From e2014ba9e3b4236b0384ba17abfb2c9a155412f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 01/18] Bound the amount of work performed for delegations Limit the amount of database lookups that can be triggered in fctx_getaddresses() (i.e. when determining the name server addresses to query next) by setting a hard limit on the number of NS RRs processed for any delegation encountered. Without any limit in place, named can be forced to perform large amounts of database lookups per each query received, which severely impacts resolver performance. The limit used (20) is an arbitrary value that is considered to be big enough for any sane DNS delegation. (cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) --- lib/dns/resolver.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 8883008420..e7437656b6 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -211,6 +211,17 @@ */ #define NS_FAIL_LIMIT 4 #define NS_RR_LIMIT 5 +/* + * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in + * any NS RRset encountered, to avoid excessive resource use while processing + * large delegations. + */ +#define NS_PROCESSING_LIMIT 20 + +STATIC_ASSERT(NS_PROCESSING_LIMIT > NS_RR_LIMIT, + "The maximum number of NS RRs processed for each delegation " + "(NS_PROCESSING_LIMIT) must be larger than the large delegation " + "threshold (NS_RR_LIMIT)."); /* Hash table for zone counters */ #ifndef RES_DOMAIN_HASH_BITS @@ -3538,6 +3549,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { bool need_alternate = false; bool all_spilled = true; unsigned int no_addresses = 0; + unsigned int ns_processed = 0; FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); 
@@ -3728,6 +3740,11 @@ normal_nses: dns_rdata_reset(&rdata); dns_rdata_freestruct(&ns); + + if (++ns_processed >= NS_PROCESSING_LIMIT) { + result = ISC_R_NOMORE; + break; + } } if (result != ISC_R_NOMORE) { return (result); From 97a9f586c4702de709b284ecb22facee67d079ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 02/18] Add CHANGES entry for GL #3394 (cherry picked from commit e802beedfc13be160d182635cecf6e01fc514d94) --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index e8ea8e1e60..059cc4a1b6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5957. [security] Prevent excessive resource use while processing large + delegations. (CVE-2022-2795) [GL #3394] + 5956. [func] Make RRL code treat all QNAMEs that are subject to wildcard processing within a given zone as the same name. [GL #3459] From 7f6cb0d0cc26179fe6243c66fa810fd6a217d55a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 11:11:30 +0200 Subject: [PATCH 03/18] Add release note for GL #3394 (cherry picked from commit 672072812cae9a346f6bc40ea5b1a81a5ca010ba) --- doc/notes/notes-current.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 306a87ccbb..020cfd08ba 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
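Review bot: The `++ns_processed` check sits at the bottom of the loop body, after `dns_rdata_freestruct(&ns)`, so any NS RR that leaves the body early through a `continue` above this hunk (the body starts outside the hunk, so I cannot see whether there is one) is never counted and the bound could be exceeded; incrementing at the top of the loop, before any per-RR work, would make the limit independent of the loop's exit paths. The truncation is also silent: reaching the limit yields the same `ISC_R_NOMORE` as a naturally exhausted RRset, so an operator cannot tell from the logs that a delegation was cut short. A trace next to the `break`, in the style of the existing call, e.g. `FCTXTRACE5("getaddresses", "NS_PROCESSING_LIMIT reached, ns_processed=", ns_processed);`, would make this observable. fctx_getaddresses continues outside the hunk.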
@@ -15,7 +15,14 @@ Notes for BIND 9.18.7 Security Fixes ~~~~~~~~~~~~~~ -- None. +- Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be abused to + severely impact the performance of :iscman:`named` running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + + ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat + Bremler-Barr & Shani Stajnrod from Reichman University for bringing + this vulnerability to our attention. :gl:`#3394` Known Issues ~~~~~~~~~~~~ From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 16 Aug 2022 16:26:02 -0700 Subject: [PATCH 04/18] compression buffer was not reused correctly when the compression buffer was reused for multiple statistics requests, responses could grow beyond the correct size. this was because the buffer was not cleared before reuse; compressed data was still written to the beginning of the buffer, but then the size of used region was increased by the amount written, rather than set to the amount written. this caused responses to grow larger and larger, potentially reading past the end of the allocated buffer. (cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b) --- lib/isc/httpd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c index a701fb2a84..14c9fbfe81 100644 --- a/lib/isc/httpd.c +++ b/lib/isc/httpd.c @@ -202,6 +202,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) { if (r.base != NULL) { isc_mem_put(mctx, r.base, r.length); } + + isc_buffer_initnull(buffer); } isc_result_t @@ -861,6 +863,7 @@ httpd_compress(isc_httpd_t *httpd) { inputlen = isc_buffer_usedlength(&httpd->bodybuffer); alloc_compspace(httpd, inputlen); + isc_buffer_clear(&httpd->compbuffer); isc_buffer_region(&httpd->compbuffer, &r); /* From 2312c45ff2c0ff28e9bc008417d4eb2ba62d34c9 Mon Sep 17 00:00:00 2001 
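Review bot: The added `isc_buffer_clear(&httpd->compbuffer);` in httpd_compress is the whole fix for the response-growth bug described in the commit message, yet it carries no comment, so a later cleanup could drop it as redundant next to `alloc_compspace()`. Suggest `/* compbuffer is reused across requests on a kept-alive connection; reset its used region so the compressed length is set, not accumulated */` above the call. Whether `alloc_compspace()` itself resets the used region when it (re)allocates is not visible here; if it does, the comment should say this clear covers the no-reallocation path. httpd_compress continues outside the hunk.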
From: Evan Hunt Date: Tue, 16 Aug 2022 16:26:02 -0700 Subject: [PATCH 05/18] CHANGES and release notes for CVE-2022-2881 [GL #3493] (cherry picked from commit 430ee6c4271e68a2bbb8163ed0e1d2e37fbe3d5d) --- CHANGES | 7 +++++++ doc/notes/notes-current.rst | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/CHANGES b/CHANGES index 059cc4a1b6..a8cf9b21e8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +5958. [security] When an HTTP connection was reused to get + statistics from the stats channel, and zlib + compression was in use, each successive + response sent larger and larger blocks of memory, + potentially reading past the end of the allocated + buffer. (CVE-2022-2881) [GL #3493] + 5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 020cfd08ba..f0bd64c74c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,6 +24,11 @@ Security Fixes Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. :gl:`#3394` +- When an HTTP connection was reused to request statistics from the + stats channel, the content length of successive responses could grow + in size past the end of the allocated buffer. This has been fixed. + (CVE-2022-2881) :gl:`#3493` + Known Issues ~~~~~~~~~~~~ From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001 
From: Aram Sargsyan Date: Thu, 18 Aug 2022 08:59:09 +0000 Subject: [PATCH 06/18] Fix memory leaks in DH code When used with OpenSSL v3.0.0+, the `openssldh_compare()`, `openssldh_paramcompare()`, and `openssldh_todns()` functions fail to cleanup the used memory on some error paths. Use `DST_RET` instead of `return`, when there is memory to be released before returning from the functions. (cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9) --- lib/dns/openssldh_link.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index d5dbc2e889..1a01c2b351 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -165,6 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, static bool openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + bool ret = true; #if OPENSSL_VERSION_NUMBER < 0x30000000L DH *dh1, *dh2; const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; @@ -214,18 +215,17 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0) { - return (false); + DST_RET(false); } if (priv_key1 != NULL || priv_key2 != NULL) { - if (priv_key1 == NULL || priv_key2 == NULL) { - return (false); - } - if (BN_cmp(priv_key1, priv_key2) != 0) { - return (false); + if (priv_key1 == NULL || priv_key2 == NULL || + BN_cmp(priv_key1, priv_key2) != 0) { + DST_RET(false); } } +err: #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (p1 != NULL) { BN_free(p1); @@ -253,11 +253,12 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { } #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ - return (true); + return (ret); } static bool openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + bool ret = true; #if OPENSSL_VERSION_NUMBER < 0x30000000L DH *dh1, *dh2; const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; 
@@ -295,9 +296,10 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { - return (false); + DST_RET(false); } +err: #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (p1 != NULL) { BN_free(p1); @@ -313,7 +315,7 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { } #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ - return (true); + return (ret); } #if OPENSSL_VERSION_NUMBER < 0x30000000L @@ -675,6 +677,7 @@ uint16_fromregion(isc_region_t *region) { static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret = ISC_R_SUCCESS; #if OPENSSL_VERSION_NUMBER < 0x30000000L DH *dh; const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; @@ -716,7 +719,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { publen = BN_num_bytes(pub_key); dnslen = plen + glen + publen + 6; if (r.length < (unsigned int)dnslen) { - return (ISC_R_NOSPACE); + DST_RET(ISC_R_NOSPACE); } uint16_toregion(plen, &r); @@ -745,6 +748,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_add(data, dnslen); +err: #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (p != NULL) { BN_free(p); @@ -757,7 +761,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { } #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ - return (ISC_R_SUCCESS); + return (ret); } static isc_result_t From 919e2d195fee43498230908c88aa09252fd61b85 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Thu, 18 Aug 2022 09:20:21 +0000 Subject: [PATCH 07/18] Add CHANGES note for [GL #3491] (cherry picked from commit 5b5f2353d4fbe94d699f9f43e94586d35504b7e8) --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index a8cf9b21e8..5456bcf7d2 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,8 @@ +5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0 + and later versions. The openssldh_compare(), + openssldh_paramcompare(), and openssldh_todns() + functions were affected. (CVE-2022-2906) [GL #3491] + 5958. [security] When an HTTP connection was reused to get statistics from the stats channel, and zlib compression was in use, each successive From 8ac3682c7e6fec976bee93d73f93f50cbfe3c8b5 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Thu, 18 Aug 2022 09:28:03 +0000 Subject: [PATCH 08/18] Add release note for [GL #3491] (cherry picked from commit 113e949b34909d7b0edd7089a09284ec4b13ce1a) --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index f0bd64c74c..34bddc1bc5 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -29,6 +29,10 @@ Security Fixes in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) :gl:`#3493` +- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that + could be externally triggered, when using TKEY records in DH mode with + OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` + Known Issues ~~~~~~~~~~~~ From b9e2f3333d0d29deb3ef932aa7aeb28086f153bd Mon Sep 17 00:00:00 2001 
From: Matthijs Mekking Date: Fri, 2 Sep 2022 16:50:39 +0200 Subject: [PATCH 09/18] Only refresh RRset once Don't attempt to resolve DNS responses for intermediate results. This may create multiple refreshes and can cause a crash. One scenario is where for the query there is a CNAME and canonical answer in cache that are both stale. This will trigger a refresh of the RRsets because we encountered stale data and we prioritized it over the lookup. It will trigger a refresh of both RRsets. When we start recursing, it will detect a recursion loop because the recursion parameters will eventually be the same. In 'dns_resolver_destroyfetch' the sanity check fails, one of the callers did not get its event back before trying to destroy the fetch. Move the call to 'query_refresh_rrset' to 'ns_query_done', so that it is only called once per client request. Another scenario is where for the query there is a stale CNAME in the cache that points to a record that is also in cache but not stale. This will trigger a refresh of the RRset (because we encountered stale data and we prioritized it over the lookup). We mark RRsets that we add to the message with DNS_RDATASETATTR_STALE_ADDED to prevent adding a duplicate RRset when a stale lookup and a normal lookup conflict with each other. However, the other non-stale RRset when following a CNAME chain will be added to the message without setting that attribute, because it is not stale. This is a variant of the bug in #2594. The fix covered the same crash but for stale-answer-client-timeout > 0. Fix this by clearing all RRsets from the message before refreshing. This requires the refresh to happen after the query is send back to the client. (cherry picked from commit d939d2ecde5639d11acd6eac33a997b3e3c78b02) --- lib/ns/include/ns/query.h | 1 + lib/ns/query.c | 42 ++++++++++++++++++++++++--------------- 2 files changed, 27 insertions(+), 16 deletions(-) 
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h index e4e0fc69bc..37e55671c2 100644 --- a/lib/ns/include/ns/query.h +++ b/lib/ns/include/ns/query.h @@ -148,6 +148,7 @@ struct query_ctx { bool authoritative; /* authoritative query? */ bool want_restart; /* CNAME chain or other * restart needed */ + bool refresh_rrset; /* stale RRset refresh needed */ bool need_wildcardproof; /* wildcard proof needed */ bool nxrewrite; /* negative answer from RPZ */ bool findcoveringnsec; /* lookup covering NSEC */ diff --git a/lib/ns/query.c b/lib/ns/query.c index 42679ce288..b31d78e400 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -5829,7 +5829,6 @@ query_lookup(query_ctx_t *qctx) { bool dbfind_stale = false; bool stale_timeout = false; bool stale_found = false; - bool refresh_rrset = false; bool stale_refresh_window = false; uint16_t ede = 0; @@ -6027,8 +6026,7 @@ query_lookup(query_ctx_t *qctx) { "%s stale answer used, an attempt to " "refresh the RRset will still be made", namebuf); - refresh_rrset = STALE(qctx->rdataset); - qctx->client->nodetach = refresh_rrset; + qctx->refresh_rrset = STALE(qctx->rdataset); ns_client_extendederror( qctx->client, ede, "stale data prioritized over lookup"); @@ -6072,17 +6070,6 @@ query_lookup(query_ctx_t *qctx) { result = query_gotanswer(qctx, result); - if (refresh_rrset) { - /* - * If we reached this point then it means that we have found a - * stale RRset entry in cache and BIND is configured to allow - * queries to be answered with stale data if no active RRset - * is available, i.e. "stale-anwer-client-timeout 0". But, we - * still need to refresh the RRset. - */ - query_refresh_rrset(qctx); - } - cleanup: return (result); } 
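Review bot: The new `refresh_rrset` field in `struct query_ctx` is only ever assigned in query_lookup (`qctx->refresh_rrset = STALE(qctx->rdataset);`), and nothing in this series shows it being initialized or reset when the context is set up or when the query restarts (`want_restart`), so it is worth confirming that the context initialization path zeroes the whole struct; otherwise a leftover `true` could drive `message_clearrdataset()` and a refresh on a later, non-stale pass. A field comment making the lifetime explicit would help, e.g. `bool refresh_rrset; /* stale RRset refresh needed; set in query_lookup, acted on in ns_query_done */`.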
@@ -8102,11 +8089,14 @@ query_addanswer(query_ctx_t *qctx) { /* * On normal lookups, clear any rdatasets that were added on a - * lookup due to stale-answer-client-timeout. + * lookup due to stale-answer-client-timeout. Do not clear if we + * are going to refresh the RRset, because the stale contents are + * prioritized. */ if (QUERY_STALEOK(&qctx->client->query) && - !QUERY_STALETIMEOUT(&qctx->client->query)) + !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) { + CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); query_clear_stale(qctx->client); /* * We can clear the attribute to prevent redundant clearing @@ -11864,9 +11854,29 @@ ns_query_done(query_ctx_t *qctx) { /* * Client may have been detached after query_send(), so * we test and store the flag state here, for safety. + * If we are refreshing the RRSet, we must not detach from the client + * in the query_send(), so we need to override the flag. */ + if (qctx->refresh_rrset) { + qctx->client->nodetach = true; + } nodetach = qctx->client->nodetach; query_send(qctx->client); + + if (qctx->refresh_rrset) { + /* + * If we reached this point then it means that we have found a + * stale RRset entry in cache and BIND is configured to allow + * queries to be answered with stale data if no active RRset + * is available, i.e. "stale-anwer-client-timeout 0". But, we + * still need to refresh the RRset. To prevent adding duplicate + * RRsets, clear the RRsets from the message before doing the + * refresh. + */ + message_clearrdataset(qctx->client->message, 0); + query_refresh_rrset(qctx); + } + if (!nodetach) { qctx->detach_client = true; } From 55946cebb61aec1760d7a8e501d25ce0fbe86351 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 5 Sep 2022 11:32:59 +0200 Subject: [PATCH 10/18] Add CHANGES entry for 3517 (cherry picked from commit e3949029657e18e3bef5ec6d1a381d4c37b016b0) --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 5456bcf7d2..0020275c33 100644 
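Review bot: The comment in the new `if (qctx->refresh_rrset)` block in ns_query_done misspells the option as `"stale-anwer-client-timeout 0"` (carried over from the block removed from query_lookup); it should read `"stale-answer-client-timeout 0"` so that a search for the option name finds this code. The second argument of `message_clearrdataset(qctx->client->message, 0)` is a bare `0`; a short comment saying what that argument selects (presumably an attribute mask under which every rdataset is cleared — please confirm against the function's definition) would make the intent clear. ns_query_done continues outside the hunk.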
--- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +5960. [security] Fix serve-stale crash that could happen when + stale-answer-client-timeout was set to 0 and there was + a stale CNAME in the cache for an incoming query. + (CVE-2022-3080) [GL #3517] + 5959. [security] Fix memory leaks in the DH code when using OpenSSL 3.0.0 and later versions. The openssldh_compare(), openssldh_paramcompare(), and openssldh_todns() From 175e4e963b5cc15072d07d734f73468f210b401b Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 5 Sep 2022 11:34:57 +0200 Subject: [PATCH 11/18] Add release notes for #3517 (cherry picked from commit 97c6c3712eeb9e8d6463749a1f70350e68b7b1b3) --- doc/notes/notes-current.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 34bddc1bc5..71c725493a 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -33,6 +33,12 @@ Security Fixes could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` +- :iscman:`named` running as a resolver with the + :any:`stale-answer-client-timeout` option set to ``0`` could crash + with an assertion failure, when there was a stale CNAME in the cache + for the incoming query. This has been fixed. (CVE-2022-3080) + :gl:`#3517` + Known Issues ~~~~~~~~~~~~ From 7c0028cfad2ae5fdf82c4d02d3b8b3a1e96dc6ec Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 11 Aug 2022 15:28:13 +1000 Subject: [PATCH 12/18] Free ctx on invalid siglen (cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) --- lib/dns/openssleddsa_link.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index 2f599647da..fa8d51b1ef 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c 
@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { } #endif /* if HAVE_OPENSSL_ED448 */ if (siglen == 0) { - return (ISC_R_NOTIMPLEMENTED); + DST_RET(ISC_R_NOTIMPLEMENTED); } if (sig->length != siglen) { - return (DST_R_VERIFYFAILURE); + DST_RET(DST_R_VERIFYFAILURE); } isc_buffer_usedregion(buf, &tbsreg); From 79655301ab3e8885c8bf8dbe14ec7297c9a3ff70 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 12 Aug 2022 10:31:59 +1000 Subject: [PATCH 13/18] Add CHANGES note for [GL #3487] (cherry picked from commit b3277f2e10ad9309818d461ed851d0ee77e49712) --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 0020275c33..459639686b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5962. [security] Fix memory leak in EdDSA verify processing. + (CVE-2022-38178) [GL #3487] + 5960. [security] Fix serve-stale crash that could happen when stale-answer-client-timeout was set to 0 and there was a stale CNAME in the cache for an incoming query. From 06e13c5a8d488ee1106e1637642913dd8fa2d9a6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 12 Aug 2022 10:33:04 +1000 Subject: [PATCH 14/18] Add release note for [GL #3487] (cherry picked from commit e6cb1de20b5edea502918a2b6ea41444e7d2e170) --- doc/notes/notes-current.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 71c725493a..079f27b3a2 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -39,6 +39,10 @@ Security Fixes for the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517` +- Memory leaks were fixed that could be externally triggered in the + DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + :gl:`#3487` + Known Issues ~~~~~~~~~~~~ From 364bdb5ec875f70f82b98e39edf64a6699165c90 Mon Sep 17 00:00:00 2001 
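Review bot: The two `DST_RET()` replacements cover only the `siglen == 0` and `sig->length != siglen` returns; the `#if HAVE_OPENSSL_ED448` block that closes just above and the rest of openssleddsa_verify are outside the hunk, so any other `return` between the point where the context is created and the `err:` label (neither is visible here) would still leak. Worth a quick check that every early exit after the context is created goes through `DST_RET()`. openssleddsa_verify continues outside the hunk.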
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 14:03:54 +0200 Subject: [PATCH 15/18] Prepare release notes for BIND 9.18.7 --- doc/arm/notes.rst | 2 +- doc/notes/{notes-current.rst => notes-9.18.7.rst} | 15 --------------- 2 files changed, 1 insertion(+), 16 deletions(-) rename doc/notes/{notes-current.rst => notes-9.18.7.rst} (96%) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 3485631ec6..ade9a081e7 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -33,7 +33,7 @@ The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.18.7.rst .. include:: ../notes/notes-9.18.6.rst .. include:: ../notes/notes-9.18.5.rst .. include:: ../notes/notes-9.18.4.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.18.7.rst similarity index 96% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.18.7.rst index 079f27b3a2..01a1749e53 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.18.7.rst @@ -43,21 +43,6 @@ Security Fixes DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) :gl:`#3487` -Known Issues -~~~~~~~~~~~~ - -- None. - -New Features -~~~~~~~~~~~~ - -- None. - -Removed Features -~~~~~~~~~~~~~~~~ - -- None. - Feature Changes ~~~~~~~~~~~~~~~ From 212c9f123929ef8e050afda4b11e8342ccad7a12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 14:03:54 +0200 Subject: [PATCH 16/18] Tweak and reword release notes --- doc/notes/notes-9.18.7.rst | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst index 01a1749e53..e54297278e 100644 --- a/doc/notes/notes-9.18.7.rst +++ b/doc/notes/notes-9.18.7.rst 
@@ -50,23 +50,24 @@ Feature Changes subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. :gl:`#3459` -- Zones using ``dnssec-policy`` now require dynamic DNS or - ``inline-signing`` to be configured explicitly :gl:`#3381`. +- Zones using :any:`dnssec-policy` now require dynamic DNS or + :any:`inline-signing` to be configured explicitly. :gl:`#3381` -- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY - algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail - to sign the zone, but keep using NSEC for a little longer until the offending - DNSKEY records have been removed from the zone, then switch to using NSEC3. - :gl:`#3486` +- When reconfiguring :any:`dnssec-policy` from using NSEC with an + NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, + BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC + until the offending DNSKEY records have been removed from the zone, + then switches to using NSEC3. :gl:`#3486` -- Implement a backwards compatible approach for encoding the internationalized - domain names (IDN) in dig, and convert the domain to IDNA2008 form, and if - that fails try the IDNA2003 conversion. :gl:`#3485` +- A backward-compatible approach was implemented for encoding + internationalized domain names (IDN) in :iscman:`dig` and converting + the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 + conversion. :gl:`#3485` Bug Fixes ~~~~~~~~~ -- Fix a serve-stale bug, where BIND would try to return stale data from cache - for lookups that received duplicate queries or queries that would be dropped. - This bug resulted in premature SERVFAIL responses, and has now been resolved. - :gl:`#2982` +- A serve-stale bug was fixed, where BIND would try to return stale data + from cache for lookups that received duplicate queries or queries that + would be dropped. 
This bug resulted in premature SERVFAIL responses, + and has now been resolved. :gl:`#2982` From 3d55ae3d2ffa65e882411fa4882a533da5fafb1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 14:39:47 +0200 Subject: [PATCH 17/18] Add a CHANGES marker --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 459639686b..cccb6c3f61 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.18.7 released --- + 5962. [security] Fix memory leak in EdDSA verify processing. (CVE-2022-38178) [GL #3487] From 85a6eb108e884467c4b3af414140d6b033a89a62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 8 Sep 2022 14:39:47 +0200 Subject: [PATCH 18/18] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 1e10d5756b..14dd461b8f 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 18)dnl m4_define([bind_VERSION_PATCH], 7)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Stable Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl