diff options
Diffstat (limited to 'meta/recipes-connectivity/bind')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch | 206 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch | 29 | ||||
-rw-r--r-- | meta/recipes-connectivity/bind/bind_9.11.19.bb (renamed from meta/recipes-connectivity/bind/bind_9.11.13.bb) | 7 |
3 files changed, 2 insertions, 240 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch deleted file mode 100644 index 8f00231919..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch +++ /dev/null | |||
@@ -1,206 +0,0 @@ | |||
1 | Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch] | ||
2 | CVE: CVE-2020-8616 | ||
3 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
4 | --- | ||
5 | diff --git a/lib/dns/adb.c b/lib/dns/adb.c | ||
6 | index 058495f6a5..6b8a9537f0 100644 | ||
7 | --- a/lib/dns/adb.c | ||
8 | +++ b/lib/dns/adb.c | ||
9 | @@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...) | ||
10 | */ | ||
11 | #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0) | ||
12 | #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0) | ||
13 | -#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \ | ||
14 | - != 0) | ||
15 | -#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ | ||
16 | - != 0) | ||
17 | -#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) | ||
18 | -#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) | ||
19 | -#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) | ||
20 | -#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) | ||
21 | +#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) | ||
22 | +#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) | ||
23 | +#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) | ||
24 | +#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) | ||
25 | +#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) | ||
26 | +#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) | ||
27 | +#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) | ||
28 | |||
29 | /* | ||
30 | * These are currently used on simple unsigned ints, so they are | ||
31 | @@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
32 | * Listen to negative cache hints, and don't start | ||
33 | * another query. | ||
34 | */ | ||
35 | - if (NCACHE_RESULT(result) || AUTH_NX(result)) | ||
36 | + if (NCACHE_RESULT(result) || AUTH_NX(result)) { | ||
37 | goto fetch; | ||
38 | + } | ||
39 | |||
40 | - if (!NAME_FETCH_V6(adbname)) | ||
41 | + if (!NAME_FETCH_V6(adbname)) { | ||
42 | wanted_fetches |= DNS_ADBFIND_INET6; | ||
43 | + } | ||
44 | } | ||
45 | |||
46 | fetch: | ||
47 | if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || | ||
48 | (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) | ||
49 | + { | ||
50 | have_address = true; | ||
51 | - else | ||
52 | + } else { | ||
53 | have_address = false; | ||
54 | - if (wanted_fetches != 0 && | ||
55 | - ! (FIND_AVOIDFETCHES(find) && have_address)) { | ||
56 | + } | ||
57 | + if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && | ||
58 | + !FIND_NOFETCH(find)) | ||
59 | + { | ||
60 | /* | ||
61 | * We're missing at least one address family. Either the | ||
62 | * caller hasn't instructed us to avoid fetches, or we don't | ||
63 | @@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, | ||
64 | * be acceptable so we have to launch fetches. | ||
65 | */ | ||
66 | |||
67 | - if (FIND_STARTATZONE(find)) | ||
68 | + if (FIND_STARTATZONE(find)) { | ||
69 | start_at_zone = true; | ||
70 | + } | ||
71 | |||
72 | /* | ||
73 | * Start V4. | ||
74 | diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h | ||
75 | index 63a13c4e41..edf6e54935 100644 | ||
76 | --- a/lib/dns/include/dns/adb.h | ||
77 | +++ b/lib/dns/include/dns/adb.h | ||
78 | @@ -207,6 +207,10 @@ struct dns_adbfind { | ||
79 | * lame for this query. | ||
80 | */ | ||
81 | #define DNS_ADBFIND_OVERQUOTA 0x00000400 | ||
82 | +/*% | ||
83 | + * Don't perform a fetch even if there are no address records available. | ||
84 | + */ | ||
85 | +#define DNS_ADBFIND_NOFETCH 0x00000800 | ||
86 | |||
87 | /*% | ||
88 | * The answers to queries come back as a list of these. | ||
89 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
90 | index 7c44478a26..0a40859d08 100644 | ||
91 | --- a/lib/dns/resolver.c | ||
92 | +++ b/lib/dns/resolver.c | ||
93 | @@ -172,6 +172,14 @@ | ||
94 | #define DEFAULT_MAX_QUERIES 75 | ||
95 | #endif | ||
96 | |||
97 | +/* | ||
98 | + * After NS_FAIL_LIMIT attempts to fetch a name server address, | ||
99 | + * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, | ||
100 | + * stop trying to fetch, in order to avoid wasting resources. | ||
101 | + */ | ||
102 | +#define NS_FAIL_LIMIT 4 | ||
103 | +#define NS_RR_LIMIT 5 | ||
104 | + | ||
105 | /* Number of hash buckets for zone counters */ | ||
106 | #ifndef RES_DOMAIN_BUCKETS | ||
107 | #define RES_DOMAIN_BUCKETS 523 | ||
108 | @@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) { | ||
109 | static void | ||
110 | findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, | ||
111 | unsigned int options, unsigned int flags, isc_stdtime_t now, | ||
112 | - bool *overquota, bool *need_alternate) | ||
113 | -{ | ||
114 | + bool *overquota, bool *need_alternate, unsigned int *no_addresses) { | ||
115 | dns_adbaddrinfo_t *ai; | ||
116 | dns_adbfind_t *find; | ||
117 | dns_resolver_t *res; | ||
118 | @@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, | ||
119 | find->result_v6 != DNS_R_NXDOMAIN) || | ||
120 | (res->dispatches6 == NULL && | ||
121 | find->result_v4 != DNS_R_NXDOMAIN))) | ||
122 | + { | ||
123 | *need_alternate = true; | ||
124 | + } | ||
125 | + if (no_addresses != NULL) { | ||
126 | + (*no_addresses)++; | ||
127 | + } | ||
128 | } else { | ||
129 | if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { | ||
