From 5b2e7d0b2e4f6269568d8e2508a211a99b79cac4 Mon Sep 17 00:00:00 2001
From: delphij
Date: Tue, 7 Jul 2015 21:44:01 +0000
Subject: [PATCH] Fix BIND resolver remote denial of service when validating.
Security: CVE-2015-4620
Security: FreeBSD-SA-15:11.bind
Approved by: so
git-svn-id: svn://svn.freebsd.org/base/releng/9.3@285258 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
UPDATING | 3 +++
contrib/bind9/lib/dns/validator.c | 4 +---
sys/conf/newvers.sh | 2 +-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/UPDATING b/UPDATING
index 0f6bb6b90..4fe2f45de 100644
--- a/UPDATING
+++ b/UPDATING
@@ -11,6 +11,9 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade.
+20150707: p19 FreeBSD-SA-15:11.bind
+ Fix BIND resolver remote denial of service when validating.
+
 20150630: p18 FreeBSD-EN-15:08.sendmail [revised] FreeBSD-EN-15:09.xlocale
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index d7982caa7..0c0f7b0c0 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -1406,7 +1406,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) { */ static isc_boolean_t isselfsigned(dns_validator_t *val) {
- dns_fixedname_t fixed;
 dns_rdataset_t *rdataset, *sigrdataset; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1462,8 +1461,7 @@ isselfsigned(dns_validator_t *val) { result = dns_dnssec_verify3(name, rdataset, dstkey, ISC_TRUE, val->view->maxbits,
- mctx, &sigrdata,
- dns_fixedname_name(&fixed));
+ mctx, &sigrdata, NULL);
 dst_key_free(&dstkey); if (result != ISC_R_SUCCESS) continue;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index bc28979bf..38b99c433 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
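Review bot: The `NULL` now passed as the last argument of `dns_dnssec_verify3` in the second validator.c hunk carries no comment, so nothing in the code records why the name output is deliberately unused in `isselfsigned`. The two hunks remove only the declaration of `fixed` and its single use, which suggests the `dns_fixedname_t` was handed to the verifier without ever being initialised; a later change that wants the name back could repeat that. I would add above the call something like `/* The returned name is not used here; pass NULL rather than an uninitialised dns_fixedname_t. */`. That `dns_dnssec_verify3` accepts NULL for this parameter is not visible in the hunk and should be confirmed against its contract, and since the patch touches no test file, a regression test for this validation path would be worth adding. The body of `isselfsigned` starts and ends outside both hunks.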
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi
--
2.42.0