diff --git a/backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch b/backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c70ec1a28c67ca0fb2b78abbf5b41aca4b2349a --- /dev/null +++ b/backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch @@ -0,0 +1,28 @@ +From b485d95c661606e07dd99dbfbd366538694114b0 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 3 Jun 2022 16:55:56 +1000 +Subject: [PATCH] Clone the message buffer before forwarding UPDATE messages + +this prevents named forwarding a buffer that may have been over +written. + +(cherry picked from commit 7a42417d61b4273a5819899232e4342b2ae79f03) +--- + lib/ns/update.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/ns/update.c b/lib/ns/update.c +index 067ff990bdc..c4bde3d4eb2 100644 +--- a/lib/ns/update.c ++++ b/lib/ns/update.c +@@ -1671,6 +1671,7 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, + CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), + "update forwarding", zonename, true, + false)); ++ dns_message_clonebuffer(client->message); + CHECK(send_forward_event(client, zone)); + break; + default: +-- +GitLab + diff --git a/backport-Fix-fetch-context-use-after-free-bugs.patch b/backport-Fix-fetch-context-use-after-free-bugs.patch new file mode 100644 index 0000000000000000000000000000000000000000..1f3049236657fd3535b2d2172e52511c23ae59a6 --- /dev/null +++ b/backport-Fix-fetch-context-use-after-free-bugs.patch @@ -0,0 +1,95 @@ +From 6505056267dffada1d0fa326f318b241f4b64747 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Fri, 8 Jul 2022 11:26:34 +0200 +Subject: [PATCH] Fix fetch context use-after-free bugs + +fctx_decreference() may call fctx_destroy(), which in turn may free the +fetch context by calling isc_mem_putanddetach(). This means that +whenever fctx_decreference() is called, the fetch context pointer should +be assumed to point to garbage after that call. Meanwhile, the +following pattern is used in several places in lib/dns/resolver.c: + + LOCK(&res->buckets[fctx->bucketnum].lock); + bucket_empty = fctx_decreference(fctx); + UNLOCK(&res->buckets[fctx->bucketnum].lock); + +Given that 'fctx' may be freed by the fctx_decreference() call, there is +no guarantee that the value of fctx->bucketnum will be the same before +and after the fctx_decreference() call. This can cause all kinds of +locking issues as LOCK() calls no longer match up with their UNLOCK() +counterparts. + +Fix by always using a helper variable to hold the bucket number when the +pattern above is used. + +Note that fctx_try() still uses 'fctx' after calling fctx_decreference() +(it calls fctx_done()). This is safe to do because the reference count +for 'fctx' is increased a few lines earlier and it also cannot be zero +right before that increase happens, so the fctx_decreference() call in +that particular location never invokes fctx_destroy(). Nevertheless, +use a helper variable for that call site as well, to retain consistency +and to prevent copy-pasted code from causing similar problems in the +future. +--- + lib/dns/resolver.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 15297024c0e..154248ec891 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -4357,9 +4357,9 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { + options, 0, fctx->qc, task, resume_qmin, fctx, + &fctx->qminrrset, NULL, &fctx->qminfetch); + if (result != ISC_R_SUCCESS) { +- LOCK(&fctx->res->buckets[fctx->bucketnum].lock); ++ LOCK(&res->buckets[bucketnum].lock); + RUNTIME_CHECK(!fctx_decreference(fctx)); +- UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); ++ UNLOCK(&res->buckets[bucketnum].lock); + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); + } + return; +@@ -6138,9 +6138,9 @@ cleanup_event: + dns_message_detach(&message); + isc_event_free(&event); + +- LOCK(&res->buckets[fctx->bucketnum].lock); ++ LOCK(&res->buckets[bucketnum].lock); + bucket_empty = fctx_decreference(fctx); +- UNLOCK(&res->buckets[fctx->bucketnum].lock); ++ UNLOCK(&res->buckets[bucketnum].lock); + if (bucket_empty) { + empty_bucket(res); + } +@@ -7528,6 +7528,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { + dns_resolver_t *res; + fetchctx_t *fctx; + isc_result_t result; ++ uint32_t bucketnum; + bool bucket_empty; + dns_rdataset_t nameservers; + dns_fixedname_t fixed; +@@ -7538,6 +7539,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) { + fctx = event->ev_arg; + REQUIRE(VALID_FCTX(fctx)); + res = fctx->res; ++ bucketnum = fctx->bucketnum; + + UNUSED(task); + FCTXTRACE("resume_dslookup"); +@@ -7665,9 +7667,9 @@ cleanup: + if (dns_rdataset_isassociated(&nameservers)) { + dns_rdataset_disassociate(&nameservers); + } +- LOCK(&res->buckets[fctx->bucketnum].lock); ++ LOCK(&res->buckets[bucketnum].lock); + bucket_empty = fctx_decreference(fctx); +- UNLOCK(&res->buckets[fctx->bucketnum].lock); ++ UNLOCK(&res->buckets[bucketnum].lock); + if (bucket_empty) { + empty_bucket(res); + } +-- +GitLab + diff --git a/backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch b/backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb1ab532d44d2ba7ec6629d63b09be1971e9c01f --- /dev/null +++ b/backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch @@ -0,0 +1,107 @@ +From f8ad7501dcc3a4008764c5bdd78ae65622c8b905 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Wed, 20 Jul 2022 11:22:01 +0200 +Subject: [PATCH] Fix rndc dumpdb -expired for stuck cache contents + +The command 'rndc dumpdb -expired' will include expired RRsets in the +output, but only for the RBTDB_VIRTUAL time (of 5 minutes). This means +that if there is a cache cleaning problem and contents are not cleaned +up, the rndc command has little diagnostic value. Fix this by including +all RRsets in the dumpdb output if the '-expired' flag is set. + +(cherry picked from commit 930ba2c914a0abc07fd087d663a7bfb57850d4ca) +--- + lib/dns/rbtdb.c | 43 +++++++------------------------------------ + 1 file changed, 7 insertions(+), 36 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index 87944980ec0..75832e32085 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -9102,15 +9102,10 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { + dns_rbtnode_t *rbtnode = rbtiterator->common.node; + rbtdb_version_t *rbtversion = rbtiterator->common.version; + rdatasetheader_t *header, *top_next; +- rbtdb_serial_t serial; +- isc_stdtime_t now; ++ rbtdb_serial_t serial = 1; + +- if (IS_CACHE(rbtdb)) { +- serial = 1; +- now = rbtiterator->common.now; +- } else { ++ if (!IS_CACHE(rbtdb)) { + serial = rbtversion->serial; +- now = 0; + } + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, +@@ -9122,19 +9117,9 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) { + if (header->serial <= serial && !IGNORE(header)) { + /* + * Is this a "this rdataset doesn't exist" +- * record? Or is it too old in the cache? +- * +- * Note: unlike everywhere else, we +- * check for now > header->rdh_ttl instead +- * of ">=". This allows ANY and RRSIG +- * queries for 0 TTL rdatasets to work. ++ * record? + */ +- if (NONEXISTENT(header) || +- (now != 0 && +- (now - RBTDB_VIRTUAL) > +- header->rdh_ttl + +- rbtdb->serve_stale_ttl)) +- { ++ if (NONEXISTENT(header)) { + header = NULL; + } + break; +@@ -9166,22 +9151,17 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) { + dns_rbtnode_t *rbtnode = rbtiterator->common.node; + rbtdb_version_t *rbtversion = rbtiterator->common.version; + rdatasetheader_t *header, *top_next; +- rbtdb_serial_t serial; +- isc_stdtime_t now; + rbtdb_rdatatype_t type, negtype; + dns_rdatatype_t rdtype, covers; ++ rbtdb_serial_t serial = 1; + + header = rbtiterator->current; + if (header == NULL) { + return (ISC_R_NOMORE); + } + +- if (IS_CACHE(rbtdb)) { +- serial = 1; +- now = rbtiterator->common.now; +- } else { ++ if (!IS_CACHE(rbtdb)) { + serial = rbtversion->serial; +- now = 0; + } + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, +@@ -9207,17 +9187,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) { + /* + * Is this a "this rdataset doesn't + * exist" record? +- * +- * Note: unlike everywhere else, we +- * check for now > header->ttl instead +- * of ">=". This allows ANY and RRSIG +- * queries for 0 TTL rdatasets to work. + */ +- if (NONEXISTENT(header) || +- (now != 0 && +- (now - RBTDB_VIRTUAL) > +- header->rdh_ttl)) +- { ++ if (NONEXISTENT(header)) { + header = NULL; + } + break; +-- +GitLab + diff --git a/backport-Fix-tkey-buildquery-function-s-error-handling.patch b/backport-Fix-tkey-buildquery-function-s-error-handling.patch new file mode 100644 index 0000000000000000000000000000000000000000..666c931a8723f3ecd0a188435b6451a834ae50f0 --- /dev/null +++ b/backport-Fix-tkey-buildquery-function-s-error-handling.patch @@ -0,0 +1,38 @@ +From eb72c81e6ac422f2332c6e8410461b3c0c9067b2 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 15 Aug 2022 11:40:21 +0000 +Subject: [PATCH] Fix tkey.c:buildquery() function's error handling + +Add the missing cleanup code. + +(cherry picked from commit 4237ab9550eeaea7121e3e3392fd14c26b5150f0) +--- + lib/dns/tkey.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index 9259a513188..2ca78b8bd9b 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -1019,6 +1019,18 @@ failure: + if (dynbuf != NULL) { + isc_buffer_free(&dynbuf); + } ++ if (rdata != NULL) { ++ dns_message_puttemprdata(msg, &rdata); ++ } ++ if (tkeylist != NULL) { ++ dns_message_puttemprdatalist(msg, &tkeylist); ++ } ++ if (tkeyset != NULL) { ++ if (dns_rdataset_isassociated(tkeyset)) { ++ dns_rdataset_disassociate(tkeyset); ++ } ++ dns_message_puttemprdataset(msg, &tkeyset); ++ } + return (result); + } + +-- +GitLab + diff --git a/backport-Increase-the-BUFSIZ-long-buffers.patch b/backport-Increase-the-BUFSIZ-long-buffers.patch new file mode 100644 index 0000000000000000000000000000000000000000..0024ff66c061b5cd9361620267ca5ea852d21ed9 --- /dev/null +++ b/backport-Increase-the-BUFSIZ-long-buffers.patch @@ -0,0 +1,123 @@ +From c1b8f5f30c602fd39f0f92523485587c3c32708d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Thu, 14 Jul 2022 13:48:45 +0200 +Subject: [PATCH] Increase the BUFSIZ-long buffers + +The BUFSIZ value varies between platforms, it could be 8K on Linux and +512 bytes on mingw. Make sure the buffers are always big enough for the +output data to prevent truncation of the output by appropriately +enlarging or sizing the buffers. + +(cherry picked from commit b19d932262e84608174cb89eeed32ae0212f8a87) +--- + bin/named/server.c | 7 ++++++- + bin/tests/system/feature-test.c | 13 +++++-------- + lib/dns/private.c | 3 ++- + lib/ns/client.c | 7 ++++++- + 4 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index d3595c37a19..c339cfbc54b 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -14582,7 +14582,12 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, + result = dns_rdataset_next(&privset)) + { + dns_rdata_t priv = DNS_RDATA_INIT; +- char output[BUFSIZ]; ++ /* ++ * In theory, the output buffer could hold a full RDATA ++ * record which is 16-bit and then some