2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
new file mode 100644
index 0000000000..9cffe358bf
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
@@ -0,0 +1,33 @@
+From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 29 Jul 2020 23:36:03 +1000
+Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as
+ 'zonesub'
+resulting in names outside the specified subdomain having the wrong
+restrictions for the given key.
+Upstream-Status: Backport
+CVE: CVE-2020-8624
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ bin/named/zoneconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index e237bdb..4898447 100644
+--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
+@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ 
+                str = cfg_obj_asstring(matchtype);
+                CHECK(dns_ssu_mtypefromstring(str, &mtype));
+-               if (mtype == dns_ssumatchtype_subdomain) {
+               if (mtype == dns_ssumatchtype_subdomain &&
+                   strcasecmp(str, "zonesub") == 0) {
+                        usezone = true;
+                }
+ 
+-- 
+1.9.1
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index aed1a73317..d4467b0b48 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-avoid-start-failure-with-bind-user.patch \
           file://CVE-2020-8622.patch \
           file://CVE-2020-8623.patch \
+           file://CVE-2020-8624.patch \
           "
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch new file mode 100644 index 0000000000..9cffe358bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
@@ -0,0 +1,33 @@
		1	From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001
		2	From: Mark Andrews <marka@isc.org>
		3	Date: Wed, 29 Jul 2020 23:36:03 +1000
		4	Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as
		5	'zonesub'
		6
		7	resulting in names outside the specified subdomain having the wrong
		8	restrictions for the given key.
		9
		10	Upstream-Status: Backport
		11	CVE: CVE-2020-8624
		12	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		13	---
		14	bin/named/zoneconf.c \| 3 ++-
		15	1 file changed, 2 insertions(+), 1 deletion(-)
		16
		17	diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
		18	index e237bdb..4898447 100644
		19	--- a/bin/named/zoneconf.c
		20	+++ b/bin/named/zoneconf.c
		21	@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t zconfig, dns_zone_t zone,
		22
		23	str = cfg_obj_asstring(matchtype);
		24	CHECK(dns_ssu_mtypefromstring(str, &mtype));
		25	- if (mtype == dns_ssumatchtype_subdomain) {
		26	+ if (mtype == dns_ssumatchtype_subdomain &&
		27	+ strcasecmp(str, "zonesub") == 0) {
		28	usezone = true;
		29	}
		30
		31	--
		32	1.9.1
		33


diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb index aed1a73317..d4467b0b48 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.19.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
20	file://0001-avoid-start-failure-with-bind-user.patch \	20	file://0001-avoid-start-failure-with-bind-user.patch \
21	file://CVE-2020-8622.patch \	21	file://CVE-2020-8622.patch \
22	file://CVE-2020-8623.patch \	22	file://CVE-2020-8623.patch \
		23	file://CVE-2020-8624.patch \
23	"	24	"
24		25
25	SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"	26	SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"