[v9_11] fix rpz formerr loop

4531. [security] Some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. (CVE-2017-3140) [RT #45181]
2026-06-10 18:40:00 -04:00 · 2017-05-30 12:35:06 -07:00 · 2017-05-30 12:35:06 -07:00 · 3440cf9c60
commit 3440cf9c60
parent 9270a14461
5 changed files with 24 additions and 3 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+4531.	[security]	Some RPZ configurations could go into an infinite
+			query loop when encountering responses with TTL=0.
+			(CVE-2017-3140) [RT #45181]
+
 4530.	[bug]		"dyndb" is dependent on dlopen existing / being
 			enabled. [RT #45291]

--- a/7
+++ b/7
@ -222,6 +222,13 @@ disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147,
 CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137
 and CVE-2017-3138.

+BIND 9.11.2
+
+BIND 9.11.1 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140. It also addresses several bugs related to the
+use of an LMDB database to store data related to zones added via rndc
+addzone or catalog zones.
+
 Building BIND

 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
--- a/README.md
+++ b/README.md
@ -234,6 +234,13 @@ flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
 CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135,
 CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.

+#### BIND 9.11.2
+
+BIND 9.11.1 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140. It also addresses several bugs related to
+the use of an LMDB database to store data related to zones added via
+`rndc addzone` or catalog zones.
+
 ### <a name="build"/> Building BIND

 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -8102,7 +8102,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * If we have a zero ttl from the cache refetch it.
 		 */
-		if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+		if (!is_zone && !resuming && rdataset->ttl == 0 &&
 		    RECURSIONOK(client))
 		{
 			if (dns_rdataset_isassociated(rdataset))
@ -8574,7 +8574,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * If we have a zero ttl from the cache refetch it.
 		 */
-		if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+		if (!is_zone && !resuming && rdataset->ttl == 0 &&
 		    RECURSIONOK(client))
 		{
 			if (dns_rdataset_isassociated(rdataset))
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -95,7 +95,10 @@
    <itemizedlist>
      <listitem>
 	<para>
-	  None.
+	  With certain RPZ configurations, a response with TTL 0
+	  could cause <command>named</command> to go into an infinite
+	  query loop. This flaw is disclosed in CVE-2017-3140.
+	  [RT #45181]
 	</para>
      </listitem>
    </itemizedlist>