diff --git a/backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch b/backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c70ec1a28c67ca0fb2b78abbf5b41aca4b2349a --- /dev/null +++ b/backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch @@ -0,0 +1,28 @@ +From b485d95c661606e07dd99dbfbd366538694114b0 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 3 Jun 2022 16:55:56 +1000 +Subject: [PATCH] Clone the message buffer before forwarding UPDATE messages + +this prevents named forwarding a buffer that may have been over +written. + +(cherry picked from commit 7a42417d61b4273a5819899232e4342b2ae79f03) +--- + lib/ns/update.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/ns/update.c b/lib/ns/update.c +index 067ff990bdc..c4bde3d4eb2 100644 +--- a/lib/ns/update.c ++++ b/lib/ns/update.c +@@ -1671,6 +1671,7 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, + CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), + "update forwarding", zonename, true, + false)); ++ dns_message_clonebuffer(client->message); + CHECK(send_forward_event(client, zone)); + break; + default: +-- +GitLab + diff --git a/backport-Fix-fetch-context-use-after-free-bugs.patch b/backport-Fix-fetch-context-use-after-free-bugs.patch new file mode 100644 index 0000000000000000000000000000000000000000..1f3049236657fd3535b2d2172e52511c23ae59a6 --- /dev/null +++ b/backport-Fix-fetch-context-use-after-free-bugs.patch @@ -0,0 +1,95 @@ +From 6505056267dffada1d0fa326f318b241f4b64747 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Fri, 8 Jul 2022 11:26:34 +0200 +Subject: [PATCH] Fix fetch context use-after-free bugs + +fctx_decreference() may call fctx_destroy(), which in turn may free the +fetch context by calling isc_mem_putanddetach(). This means that +whenever fctx_decreference() is called, the fetch context pointer should +be assumed to point to garbage after that call. Meanwhile, the +following pattern is used in several places in lib/dns/resolver.c: + + LOCK(&res->buckets[fctx->bucketnum].lock); + bucket_empty = fctx_decreference(fctx); + UNLOCK(&res->buckets[fctx->bucketnum].lock); + +Given that 'fctx' may be freed by the fctx_decreference() call, there is +no guarantee that the value of fctx->bucketnum will be the same before +and after the fctx_decreference() call. This can cause all kinds of +locking issues as LOCK() calls no longer match up with their UNLOCK() +counterparts. + +Fix by always using a helper variable to hold the bucket number when the +pattern above is used. + +Note that fctx_try() still uses 'fctx' after calling fctx_decreference() +(it calls fctx_done()). This is safe to do because the reference count +for 'fctx' is increased a few lines earlier and it also cannot be zero +right before that increase happens, so the fctx_decreference() call in +that particular location never invokes fctx_destroy(). Nevertheless, +use a helper variable for that call site as well, to retain consistency +and to prevent copy-pasted code from causing similar problems in the +future. +--- + lib/dns/resolver.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 15297024c0e..154248ec891 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -4357,9 +4357,9 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { + options, 0, fctx->qc, task, resume_qmin, fctx, + &fctx->qminrrset, NULL, &fctx->qminfetch); + if (result != ISC_R_SUCCESS) { +- LOCK(&fctx->res->buckets[fctx->bucketnum].lock); ++ LOCK(&res->buckets[bucketnum].lock); + RUNTIME_CHECK(!fctx_decreference(fctx)); +- UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); ++ UNLOCK(&res->buckets[bucketnum].lock); + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); + } + return; +@@ -6138,9 +6138,9 @@ cleanup_event: + dns_message_detach(&message); + isc_event_free(&event); + +- LOCK(&res->buckets[fctx->bucketnum].lock); ++ LOCK(&res->buckets[bucketnum].lock); + bucket_empty = fctx_decreference(fctx); +- UNLOCK(&res->buckets[fctx->bucketnum].lock); ++ UNLOCK(&res->buckets[bucketnum].lock); + if (bucket_empty) { + empty_bucket(res); + } +@@ -7528,6 +7528,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { + dns_resolver_t *res; + fetchctx_t *fctx; + isc_result_t result; ++ uint32_t bucketnum; + bool bucket_empty; + dns_rdataset_t nameservers; + dns_fixedname_t fixed; +@@ -7538,6 +7539,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { + fctx = event->ev_arg; + REQUIRE(VALID_FCTX(fctx)); + res = fctx->res; ++ bucketnum = fctx->bucketnum; + + UNUSED(task); + FCTXTRACE("resume_dslookup"); +@@ -7665,9 +7667,9 @@ cleanup: + if (dns_rdataset_isassociated(&nameservers)) { + dns_rdataset_disassociate(&nameservers); + } +- LOCK(&res->buckets[fctx->bucketnum].lock); ++ LOCK(&res->buckets[bucketnum].lock); + bucket_empty = fctx_decreference(fctx); +- UNLOCK(&res->buckets[fctx->bucketnum].lock); ++ UNLOCK(&res->buckets[bucketnum].lock); + if (bucket_empty) { + empty_bucket(res); + } +-- +GitLab + diff --git a/backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch b/backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb1ab532d44d2ba7ec6629d63b09be1971e9c01f --- /dev/null +++ b/backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch @@ -0,0 +1,107 @@ +From f8ad7501dcc3a4008764c5bdd78ae65622c8b905 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Wed, 20 Jul 2022 11:22:01 +0200 +Subject: [PATCH] Fix rndc dumpdb -expired for stuck cache contents + +The command 'rndc dumpdb -expired' will include expired RRsets in the +output, but only for the RBTDB_VIRTUAL time (of 5 minutes). This means +that if there is a cache cleaning problem and contents are not cleaned +up, the rndc command has little diagnostic value. Fix this by including +all RRsets in the dumpdb output if the '-expired' flag is set. + +(cherry picked from commit 930ba2c914a0abc07fd087d663a7bfb57850d4ca) +--- + lib/dns/rbtdb.c | 43 +++++++------------------------------------ + 1 file changed, 7 insertions(+), 36 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index 87944980ec0..75832e32085 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -9102,15 +9102,10 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { + dns_rbtnode_t *rbtnode = rbtiterator->common.node; + rbtdb_version_t *rbtversion = rbtiterator->common.version; + rdatasetheader_t *header, *top_next; +- rbtdb_serial_t serial; +- isc_stdtime_t now; ++ rbtdb_serial_t serial = 1; + +- if (IS_CACHE(rbtdb)) { +- serial = 1; +- now = rbtiterator->common.now; +- } else { ++ if (!IS_CACHE(rbtdb)) { + serial = rbtversion->serial; +- now = 0; + } + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, +@@ -9122,19 +9117,9 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { + if (header->serial <= serial && !IGNORE(header)) { + /* + * Is this a "this rdataset doesn't exist" +- * record? Or is it too old in the cache? +- * +- * Note: unlike everywhere else, we +- * check for now > header->rdh_ttl instead +- * of ">=". This allows ANY and RRSIG +- * queries for 0 TTL rdatasets to work. ++ * record? + */ +- if (NONEXISTENT(header) || +- (now != 0 && +- (now - RBTDB_VIRTUAL) > +- header->rdh_ttl + +- rbtdb->serve_stale_ttl)) +- { ++ if (NONEXISTENT(header)) { + header = NULL; + } + break; +@@ -9166,22 +9151,17 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) { + dns_rbtnode_t *rbtnode = rbtiterator->common.node; + rbtdb_version_t *rbtversion = rbtiterator->common.version; + rdatasetheader_t *header, *top_next; +- rbtdb_serial_t serial; +- isc_stdtime_t now; + rbtdb_rdatatype_t type, negtype; + dns_rdatatype_t rdtype, covers; ++ rbtdb_serial_t serial = 1; + + header = rbtiterator->current; + if (header == NULL) { + return (ISC_R_NOMORE); + } + +- if (IS_CACHE(rbtdb)) { +- serial = 1; +- now = rbtiterator->common.now; +- } else { ++ if (!IS_CACHE(rbtdb)) { + serial = rbtversion->serial; +- now = 0; + } + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, +@@ -9207,17 +9187,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) { + /* + * Is this a "this rdataset doesn't + * exist" record? +- * +- * Note: unlike everywhere else, we +- * check for now > header->ttl instead +- * of ">=". This allows ANY and RRSIG +- * queries for 0 TTL rdatasets to work. + */ +- if (NONEXISTENT(header) || +- (now != 0 && +- (now - RBTDB_VIRTUAL) > +- header->rdh_ttl)) +- { ++ if (NONEXISTENT(header)) { + header = NULL; + } + break; +-- +GitLab + diff --git a/backport-Fix-tkey-buildquery-function-s-error-handling.patch b/backport-Fix-tkey-buildquery-function-s-error-handling.patch new file mode 100644 index 0000000000000000000000000000000000000000..666c931a8723f3ecd0a188435b6451a834ae50f0 --- /dev/null +++ b/backport-Fix-tkey-buildquery-function-s-error-handling.patch @@ -0,0 +1,38 @@ +From eb72c81e6ac422f2332c6e8410461b3c0c9067b2 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 15 Aug 2022 11:40:21 +0000 +Subject: [PATCH] Fix tkey.c:buildquery() function's error handling + +Add the missing cleanup code. + +(cherry picked from commit 4237ab9550eeaea7121e3e3392fd14c26b5150f0) +--- + lib/dns/tkey.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index 9259a513188..2ca78b8bd9b 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -1019,6 +1019,18 @@ failure: + if (dynbuf != NULL) { + isc_buffer_free(&dynbuf); + } ++ if (rdata != NULL) { ++ dns_message_puttemprdata(msg, &rdata); ++ } ++ if (tkeylist != NULL) { ++ dns_message_puttemprdatalist(msg, &tkeylist); ++ } ++ if (tkeyset != NULL) { ++ if (dns_rdataset_isassociated(tkeyset)) { ++ dns_rdataset_disassociate(tkeyset); ++ } ++ dns_message_puttemprdataset(msg, &tkeyset); ++ } + return (result); + } + +-- +GitLab + diff --git a/backport-Increase-the-BUFSIZ-long-buffers.patch b/backport-Increase-the-BUFSIZ-long-buffers.patch new file mode 100644 index 0000000000000000000000000000000000000000..0024ff66c061b5cd9361620267ca5ea852d21ed9 --- /dev/null +++ b/backport-Increase-the-BUFSIZ-long-buffers.patch @@ -0,0 +1,123 @@ +From c1b8f5f30c602fd39f0f92523485587c3c32708d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Thu, 14 Jul 2022 13:48:45 +0200 +Subject: [PATCH] Increase the BUFSIZ-long buffers + +The BUFSIZ value varies between platforms, it could be 8K on Linux and +512 bytes on mingw. Make sure the buffers are always big enough for the +output data to prevent truncation of the output by appropriately +enlarging or sizing the buffers. + +(cherry picked from commit b19d932262e84608174cb89eeed32ae0212f8a87) +--- + bin/named/server.c | 7 ++++++- + bin/tests/system/feature-test.c | 13 +++++-------- + lib/dns/private.c | 3 ++- + lib/ns/client.c | 7 ++++++- + 4 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index d3595c37a19..c339cfbc54b 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -14582,7 +14582,12 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, + result = dns_rdataset_next(&privset)) + { + dns_rdata_t priv = DNS_RDATA_INIT; +- char output[BUFSIZ]; ++ /* ++ * In theory, the output buffer could hold a full RDATA ++ * record which is 16-bit and then some text around ++ * it ++ */ ++ char output[UINT16_MAX + BUFSIZ]; + isc_buffer_t buf; + + dns_rdataset_current(&privset, &priv); +diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c +index 4f422323434..99e1b80bb1d 100644 +--- a/bin/tests/system/feature-test.c ++++ b/bin/tests/system/feature-test.c +@@ -11,6 +11,7 @@ + * information regarding copyright ownership. + */ + ++#include + #include + #include + #include +@@ -26,13 +27,9 @@ + #include + #endif /* ifdef WIN32 */ + +-#ifndef MAXHOSTNAMELEN +-#ifdef HOST_NAME_MAX +-#define MAXHOSTNAMELEN HOST_NAME_MAX +-#else /* ifdef HOST_NAME_MAX */ +-#define MAXHOSTNAMELEN 256 +-#endif /* ifdef HOST_NAME_MAX */ +-#endif /* ifndef MAXHOSTNAMELEN */ ++#ifndef _POSIX_HOST_NAME_MAX ++#define _POSIX_HOST_NAME_MAX 255 ++#endif + + static void + usage() { +@@ -86,7 +83,7 @@ main(int argc, char **argv) { + } + + if (strcmp(argv[1], "--gethostname") == 0) { +- char hostname[MAXHOSTNAMELEN]; ++ char hostname[_POSIX_HOST_NAME_MAX + 1]; + int n; + #ifdef WIN32 + /* From InitSocket() */ +diff --git a/lib/dns/private.c b/lib/dns/private.c +index 58deda095a9..cbf947f8ccc 100644 +--- a/lib/dns/private.c ++++ b/lib/dns/private.c +@@ -383,7 +383,8 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) { + } else if (private->length == 5) { + unsigned char alg = private->data[0]; + dns_keytag_t keyid = (private->data[2] | private->data[1] << 8); +- char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE]; ++ char keybuf[DNS_SECALG_FORMATSIZE + BUFSIZ], ++ algbuf[DNS_SECALG_FORMATSIZE]; + bool del = private->data[3]; + bool complete = private->data[4]; + +diff --git a/lib/ns/client.c b/lib/ns/client.c +index bf60746642d..54c35986b85 100644 +--- a/lib/ns/client.c ++++ b/lib/ns/client.c +@@ -12,6 +12,7 @@ + */ + + #include ++#include + #include + + #include +@@ -64,6 +65,10 @@ + #include + #include + ++#ifndef _POSIX_HOST_NAME_MAX ++#define _POSIX_HOST_NAME_MAX 255 ++#endif ++ + /*** + *** Client + ***/ +@@ -918,7 +923,7 @@ isc_result_t + ns_client_addopt(ns_client_t *client, dns_message_t *message, + dns_rdataset_t **opt) { + unsigned char ecs[ECS_SIZE]; +- char nsid[BUFSIZ], *nsidp; ++ char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL; + unsigned char cookie[COOKIE_SIZE]; + isc_result_t result; + dns_view_t *view; +-- +GitLab + diff --git a/backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch b/backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch new file mode 100644 index 0000000000000000000000000000000000000000..59ccdc7b3858034fede0f14764c54733bf753e0e --- /dev/null +++ b/backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch @@ -0,0 +1,67 @@ +From 0d5e0867df94c05b7523b89e0a4135c0cec728e1 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Mon, 11 Jul 2022 10:30:44 +0200 +Subject: [PATCH] Inherit dnssec-policy in check for inline-signing + +When dnssec-policy is used, and the zone is not dynamic, BIND will +assume that the zone is inline-signed. But the function responsible +for this did not inherit the dnssec-policy option from the view or +options level, and thus never enabled inline-signing, while the zone +should have been. + +This is fixed by this commit. + +(cherry picked from commit 576b21b1682605a7d04e51c8a7721180f828b2d7) +--- + bin/named/zoneconf.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index 7a414201709..d1d45d818bc 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -2171,6 +2171,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, + const cfg_obj_t *updatepolicy = NULL; + bool zone_is_dynamic = false; + bool inline_signing = false; ++ bool dnssec_policy = false; + + (void)cfg_map_get(config, "options", &options); + +@@ -2222,16 +2223,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, + * inline-signing. + */ + signing = NULL; +- if (!inline_signing && !zone_is_dynamic && +- cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS && +- signing != NULL) +- { +- if (strcmp(cfg_obj_asstring(signing), "none") != 0) { +- inline_signing = true; +- dns_zone_log(zone, ISC_LOG_DEBUG(1), +- "inline-signing: " +- "implicitly