset->attributes |=
-                                           DNS_RDATASETATTR_EXTERNAL;
                                }
                        }
 

diff --git a/version b/version
index 990eb5193527275c25d1f3c5c0f2c7871c993aeb..9428afc4dbd1d1f66c024315467917ea82475a55 100644 (file)
--- a/version
+++ b/version
@@ -6,6 +6,6 @@ DESCRIPTION=
 MAJORVER=9
 MINORVER=10
 PATCHVER=5
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=rc
+RELEASEVER=2
 EXTENSIONS=