svn commit: r285258 - in releng: 8.4 8.4/contrib/bind9/lib/dns 8.4/sys/conf 9.3 9.3/contrib/bind9/lib/dns 9.3/sys/conf

Xin LI delphij at FreeBSD.org
Tue Jul 7 21:44:05 UTC 2015 

Author: delphij
Date: Tue Jul  7 21:44:01 2015
New Revision: 285258
URL: https://svnweb.freebsd.org/changeset/base/285258

Log:
  Fix BIND resolver remote denial of service when validating.
  
  Security:	CVE-2015-4620
  Security:	FreeBSD-SA-15:11.bind
  Approved by:	so

Modified:
  releng/8.4/UPDATING
  releng/8.4/contrib/bind9/lib/dns/validator.c
  releng/8.4/sys/conf/newvers.sh
  releng/9.3/UPDATING
  releng/9.3/contrib/bind9/lib/dns/validator.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Tue Jul  7 21:43:23 2015	(r285257)
+++ releng/8.4/UPDATING	Tue Jul  7 21:44:01 2015	(r285258)
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20150707:	p33	FreeBSD-SA-15:11.bind
+	Fix BIND resolver remote denial of service when validating.
+
 20150630:	p32	FreeBSD-EN-15:08.sendmail [revised]
 
 	Improvements to sendmail TLS/DH interoperability. [EN-15:08]

Modified: releng/8.4/contrib/bind9/lib/dns/validator.c
==============================================================================
--- releng/8.4/contrib/bind9/lib/dns/validator.c	Tue Jul  7 21:43:23 2015	(r285257)
+++ releng/8.4/contrib/bind9/lib/dns/validator.c	Tue Jul  7 21:44:01 2015	(r285258)
@@ -1841,7 +1841,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
  */
 static isc_boolean_t
 isselfsigned(dns_validator_t *val) {
-	dns_fixedname_t fixed;
 	dns_rdataset_t *rdataset, *sigrdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1892,7 +1891,7 @@ isselfsigned(dns_validator_t *val) {
 
 			result = dns_dnssec_verify2(name, rdataset, dstkey,
 						    ISC_TRUE, mctx, &sigrdata,
-						    dns_fixedname_name(&fixed));
+						    NULL);
 			dst_key_free(&dstkey);
 			if (result != ISC_R_SUCCESS)
 				continue;

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Tue Jul  7 21:43:23 2015	(r285257)
+++ releng/8.4/sys/conf/newvers.sh	Tue Jul  7 21:44:01 2015	(r285258)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p32"
+BRANCH="RELEASE-p33"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Tue Jul  7 21:43:23 2015	(r285257)
+++ releng/9.3/UPDATING	Tue Jul  7 21:44:01 2015	(r285258)
@@ -11,6 +11,9 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20150707:	p19	FreeBSD-SA-15:11.bind
+	Fix BIND resolver remote denial of service when validating.
+
 20150630:	p18	FreeBSD-EN-15:08.sendmail [revised]
 			FreeBSD-EN-15:09.xlocale
 

Modified: releng/9.3/contrib/bind9/lib/dns/validator.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/validator.c	Tue Jul  7 21:43:23 2015	(r285257)
+++ releng/9.3/contrib/bind9/lib/dns/validator.c	Tue Jul  7 21:44:01 2015	(r285258)
@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
  */
 static isc_boolean_t
 isselfsigned(dns_validator_t *val) {
-	dns_fixedname_t fixed;
 	dns_rdataset_t *rdataset, *sigrdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
 			result = dns_dnssec_verify3(name, rdataset, dstkey,
 						    ISC_TRUE,
 						    val->view->maxbits,
-						    mctx, &sigrdata,
-						    dns_fixedname_name(&fixed));
+						    mctx, &sigrdata, NULL);
 			dst_key_free(&dstkey);
 			if (result != ISC_R_SUCCESS)
 				continue;

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Tue Jul  7 21:43:23 2015	(r285257)
+++ releng/9.3/sys/conf/newvers.sh	Tue Jul  7 21:44:01 2015	(r285258)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

More information about the svn-src-all mailing list