[v9_10] fix rpz formerr loop
authorEvan Hunt <each@isc.org>
Tue, 30 May 2017 19:35:59 +0000 (12:35 -0700)
committerEvan Hunt <each@isc.org>
Tue, 30 May 2017 19:35:59 +0000 (12:35 -0700)
4531. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]

(cherry picked from commit 3440cf9c60cd5d35634e7f274fd3eccbba2173a5)

CHANGES
README
README.md
bin/named/query.c
doc/arm/notes.xml

diff --git a/CHANGES b/CHANGES
index f3c93a99745bf51eb2d653ce516a438a6eba9282..3ebd6404265cf9cd1d195fad3bc70929a7089a25 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4531.  [security]      Some RPZ configurations could go into an infinite
+                       query loop when encountering responses with TTL=0.
+                       (CVE-2017-3140) [RT #45181]
+
 4629.  [bug]           dns_client_startupdate could not be called with a
                        running client. [RT #45277]
 
diff --git a/README b/README
index 1c699cece5efb0b938df3952fbaad5afee34088a..82eb15e37082c19a335155bbe16932c3c7220c22 100644 (file)
--- a/README
+++ b/README
@@ -261,6 +261,11 @@ disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
 CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
 CVE-2017-3137, and CVE-2017-3138.
 
+BIND 9.10.6
+
+BIND 9.10.6 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140.
+
 Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
index f02202603fb1e2ea5927a1ff4af36cfe4cd82144..06a342aa9c35b33325e886d8e7cc582d88de1610 100644 (file)
--- a/README.md
+++ b/README.md
@@ -275,6 +275,11 @@ disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
 CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
 CVE-2017-3137, and CVE-2017-3138.
 
+#### BIND 9.10.6
+
+BIND 9.10.6 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140.
+
 ### <a name="build"/> Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
index d1bcb5c8c6e12ca2fbfa1b7bc5fedfc9bf647561..962cf2cd3f287f65c9c8bb5a33a263791b91b9c7 100644 (file)
@@ -7651,7 +7651,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                /*
                 * If we have a zero ttl from the cache refetch it.
                 */
-               if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+               if (!is_zone && !resuming && rdataset->ttl == 0 &&
                    RECURSIONOK(client))
                {
                        if (dns_rdataset_isassociated(rdataset))
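Review bot: The comment above the changed condition still reads only "If we have a zero ttl from the cache refetch it", so nothing at this site records why the guard is `!resuming` rather than `event == NULL`, and a later reader could take the two for interchangeable. Presumably there is a path (RPZ processing, going by the commit message) where query_find is resumed with `event` already NULL, so the old test let the zero-TTL refetch repeat without bound; a comment such as `/* Refetch a zero-TTL cache answer only on the first pass: when resuming, refetching again can loop forever (CVE-2017-3140). */` would guard against the condition being reverted. The same applies to the identical hunk at -8093. `resuming` is assigned outside both hunks and query_find's body starts and ends outside them, so where it becomes true cannot be confirmed from here. The file list shows no system test touched by this commit; a regression case covering an RPZ policy with a TTL=0 answer would be worth adding.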
@@ -8093,7 +8093,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                /*
                 * If we have a zero ttl from the cache refetch it.
                 */
-               if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+               if (!is_zone && !resuming && rdataset->ttl == 0 &&
                    RECURSIONOK(client))
                {
                        if (dns_rdataset_isassociated(rdataset))
index 3f1c6d8cfd8e0d9f05e172e4cb9669b3cb0e7708..14fe88d4075c3bfdd49daa9ce93ddd449c74f757 100644 (file)
     <itemizedlist>
       <listitem>
        <para>
-         None.
+         With certain RPZ configurations, a response with TTL 0
+         could cause <command>named</command> to go into an infinite
+         query loop. This flaw is disclosed in CVE-2017-3140.
+         [RT #45181]
        </para>
       </listitem>
     </itemizedlist>