From 8d563f1e2b6aad6db9284cc7b8129e7f3a1ffc52 Mon Sep 17 00:00:00 2001 From: jiangheng Date: Mon, 15 Nov 2021 17:07:39 +0800 Subject: [PATCH] fix CVE-2021-25219 --- CVE-2021-25219.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++ bind.spec | 10 ++++++- 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-25219.patch diff --git a/CVE-2021-25219.patch b/CVE-2021-25219.patch new file mode 100644 index 0000000..d6c545f --- /dev/null +++ b/CVE-2021-25219.patch @@ -0,0 +1,69 @@ +Conflict: NA +Reference : https://downloads.isc.org/bind9/cur/9.11/patches/CVE-2021-25219.patch +diff --git a/bin/named/config.c b/bin/named/config.c +index fbd2f2126c..d24e4f8a26 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -175,7 +175,7 @@ options {\n\ + #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2) + " geoip-use-ecs yes;\n" + #endif +-" lame-ttl 600;\n" ++" lame-ttl 0;\n" + #ifdef HAVE_LMDB + " lmdb-mapsize 32M;\n" + #endif +diff --git a/bin/named/server.c b/bin/named/server.c +index 6ff95e3bcc..9826588e6d 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -3987,8 +3987,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + result = ns_config_get(maps, "lame-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + lame_ttl = cfg_obj_asuint32(obj); +- if (lame_ttl > 1800) +- lame_ttl = 1800; ++ if (lame_ttl > 0) { ++ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, ++ "disabling lame cache despite lame-ttl > 0 as it " ++ "may cause performance issues"); ++ lame_ttl = 0; ++ } + dns_resolver_setlamettl(view->resolver, lame_ttl); + + /* +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8175f7918b..b34cb12b73 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -8489,18 +8489,20 @@ resquery_response(isc_task_t *task, isc_event_t *event) { + /* + * Is the server lame? + */ +- if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) && +- is_lame(fctx)) { ++ if (!ISFORWARDER(query->addrinfo) && is_lame(fctx)) { + inc_stats(res, dns_resstatscounter_lame); + log_lame(fctx, query->addrinfo); +- result = dns_adb_marklame(fctx->adb, query->addrinfo, +- &fctx->name, fctx->type, +- now + res->lame_ttl); +- if (result != ISC_R_SUCCESS) +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, +- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, +- "could not mark server as lame: %s", +- isc_result_totext(result)); ++ if (res->lame_ttl != 0) { ++ result = dns_adb_marklame(fctx->adb, query->addrinfo, ++ &fctx->name, fctx->type, ++ now + res->lame_ttl); ++ if (result != ISC_R_SUCCESS) { ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR, ++ "could not mark server as lame: %s", ++ isc_result_totext(result)); ++ } ++ } + broken_server = DNS_R_LAME; + keep_trying = true; + FCTXTRACE("lame server"); diff --git a/bind.spec b/bind.spec index 2da988c..0854a0a 100644 --- a/bind.spec +++ b/bind.spec @@ -19,7 +19,7 @@ Name: bind Summary: Domain Name System (DNS) Server (named) License: MPLv2.0 Version: 9.11.21 -Release: 8 +Release: 9 Epoch: 32 Url: http://www.isc.org/products/BIND/ Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz @@ -163,6 +163,7 @@ Patch194: Fix_the_difference_at_the_macro_definition_using_clock_gettime_instead Patch195: CVE-2020-8625.patch Patch196: CVE-2021-25214.patch Patch197: CVE-2021-25215.patch +Patch198: CVE-2021-25219.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -369,6 +370,7 @@ are used for building ISC DHCP. %patch195 -p1 %patch196 -p1 %patch197 -p1 +%patch198 -p1 mkdir lib/dns/tests/testdata/dstrandom cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data @@ -1154,6 +1156,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Mon Nov 15 2021 jiangheng - 9.11.21-9 +- Type:CVE +- ID:NA +- SUG:NA +- DESC:fix CVE-2021-25219 + * Sat Jul 24 2021 jiangheng - 9.11.21-8 - Type:bugfix - ID:NA -- Gitee