text around ++ * it ++ */ ++ char output[UINT16_MAX + BUFSIZ]; + isc_buffer_t buf; + + dns_rdataset_current(&privset, &priv); +diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c +index 4f422323434..99e1b80bb1d 100644 +--- a/bin/tests/system/feature-test.c ++++ b/bin/tests/system/feature-test.c +@@ -11,6 +11,7 @@ + * information regarding copyright ownership. + */ + ++#include + #include + #include + #include +@@ -26,13 +27,9 @@ + #include + #endif /* ifdef WIN32 */ + +-#ifndef MAXHOSTNAMELEN +-#ifdef HOST_NAME_MAX +-#define MAXHOSTNAMELEN HOST_NAME_MAX +-#else /* ifdef HOST_NAME_MAX */ +-#define MAXHOSTNAMELEN 256 +-#endif /* ifdef HOST_NAME_MAX */ +-#endif /* ifndef MAXHOSTNAMELEN */ ++#ifndef _POSIX_HOST_NAME_MAX ++#define _POSIX_HOST_NAME_MAX 255 ++#endif + + static void + usage() { +@@ -86,7 +83,7 @@ main(int argc, char **argv) { + } + + if (strcmp(argv[1], "--gethostname") == 0) { +- char hostname[MAXHOSTNAMELEN]; ++ char hostname[_POSIX_HOST_NAME_MAX + 1]; + int n; + #ifdef WIN32 + /* From InitSocket() */ +diff --git a/lib/dns/private.c b/lib/dns/private.c +index 58deda095a9..cbf947f8ccc 100644 +--- a/lib/dns/private.c ++++ b/lib/dns/private.c +@@ -383,7 +383,8 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) { + } else if (private->length == 5) { + unsigned char alg = private->data[0]; + dns_keytag_t keyid = (private->data[2] | private->data[1] << 8); +- char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE]; ++ char keybuf[DNS_SECALG_FORMATSIZE + BUFSIZ], ++ algbuf[DNS_SECALG_FORMATSIZE]; + bool del = private->data[3]; + bool complete = private->data[4]; + +diff --git a/lib/ns/client.c b/lib/ns/client.c +index bf60746642d..54c35986b85 100644 +--- a/lib/ns/client.c ++++ b/lib/ns/client.c +@@ -12,6 +12,7 @@ + */ + + #include ++#include + #include + + #include +@@ -64,6 +65,10 @@ + #include + #include + ++#ifndef _POSIX_HOST_NAME_MAX ++#define _POSIX_HOST_NAME_MAX 255 ++#endif ++ + /*** + *** Client + ***/ +@@ -918,7 +923,7 @@ isc_result_t + ns_client_addopt(ns_client_t *client, dns_message_t *message, + dns_rdataset_t **opt) { + unsigned char ecs[ECS_SIZE]; +- char nsid[BUFSIZ], *nsidp; ++ char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL; + unsigned char cookie[COOKIE_SIZE]; + isc_result_t result; + dns_view_t *view; +-- +GitLab + diff --git a/backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch b/backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch new file mode 100644 index 0000000000000000000000000000000000000000..59ccdc7b3858034fede0f14764c54733bf753e0e --- /dev/null +++ b/backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch @@ -0,0 +1,67 @@ +From 0d5e0867df94c05b7523b89e0a4135c0cec728e1 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Mon, 11 Jul 2022 10:30:44 +0200 +Subject: [PATCH] Inherit dnssec-policy in check for inline-signing + +When dnssec-policy is used, and the zone is not dynamic, BIND will +assume that the zone is inline-signed. But the function responsible +for this did not inherit the dnssec-policy option from the view or +options level, and thus never enabled inline-signing, while the zone +should have been. + +This is fixed by this commit. + +(cherry picked from commit 576b21b1682605a7d04e51c8a7721180f828b2d7) +--- + bin/named/zoneconf.