packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

同步openEuler-22.03-lts更新

Browse Source 
(cherry picked from commit 47cba74216ca5c11f5b275b36fd2ff2120f2c5bb)
This commit is contained in:
liweiganga 2022-12-12 11:46:37 +08:00 committed by openeuler-sync-bot
parent 4e3139b28f
commit ead5f8c87f
13 changed files with 1227 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
backport-0002-Fix-catalog-zone-reconfiguration-crash.patch Normal file
View File

@ -0,0 +1,119 @@
From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 11 Oct 2021 18:13:39 +0000
Subject: [PATCH] Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a
---
bin/named/server.c | 2 ++
lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++
lib/dns/win32/libdns.def.in | 2 ++
lib/dns/zone.c | 18 ++++++++++++++++++
4 files changed, 42 insertions(+)
diff --git a/bin/named/server.c b/bin/named/server.c
index 860ccae8a1..9c0f12f63f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
if (zone_is_catz) {
dns_zone_catz_enable(zone, view->catzs);
+ } else if (dns_zone_catz_is_enabled(zone)) {
+ dns_zone_catz_disable(zone);
}
/*
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 08e2263c5b..33ab5c60fd 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
* \li prior to calling, zone->catzs is NULL or is equal to 'catzs'
*/
+void
+dns_zone_catz_disable(dns_zone_t *zone);
+/*%<
+ * Disable zone as catalog zone, if it is one.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone);
+/*%<
+ * Return a boolean indicating whether the zone is enabled as catalog zone.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
void
dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
/*%<
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 31f511103f..1e0f7cf64a 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown
dns_zone_addnsec3chain
dns_zone_asyncload
dns_zone_attach
+dns_zone_catz_disable
dns_zone_catz_enable
dns_zone_catz_enable_db
+dns_zone_catz_is_enabled
dns_zone_cdscheck
dns_zone_checknames
dns_zone_clearforwardacl
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 65a3aacab7..bc33e6ede8 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
UNLOCK_ZONE(zone);
}
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->catzs != NULL) {
+ dns_catz_catzs_detach(&zone->catzs);
+ }
+ UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->catzs != NULL);
+}
+
/*
* If a zone is a catalog zone, attach it to update notification in database.
*/
--
2.27.0

162
backport-0003-Improve-the-logging-on-failed-TCP-accept.patch Normal file
View File

@ -0,0 +1,162 @@
From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 1 Dec 2021 17:41:20 +0100
Subject: [PATCH] Improve the logging on failed TCP accept
Previously, when TCP accept failed, we have logged a message with
ISC_LOG_ERROR level. One common case, how this could happen is that the
client hits TCP client quota and is put on hold and when resumed, the
client has already given up and closed the TCP connection. In such
case, the named would log:
TCP connection failed: socket is not connected
This message was quite confusing because it actually doesn't say that
it's related to the accepting the TCP connection and also it logs
everything on the ISC_LOG_ERROR level.
Change the log message to "Accepting TCP connection failed" and for
specific error states lower the severity of the log message to
ISC_LOG_INFO.
(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6
---
lib/isc/netmgr/netmgr-int.h | 3 +++
lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++++++
lib/isc/netmgr/tcp.c | 20 ++------------------
lib/isc/netmgr/tcpdns.c | 22 ++--------------------
4 files changed, 34 insertions(+), 38 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index f7b54f9..b4299d5 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async);
void
isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+
#define STREAM_CLIENTS_PER_CONN 23
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 3283eb6e4f..54042a9123 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) {
}
}
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
+ int level;
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case ISC_R_NOCONN:
+ return;
+ case ISC_R_QUOTA:
+ case ISC_R_SOFTQUOTA:
+ if (!can_log_quota) {
+ return;
+ }
+ level = ISC_LOG_INFO;
+ break;
+ case ISC_R_NOTCONNECTED:
+ level = ISC_LOG_INFO;
+ break;
+ default:
+ level = ISC_LOG_ERROR;
+ }
+
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+ level, "Accepting TCP connection failed: %s",
+ isc_result_totext(result));
+}
+
static void
isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 5cca9f5214..1b5e80d3a7 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) {
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
void
@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
result = accept_connection(sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
static isc_result_t
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 188790c8b4..b76dcbc66c 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) {
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
void
@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(ievent->sock->tid == isc_nm_tid());
result = accept_connection(ievent->sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
static isc_result_t
--
2.27.0

