[v9_9] remove unnecessary INSIST and prep 9.11.1rc2

author Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 23:26:55 +0000 (15:26 -0800)

committer Evan Hunt <each@isc.org>

Thu, 23 Feb 2017 23:26:55 +0000 (15:26 -0800)
author Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 23:26:55 +0000 (15:26 -0800)
committer Evan Hunt <each@isc.org>
Thu, 23 Feb 2017 23:26:55 +0000 (15:26 -0800)
diff --git a/CHANGES b/CHANGES

index c8fc3df60706919250d1372526a718a6a40da753..c07a382da1d4d50cc86386a981d8cac348a0fff3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-       --- 9.9.10 released ---
+       --- 9.9.10rc2 released ---
+
+4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
+                       queries could trigger assertion failures.
+                       (CVE-2017-3137) [RT #44734]
  
  4575.  [security]      DNS64 with "break-dnssec yes;" can result in an
                         assertion failure. (CVE-2017-3136) [RT #44653]
diff --git a/README b/README

index 42056c2ceb894153da1bffeb9f2aa2be1cb38e21..dbee412bb88800337cde58aefc50aca6d70d584e 100644 (file)
--- a/README
+++ b/README
@@ -56,7 +56,7 @@ BIND 9.9.10
         BIND 9.9.10 is a maintenance release and addresses the security
         flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
         CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
-       CVE-2017-3135, and CVE-2017-3136.
+       CVE-2017-3135, CVE-2017-3136, and CVE-2017-3137.
  
  BIND 9.9.91
  
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml

index fe63ec0ca9782262196ca16a1c2f0306b2b6620d..248a9310b3c27563d897b8ca5cf51dbd2e6cdabd 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -71,11 +71,18 @@
  
    <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
      <itemizedlist>
+      <listitem>
+       <para>
+         Some chaining (i.e., type CNAME or DNAME) responses to upstream
+         queries could trigger assertion failures. This flaw is disclosed
+         in CVE-2017-3137. [RT #44734]
+       </para>
+      </listitem>
        <listitem>
         <para>
           <command>dns64</command> with <command>break-dnssec yes;</command>
           can result in an assertion failure. This flaw is disclosed in
-         CVE-2017-3136.[RT #44653]
+         CVE-2017-3136. [RT #44653]
         </para>
        </listitem>
        <listitem>
diff --git a/lib/dns/api b/lib/dns/api

index 44bd6286910342e4973ae1f60bab8aa6f56e5a94..6caa8afca520254d3fd168b4e4ba528c95afdefb 100644 (file)
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -7,5 +7,5 @@
  # 9.10: 140-149, 170-179
  # 9.11: 160-169
  LIBINTERFACE = 173
-LIBREVISION = 0
+LIBREVISION = 1
  LIBAGE = 0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c

index c3f714c1425d0afe23bbd4d082f6cb3f8741bf46..9d82afa4c226ec6460bd06c7c821821248b70878 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6661,15 +6661,15 @@ answer_response(fetchctx_t *fctx) {
                                         rdataset->attributes |=
                                                 DNS_RDATASETATTR_CACHE;
                                         rdataset->trust = dns_trust_answer;
-                                       if (chaining == 0) {
+                                       if (external) {
                                                 /*
-                                                * This data is "the" answer
-                                                * to our question only if
-                                                * we're not chaining (i.e.
-                                                * if we haven't followed
-                                                * a CNAME or DNAME).
+                                                * This data is outside of
+                                                * our query domain, and
+                                                * may not be cached.
                                                  */
-                                               INSIST(!external);
+                                               rdataset->attributes |=
+                                                   DNS_RDATASETATTR_EXTERNAL;
+                                       } else if (chaining == 0) {
                                                 /*
                                                  * Don't use found_cname here
                                                  * as we have just set it
@@ -6691,14 +6691,6 @@ answer_response(fetchctx_t *fctx) {
                                                 if (aa)
                                                         rdataset->trust =
                                                           dns_trust_authanswer;
-                                       } else if (external) {
-                                               /*
-                                                * This data is outside of
-                                                * our query domain, and
-                                                * may not be cached.
-                                                */
-                                               rdataset->attributes |=
-                                                   DNS_RDATASETATTR_EXTERNAL;
                                         }
  
                                         /*
@@ -6873,15 +6865,12 @@ answer_response(fetchctx_t *fctx) {
                                  * If we are not chaining or the first CNAME
                                  * is a synthesised CNAME before the DNAME.
                                  */
-                               if ((chaining == 0) ||
-                                   (chaining == 1U && synthcname))
+                               if (external) {
+                                       rdataset->attributes |=
+                                           DNS_RDATASETATTR_EXTERNAL;
+                               } else if ((chaining == 0) ||
+                                          (chaining == 1U && synthcname))
                                 {
-                                       /*
-                                        * This data is "the" answer to
-                                        * our question only if we're
-                                        * not chaining.
-                                        */
-                                       INSIST(!external);
                                         if (aflag == DNS_RDATASETATTR_ANSWER) {
                                                 have_answer = ISC_TRUE;
                                                 found_dname = ISC_TRUE;
@@ -6898,9 +6887,6 @@ answer_response(fetchctx_t *fctx) {
                                         if (aa)
                                                 rdataset->trust =
                                                   dns_trust_authanswer;
-                               } else if (external) {
-                                       rdataset->attributes |=
-                                           DNS_RDATASETATTR_EXTERNAL;
                                 }
                         }
  
diff --git a/version b/version

index 4d215515a934de21297a87c8183eaa336251af7c..63a5eaad2b78f6557152208521a7a4e471fc2b02 100644 (file)
--- a/version
+++ b/version
@@ -6,6 +6,6 @@ DESCRIPTION="(Extended Support Version)"
  MAJORVER=9
  MINORVER=9
  PATCHVER=10
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=rc
+RELEASEVER=2
  EXTENSIONS=
author	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 23:26:55 +0000 (15:26 -0800)
committer	Evan Hunt <each@isc.org>
	Thu, 23 Feb 2017 23:26:55 +0000 (15:26 -0800)
CHANGES		patch \| blob \| blame \| history
README		patch \| blob \| blame \| history
doc/arm/notes.xml		patch \| blob \| blame \| history
lib/dns/api		patch \| blob \| blame \| history
lib/dns/resolver.c		patch \| blob \| blame \| history
version		patch \| blob \| blame \| history