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index 7a414201709..d1d45d818bc 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -2171,6 +2171,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, + const cfg_obj_t *updatepolicy = NULL; + bool zone_is_dynamic = false; + bool inline_signing = false; ++ bool dnssec_policy = false; + + (void)cfg_map_get(config, "options", &options); + +@@ -2222,16 +2223,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, + * inline-signing. + */ + signing = NULL; +- if (!inline_signing && !zone_is_dynamic && +- cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS && +- signing != NULL) +- { +- if (strcmp(cfg_obj_asstring(signing), "none") != 0) { +- inline_signing = true; +- dns_zone_log(zone, ISC_LOG_DEBUG(1), +- "inline-signing: " +- "implicitly through dnssec-policy"); +- } ++ res = cfg_map_get(zoptions, "dnssec-policy", &signing); ++ if (res != ISC_R_SUCCESS && voptions != NULL) { ++ res = cfg_map_get(voptions, "dnssec-policy", &signing); ++ } ++ if (res != ISC_R_SUCCESS && options != NULL) { ++ res = cfg_map_get(options, "dnssec-policy", &signing); ++ } ++ if (res == ISC_R_SUCCESS) { ++ dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") != ++ 0); ++ } ++ ++ if (!inline_signing && !zone_is_dynamic && dnssec_policy) { ++ inline_signing = true; ++ dns_zone_log(zone, ISC_LOG_DEBUG(1), ++ "inline-signing: " ++ "implicitly through dnssec-policy"); + } + + return (inline_signing); +-- +GitLab + diff --git a/backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch b/backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch new file mode 100644 index 0000000000000000000000000000000000000000..3fb43686d42999520bce1395c8a71ed7a46daf53 --- /dev/null +++ b/backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch @@ -0,0 +1,80 @@ +From 111b215987a1cccc2e55a0fea4d8621103d9de9f Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Wed, 13 Jul 2022 10:28:59 +0200 +Subject: [PATCH] Reject zones with TTL higher than dnssec-policy max-zone-ttl + +Reject loading of zones with TTL higher than the max-zone-ttl +from the dnssec-policy. + +With this change, any zone with a dnssec-policy in use will ignore +the max-zone-ttl option in zone/view/options. +--- + bin/named/zoneconf.c | 38 +++++++++++++++++--------------------- + 1 file changed, 17 insertions(+), 21 deletions(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index d1d45d818bc..c918d0ac248 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -897,6 +897,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + dns_stats_t *dnssecsignstats; + dns_zonestat_level_t statlevel = dns_zonestat_none; + int seconds; ++ dns_ttl_t maxttl = 0; /* unlimited */ + dns_zone_t *mayberaw = (raw != NULL) ? raw : zone; + isc_dscp_t dscp; + +@@ -1060,27 +1061,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + } + } + +- obj = NULL; +- result = named_config_get(maps, "max-zone-ttl", &obj); +- if (result == ISC_R_SUCCESS && masterformat == dns_masterformat_map) { +- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, +- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, +- "zone '%s': 'max-zone-ttl' is not compatible " +- "with 'masterfile-format map'", +- zname); +- return (ISC_R_FAILURE); +- } else if (result == ISC_R_SUCCESS) { +- dns_ttl_t maxttl = 0; /* unlimited */ +- +- if (cfg_obj_isduration(obj)) { +- maxttl = cfg_obj_asduration(obj); +- } +- dns_zone_setmaxttl(zone, maxttl); +- if (raw != NULL) { +- dns_zone_setmaxttl(raw, maxttl); +- } +- } +- + obj = NULL; + result = named_config_get(maps, "max-records", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +@@ -1534,6 +1514,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + dns_zone_setjournalsize(zone, journal_size); + } + ++ if (use_kasp) { ++ maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone)); ++ } else { ++ obj = NULL; ++ result = named_config_get(maps, "max-zone-ttl", &obj); ++ if (result == ISC_R_SUCCESS) { ++ if (cfg_obj_isduration(obj)) { ++ maxttl = cfg_obj_asduration(obj); ++ } ++ } ++ } ++ dns_zone_setmaxttl(zone, maxttl); ++ if (raw != NULL) { ++ dns_zone_setmaxttl(raw, maxttl); ++ } ++ + /* + * Configure update-related options. These apply to + * primary servers only. +-- +GitLab + diff --git a/backport-disassociate-rdatasets-when-cleaning-up.patch b/backport-disassociate-rdatasets-when-cleaning-up.patch new file mode 100644 index 0000000000000000000000000000000000000000..3baa3f5546c6771f38b351c222de44beae74fec8 --- /dev/null +++ b/backport-disassociate-rdatasets-when-cleaning-up.patch @@ -0,0 +1,31 @@ +From f2855facbeb19c51befed1c858f4d28b8306f886 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 21 Dec 2021 12:44:17 +1100 +Subject: [PATCH] disassociate rdatasets when cleaning up + +free_namelist could be passed names with associated rdatasets +when handling errors. These need to be disassociated before +calling dns_message_puttemprdataset. + +(cherry picked from commit 745d5edc3a8ca6f232b2d700ae076c2caee2bfc5) +--- + lib/dns/tkey.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c +index e6e44526a9c..9259a513188 100644 +--- a/lib/dns/tkey.c ++++ b/lib/dns/tkey.c +@@ -226,6 +226,9 @@ free_namelist(dns_message_t *msg, dns_namelist_t *namelist) { + while (!ISC_LIST_EMPTY(name->list)) { + set = ISC_LIST_HEAD(name->list); + ISC_LIST_UNLINK(name->list, set, link); ++ if (dns_rdataset_isassociated(set)) { ++ dns_rdataset_disassociate(set); ++ } + dns_message_puttemprdataset(msg, &set); + } + dns_message_puttempname(msg, &name); +-- +GitLab + diff --git a/backport-dont-enabled-serve-stale-on-duplicate-queries.patch b/backport-dont-enabled-serve-stale-on-duplicate-queries.patch new file mode 100644 index 0000000000000000000000000000000000000000..58917c624e9a2e3adf58e12547c9e2d1f675f8ca --- /dev/null +++ b/backport-dont-enabled-serve-stale-on-duplicate-queries.patch @@ -0,0 +1,36 @@ +From dd7dde5743715dc0dec2defbb92b1a8637977bf9 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 2 Aug 2022 14:21:40 +0200 +Subject: [PATCH] Don't enable serve-stale on duplicate queries + +When checking if we should enable serve-stale, add an early out case +when the result is an error signalling a duplicate query or a query +that would be dropped. + +(cherry picked from commit 059a4c2f4d9d3cff371842f43208d021509314fa) +--- + lib/ns/query.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ns/query.c b/lib/ns/query.c +index d0f025dbb9a..1bf36fea283 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -7230,6 +7230,14 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) { + return (false); + } + ++ if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) { ++ /* ++ * Don't enable serve-stale if the result signals a duplicate ++ * query or query that is being dropped. ++ */ ++ return (false); ++ } ++ + qctx_clean(qctx); + qctx_freedata(qctx); + +-- +GitLab + diff --git a/bind-9.16.37.tar.xz b/bind-9.16.37.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..29818fbfa466f16b3eb0711754dd48cd703f47bf Binary files /dev/null and b/bind-9.16.37.tar.xz differ diff --git a/bind-9.16.37.tar.xz.asc b/bind-9.16.37.tar.xz.asc new file mode 100644 index 0000000000000000000000000000000000000000..8ce1fd0e0129212bce00eda8117d3ff4a46bb63d --- /dev/null +++ b/bind-9.16.37.