85
backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch Normal file
View File

@ -0,0 +1,85 @@
From 885e44650b547cff88095d01769e303474582612 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 5 Jan 2022 09:38:36 +0000
Subject: [PATCH] Separate the locked parts of dns_zone_catz_enable/disable
functions
Separate the locked parts of dns_zone_catz_enable() and
dns_zone_catz_disable() functions into static functions. This will
let us perform those tasks from the other parts of the module while
the zone is locked, avoiding one pair of additional unlocking and
locking operations.
(cherry picked from commit 6b937ed5f67a13cf6ad6249380073a6e647d7897)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/885e44650b547cff88095d01769e303474582612
---
lib/dns/zone.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2faf12519e..9205271574 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -871,6 +871,10 @@ static inline void
zone_attachdb(dns_zone_t *zone, dns_db_t *db);
static inline void
zone_detachdb(dns_zone_t *zone);
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+static void
+zone_catz_disable(dns_zone_t *zone);
static isc_result_t
default_journal(dns_zone_t *zone);
static void
@@ -1930,28 +1934,42 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
zone->rpzs->zones[zone->rpz_num]);
}
-void
-dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(catzs != NULL);
- LOCK_ZONE(zone);
INSIST(zone->catzs == NULL || zone->catzs == catzs);
dns_catz_catzs_set_view(catzs, zone->view);
if (zone->catzs == NULL) {
dns_catz_catzs_attach(catzs, &zone->catzs);
}
- UNLOCK_ZONE(zone);
}
void
-dns_zone_catz_disable(dns_zone_t *zone) {
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
+ zone_catz_enable(zone, catzs);
+ UNLOCK_ZONE(zone);
+}
+
+static void
+zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
if (zone->catzs != NULL) {
dns_catz_catzs_detach(&zone->catzs);
}
+}
+
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone_catz_disable(zone);
UNLOCK_ZONE(zone);
}
--
2.27.0

235
backport-0036-Check-if-key-metadata-is-modified-before-writing.patch Normal file
View File

