BIND 9.18.3

2026-05-28 04:34:54 -04:00 · 2022-05-19 12:07:45 +02:00 · 2022-05-19 12:07:45 +02:00 · 4dde80f655
commit 4dde80f655
parent c00545a168 16aefa34b0
5 changed files with 101 additions and 20 deletions
--- a/6
+++ b/6
@ -7,6 +7,12 @@
 5888.	[bug]		Only write key files if the dnssec-policy keymgr has
 			changed the metadata. [GL #3302]

+	--- 9.18.3 released ---
+
+5886.	[security]	Fix a crash in DNS-over-HTTPS (DoH) code caused by
+			premature TLS stream socket object deletion.
+			(CVE-2022-1183) [GL #3216]
+
 5885.	[bug]		RPZ NSIP and NSDNAME rule processing didn't handle stub
 			and static-stub zones at or above the query name.  This
 			has now been addressed. [GL #3232]
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@ -34,6 +34,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, and source code.

 .. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.18.3.rst
 .. include:: ../notes/notes-9.18.2.rst
 .. include:: ../notes/notes-9.18.1.rst
 .. include:: ../notes/notes-9.18.0.rst
--- a/doc/notes/notes-9.18.3.rst
+++ b/doc/notes/notes-9.18.3.rst
@ -0,0 +1,70 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.3
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, TLS socket objects could be destroyed prematurely, which
+  triggered assertion failures in :iscman:`named` instances serving
+  DNS-over-HTTPS (DoH) clients. This has been fixed.
+
+  ISC would like to thank Thomas Amgarten from arcade solutions ag for
+  bringing this vulnerability to our attention. (CVE-2022-1183)
+  :gl:`#3216`
+
+Known Issues
+~~~~~~~~~~~~
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+  be inspected when verifying a remote certificate while establishing a
+  DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+  instead. Unfortunately, some quite old versions of cryptographic
+  libraries might lack the ability to ignore the ``Subject`` field. This
+  should have minimal production-use consequences, as most of the
+  production-ready certificates issued by certificate authorities will
+  have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+  ignored. Only old platforms are affected by this, e.g. those supplied
+  with OpenSSL versions older than 1.1.1. :gl:`#3163`
+
+New Features
+~~~~~~~~~~~~
+
+- Catalog Zones schema version 2, as described in the
+  "DNS Catalog Zones" IETF draft version 5 document, is now supported by
+  :iscman:`named`. All of the previously supported BIND-specific catalog
+  zone custom properties (``primaries``, ``allow-query``, and
+  ``allow-transfer``), as well as the new Change of Ownership (``coo``)
+  property, are now implemented. Schema version 1 is still supported,
+  with some additional validation rules applied from schema version 2:
+  for example, the ``version`` property is mandatory, and a member zone
+  PTR RRset must not contain more than one record. In the event of a
+  validation error, a corresponding error message is logged to help with
+  diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
+  :gl:`#3224` :gl:`#3225`
+
+- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
+  ``Stale NXDOMAIN Answer`` when stale answers are returned from cache.
+  :gl:`#2267`
+
+- Add support for remote TLS certificate verification, both to
+  :iscman:`named` and :iscman:`dig`, making it possible to implement
+  Strict and Mutual TLS authentication, as described in :rfc:`9103`,
+  Section 9.3. :gl:`#3163`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+  when configured with the ``auto-dnssec maintain;`` option. This has
+  been fixed. :gl:`#2931`
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@ -972,6 +972,7 @@ struct isc_nmsocket {
 						    worker */
 		size_t n_listener_tls_ctx;
 		isc_nmsocket_t *tlslistener;
+		isc_nmsocket_t *tlssocket;
 		atomic_bool result_updated;
 		enum {
 			TLS_INIT,
--- a/lib/isc/netmgr/tlsstream.c
+++ b/lib/isc/netmgr/tlsstream.c
@ -214,7 +214,6 @@ tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result) {

 	if (destroy) {
 		isc__nmsocket_prep_destroy(sock);
-		isc__nmsocket_detach(&sock);
 	}
 }

@ -416,21 +415,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
 				send_data->cb.send(send_data->handle, result,
 						   send_data->cbarg);
 				send_data = NULL;
-				/* This situation might occur only when SSL
-				 * shutdown was already sent (see
-				 * tls_send_outgoing()), and we are in the
-				 * process of shutting down the connection (in
-				 * this case tls_senddone() will be called), but
-				 * some code tries to send data over the
-				 * connection and called isc_tls_send(). The
-				 * socket will be detached there, in
-				 * tls_senddone().*/
-				if (sent_shutdown || received_shutdown) {
-					return;
-				} else {
-					isc__nmsocket_detach(&sock);
-					return;
-				}
+				return;
 			}
 		}

@ -634,6 +619,12 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 	tlssock->read_timeout = atomic_load(&handle->sock->mgr->init);
 	tlssock->tid = tid;

+	/*
+	 * Hold a reference to tlssock in the TCP socket: it will
+	 * detached in isc__nm_tls_cleanup_data().
+	 */
+	handle->sock->tlsstream.tlssocket = tlssock;
+
 	result = initialize_tls(tlssock, true);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	/* TODO: catch failure code, detach tlssock, and log the error */
@ -834,7 +825,7 @@ tls_close_direct(isc_nmsocket_t *sock) {
 		isc__nmsocket_detach(&sock->listener);
 	}

-	/* further cleanup performed in isc__nm_tls_cleanup_data() */
+	/* Further cleanup performed in isc__nm_tls_cleanup_data() */
 	atomic_store(&sock->closed, true);
 	atomic_store(&sock->active, false);
 	sock->tlsstream.state = TLS_CLOSED;
@ -958,6 +949,12 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 	isc_nmhandle_attach(handle, &tlssock->outerhandle);
 	atomic_store(&tlssock->active, true);

+	/*
+	 * Hold a reference to tlssock in the TCP socket: it will
+	 * detached in isc__nm_tls_cleanup_data().
+	 */
+	handle->sock->tlsstream.tlssocket = tlssock;
+
 	tls_do_bio(tlssock, NULL, NULL, false);
 	return;
 error:
@ -1025,8 +1022,9 @@ void
 isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
 	if (sock->type == isc_nm_tcplistener &&
 	    sock->tlsstream.tlslistener != NULL) {
-		REQUIRE(VALID_NMSOCK(sock->tlsstream.tlslistener));
 		isc__nmsocket_detach(&sock->tlsstream.tlslistener);
+	} else if (sock->type == isc_nm_tlslistener) {
+		tls_cleanup_listener_tlsctx(sock);
 	} else if (sock->type == isc_nm_tlssocket) {
 		if (sock->tlsstream.ctx != NULL) {
 			isc_tlsctx_free(&sock->tlsstream.ctx);
@ -1037,8 +1035,13 @@ isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
 			sock->tlsstream.bio_out = NULL;
 			sock->tlsstream.bio_in = NULL;
 		}
-	} else if (sock->type == isc_nm_tlslistener) {
-		tls_cleanup_listener_tlsctx(sock);
+	} else if (sock->type == isc_nm_tcpsocket &&
+		   sock->tlsstream.tlssocket != NULL) {
+		/*
+		 * The TLS socket can't be destroyed until its underlying TCP
+		 * socket is, to avoid possible use-after-free errors.
+		 */
+		isc__nmsocket_detach(&sock->tlsstream.tlssocket);
 	}
 }