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmPFaWcACgkQGC4jV5Ri +76oXaw/+OCf5ZKRNIM4Gr2nbdDSPNhHblFmOdAAgwX8929uZaiciJDV3UvPXsIZw +76XsGcECe8Ri6gq7xU8bUsNC7O8eiT2n0mtDAFdJDt9LyQeJVi/UwidzYXRjSukf +nQJYz2kBR/eO07JozqLS1oOm7bM7NmDdbMPgTk7qyKUkd8lXeph74gUo8X8LtVJV +03xwdYOPFO8mJtebq8i9pullVeE5AMc3qZW/FnNkgHcLZATXWE1K4ie1uw6YynWv +j/P87WdUKER4kXWg4030+isKaj4jeIevBKCdDxS2ZZvlN1ioK2+XKvyGyIouB6bF +BW3z6ndtZ353r40ajdliEa2eZdMlI9kPUzaMgRWnynyG8u3wkLSZoWuZJiSXiSJI +ccuT9c/O0kQQdbyqtWaY7CwJnG2pSCzRjWBpifHKOnCBCzCYrS0PIO0gsV88JZeg +p37mZBrwUQ7FaxXs3BRiYi0JNLDdhpBnSM1MbD1Q0KuH8Ndb/gBHV9p3BlpbLAuj +RGEvgDWEY97VEzkTLO7G+2BIh3TZAYtyHgO7TSuxyEor8FeQsVBawFOS9ZHTU+U6 +38ghgFBV5Svqs2R9Ri/xcPEaaKjqgDb+6KVaAIpvnHwW28yiHZj8Fwzj0T2ojC/r +53uz/dHpW9gXerWSH7gDsd4kjAJKZEC7x84CNwMpZ4kn6CkhQVE= +=DAsV +-----END PGP SIGNATURE----- diff --git a/bind.spec b/bind.spec index 8f6667d341b72fbd69fefb3d30304ab016226e43..45c52c93754b3a118727b7c57d4634e65aa8c248 100644 --- a/bind.spec +++ b/bind.spec @@ -29,8 +29,8 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.16.23 -Release: 12 +Version: 9.16.37 +Release: 1 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -76,93 +76,6 @@ Patch157:bind-9.11-fips-tests.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689 Patch164:bind-9.11-rh1666814.patch -Patch6000: CVE-2022-0396.patch -Patch6001: CVE-2021-25220.patch -Patch6002: CVE-2022-2795.patch -Patch6003: CVE-2022-38177.patch -Patch6004: CVE-2022-38178.patch -Patch6005: CVE-2022-3080.patch -Patch6006: CVE-2022-2881.patch -Patch6007: CVE-2022-2906.patch - -Patch6008:backport-0001-Do-not-convert-ISC_R_NOSPACE-to-DNS_R_SERVFAIL-too-e.patch -Patch6009:backport-0001-Exercise-ISC_R_NOSPACE-path-in-dns_sdlz_putrr.patch -Patch6010:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch -Patch6011:backport-0002-Add-a-regression-test.patch -Patch6012:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch -Patch6013:backport-0004-Stop-leaking-mutex-in-nmworker-and-cond-in-nm-socket.patch -Patch6014:backport-0005-Address-memory-leak-when-processing-dnssec-policy-cl.patch -Patch6015:backport-0005-Report-duplicate-dnssec-policy-names.patch -Patch6016:backport-0006-Prevent-a-shutdown-race-in-catz_create_chg_task.patch -Patch6017:backport-0007-Fix-bug-introduced-by-763-related-to-offline-keys.patch -Patch6018:backport-0007-Only-warn-if-we-could-not-delete-signature.patch -Patch6019:backport-0007-Update-autosign-test.patch -Patch6020:backport-0007-Replace-RSASHA1-in-autosign-test-with-default-alg.patch -Patch6021:backport-0008-On-shutdown-return-ISC_R_SHUTTINGDOWN-from-isc_taskm.patch -Patch6022:backport-0009-Remove-taskmgr-excl_lock-fix-the-locking-for-taskmgr.patch -Patch6023:backport-0010-add-UV_ENOTSUP-to-isc___nm_uverr2result.patch -Patch6024:backport-0011-rndc-add-an-extra-task-reference.patch -Patch6025:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch -Patch6026:backport-0012-Add-a-system-test-for-view-reverting-after-a-failed-.patch -Patch6027:backport-0012-Fix-a-memory-leak-in-dns_dlzcreate.patch -Patch6028:backport-0012-Fix-invalid-control-port-number-in-the-catz-system-t.patch -Patch6029:backport-0012-Improve-the-view-configuration-error-handling-and-re.patch -Patch6030:backport-0012-Improve-the-zones-view-reverting-logic-when-a-zone-i.patch -Patch6031:backport-0013-Add-log-message-when-hard-quota-is-reached-in-TCP-ac.patch -Patch6032:backport-0014-Update-writetimeout-to-be-T_IDLE-in-netmgr_test.c.patch -Patch6033:backport-0014-Rename-sock-timer-to-sock-read_timer.patch -Patch6034:backport-0014-Add-TCP-TCPDNS-and-TLSDNS-write-timer.patch -Patch6035:backport-0014-Add-TCP-write-timeout-system-test.patch -Patch6036:backport-0014-Add-isc_nmhandle_setwritetimeout-function.patch -Patch6037:backport-0015-Fix-more-ns_statscounter_recursclients-underflows.patch -Patch6038:backport-0016-Properly-free-up-enqueued-netievents-in-nm_destroy.patch -Patch6039:backport-0017-Delay-isc__nm_uvreq_t-deallocation-to-connection-cal.patch -Patch6040:backport-0018-Handle-TCP-sockets-in-isc__nmsocket_reset.patch -Patch6041:backport-0019-Use-unsigned-arithmetic-when-shifting-by-24.patch -Patch6042:backport-0020-Grow-the-lex-token-buffer-in-one-more-place.patch -Patch6043:backport-0021-Add-test-configurations-with-invalid-dnssec-policy-c.patch -Patch6044:backport-0021-Check-dnssec-policy-key-roles-for-validity.patch -Patch6045:backport-0022-Add-network-manager-based-timer-API.patch -Patch6046:backport-0022-Change-single-write-timer-to-per-send-timers.patch -Patch6048:backport-0022-On-shutdown-reset-the-established-TCP-connections.patch -Patch6049:backport-0023-Log-not-authoritative-for-update-zone-more-clearly.patch -Patch6050:backport-0024-Prevent-arithmetic-overflow-of-i-in-master.c-generat.patch -Patch6051:backport-0024-update-shell-syntax.patch -Patch6052:backport-0024-add-a-system-test-for-GENERATE-with-an-integer-overf.patch -Patch6053:backport-0025-Test-CDS-DELETE-persists-after-zone-sign.patch -Patch6054:backport-0025-Update-dns_dnssec_syncdelete-function.patch -Patch6055:backport-0026-Check-that-pending-negative-cache-entries-for-DS-can.patch -Patch6056:backport-0026-Update-the-rdataset-trust-field-in-ncache.c-rdataset.patch -Patch6057:backport-0027-Prevent-memory-bloat-caused-by-a-jemalloc-quirk.patch -Patch6058:backport-0028-Ensure-diff-variable-is-not-read-uninitialized.patch -Patch6059:backport-0029-Initialize-printed-buffer.patch -Patch6060:backport-0030-Additional-safety-check-for-negative-array-index.patch -Patch6061:backport-0031-Fix-dig-nssearch-race-between-recv_done-and-send_don.patch -Patch6062:backport-0032-Process-the-delegating-NS-RRset-when-checking-rpz-ru.patch -Patch6063:backport-0032-Allow-DNS_RPZ_POLICY_ERROR-to-be-converted-to-a-stri.patch -Patch6064:backport-0032-Add-test-cases-using-static-and-static-stub-zones.patch -Patch6065:backport-0032-Check-the-cache-as-well-when-glue-NS-are-returned-pr.patch -Patch6066:backport-0032-Process-learned-records-as-well-as-glue.patch -Patch6067:backport-0033-Lock-the-trampoline-when-attaching.patch -Patch6068:backport-0034-prevent-a-possible-buffer-overflow-in-configuration-.patch -Patch6069:backport-0035-Add-lower-bound-checks-to-fetchlimit-test.patch -Patch6070:backport-0035-Disable-EDNS-for-the-fetchlimit-test-server.patch -Patch6071:backport-0035-Fix-the-fetches-per-server-quota-calculation.patch -Patch6072:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch -Patch6073:backport-0036-Add-kasp-test-for-3302.patch -Patch6074:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch -Patch6075:backport-0037-Don-t-process-DNSSEC-related-and-ZONEMD-records-in-c.patch -Patch6076:backport-0037-Require-valid-key-for-dst_key-functions.patch -Patch6077:backport-0038-Do-not-cancel-processing-record-datasets-in-catalog-.patch -Patch6078:backport-0039-corrected-the-opcode-param-to-opcode_totext.patch -Patch6079:backport-0040-make-the-fix-more-complete.patch -Patch6080:backport-0041-Gracefully-handle-uv_read_start-failures.patch -Patch6081:backport-0042-Fix-a-race-between-resolver-query-timeout-and-valida.patch -Patch6082:backport-0042-Remove-resolver.c-maybe_destroy.patch -Patch6083:backport-0043-Check-for-overflow-in-GENERATE-computations.patch -Patch6084:backport-0043-Tighten-GENERATE-directive-parsing.patch -Patch6085:backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch -Patch6086:backport-0045-Move-setting-the-sock-write_timeout-to-the-async_-se.patch Patch9000:bugfix-limit-numbers-of-test-threads.patch @@ -1174,6 +1087,15 @@ fi; %endif %changelog +* Tue Feb 07 2023 zhanghao - 32:9.16.37-1 +- DESC:update to 9.16.37 + +* Wed Dec 28 2022 huangyu - 32:9.16.23-13 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: backport some patches from community + * Sat Nov 26 2022 jiangheng - 32:9.16.23-12 - Type:bugfix - CVE:NA