Merge branch '4507-confidential-clear-zversion-v9_18' into 'v9.18.28-release'

[9.18] [CVE-2024-4076] serve-stale zversion crash See merge request isc-private/bind9!687
2026-06-11 10:01:15 -04:00 · 2024-06-10 17:27:54 +00:00 · 2024-06-10 17:27:54 +00:00 · 5b83419fa9
commit 5b83419fa9
parent 1e6cf868dd acfb8508a8
3 changed files with 9 additions and 0 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+6403.	[security]	qctx-zversion was not being cleared when it should have
+			been leading to an assertion failure if it needed to be
+			reused. (CVE-2024-4076) [GL #4507]
+
 6402.	[security]	Remove SIG(0) support from named as a countermeasure
 			for CVE-2024-1975. [GL #4480]

--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -39,6 +39,10 @@ Security Fixes
  Support for SIG(0) message validation was removed from this version of
  :iscman:`named`. :cve:`2024-1975` :gl:`#4480`

+- Due to a logic error, lookups that trigger serving stale data and require
+  lookups in local authoritative zone data may result in an assertion failure.
+  This has been fixed. :cve:`2024-4076` :gl:`#4507`
+
 - Named could trigger an assertion failure when looking up the NS
  records of parent zones as part of looking up DS records.  This
  has been fixed. :gl:`#4661`
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -5325,6 +5325,7 @@ qctx_freedata(query_ctx_t *qctx) {
 		ns_client_releasename(qctx->client, &qctx->zfname);
 		dns_db_detachnode(qctx->zdb, &qctx->znode);
 		dns_db_detach(&qctx->zdb);
+		qctx->zversion = NULL;
 	}

 	if (qctx->event != NULL && !qctx->client->nodetach) {