does not store bogus. Thanks to Qifan Zhang, Palo Alto Networks,
for the report.
FLAGS_GET_RCODE(qstate->return_msg->rep->flags) !=
LDNS_RCODE_YXDOMAIN)
return 0;
+ /* Do not persist data the validator has not yet seen, or has rejected.
+ * Otherwise an expired blob could maybe reach clients via
+ * serve-expired. */
+ if(qstate->env->need_to_validate &&
+ qstate->return_msg->rep->security == sec_status_bogus)
+ return 0;
/* We don't store the reply if its TTL is 0. This is probably coming
* from upstream and it is not meant to be stored. */
if(qstate->return_msg->rep->ttl == 0)
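Review bot: the new comment promises more than the added condition enforces. It says data the validator "has not yet seen, or has rejected" is not persisted, but the test is only `qstate->return_msg->rep->security == sec_status_bogus`, so a reply that is still `sec_status_unchecked` while `need_to_validate` is set passes this check and continues to the TTL test below. Either extend the condition to cover the not-yet-validated state, or narrow the comment to say that only bogus replies are skipped. The phrase "could maybe reach clients" would also be better as a definite statement of the serve-expired path this check closes.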
- Unit test for CVE-2026-42959.
- Unit test for CVE-2026-40622.
- Unit test for CVE-2026-42960.
+ - Fix in depth for serve-expired responses from cachedb, that it
+ does not store bogus. Thanks to Qifan Zhang, Palo Alto Networks,
+ for the report.
18 May 2026: Wouter
- Fix for mixed class referrals, the resolver uses the query
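Review bot: the added changelog entry ends in "that it does not store bogus", which leaves the object implicit and makes the sentence hard to parse. Something like "so that cachedb does not store bogus replies" would say what is no longer stored and would match the `sec_status_bogus` check in the code change.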