through dnssec-policy"); +- } ++ res = cfg_map_get(zoptions, "dnssec-policy", &signing); ++ if (res != ISC_R_SUCCESS && voptions != NULL) { ++ res = cfg_map_get(voptions, "dnssec-policy", &signing); ++ } ++ if (res != ISC_R_SUCCESS && options != NULL) { ++ res = cfg_map_get(options, "dnssec-policy", &signing); ++ } ++ if (res == ISC_R_SUCCESS) { ++ dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") != ++ 0); ++ } ++ ++ if (!inline_signing && !zone_is_dynamic && dnssec_policy) { ++ inline_signing = true; ++ dns_zone_log(zone, ISC_LOG_DEBUG(1), ++ "inline-signing: " ++ "implicitly through dnssec-policy"); + } + + return (inline_signing); +-- +GitLab + diff --git a/backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch b/backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch new file mode 100644 index 0000000000000000000000000000000000000000..3fb43686d42999520bce1395c8a71ed7a46daf53 --- /dev/null +++ b/backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch @@ -0,0 +1,80 @@ +From 111b215987a1cccc2e55a0fea4d8621103d9de9f Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Wed, 13 Jul 2022 10:28:59 +0200 +Subject: [PATCH] Reject zones with TTL higher than dnssec-policy max-zone-ttl + +Reject loading of zones with TTL higher than the max-zone-ttl +from the dnssec-policy. + +With this change, any zone with a dnssec-policy in use will ignore +the max-zone-ttl option in zone/view/options. +--- + bin/named/zoneconf.c | 38 +++++++++++++++++--------------------- + 1 file changed, 17 insertions(+), 21 deletions(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index d1d45d818bc..c918d0ac248 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -897,6 +897,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + dns_stats_t *dnssecsignstats; + dns_zonestat_level_t statlevel = dns_zonestat_none; + int seconds; ++ dns_ttl_t maxttl = 0; /* unlimited */ + dns_zone_t *mayberaw = (raw != NULL) ? raw : zone; + isc_dscp_t dscp; + +@@ -1060,27 +1061,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + } + } + +- obj = NULL; +- result = named_config_get(maps, "max-zone-ttl", &obj); +- if (result == ISC_R_SUCCESS && masterformat == dns_masterformat_map) { +- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, +- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, +- "zone '%s': 'max-zone-ttl' is not compatible " +- "with 'masterfile-format map'", +- zname); +- return (ISC_R_FAILURE); +- } else if (result == ISC_R_SUCCESS) { +- dns_ttl_t maxttl = 0; /* unlimited */ +- +- if (cfg_obj_isduration(obj)) { +- maxttl = cfg_obj_asduration(obj); +- } +- dns_zone_setmaxttl(zone, maxttl); +- if (raw != NULL) { +- dns_zone_setmaxttl(raw, maxttl); +- } +- } +- + obj = NULL; + result = named_config_get(maps, "max-records", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +@@ -1534,6 +1514,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + dns_zone_setjournalsize(zone, journal_size); + } + ++ if (use_kasp) { ++ maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone)); ++ } else { ++ obj = NULL; ++ result = named_config_get(maps, "max-zone-ttl", &obj); ++ if (result == ISC_R_SUCCESS) { ++ if (cfg_obj_isduration(obj)) { ++ maxttl = cfg_obj_asduration(obj); ++ } ++ } ++ } ++ dns_zone_setmaxttl(zone, maxttl); ++ if (raw != NULL) { ++ dns_zone_setmaxttl(raw, maxttl); ++ } ++ + /* + * Configure update-related options. These apply to + * primary servers only. +-- +GitLab + diff --git a/backport-disassociate-rdatasets-when-cleaning-up.patch b/backport-disassociate-rdatasets-when-cleaning-up.patch new file mode 100644 index 0000000000000000000000000000000000000000..3baa3f5546c6771f38b351c222de44beae74fec8 --- /dev/null +++ b/backport-disassociate-rdatasets-when-cleaning-up.patch @@ -0,0 +1,31 @@ +From f2855facbeb19c51befed1c858f4d28b8306f886 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 21 Dec 2021 12:44:17 +1100 +Subject: [PATCH] disassociate rdatasets when cleaning up + +free_namelist could be passed names with associated rdatasets +when handling errors. These need to be disassociated before +calling dns_message_puttemprdataset. + +(cherry picked from commit 745d5edc3a8ca6f232b2d700ae076c2caee2bfc5) +--- + lib/dns/tkey.