@ -0,0 +1,235 @@
From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 3 May 2022 12:28:31 +0200
Subject: [PATCH] Check if key metadata is modified before writing
Add a new parameter to the dst_key structure, mark a key modified if
dst_key_(un)set[bool,num,state,time] is called. Only write out key
files during a keymgr run if the metadata has changed.
(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3
---
lib/dns/dst_api.c | 26 ++++++++++++++++++++++++++
lib/dns/dst_internal.h | 1 +
lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++
lib/dns/keymgr.c | 17 ++++++++++++++++-
4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index ab371330f0..8873a041b8 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) {
return (key->external);
}
+void
+dst_key_setmodified(dst_key_t *key, bool value) {
+ key->modified = value;
+}
+
+bool
+dst_key_ismodified(dst_key_t *key) {
+ return (key->modified);
+}
+
isc_result_t
dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
int type, const char *directory, isc_mem_t *mctx,
@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
(pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
{
RETERR(computeid(pubkey));
+ pubkey->modified = false;
*keyp = pubkey;
pubkey = NULL;
goto out;
@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
RETERR(DST_R_INVALIDPRIVATEKEY);
}
+ key->modified = false;
*keyp = key;
key = NULL;
@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) {
REQUIRE(type <= DST_MAX_BOOLEAN);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->boolset[type] ||
+ key->bools[type] != value;
key->bools[type] = value;
key->boolset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_BOOLEAN);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->boolset[type];
key->boolset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) {
REQUIRE(type <= DST_MAX_NUMERIC);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->numset[type] ||
+ key->nums[type] != value;
key->nums[type] = value;
key->numset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_NUMERIC);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->numset[type];
key->numset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
REQUIRE(type <= DST_MAX_TIMES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->timeset[type] ||
+ key->times[type] != when;
key->times[type] = when;
key->timeset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_TIMES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->timeset[type];
key->timeset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) {
REQUIRE(type <= DST_MAX_KEYSTATES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->keystateset[type] ||
+ key->keystates[type] != state;
key->keystates[type] = state;
key->keystateset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_KEYSTATES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->keystateset[type];
key->keystateset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) {
dst_key_unsetstate(to, i);
}
}
+
+ dst_key_setmodified(to, dst_key_ismodified(from));
}
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index e26837bfe4..4933cfd5aa 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -147,6 +147,7 @@ struct dst_key {
bool inactive; /*%< private key not present as it is
* inactive */
bool external; /*%< external key */
+ bool modified; /*%< set to true if key file metadata has changed */
int fmt_major; /*%< private key format, major version
* */
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d50761a63c..eab5501029 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key);
* 'key' to be valid.
*/
+void
+dst_key_setmodified(dst_key_t *key, bool value);
+/*%<
+ * If 'value' is true, this marks the key to indicate that key file metadata
+ * has been modified. If 'value' is false, this resets the value, for example
+ * after you have written the key to file.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
+bool
+dst_key_ismodified(dst_key_t *key);
+/*%<
+ * Check if the key file has been modified.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
bool
dst_key_haskasp(dst_key_t *key);
/*%<
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 965782b1f3..b01286575f 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1512,6 +1512,7 @@ transition:
/* It is safe to make the transition. */
dst_key_setstate(dkey->key, i, next_state);
dst_key_settime(dkey->key, keystatetimes[i], now);
+ INSIST(dst_key_ismodified(dkey->key));
changed = true;
}
}
@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
dkey = ISC_LIST_NEXT(dkey, link))
{
- if (!dkey->purge) {
+ if (dst_key_ismodified(dkey->key) && !dkey->purge) {
dns_dnssec_get_hints(dkey, now);
RETERR(dst_key_tofile(dkey->key, options, directory));
+ dst_key_setmodified(dkey->key, false);
}
}
@@ -2205,6 +2207,13 @@ failure:
}
}
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(origin, namebuf, sizeof(namebuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3),
+ "keymgr: %s done", namebuf);
+ }
return (result);
}
@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
dns_dnssec_get_hints(ksk_key, now);
result = dst_key_tofile(ksk_key->key, options, directory);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_setmodified(ksk_key->key, false);
+ }
isc_dir_close(&dir);
return (result);
@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
dns_dnssec_get_hints(key, now);
result = dst_key_tofile(key->key, options, directory);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_setmodified(key->key, false);
+ }
isc_dir_close(&dir);
return (result);
--
2.27.0

76
backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch Normal file
View File

@ -0,0 +1,76 @@
From 7c42c04f3fa1c6b936debe48b435b9ef9da464bd Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 16 May 2022 19:00:47 +0200
Subject: [PATCH] Fix CID 352776: Concurrent data access violations
*** CID 352776: Concurrent data access violations (MISSING_LOCK)
/lib/dns/dst_api.c: 474 in dst_key_setmodified()
468 dst_key_isexternal(dst_key_t *key) {
469 return (key->external);
470 }
471
472 void
473 dst_key_setmodified(dst_key_t *key, bool value) {
>>> CID 352776: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "key->modified" without holding lock
>>> "dst_key.mdlock". Elsewhere, "dst_key.modified" is accessed with
>>> "dst_key.mdlock" held 8 out of 11 times (8 of these accesses
>>> strongly imply that it is necessary).
474 key->modified = value;
475 }
476
477 bool
478 dst_key_ismodified(dst_key_t *key) {
479 return (key->modified);
(cherry picked from commit 1fa24d0afbc01d25d71446156758b3a945db5b5f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c42c04f3fa1c6b936debe48b435b9ef9da464bd
---
lib/dns/dst_api.c | 12 ++++++++++--
lib/dns/include/dst/dst.h | 2 +-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 8873a041b8..e5a52aea37 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -492,12 +492,20 @@ dst_key_isexternal(dst_key_t *key) {
void
dst_key_setmodified(dst_key_t *key, bool value) {
+ isc_mutex_lock(&key->mdlock);
key->modified = value;
+ isc_mutex_unlock(&key->mdlock);
}
bool
-dst_key_ismodified(dst_key_t *key) {
- return (key->modified);
+dst_key_ismodified(const dst_key_t *key) {
+ bool modified;
+
+ isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
+ modified = key->modified;
+ isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
+
+ return (modified);
}
isc_result_t
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index eab5501029..3185e9f91b 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1119,7 +1119,7 @@ dst_key_setmodified(dst_key_t *key, bool value);
*/
bool
-dst_key_ismodified(dst_key_t *key);
+dst_key_ismodified(const dst_key_t *key);
/*%<
* Check if the key file has been modified.
*
--
2.27.0

