3 files changed, 143 insertions, 0 deletions
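--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch
@@ -0,0 +1,76 @@
+From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: [PATCH] Disable lame-ttl cache
+
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with <qname,qtype>. This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+
+CVE: CVE-2021-25219
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+bin/named/config.c | 2 +-
+bin/named/server.c | 7 +++++--
+doc/arm/reference.rst | 6 +++---
+3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index fa8473db7c..b6453b814e 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -151,7 +151,7 @@ options {\n\
+fetches-per-server 0;\n\
+fetches-per-zone 0;\n\
+glue-cache yes;\n\
+- lame-ttl 600;\n"
++ lame-ttl 0;\n"
+#ifdef HAVE_LMDB
+" lmdb-mapsize 32M;\n"
+#endif /* ifdef HAVE_LMDB */
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 638703e8c2..35ad6a0b7f 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+result = named_config_get(maps, "lame-ttl", &obj);
+INSIST(result == ISC_R_SUCCESS);
+lame_ttl = cfg_obj_asduration(obj);
+- if (lame_ttl > 1800) {
+- lame_ttl = 1800;
++ if (lame_ttl > 0) {
++ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
++ "disabling lame cache despite lame-ttl > 0 as it "
++ "may cause performance issues");
++ lame_ttl = 0;
+}
+dns_resolver_setlamettl(view->resolver, lame_ttl);
+
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index 3bc4439745..fea854f3d1 100644
+--- a/doc/arm/reference.rst
++++ b/doc/arm/reference.rst
+@@ -3358,9 +3358,9 @@ Tuning
+^^^^^^
+
+``lame-ttl``
+- This sets the number of seconds to cache a lame server indication. 0
+- disables caching. (This is **NOT** recommended.) The default is
+- ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
++ This is always set to 0. More information is available in the
++ `security advisory for CVE-2021-25219
++ <https://kb.isc.org/docs/cve-2021-25219>`_.
+
+``servfail-ttl``
+This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
+--
+2.17.1
+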
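--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch
@@ -0,0 +1,65 @@
+From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Mon, 15 Nov 2021 16:26:52 +0800
+Subject: [PATCH] Enable lame response detection even with disabled lame cache
+
+Previously, when lame cache would be disabled by setting lame-ttl to 0,
+it would also disable lame answer detection. In this commit, we enable
+the lame response detection even when the lame cache is disabled. This
+enables stopping answer processing early rather than going through the
+whole answer processing flow.
+
+CVE: CVE-2021-25219
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+lib/dns/resolver.c | 23 ++++++++++++-----------
+1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 50fadc0..9291bd4 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
+*/
+static isc_result_t
+rctx_lameserver(respctx_t *rctx) {
+- isc_result_t result;
++ isc_result_t result = ISC_R_SUCCESS;
+fetchctx_t *fctx = rctx->fctx;
+resquery_t *query = rctx->query;
+
+- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
+- !is_lame(fctx, query->rmessage))
+- {
++ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
+return (ISC_R_SUCCESS);
+}
+
+inc_stats(fctx->res, dns_resstatscounter_lame);
+log_lame(fctx, query->addrinfo);
+- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
+- fctx->type, rctx->now + fctx->res->lame_ttl);
+- if (result != ISC_R_SUCCESS) {
+- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+- "could not mark server as lame: %s",
+- isc_result_totext(result));
++ if (fctx->res->lame_ttl != 0) {
++ result = dns_adb_marklame(fctx->adb, query->addrinfo,
++ &fctx->name, fctx->type,
++ rctx->now + fctx->res->lame_ttl);
++ if (result != ISC_R_SUCCESS) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
++ "could not mark server as lame: %s",
++ isc_result_totext(result));
++ }
+}
+rctx->broken_server = DNS_R_LAME;
+rctx->next_server = true;
+--
+2.17.1
+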
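--- a/meta/recipes-connectivity/bind/bind_9.16.16.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.16.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
 file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
 file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
 file://0001-avoid-start-failure-with-bind-user.patch \
+file://CVE-2021-25219-1.patch \
+file://CVE-2021-25219-2.patch \
 "
 
 SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b"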