svn commit: r285258 - in releng: 8.4 8.4/contrib/bind9/lib/dns 8.4/sys/conf 9.3 9.3/contrib/bind9/lib/dns 9.3/sys/conf
Xin LI
delphij at FreeBSD.org
Tue Jul 7 21:44:05 UTC 2015
Author: delphij
Date: Tue Jul 7 21:44:01 2015
New Revision: 285258
URL: https://svnweb.freebsd.org/changeset/base/285258
Log:
Fix BIND resolver remote denial of service when validating.
Security: CVE-2015-4620
Security: FreeBSD-SA-15:11.bind
Approved by: so
Modified:
releng/8.4/UPDATING
releng/8.4/contrib/bind9/lib/dns/validator.c
releng/8.4/sys/conf/newvers.sh
releng/9.3/UPDATING
releng/9.3/contrib/bind9/lib/dns/validator.c
releng/9.3/sys/conf/newvers.sh
Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING Tue Jul 7 21:43:23 2015 (r285257)
+++ releng/8.4/UPDATING Tue Jul 7 21:44:01 2015 (r285258)
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20150707: p33 FreeBSD-SA-15:11.bind
+ Fix BIND resolver remote denial of service when validating.
+
20150630: p32 FreeBSD-EN-15:08.sendmail [revised]
Improvements to sendmail TLS/DH interoperability. [EN-15:08]
Modified: releng/8.4/contrib/bind9/lib/dns/validator.c
==============================================================================
--- releng/8.4/contrib/bind9/lib/dns/validator.c Tue Jul 7 21:43:23 2015 (r285257)
+++ releng/8.4/contrib/bind9/lib/dns/validator.c Tue Jul 7 21:44:01 2015 (r285258)
@@ -1841,7 +1841,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
*/
static isc_boolean_t
isselfsigned(dns_validator_t *val) {
- dns_fixedname_t fixed;
dns_rdataset_t *rdataset, *sigrdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1892,7 +1891,7 @@ isselfsigned(dns_validator_t *val) {
result = dns_dnssec_verify2(name, rdataset, dstkey,
ISC_TRUE, mctx, &sigrdata,
- dns_fixedname_name(&fixed));
+ NULL);
dst_key_free(&dstkey);
if (result != ISC_R_SUCCESS)
continue;
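Review bot: The `NULL` now passed as the last argument of `dns_dnssec_verify2()` carries no comment explaining why the output name is omitted, so a later edit could easily put a name argument back. The removed line passed `dns_fixedname_name(&fixed)`, and no initialisation of `fixed` is visible in these hunks, which suggests the callee was being handed an unprepared name; that fits the denial of service described in the log, but it is inferred rather than shown. I would add above the call something like `/* Output name is unused here; pass NULL, never an uninitialised dns_fixedname_t (CVE-2015-4620). */`. The same comment applies to the `dns_dnssec_verify3()` call in the releng/9.3 hunk (`mctx, &sigrdata, NULL);`). The body of `isselfsigned()` starts and ends outside the hunk, and the hunk does not show that the callee accepts `NULL` for this parameter in each branch's bundled BIND, so that is worth confirming against its definition.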
Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh Tue Jul 7 21:43:23 2015 (r285257)
+++ releng/8.4/sys/conf/newvers.sh Tue Jul 7 21:44:01 2015 (r285258)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.4"
-BRANCH="RELEASE-p32"
+BRANCH="RELEASE-p33"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Tue Jul 7 21:43:23 2015 (r285257)
+++ releng/9.3/UPDATING Tue Jul 7 21:44:01 2015 (r285258)
@@ -11,6 +11,9 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20150707: p19 FreeBSD-SA-15:11.bind
+ Fix BIND resolver remote denial of service when validating.
+
20150630: p18 FreeBSD-EN-15:08.sendmail [revised]
FreeBSD-EN-15:09.xlocale
Modified: releng/9.3/contrib/bind9/lib/dns/validator.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/validator.c Tue Jul 7 21:43:23 2015 (r285257)
+++ releng/9.3/contrib/bind9/lib/dns/validator.c Tue Jul 7 21:44:01 2015 (r285258)
@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_r
*/
static isc_boolean_t
isselfsigned(dns_validator_t *val) {
- dns_fixedname_t fixed;
dns_rdataset_t *rdataset, *sigrdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) {
result = dns_dnssec_verify3(name, rdataset, dstkey,
ISC_TRUE,
val->view->maxbits,
- mctx, &sigrdata,
- dns_fixedname_name(&fixed));
+ mctx, &sigrdata, NULL);
dst_key_free(&dstkey);
if (result != ISC_R_SUCCESS)
continue;
Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh Tue Jul 7 21:43:23 2015 (r285257)
+++ releng/9.3/sys/conf/newvers.sh Tue Jul 7 21:44:01 2015 (r285258)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi