!44 fix CVE-2021-25214 CVE-2021-25215

From: @jiangheng12
Reviewed-by: @wangxp006
Signed-off-by: @wangxp006

backport-CVE-2021-25214.patch

@@ -0,0 +1,36 @@
+From 813a1d0f943f7b4ecf43c449a08762a8d8557a45 Mon Sep 17 00:00:00 2001
+From: UNKNOWN <>
+Date: Tue, 27 Apr 2021 12:02:53 +0800
+Subject: [PATCH v2 1/2] Fix CVE-2021-25214
+
+Conflict:NA
+Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25214.patch
+
+
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index 558f40c..bae6d41 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -474,6 +474,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
+ 	    dns_rdatatype_ismeta(rdata->type))
+ 		FAIL(DNS_R_FORMERR);
+ 
++	/*
++	 * Immediately reject the entire transfer if the RR that is currently
++	 * being processed is an SOA record that is not placed at the zone
++	 * apex.
++	 */
++	if (rdata->type == dns_rdatatype_soa &&
++	    !dns_name_equal(&xfr->name, name)) {
++		char namebuf[DNS_NAME_FORMATSIZE];
++		dns_name_format(name, namebuf, sizeof(namebuf));
++		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
++			  namebuf);
++		FAIL(DNS_R_NOTZONETOP);
++	}
++
+  redo:
+ 	switch (xfr->state) {
+ 	case XFRST_SOAQUERY:
+-- 
+1.8.3.1

backport-CVE-2021-25215.patch

@@ -0,0 +1,36 @@
+From c42cc79ef9a23d8273b273bb86a1c8c9995b28a0 Mon Sep 17 00:00:00 2001
+From: UNKNOWN <>
+Date: Tue, 27 Apr 2021 12:12:24 +0800
+Subject: [PATCH v2 2/2] Fix CVE-2021-25215
+
+Conflict:NA
+Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25215.patch
+
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 6e988f5..2e7700a 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -9092,10 +9092,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+ 		if (noqname != NULL)
+ 			query_addnoqnameproof(client, noqname);
+ 		/*
+-		 * We shouldn't ever fail to add 'rdataset'
+-		 * because it's already in the answer.
++		 * 'rdataset' will only be non-NULL here if the ANSWER section
++		 * of the message to be sent to the client already contains an
++		 * RRset with the same owner name and the same type as
++		 * 'rdataset'.  This should never happen, with one exception:
++		 * when chasing DNAME records, one of the DNAME records placed
++		 * in the ANSWER section may turn out to be the final answer to
++		 * the client's query, but we have no way of knowing that until
++		 * now.  In such a case, 'rdataset' will be freed later, so we
++		 * do not need to free it here.
+ 		 */
+-		INSIST(rdataset == NULL);
++		INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
+ 	}
+ 
+  addauth:
+-- 
+1.8.3.1

bind.spec

@@ -19,7 +19,7 @@ Name:           bind
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPLv2.0
 Version:        9.11.21
-Release:        10
+Release:        11
 Epoch:          32
 Url:            https://www.isc.org/downloads/bind/
 Source0:        https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
@@ -161,6 +161,8 @@ Patch192: CVE-2020-8623.patch
 Patch193: CVE-2020-8624.patch
 Patch194: Fix_the_difference_at_the_macro_definition_using_clock_gettime_instead_of_gettimeofda.patch
 Patch195: CVE-2020-8625.patch
+Patch196: backport-CVE-2021-25214.patch
+Patch197: backport-CVE-2021-25215.patch
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
 Patch12: bind-9.10-sdb.patch
@@ -365,6 +367,8 @@ are used for building ISC DHCP.
 %patch193 -p1
 %patch194 -p1
 %patch195 -p1
+%patch196 -p1
+%patch197 -p1
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
@@ -1153,6 +1157,12 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Wed May 26 2021 jiangheng <jiangheng12@huawei.com> - 9.11.21-11
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2021-25214 CVE-2021-25215
+
 * Thu May 22 2021 jiangheng <jiangheng12@huawei.com> - 9.11.21-10
 - Type:bugfix
 - ID:NA