package/bind: security bump to version 9.11.6-P1
Fixes the following security issues:
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743
- CVE-2019-6467: An error in the nxdomain redirect feature can cause
BIND to exit with an INSIST assertion failure in query.c
https://kb.isc.org/docs/cve-2019-6467
- CVE-2019-6468: BIND Supported Preview Edition can exit with an
assertion failure if nxdomain-redirect is used
https://kb.isc.org/docs/cve-2019-6468
Add an upstream patch to fix building on architectures where bind does not
implement isc_atomic_*.
Upstream moved to a 2019 signing key, so update comment in .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fc8ace0938)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
parent
5fcaff911d
commit
757f764547
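--- /dev/null
+++ b/package/bind/<PATCH-FILENAME-NOT-SHOWN-ON-PAGE>.patch
@@ -0,0 +1,133 @@
+From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: [PATCH] Replace atomic operations in bin/named/client.c with
+isc_refcount reference counting
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+bin/named/client.c | 18 +++++++-----------
+bin/named/include/named/interfacemgr.h | 5 +++--
+bin/named/interfacemgr.c | 7 +++++--
+3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 845326abc0..29fecadca8 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
+static void
+mark_tcp_active(ns_client_t *client, bool active) {
+if (active && !client->tcpactive) {
+- isc_atomic_xadd(&client->interface->ntcpactive, 1);
++ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
+client->tcpactive = active;
+} else if (!active && client->tcpactive) {
+- uint32_t old =
+- isc_atomic_xadd(&client->interface->ntcpactive, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
+client->tcpactive = active;
+}
+}
+@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
+if (client->mortal && TCP_CLIENT(client) &&
+client->newstate != NS_CLIENTSTATE_FREED &&
+!ns_g_clienttest &&
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
+{
+/* Nobody else is accepting */
+client->mortal = false;
+@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+isc_result_t result;
+ns_client_t *client = event->ev_arg;
+isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+- uint32_t old;
+
+REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+REQUIRE(NS_CLIENT_VALID(client));
+@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+INSIST(client->naccepts == 1);
+client->naccepts--;
+
+- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+- INSIST(old > 0);
++ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
+
+/*
+* We must take ownership of the new socket before the exit
+@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) {
+* quota is tcp-clients plus the number of listening
+* interfaces plus 1.)
+*/
+- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+- (client->tcpactive ? 1 : 0));
++ exit = (isc_refcount_current(&client->interface->ntcpactive) >
++ (client->tcpactive ? 1U : 0U));
+if (exit) {
+client->newstate = NS_CLIENTSTATE_INACTIVE;
+(void)exit_check(client);
+@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) {
+* listening for connections itself to prevent the interface
+* going dead.
+*/
+- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
++ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
+}
+
+static void
+diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
+index 3535ef22a8..6e10f210fd 100644
+--- a/bin/named/include/named/interfacemgr.h
++++ b/bin/named/include/named/interfacemgr.h
+@@ -45,6 +45,7 @@
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
++#include <isc/refcount.h>
+
+#include <dns/result.h>
+
+@@ -75,11 +76,11 @@ struct ns_interface {
+/*%< UDP dispatchers. */
+isc_socket_t * tcpsocket; /*%< TCP socket. */
+isc_dscp_t dscp; /*%< "listen-on" DSCP value */
+- int32_t ntcpaccepting; /*%< Number of clients
++ isc_refcount_t ntcpaccepting; /*%< Number of clients
+ready to accept new
+TCP connections on this
+interface */
+- int32_t ntcpactive; /*%< Number of clients
++ isc_refcount_t ntcpactive; /*%< Number of clients
+servicing TCP queries
+(whether accepting or
+connected) */
+diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
+index d9f6df5802..135533be6b 100644
+--- a/bin/named/interfacemgr.c
++++ b/bin/named/interfacemgr.c
+@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+* connections will be handled in parallel even though there is
+* only one client initially.
+*/
+- ifp->ntcpaccepting = 0;
+- ifp->ntcpactive = 0;
++ isc_refcount_init(&ifp->ntcpaccepting, 0);
++ isc_refcount_init(&ifp->ntcpactive, 0);
+
+ifp->nudpdispatch = 0;
+
+@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
+
+ns_interfacemgr_detach(&ifp->mgr);
+
++ isc_refcount_destroy(&ifp->ntcpactive);
++ isc_refcount_destroy(&ifp->ntcpaccepting);
++
+ifp->magic = 0;
+isc_mem_put(mctx, ifp, sizeof(*ifp));
+}
+--
+2.11.0
+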
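Review bot: The two `isc_refcount_decrement(..., NULL)` calls in mark_tcp_active and client_newconn drop the explicit `INSIST(old > 0)` underflow checks that the removed isc_atomic_xadd code carried, and nothing in this patch shows whether isc_refcount_decrement asserts on its own in the non-atomic fallback that this patch exists to support. The ntcpactive/ntcpaccepting counters are what the CVE-2018-5743 TCP-client limit is computed from (see the `isc_refcount_current(...) >` comparison in client_accept), so an unnoticed underflow would silently disable that limit rather than crash loudly. Before carrying this patch, confirm in isc/refcount.h for this BIND version that decrement REQUIREs a non-zero prior value in every implementation; if it does not, keep an equivalent check, for example by passing a target and asserting on it, `unsigned int refs; isc_refcount_decrement(&client->interface->ntcpactive, &refs); INSIST(refs != UINT32_MAX);`. Since this is an upstream commit vendored unchanged, any such fix should be reported upstream rather than diverged locally; the enclosing functions continue outside the quoted hunks.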
@ -1,4 +1,4 @@
|
|||||||
# Verified from https://ftp.isc.org/isc/bind9/9.11.5-P4/bind-9.11.5-P4.tar.gz.asc
|
# Verified from https://ftp.isc.org/isc/bind9/9.11.6-P1/bind-9.11.6-P1.tar.gz.asc
|
||||||
# with key BE0E9748B718253A28BB89FFF1B11BF05CF02E57
|
# with key 156890685EA0DF6A1371EF2017CC5DB1F0088407
|
||||||
sha256 7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434 bind-9.11.5-P4.tar.gz
|
sha256 58ace2abb4d048b67abcdef0649ecd6cbd3b0652734a41a1d34f942d5500f8ef bind-9.11.6-P1.tar.gz
|
||||||
sha256 cd02c93b8dcda794f55dfd1231828d69633072a98eee4874f9cf732d22d9dcde COPYRIGHT
|
sha256 cd02c93b8dcda794f55dfd1231828d69633072a98eee4874f9cf732d22d9dcde COPYRIGHT
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
BIND_VERSION = 9.11.5-P4
|
BIND_VERSION = 9.11.6-P1
|
||||||
BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
|
BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
|
||||||
# bind does not support parallel builds.
|
# bind does not support parallel builds.
|
||||||
BIND_MAKE = $(MAKE1)
|
BIND_MAKE = $(MAKE1)
|
||||||
|