From: W.C.A. Wijngaards Date: Wed, 20 May 2026 12:58:26 +0000 (+0200) Subject: - Fix in depth for serve-expired responses from cachedb, that it X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=9ce52de6c1051f0b0a75c0f4381faaea05bd6772;p=thirdparty%2Funbound.git - Fix in depth for serve-expired responses from cachedb, that it does not store bogus. Thanks to Qifan Zhang, Palo Alto Networks, for the report. --- diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c index c062d8274..8d5a4a3df 100644 --- a/cachedb/cachedb.c +++ b/cachedb/cachedb.c @@ -401,6 +401,12 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf) FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != LDNS_RCODE_YXDOMAIN) return 0; + /* Do not persist data the validator has not yet seen, or has rejected. + * Otherwise an expired blob could maybe reach clients via + * serve-expired. */ + if(qstate->env->need_to_validate && + qstate->return_msg->rep->security == sec_status_bogus) + return 0; /* We don't store the reply if its TTL is 0. This is probably coming * from upstream and it is not meant to be stored. */ if(qstate->return_msg->rep->ttl == 0) diff --git a/doc/Changelog b/doc/Changelog index 4ab7c95bc..58b865435 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -35,6 +35,9 @@ - Unit test for CVE-2026-42959. - Unit test for CVE-2026-40622. - Unit test for CVE-2026-42960. + - Fix in depth for serve-expired responses from cachedb, that it + does not store bogus. Thanks to Qifan Zhang, Palo Alto Networks, + for the report. 18 May 2026: Wouter - Fix for mixed class referrals, the resolver uses the query
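Review bot: in the cachedb.c hunk the new comment promises more than the condition enforces. The comment says "Do not persist data the validator has not yet seen, or has rejected", but the check only returns early for `qstate->return_msg->rep->security == sec_status_bogus`; a reply that the validator has not processed yet (security status unchecked) still passes and gets stored. Either extend the condition so that, when `qstate->env->need_to_validate` is set, anything other than a validated status is refused, or tighten the comment to what the code does, which is what the commit message and Changelog entry say: "does not store bogus". The phrase "could maybe reach clients" in the same comment should also be made definite, since the point of the change is precisely that an expired bogus blob would otherwise be eligible for serve-expired.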
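Review bot: the Changelog hunk sits directly under three "Unit test for CVE-..." entries but adds no test for this fix, and it says nothing about how to reproduce the condition (a bogus answer expiring in cachedb and being served via serve-expired). Since this is described as a defense-in-depth fix alongside those CVE tests, a companion unit test that stores a bogus response, lets it expire and checks that serve-expired does not return it would make the entry verifiable; "Fix in depth" would also read more clearly as "Defense-in-depth fix".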