[v9_10_4_patch] remove unnecessary INSIST and prep 9.10.4-P7

author Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 23:31:55 +0000 (15:31 -0800)

committer Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 23:34:25 +0000 (15:34 -0800)
author Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 23:31:55 +0000 (15:31 -0800)
committer Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 23:34:25 +0000 (15:34 -0800)
diff --git a/CHANGES b/CHANGES

index ab4fdfa72290a82724ea25919a8cbe2cce0093d3..5a18254593bb1c0cbece4a3dbefcab4ab2fc16e5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
         --- 9.10.4-P7 released ---
  
+4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
+                       queries could trigger assertion failures.
+                       (CVE-2017-3137) [RT #44734]
+
  4575.  [security]      DNS64 with "break-dnssec yes;" can result in an
                         assertion failure. (CVE-2017-3136) [RT #44653]
  
diff --git a/README b/README

index c7ff008684ea20f7ff7b137b428dccb8395750c8..20d7d698b2dc57bbd13f9bd8dbddfae9050e3328 100644 (file)
--- a/README
+++ b/README
@@ -53,8 +53,8 @@ BIND 9
  
  BIND 9.10.4-P7
  
-       This version contains a fix for CVE-2017-3136, and updates
-       the built in trusted keys for the root zone.
+       This version contains fixes for CVE-2017-3136 and CVE-2017-3137,
+       and updates the built in trusted keys for the root zone.
  
  BIND 9.10.4-P6
  
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml

index f3b46e67c7c3a13e1e2ecc56128535cbcf2128e9..d34a8f7f8f98f64e8376a65eccfa94fac88c4fdb 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -100,11 +100,18 @@
  
    <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
      <itemizedlist>
+      <listitem>
+       <para>
+         Some chaining (i.e., type CNAME or DNAME) responses to upstream
+         queries could trigger assertion failures. This flaw is disclosed
+         in CVE-2017-3137. [RT #44734]
+       </para>
+      </listitem>
        <listitem>
         <para>
           <command>dns64</command> with <command>break-dnssec yes;</command>
           can result in an assertion failure. This flaw is disclosed in
-         CVE-2017-3136.[RT #44653]
+         CVE-2017-3136. [RT #44653]
         </para>
        </listitem>
        <listitem>
diff --git a/lib/dns/api b/lib/dns/api

index 2bbf23e8c44a7bd5b545ae8a89f32a45e20b9c5e..8fa2c191077362da3b04d791732feb6e863ec9de 100644 (file)
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -6,5 +6,5 @@
  # 9.9-sub: 130-139, 150-159
  # 9.10: 140-149, 160-169
  LIBINTERFACE = 165
-LIBREVISION = 5
+LIBREVISION = 6
  LIBAGE = 0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c

index c51667f30651b8e6c40c01ab3462aa8efed47a8a..2f9fe702a327a18a3aa84a4d4aa280c140b6b0ee 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6942,15 +6942,15 @@ answer_response(fetchctx_t *fctx) {
                                         rdataset->attributes |=
                                                 DNS_RDATASETATTR_CACHE;
                                         rdataset->trust = dns_trust_answer;
-                                       if (chaining == 0) {
+                                       if (external) {
                                                 /*
-                                                * This data is "the" answer
-                                                * to our question only if
-                                                * we're not chaining (i.e.
-                                                * if we haven't followed
-                                                * a CNAME or DNAME).
+                                                * This data is outside of
+                                                * our query domain, and
+                                                * may not be cached.
                                                  */
-                                               INSIST(!external);
+                                               rdataset->attributes |=
+                                                   DNS_RDATASETATTR_EXTERNAL;
+                                       } else if (chaining == 0) {
                                                 /*
                                                  * Don't use found_cname here
                                                  * as we have just set it
@@ -6972,14 +6972,6 @@ answer_response(fetchctx_t *fctx) {
                                                 if (aa)
                                                         rdataset->trust =
                                                           dns_trust_authanswer;
-                                       } else if (external) {
-                                               /*
-                                                * This data is outside of
-                                                * our query domain, and
-                                                * may not be cached.
-                                                */
-                                               rdataset->attributes |=
-                                                   DNS_RDATASETATTR_EXTERNAL;
                                         }
  
                                         /*
@@ -7154,15 +7146,12 @@ answer_response(fetchctx_t *fctx) {
                                  * If we are not chaining or the first CNAME
                                  * is a synthesised CNAME before the DNAME.
                                  */
-                               if ((chaining == 0) ||
-                                   (chaining == 1U && synthcname))
+                               if (external) {
+                                       rdataset->attributes |=
+                                           DNS_RDATASETATTR_EXTERNAL;
+                               } else if ((chaining == 0) ||
+                                          (chaining == 1U && synthcname))
                                 {
-                                       /*
-                                        * This data is "the" answer to
-                                        * our question only if we're
-                                        * not chaining.
-                                        */
-                                       INSIST(!external);
                                         if (aflag == DNS_RDATASETATTR_ANSWER) {
                                                 have_answer = ISC_TRUE;
                                                 found_dname = ISC_TRUE;
@@ -7179,9 +7168,6 @@ answer_response(fetchctx_t *fctx) {
                                         if (aa)
                                                 rdataset->trust =
                                                   dns_trust_authanswer;
-                               } else if (external) {
-                                       rdataset->attributes |=
-                                           DNS_RDATASETATTR_EXTERNAL;
                                 }
                         }
author	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 23:31:55 +0000 (15:31 -0800)
committer	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 23:34:25 +0000 (15:34 -0800)
CHANGES		patch \| blob \| blame \| history
README		patch \| blob \| blame \| history
doc/arm/notes.xml		patch \| blob \| blame \| history
lib/dns/api		patch \| blob \| blame \| history
lib/dns/resolver.c		patch \| blob \| blame \| history