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index e6e44526a9c..9259a513188 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -226,6 +226,9 @@ free_namelist(dns_message_t *msg, dns_namelist_t *namelist) { + while (!ISC_LIST_EMPTY(name->list)) { + set = ISC_LIST_HEAD(name->list); + ISC_LIST_UNLINK(name->list, set, link); ++ if (dns_rdataset_isassociated(set)) { ++ dns_rdataset_disassociate(set); ++ } + dns_message_puttemprdataset(msg, &set); + } + dns_message_puttempname(msg, &name); +-- +GitLab + diff --git a/backport-dont-enabled-serve-stale-on-duplicate-queries.patch b/backport-dont-enabled-serve-stale-on-duplicate-queries.patch new file mode 100644 index 0000000000000000000000000000000000000000..58917c624e9a2e3adf58e12547c9e2d1f675f8ca --- /dev/null +++ b/backport-dont-enabled-serve-stale-on-duplicate-queries.patch @@ -0,0 +1,36 @@ +From dd7dde5743715dc0dec2defbb92b1a8637977bf9 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 2 Aug 2022 14:21:40 +0200 +Subject: [PATCH] Don't enable serve-stale on duplicate queries + +When checking if we should enable serve-stale, add an early out case +when the result is an error signalling a duplicate query or a query +that would be dropped. + +(cherry picked from commit 059a4c2f4d9d3cff371842f43208d021509314fa) +--- + lib/ns/query.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ns/query.c b/lib/ns/query.c +index d0f025dbb9a..1bf36fea283 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -7230,6 +7230,14 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) { + return (false); + } + ++ if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) { ++ /* ++ * Don't enable serve-stale if the result signals a duplicate ++ * query or query that is being dropped. ++ */ ++ return (false); ++ } ++ + qctx_clean(qctx); + qctx_freedata(qctx); + +-- +GitLab + diff --git a/bind.spec b/bind.spec index e87e86f47b6552f28518876d763d08c8346824a4..b681a0e8a67e146c74a6e993a8b678a0be76c3c9 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 12 +Release: 13 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -157,6 +157,15 @@ Patch6083:backport-0043-Check-for-overflow-in-GENERATE-computations.patch Patch6084:backport-0043-Tighten-GENERATE-directive-parsing.patch Patch6085:backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch Patch6086:backport-0045-Move-setting-the-sock-write_timeout-to-the-async_-se.patch +Patch6087:backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch +Patch6088:backport-disassociate-rdatasets-when-cleaning-up.patch +Patch6089:backport-dont-enabled-serve-stale-on-duplicate-queries.patch +Patch6090:backport-Fix-fetch-context-use-after-free-bugs.patch +Patch6091:backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch +Patch6092:backport-Fix-tkey-buildquery-function-s-error-handling.patch +Patch6093:backport-Increase-the-BUFSIZ-long-buffers.patch +Patch6094:backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch +Patch6095:backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch Patch6002:backport-CVE-2022-2795.patch Patch6003:backport-CVE-2022-3080.patch @@ -1173,6 +1182,12 @@ fi; %endif %changelog +* Wed Dec 28 2022 huangyu - 32:9.16.23-13 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: backport some patches from community + * Sat Nov 26 2022 jiangheng - 32:9.16.23-12 - Type:bugfix - CVE:NA