70
backport-0037-Require-valid-key-for-dst_key-functions.patch Normal file
View File

@ -0,0 +1,70 @@
From d3147417c55cb1277cac42034198a3011c8f5cfb Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 17 May 2022 12:02:43 +0200
Subject: [PATCH] Require valid key for dst_key functions
Make sure that the key structure is valid when calling the following
functions:
- dst_key_setexternal
- dst_key_isexternal
- dst_key_setmodified
- dst_key_ismodified
This commit is adapted because 9.16 has a different approach
of deconsting the variable.
(cherry picked from commit 888ec4e0d407a9333017d6997a2be81a69658e1f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d3147417c55cb1277cac42034198a3011c8f5cfb
---
lib/dns/dst_api.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index e5a52aea37..f5741a1af4 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -482,16 +482,22 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
void
dst_key_setexternal(dst_key_t *key, bool value) {
+ REQUIRE(VALID_KEY(key));
+
key->external = value;
}
bool
dst_key_isexternal(dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+
return (key->external);
}
void
dst_key_setmodified(dst_key_t *key, bool value) {
+ REQUIRE(VALID_KEY(key));
+
isc_mutex_lock(&key->mdlock);
key->modified = value;
isc_mutex_unlock(&key->mdlock);
@@ -500,10 +506,15 @@ dst_key_setmodified(dst_key_t *key, bool value) {
bool
dst_key_ismodified(const dst_key_t *key) {
bool modified;
+ dst_key_t *k;
- isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
+ REQUIRE(VALID_KEY(key));
+
+ DE_CONST(key, k);
+
+ isc_mutex_lock(&k->mdlock);
modified = key->modified;
- isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
+ isc_mutex_unlock(&k->mdlock);
return (modified);
}
--
2.27.0

60
backport-CVE-2022-2795.patch Normal file
View File

@ -0,0 +1,60 @@
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 8 Sep 2022 11:11:30 +0200
Subject: [PATCH] Bound the amount of work performed for delegations
Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered. Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.
The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
---
lib/dns/resolver.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d2cf14bbc8b..73a0ee9f779 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -195,6 +195,12 @@
*/
#define NS_FAIL_LIMIT 4
#define NS_RR_LIMIT 5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
/* Number of hash buckets for zone counters */
#ifndef RES_DOMAIN_BUCKETS
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
bool need_alternate = false;
bool all_spilled = true;
unsigned int no_addresses = 0;
+ unsigned int ns_processed = 0;
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3902,6 +3909,11 @@ normal_nses:
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
+
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
return (result);
--
GitLab

42
backport-CVE-2022-2881.patch Normal file
View File

@ -0,0 +1,42 @@
From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 16 Aug 2022 16:26:02 -0700
Subject: [PATCH] compression buffer was not reused correctly
when the compression buffer was reused for multiple statistics
requests, responses could grow beyond the correct size. this was
because the buffer was not cleared before reuse; compressed data
was still written to the beginning of the buffer, but then the size
of used region was increased by the amount written, rather than set
to the amount written. this caused responses to grow larger and
larger, potentially reading past the end of the allocated buffer.
(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)
---
lib/isc/httpd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index 776455a..e55330b 100644
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -246,6 +246,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
if (r.length > 0) {
isc_mem_put(mctx, r.base, r.length);
}
+
+ isc_buffer_initnull(buffer);
}
static void
@@ -910,6 +912,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {
if (result != ISC_R_SUCCESS) {
return (result);
}
+ isc_buffer_clear(&httpd->compbuffer);
isc_buffer_region(&httpd->compbuffer, &r);
/*
--
2.23.0

135
backport-CVE-2022-2906.patch Normal file
View File

@ -0,0 +1,135 @@
From 73df5c80538970ee1fbc4fe3348109bdc281e197 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Thu, 18 Aug 2022 08:59:09 +0000
Subject: [PATCH] Fix memory leaks in DH code
When used with OpenSSL v3.0.0+, the `openssldh_compare()`,
`openssldh_paramcompare()`, and `openssldh_todns()` functions
fail to cleanup the used memory on some error paths.
Use `DST_RET` instead of `return`, when there is memory to be
released before returning from the functions.
(cherry picked from commit 73d6bbff4e1df583810126fe58eac39bb52bc0d9)
---
lib/dns/openssldh_link.c | 45 +++++++++++++++++++++++-----------------
1 file changed, 26 insertions(+), 19 deletions(-)
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 72b8209..ece97ea 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -68,6 +68,12 @@
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+#define DST_RET(a) \
+ { \
+ ret = a; \
+ goto err; \
+ }
+
static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
#if !HAVE_DH_GET0_KEY
@@ -180,7 +186,8 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
static bool
openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
- DH *dh1, *dh2;
+ bool ret = true;
+ DH *dh1, *dh2;
const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
@@ -202,23 +209,24 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
BN_cmp(pub_key1, pub_key2) != 0)
{
- return (false);
+ DST_RET(false);
}
if (priv_key1 != NULL || priv_key2 != NULL) {
- if (priv_key1 == NULL || priv_key2 == NULL) {
- return (false);
- }
- if (BN_cmp(priv_key1, priv_key2) != 0) {
- return (false);
+ if (priv_key1 == NULL || priv_key2 == NULL ||
+ BN_cmp(priv_key1, priv_key2) != 0) {
+ DST_RET(false);
}
}
- return (true);
+
+err:
+ return (ret);
}
static bool
openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
- DH *dh1, *dh2;
+ bool ret = true;
+ DH *dh1, *dh2;
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
dh1 = key1->keydata.dh;
@@ -234,9 +242,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
DH_get0_pqg(dh2, &p2, NULL, &g2);
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
- return (false);
+ DST_RET(false);
}
- return (true);
+
+err:
+ return (ret);
}
static int
@@ -386,7 +396,8 @@ uint16_fromregion(isc_region_t *region) {
static isc_result_t
openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- DH *dh;
+ isc_result_t ret = ISC_R_SUCCESS;
+ DH *dh;
const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
isc_region_t r;
uint16_t dnslen, plen, glen, publen;
@@ -412,7 +423,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
publen = BN_num_bytes(pub_key);
dnslen = plen + glen + publen + 6;
if (r.length < (unsigned int)dnslen) {
- return (ISC_R_NOSPACE);
+ DST_RET(ISC_R_NOSPACE);
}
uint16_toregion(plen, &r);
@@ -441,7 +452,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
isc_buffer_add(data, dnslen);
- return (ISC_R_SUCCESS);
+err:
+ return (ret);
}
static isc_result_t
@@ -659,11 +671,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
DH *dh = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
isc_mem_t *mctx;
-#define DST_RET(a) \
- { \
- ret = a; \
- goto err; \
- }
UNUSED(pub);
mctx = key->mctx;
--
2.23.0

