diff --git a/CVE-2021-25214.patch b/CVE-2021-25214.patch new file mode 100644 index 0000000000000000000000000000000000000000..00eccf8d03fdf0f9de3b8bb330f61962897cae67 --- /dev/null +++ b/CVE-2021-25214.patch @@ -0,0 +1,36 @@ +From 813a1d0f943f7b4ecf43c449a08762a8d8557a45 Mon Sep 17 00:00:00 2001 +From: UNKNOWN <> +Date: Tue, 27 Apr 2021 12:02:53 +0800 +Subject: [PATCH v2 1/2] Fix CVE-2021-25214 + +Conflict:NA +Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25214.patch + + +diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c +index 558f40c..bae6d41 100644 +--- a/lib/dns/xfrin.c ++++ b/lib/dns/xfrin.c +@@ -474,6 +474,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl, + dns_rdatatype_ismeta(rdata->type)) + FAIL(DNS_R_FORMERR); + ++ /* ++ * Immediately reject the entire transfer if the RR that is currently ++ * being processed is an SOA record that is not placed at the zone ++ * apex. ++ */ ++ if (rdata->type == dns_rdatatype_soa && ++ !dns_name_equal(&xfr->name, name)) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ dns_name_format(name, namebuf, sizeof(namebuf)); ++ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'", ++ namebuf); ++ FAIL(DNS_R_NOTZONETOP); ++ } ++ + redo: + switch (xfr->state) { + case XFRST_SOAQUERY: +-- +1.8.3.1 diff --git a/CVE-2021-25215.patch b/CVE-2021-25215.patch new file mode 100644 index 0000000000000000000000000000000000000000..bbd3c4acb2714fb508af8c0f7b154096a245e7e1 --- /dev/null +++ b/CVE-2021-25215.patch @@ -0,0 +1,36 @@ +From c42cc79ef9a23d8273b273bb86a1c8c9995b28a0 Mon Sep 17 00:00:00 2001 +From: UNKNOWN <> +Date: Tue, 27 Apr 2021 12:12:24 +0800 +Subject: [PATCH v2 2/2] Fix CVE-2021-25215 + +Conflict:NA +Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25215.patch + + +diff --git a/bin/named/query.c b/bin/named/query.c +index 6e988f5..2e7700a 100644 +--- a/bin/named/query.c ++++ b/bin/named/query.c +@@ -9092,10 +9092,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) + if (noqname != NULL) + query_addnoqnameproof(client, noqname); + /* +- * We shouldn't ever fail to add 'rdataset' +- * because it's already in the answer. ++ * 'rdataset' will only be non-NULL here if the ANSWER section ++ * of the message to be sent to the client already contains an ++ * RRset with the same owner name and the same type as ++ * 'rdataset'. This should never happen, with one exception: ++ * when chasing DNAME records, one of the DNAME records placed ++ * in the ANSWER section may turn out to be the final answer to ++ * the client's query, but we have no way of knowing that until ++ * now. In such a case, 'rdataset' will be freed later, so we ++ * do not need to free it here. + */ +- INSIST(rdataset == NULL); ++ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname); + } + + addauth: +-- +1.8.3.1 diff --git a/bind.spec b/bind.spec index 06ac18f0e9f014f6a054093acd9db0f591e6d061..59f3df07d32268fa618b1ac60e6471e42c543f2c 100644 --- a/bind.spec +++ b/bind.spec @@ -21,7 +21,7 @@ Name: bind Summary: Domain Name System (DNS) Server (named) License: MPLv2.0 Version: 9.11.21 -Release: 5 +Release: 6 Epoch: 32 Url: http://www.isc.org/products/BIND/ Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz @@ -171,6 +171,8 @@ Patch192: CVE-2020-8623.patch Patch193: CVE-2020-8624.patch Patch194: Fix_the_difference_at_the_macro_definition_using_clock_gettime_instead_of_gettimeofda.patch Patch195: CVE-2020-8625.patch +Patch196: CVE-2021-25214.patch +Patch197: CVE-2021-25215.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch Patch12: bind-9.10-sdb.patch @@ -374,6 +376,8 @@ are used for building ISC DHCP. %patch193 -p1 %patch194 -p1 %patch195 -p1 +%patch196 -p1 +%patch197 -p1 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data @@ -1187,6 +1191,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Wed May 26 2021 jiangheng - 9.11.21-6 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2021-25214 CVE-2021-25215 + * Fri Mar 12 2021 yanan - 9.11.21-5 - Type:enhancement - ID:NA