author | CoprDistGit <infra@openeuler.org> | 2024-08-05 01:38:29 +0000 |
---|---|---|
committer | CoprDistGit <infra@openeuler.org> | 2024-08-05 01:38:29 +0000 |
commit | 60e6ebff61b1c2f87ec78831b610b17fbd130ae3 (patch) | |
tree | d14033338828a8a03b3562472148a3387b50215b /bind-9.16-CVE-2022-3094-2.patch | |
parent | ad69e2cec05ad6d646c8b6e1355f0e18af3b7692 (diff) |
automatic import of bindopeneuler24.03_LTS
Diffstat (limited to 'bind-9.16-CVE-2022-3094-2.patch')
-rw-r--r-- | bind-9.16-CVE-2022-3094-2.patch | 266 |
1 files changed, 266 insertions, 0 deletions
diff --git a/bind-9.16-CVE-2022-3094-2.patch b/bind-9.16-CVE-2022-3094-2.patch
new file mode 100644
index 0000000..fe6fb92
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-2.patch
@@ -0,0 +1,266 @@ +From 7fe2204a2e8952bf892e4a70fea2ef5167e1f509 Mon Sep 17 00:00:00 2001 +From: Evan Hunt <each@isc.org> +Date: Thu, 1 Sep 2022 16:22:46 -0700 +Subject: [PATCH] add a configuration option for the update quota + +add an "update-quota" option to configure the update quota. + +(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19) +--- + bin/named/config.c | 1 + + bin/named/named.conf.rst | 9 +++++---- + bin/named/server.c | 1 + + bin/tests/system/checkconf/good.conf | 1 + + doc/arm/reference.rst | 7 ++++++- + doc/man/named.conf.5in | 9 +++++---- + doc/misc/master.zoneopt.rst | 2 +- + doc/misc/options | 1 + + doc/misc/options.active | 1 + + doc/misc/options.grammar.rst | 3 ++- + doc/misc/slave.zoneopt.rst | 2 +- + lib/isccfg/namedconf.c | 1 + + 12 files changed, 26 insertions(+), 12 deletions(-) + +diff --git a/bin/named/config.c b/bin/named/config.c +index 5fedee84d9..494147015f 100644 +--- a/bin/named/config.c ++++ b/bin/named/config.c +@@ -130,6 +130,7 @@ options {\n\ + transfers-out 10;\n\ + transfers-per-ns 2;\n\ + trust-anchor-telemetry yes;\n\ ++ update-quota 100;\n\ + \n\ + /* view */\n\ + allow-new-zones no;\n\ +diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst +index 27eed5ca3e..4c9f9a7370 100644 +--- a/bin/named/named.conf.rst ++++ b/bin/named/named.conf.rst +@@ -179,7 +179,7 @@ OPTIONS + answer-cookie boolean; + attach-cache string; + auth-nxdomain boolean; // default changed +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off );// deprecated + automatic-interface-scan boolean; + avoid-v4-udp-ports { portrange; ... }; + avoid-v6-udp-ports { portrange; ... }; +@@ -446,6 +446,7 @@ OPTIONS + trust-anchor-telemetry boolean; // experimental + try-tcp-refresh boolean; + update-check-ksk boolean; ++ update-quota integer; + use-alt-transfer-source boolean; + use-v4-udp-ports { portrange; ... }; + use-v6-udp-ports { portrange; ... 
}; +@@ -584,7 +585,7 @@ VIEW + * ) ] [ dscp integer ]; + attach-cache string; + auth-nxdomain boolean; // default changed +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off );// deprecated + cache-file quoted_string;// deprecated + catalog-zones { zone string [ default-masters [ port integer ] + [ dscp integer ] { ( remote-servers | ipv4_address [ port +@@ -859,7 +860,7 @@ VIEW + integer | * ) ] [ dscp integer ]; + alt-transfer-source-v6 ( ipv6_address | * ) [ port ( + integer | * ) ] [ dscp integer ]; +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off );// deprecated + check-dup-records ( fail | warn | ignore ); + check-integrity boolean; + check-mx ( fail | warn | ignore ); +@@ -977,7 +978,7 @@ ZONE + ] [ dscp integer ]; + alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | + * ) ] [ dscp integer ]; +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off );// deprecated + check-dup-records ( fail | warn | ignore ); + check-integrity boolean; + check-mx ( fail | warn | ignore ); +diff --git a/bin/named/server.c b/bin/named/server.c +index 20443ff8a9..78a21d62a2 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -8542,6 +8542,7 @@ load_configuration(const char *filename, named_server_t *server, + configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota); + configure_server_quota(maps, "recursive-clients", + &server->sctx->recursionquota); ++ configure_server_quota(maps, "update-quota", &server->sctx->updquota); + + max = isc_quota_getmax(&server->sctx->recursionquota); + if (max > 1000) { +diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf +index b1f7059acf..0ecdb68e95 100644 +--- a/bin/tests/system/checkconf/good.conf ++++ b/bin/tests/system/checkconf/good.conf +@@ -75,6 +75,7 @@ options { + recursive-clients 3000; + serial-query-rate 100; + server-id none; ++ update-quota 200; + check-names primary 
warn; + check-names secondary ignore; + max-cache-size 20000000000000; +diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst +index 2603d60251..703663d0ba 100644 +--- a/doc/arm/reference.rst ++++ b/doc/arm/reference.rst +@@ -3151,6 +3151,11 @@ system. + value as ``tcp-keepalive-timeout``. This value can be updated at + runtime by using ``rndc tcp-timeouts``. + ++``update-quota`` ++ This is the maximum number of simultaneous DNS UPDATE messages that ++ the server will accept for updating local authoritiative zones or ++ forwarding to a primary server. The default is ``100``. ++ + .. _intervals: + + Periodic Task Intervals +@@ -6840,7 +6845,7 @@ Name Server Statistics Counters + ``UpdateQuota`` + This indicates the number of times a dynamic update or update + forwarding request was rejected because the number of pending +- requests exceeded the update quota. ++ requests exceeded ``update-quota``. + + ``RateDropped`` + This indicates the number of responses dropped due to rate limits. +diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in +index 4c46f47592..c87afa2881 100644 +--- a/doc/man/named.conf.5in ++++ b/doc/man/named.conf.5in +@@ -231,7 +231,7 @@ options { + answer\-cookie boolean; + attach\-cache string; + auth\-nxdomain boolean; // default changed +- auto\-dnssec ( allow | maintain | off ); ++ auto\-dnssec ( allow | maintain | off );// deprecated + automatic\-interface\-scan boolean; + avoid\-v4\-udp\-ports { portrange; ... }; + avoid\-v6\-udp\-ports { portrange; ... }; +@@ -498,6 +498,7 @@ options { + trust\-anchor\-telemetry boolean; // experimental + try\-tcp\-refresh boolean; + update\-check\-ksk boolean; ++ update\-quota integer; + use\-alt\-transfer\-source boolean; + use\-v4\-udp\-ports { portrange; ... }; + use\-v6\-udp\-ports { portrange; ... 
}; +@@ -668,7 +669,7 @@ view string [ class ] { + * ) ] [ dscp integer ]; + attach\-cache string; + auth\-nxdomain boolean; // default changed +- auto\-dnssec ( allow | maintain | off ); ++ auto\-dnssec ( allow | maintain | off );// deprecated + cache\-file quoted_string;// deprecated + catalog\-zones { zone string [ default\-masters [ port integer ] + [ dscp integer ] { ( remote\-servers | ipv4_address [ port +@@ -943,7 +944,7 @@ view string [ class ] { + integer | * ) ] [ dscp integer ]; + alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( + integer | * ) ] [ dscp integer ]; +- auto\-dnssec ( allow | maintain | off ); ++ auto\-dnssec ( allow | maintain | off );// deprecated + check\-dup\-records ( fail | warn | ignore ); + check\-integrity boolean; + check\-mx ( fail | warn | ignore ); +@@ -1065,7 +1066,7 @@ zone string [ class ] { + ] [ dscp integer ]; + alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | + * ) ] [ dscp integer ]; +- auto\-dnssec ( allow | maintain | off ); ++ auto\-dnssec ( allow | maintain | off );// deprecated + check\-dup\-records ( fail | warn | ignore ); + check\-integrity boolean; + check\-mx ( fail | warn | ignore ); +diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst +index 8fc7e1b4f0..346d59813e 100644 +--- a/doc/misc/master.zoneopt.rst ++++ b/doc/misc/master.zoneopt.rst +@@ -20,7 +20,7 @@ + also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... 
}; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off ); // deprecated + check-dup-records ( fail | warn | ignore ); + check-integrity <boolean>; + check-mx ( fail | warn | ignore ); +diff --git a/doc/misc/options b/doc/misc/options +index f57399499a..0dbcf101e1 100644 +--- a/doc/misc/options ++++ b/doc/misc/options +@@ -404,6 +404,7 @@ options { + trust-anchor-telemetry <boolean>; // experimental + try-tcp-refresh <boolean>; + update-check-ksk <boolean>; ++ update-quota <integer>; + use-alt-transfer-source <boolean>; + use-id-pool <boolean>; // ancient + use-ixfr <boolean>; // obsolete +diff --git a/doc/misc/options.active b/doc/misc/options.active +index 5fc1ab29f4..eb75a86eae 100644 +--- a/doc/misc/options.active ++++ b/doc/misc/options.active +@@ -363,6 +363,7 @@ options { + trust-anchor-telemetry <boolean>; // experimental + try-tcp-refresh <boolean>; + update-check-ksk <boolean>; ++ update-quota <integer>; + use-alt-transfer-source <boolean>; + use-v4-udp-ports { <portrange>; ... }; + use-v6-udp-ports { <portrange>; ... }; +diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst +index 438072c95c..beef35341a 100644 +--- a/doc/misc/options.grammar.rst ++++ b/doc/misc/options.grammar.rst +@@ -33,7 +33,7 @@ + answer-cookie <boolean>; + attach-cache <string>; + auth-nxdomain <boolean>; // default changed +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off ); // deprecated + automatic-interface-scan <boolean>; + avoid-v4-udp-ports { <portrange>; ... }; + avoid-v6-udp-ports { <portrange>; ... 
}; +@@ -300,6 +300,7 @@ + trust-anchor-telemetry <boolean>; // experimental + try-tcp-refresh <boolean>; + update-check-ksk <boolean>; ++ update-quota <integer>; + use-alt-transfer-source <boolean>; + use-v4-udp-ports { <portrange>; ... }; + use-v6-udp-ports { <portrange>; ... }; +diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst +index cc72dcbf67..468a7f4d9a 100644 +--- a/doc/misc/slave.zoneopt.rst ++++ b/doc/misc/slave.zoneopt.rst +@@ -21,7 +21,7 @@ + also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; +- auto-dnssec ( allow | maintain | off ); ++ auto-dnssec ( allow | maintain | off ); // deprecated + check-names ( fail | warn | ignore ); + database <string>; + dialup ( notify | notify-passive | passive | refresh | <boolean> ); +diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c +index 45de0196bf..6e63d86816 100644 +--- a/lib/isccfg/namedconf.c ++++ b/lib/isccfg/namedconf.c +@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = { + { "transfers-out", &cfg_type_uint32, 0 }, + { "transfers-per-ns", &cfg_type_uint32, 0 }, + { "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT }, ++ { "update-quota", &cfg_type_uint32, 0 }, + { "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT }, + { "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, + { "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 }, +-- +2.39.1 + |
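Review bot: The new `{ "update-quota", &cfg_type_uint32, 0 }` clause in lib/isccfg/namedconf.c accepts any 32-bit value, and the doc/arm/reference.rst entry states only the default of 100, so nothing on this page says what `update-quota 0;` does or whether large values are bounded. Because this patch is packaged as part of the CVE-2022-3094 fix, an operator who sets 0 expecting to block updates could end up with no limit at all if the quota code treats 0 as unlimited (that code is not visible here; confirm it against the quota implementation). I would add a sentence to the reference entry along the lines of `A value of 0 means <behaviour to be confirmed>.` and a checkconf case for the boundary value, since good.conf only exercises `update-quota 200;`. The added reference paragraph also misspells "authoritative" as "authoritiative". The call `configure_server_quota(maps, "update-quota", &server->sctx->updquota);` relies on an `updquota` member that this patch does not define, presumably supplied by an earlier patch in the series, so the spec file needs to apply that one first.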