146
backport-CVE-2022-3080.patch Normal file
View File

@ -0,0 +1,146 @@
From 3f68e2ad838b3c12a725ccb1082a54b0e8b69562 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 2 Sep 2022 16:50:39 +0200
Subject: [PATCH] Only refresh RRset once
Don't attempt to resolve DNS responses for intermediate results. This
may create multiple refreshes and can cause a crash.
One scenario is where for the query there is a CNAME and canonical
answer in cache that are both stale. This will trigger a refresh of
the RRsets because we encountered stale data and we prioritized it over
the lookup. It will trigger a refresh of both RRsets. When we start
recursing, it will detect a recursion loop because the recursion
parameters will eventually be the same. In 'dns_resolver_destroyfetch'
the sanity check fails, one of the callers did not get its event back
before trying to destroy the fetch.
Move the call to 'query_refresh_rrset' to 'ns_query_done', so that it
is only called once per client request.
Another scenario is where for the query there is a stale CNAME in the
cache that points to a record that is also in cache but not stale. This
will trigger a refresh of the RRset (because we encountered stale data
and we prioritized it over the lookup).
We mark RRsets that we add to the message with
DNS_RDATASETATTR_STALE_ADDED to prevent adding a duplicate RRset when
a stale lookup and a normal lookup conflict with each other. However,
the other non-stale RRset when following a CNAME chain will be added to
the message without setting that attribute, because it is not stale.
This is a variant of the bug in #2594. The fix covered the same crash
but for stale-answer-client-timeout > 0.
Fix this by clearing all RRsets from the message before refreshing.
This requires the refresh to happen after the query is send back to
the client.
(cherry picked from commit d939d2ecde5639d11acd6eac33a997b3e3c78b02)
---
lib/ns/include/ns/query.h | 1 +
lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
index 142ef8c6c1d..be0dadd5099 100644
--- a/lib/ns/include/ns/query.h
+++ b/lib/ns/include/ns/query.h
@@ -147,6 +147,7 @@ struct query_ctx {
bool authoritative; /* authoritative query? */
bool want_restart; /* CNAME chain or other
* restart needed */
+ bool refresh_rrset; /* stale RRset refresh needed */
bool need_wildcardproof; /* wildcard proof needed */
bool nxrewrite; /* negative answer from RPZ */
bool findcoveringnsec; /* lookup covering NSEC */
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 5c2701eb718..98cfffe8c36 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5737,7 +5737,6 @@ query_lookup(query_ctx_t *qctx) {
bool dbfind_stale = false;
bool stale_timeout = false;
bool stale_found = false;
- bool refresh_rrset = false;
bool stale_refresh_window = false;
CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
@@ -5921,8 +5920,7 @@ query_lookup(query_ctx_t *qctx) {
"%s stale answer used, an attempt to "
"refresh the RRset will still be made",
namebuf);
- refresh_rrset = STALE(qctx->rdataset);
- qctx->client->nodetach = refresh_rrset;
+ qctx->refresh_rrset = STALE(qctx->rdataset);
}
} else {
/*
@@ -5960,17 +5958,6 @@ query_lookup(query_ctx_t *qctx) {
result = query_gotanswer(qctx, result);
- if (refresh_rrset) {
- /*
- * If we reached this point then it means that we have found a
- * stale RRset entry in cache and BIND is configured to allow
- * queries to be answered with stale data if no active RRset
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
- * still need to refresh the RRset.
- */
- query_refresh_rrset(qctx);
- }
-
cleanup:
return (result);
}
@@ -7760,11 +7747,14 @@ query_addanswer(query_ctx_t *qctx) {
/*
* On normal lookups, clear any rdatasets that were added on a
- * lookup due to stale-answer-client-timeout.
+ * lookup due to stale-answer-client-timeout. Do not clear if we
+ * are going to refresh the RRset, because the stale contents are
+ * prioritized.
*/
if (QUERY_STALEOK(&qctx->client->query) &&
- !QUERY_STALETIMEOUT(&qctx->client->query))
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
{
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
query_clear_stale(qctx->client);
/*
* We can clear the attribute to prevent redundant clearing
@@ -11478,9 +11468,29 @@ ns_query_done(query_ctx_t *qctx) {
/*
* Client may have been detached after query_send(), so
* we test and store the flag state here, for safety.
+ * If we are refreshing the RRSet, we must not detach from the client
+ * in the query_send(), so we need to override the flag.
*/
+ if (qctx->refresh_rrset) {
+ qctx->client->nodetach = true;
+ }
nodetach = qctx->client->nodetach;
query_send(qctx->client);
+
+ if (qctx->refresh_rrset) {
+ /*
+ * If we reached this point then it means that we have found a
+ * stale RRset entry in cache and BIND is configured to allow
+ * queries to be answered with stale data if no active RRset
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
+ * still need to refresh the RRset. To prevent adding duplicate
+ * RRsets, clear the RRsets from the message before doing the
+ * refresh.
+ */
+ message_clearrdataset(qctx->client->message, 0);
+ query_refresh_rrset(qctx);
+ }
+
if (!nodetach) {
qctx->detach_client = true;
}
--
GitLab