130 | if (overquota != NULL) | ||
131 | @@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
132 | dns_rdata_ns_t ns; | ||
133 | bool need_alternate = false; | ||
134 | bool all_spilled = true; | ||
135 | + unsigned int no_addresses = 0; | ||
136 | |||
137 | FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); | ||
138 | |||
139 | @@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
140 | * Extract the name from the NS record. | ||
141 | */ | ||
142 | result = dns_rdata_tostruct(&rdata, &ns, NULL); | ||
143 | - if (result != ISC_R_SUCCESS) | ||
144 | + if (result != ISC_R_SUCCESS) { | ||
145 | continue; | ||
146 | + } | ||
147 | |||
148 | - findname(fctx, &ns.name, 0, stdoptions, 0, now, | ||
149 | - &overquota, &need_alternate); | ||
150 | + if (no_addresses > NS_FAIL_LIMIT && | ||
151 | + dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) | ||
152 | + { | ||
153 | + stdoptions |= DNS_ADBFIND_NOFETCH; | ||
154 | + } | ||
155 | + findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, | ||
156 | + &need_alternate, &no_addresses); | ||
157 | |||
158 | - if (!overquota) | ||
159 | + if (!overquota) { | ||
160 | all_spilled = false; | ||
161 | + } | ||
162 | |||
163 | dns_rdata_reset(&rdata); | ||
164 | dns_rdata_freestruct(&ns); | ||
165 | } | ||
166 | - if (result != ISC_R_NOMORE) | ||
167 | + if (result != ISC_R_NOMORE) { | ||
168 | return (result); | ||
169 | + } | ||
170 | |||
171 | /* | ||
172 | * Do we need to use 6 to 4? | ||
173 | @@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { | ||
174 | if (!a->isaddress) { | ||
175 | findname(fctx, &a->_u._n.name, a->_u._n.port, | ||
176 | stdoptions, FCTX_ADDRINFO_FORWARDER, | ||
177 | - now, NULL, NULL); | ||
178 | + now, NULL, NULL, NULL); | ||
179 | continue; | ||
180 | } | ||
181 | if (isc_sockaddr_pf(&a->_u.addr) != family) | ||
182 | @@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { | ||
183 | } | ||
184 | } | ||
185 | |||
186 | - if (dns_name_countlabels(&fctx->domain) > 2) { | ||
187 | - result = isc_counter_increment(fctx->qc); | ||
188 | - if (result != ISC_R_SUCCESS) { | ||
189 | - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, | ||
190 | - DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), | ||
191 | - "exceeded max queries resolving '%s'", | ||
192 | - fctx->info); | ||
193 | - fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); | ||
194 | - return; | ||
195 | - } | ||
196 | + result = isc_counter_increment(fctx->qc); | ||
197 | + if (result != ISC_R_SUCCESS) { | ||
198 | + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, | ||
199 | + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), | ||
200 | + "exceeded max queries resolving '%s'", | ||
201 | + fctx->info); | ||
202 | + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); | ||
203 | + return; | ||
204 | } | ||
205 | |||
206 | bucketnum = fctx->bucketnum; | ||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch deleted file mode 100644 index d8769c45cc..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch] | ||
2 | CVE: CVE-2020-8617 | ||
3 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
4 | --- | ||
5 | diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c | ||
6 | index b597a18d49..6357a3a486 100644 | ||
7 | --- a/lib/dns/tsig.c | ||
8 | +++ b/lib/dns/tsig.c | ||
9 | @@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, | ||
10 | goto cleanup_context; | ||
11 | } | ||
12 | msg->verified_sig = 1; | ||
13 | - } else if (tsig.error != dns_tsigerror_badsig && | ||
14 | - tsig.error != dns_tsigerror_badkey) { | ||
15 | + } else if (!response || (tsig.error != dns_tsigerror_badsig && | ||
16 | + tsig.error != dns_tsigerror_badkey)) | ||
17 | + { | ||
18 | tsig_log(msg->tsigkey, 2, "signature was empty"); | ||
19 | return (DNS_R_TSIGVERIFYFAILURE); | ||
20 | } | ||
21 | @@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, | ||
22 | } | ||
23 | } | ||
24 | |||
25 | - if (tsig.error != dns_rcode_noerror) { | ||
26 | + if (response && tsig.error != dns_rcode_noerror) { | ||
27 | msg->tsigstatus = tsig.error; | ||
28 | if (tsig.error == dns_tsigerror_badtime) | ||
29 | ret = DNS_R_CLOCKSKEW; | ||
diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb index 8f2d702dcb..276173e09f 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.13.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb | |||
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/" | |||
3 | SECTION = "console/network" | 3 | SECTION = "console/network" |
4 | 4 | ||
5 | LICENSE = "ISC & BSD" | 5 | LICENSE = "ISC & BSD" |
6 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e" | 6 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45" |
7 | 7 | ||
8 | DEPENDS = "openssl libcap zlib" | 8 | DEPENDS = "openssl libcap zlib" |
9 | 9 | ||
@@ -18,12 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
18 | file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ | 18 | file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ |
19 | file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ | 19 | file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ |
20 | file://0001-avoid-start-failure-with-bind-user.patch \ | 20 | file://0001-avoid-start-failure-with-bind-user.patch \ |
21 | file://CVE-2020-8616.patch \ | ||
22 | file://CVE-2020-8617.patch \ | ||
23 | " | 21 | " |
24 | 22 | ||
25 | SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057" | 23 | SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329" |
26 | SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d" | ||
27 | 24 | ||
28 | UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" | 25 | UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" |
29 | # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4 | 26 | # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4 |