25
backport-CVE-2022-38177.patch Normal file
View File

@ -0,0 +1,25 @@
From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 11 Aug 2022 15:15:34 +1000
Subject: [PATCH] Free eckey on siglen mismatch
---
lib/dns/opensslecdsa_link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 1f16ca70738..5ee4342b387 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -230,7 +230,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
}
if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
}
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
--
GitLab

31
backport-CVE-2022-38178.patch Normal file
View File

@ -0,0 +1,31 @@
From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 11 Aug 2022 15:28:13 +1000
Subject: [PATCH] Free ctx on invalid siglen
(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
---
lib/dns/openssleddsa_link.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index b5ab3b3d8a2..12fdf650eb6 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -236,11 +236,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
}
#endif /* if HAVE_OPENSSL_ED448 */
if (siglen == 0) {
- return (ISC_R_NOTIMPLEMENTED);
+ DST_RET(ISC_R_NOTIMPLEMENTED);
}
if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
}
isc_buffer_usedregion(buf, &tbsreg);
--
GitLab

42
bind.spec
View File

@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 9
Release: 11
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -81,6 +81,19 @@ Patch164:bind-9.11-rh1666814.patch
Patch6000:backport-CVE-2022-0396.patch
Patch6001:backport-CVE-2021-25220.patch
Patch6002:backport-CVE-2022-2795.patch
Patch6003:backport-CVE-2022-3080.patch
Patch6004:backport-CVE-2022-38177.patch
Patch6005:backport-CVE-2022-38178.patch
Patch6006:backport-CVE-2022-2906.patch
Patch6007:backport-CVE-2022-2881.patch
Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch
Patch6009:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch
Patch6010:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch
Patch6011:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch
Patch6012:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch
Patch6013:backport-0037-Require-valid-key-for-dst_key-functions.patch
Patch9000:bugfix-limit-numbers-of-test-threads.patch
%{?systemd_ordering}
@ -379,6 +392,18 @@ in HTML and PDF format.
%patch9000 -p1
%patch6000 -p1
%patch6001 -p1
%patch6002 -p1
%patch6003 -p1
%patch6004 -p1
%patch6005 -p1
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11
@ -1101,6 +1126,21 @@ fi;
%endif
%changelog
* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: Fix catalog zone reconfiguration crash
Improve the logging on failed TCP accept
Separate the locked parts of dns_zone_catz_enable-di
Check if key-metadata is modified before writing
Fix CID-352776 Concurrent data access violations
Require valid key for dst_key functions
* Wed Sep 28 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-10
- DESC:fix CVE-2022-2881 CVE-2022-2906 CVE-2022-2795 CVE-2022-38177 CVE-2022-38178
CVE-2022-3080
* Wed Aug 31 2022 yangchenguang <yangchenguang@uniontech.com> - 32:9.16.23-9
- DESC: fix downgrade bind-utils conflict bind-dnssec-doc