dhcp/backport-Fix-CVE-2021-25219.patch

Conflict: NA
Reference : https://downloads.isc.org/isc/bind9/9.11.36/patches/CVE-2021-25219.patch
diff --git a/bind/bind-9.11.14/bin/named/config.c b/bind/bind-9.11.14/bin/named/config.c
index fbd2f2126c..d24e4f8a26 100644
--- a/bind/bind-9.11.14/bin/named/config.c
+++ b/bind/bind-9.11.14/bin/named/config.c
@@ -175,7 +175,7 @@ options {\n\
 #if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
 "	geoip-use-ecs yes;\n"
 #endif
-"	lame-ttl 600;\n"
+"	lame-ttl 0;\n"
 #ifdef HAVE_LMDB
 "	lmdb-mapsize 32M;\n"
 #endif
diff --git a/bind/bind-9.11.14/bin/named/server.c b/bind/bind-9.11.14/bin/named/server.c
index 6ff95e3bcc..9826588e6d 100644
--- a/bind/bind-9.11.14/bin/named/server.c
+++ b/bind/bind-9.11.14/bin/named/server.c
@@ -3986,8 +3986,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	result = ns_config_get(maps, "lame-ttl", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	lame_ttl = cfg_obj_asuint32(obj);
-	if (lame_ttl > 1800)
-		lame_ttl = 1800;
+	if (lame_ttl > 0) {
+		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
+			    "disabling lame cache despite lame-ttl > 0 as it "
+			    "may cause performance issues");
+		lame_ttl = 0;
+	}
 	dns_resolver_setlamettl(view->resolver, lame_ttl);
 
 	/*
diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c
index 8175f7918b..b34cb12b73 100644
--- a/bind/bind-9.11.14/lib/dns/resolver.c
+++ b/bind/bind-9.11.14/lib/dns/resolver.c
@@ -8396,18 +8396,20 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Is the server lame?
 	 */
-	if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
-	    is_lame(fctx)) {
+	if (!ISFORWARDER(query->addrinfo) && is_lame(fctx)) {
 		inc_stats(res, dns_resstatscounter_lame);
 		log_lame(fctx, query->addrinfo);
-		result = dns_adb_marklame(fctx->adb, query->addrinfo,
-					  &fctx->name, fctx->type,
-					  now + res->lame_ttl);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
-				      "could not mark server as lame: %s",
-				      isc_result_totext(result));
+		if (res->lame_ttl != 0) {
+			result = dns_adb_marklame(fctx->adb, query->addrinfo,
+						  &fctx->name, fctx->type,
+						  now + res->lame_ttl);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+					      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+					      "could not mark server as lame: %s",
+					      isc_result_totext(result));
+			}
+		}
 		broken_server = DNS_R_LAME;
 		keep_trying = true;
 		FCTXTRACE("lame server");
Fix CVE-2021-25214 CVE-2021-25215 CVE-2021-25219 CVE-2021-25220 2022-09-27 15:25:02 +08:00			`Conflict: NA`
Fix CVE-2021-25214 CVE-2021-25215 CVE-2021-25219 CVE-2021-25220 Signed-off-by: renmingshuai <renmingshuai@huawei.com> 2022-09-28 15:26:03 +08:00			`Reference : https://downloads.isc.org/isc/bind9/9.11.36/patches/CVE-2021-25219.patch`
Fix CVE-2021-25214 CVE-2021-25215 CVE-2021-25219 CVE-2021-25220 2022-09-27 15:25:02 +08:00			`diff --git a/bind/bind-9.11.14/bin/named/config.c b/bind/bind-9.11.14/bin/named/config.c`
			`index fbd2f2126c..d24e4f8a26 100644`
			`--- a/bind/bind-9.11.14/bin/named/config.c`
			`+++ b/bind/bind-9.11.14/bin/named/config.c`
			`@@ -175,7 +175,7 @@ options {\n\`
			`#if defined(HAVE_GEOIP) \|\| defined(HAVE_GEOIP2)`
			`" geoip-use-ecs yes;\n"`
			`#endif`
			`-" lame-ttl 600;\n"`
			`+" lame-ttl 0;\n"`
			`#ifdef HAVE_LMDB`
			`" lmdb-mapsize 32M;\n"`
			`#endif`
			`diff --git a/bind/bind-9.11.14/bin/named/server.c b/bind/bind-9.11.14/bin/named/server.c`
			`index 6ff95e3bcc..9826588e6d 100644`
			`--- a/bind/bind-9.11.14/bin/named/server.c`
			`+++ b/bind/bind-9.11.14/bin/named/server.c`
			`@@ -3986,8 +3986,12 @@ configure_view(dns_view_t view, dns_viewlist_t viewlist,`
			`result = ns_config_get(maps, "lame-ttl", &obj);`
			`INSIST(result == ISC_R_SUCCESS);`
			`lame_ttl = cfg_obj_asuint32(obj);`
			`- if (lame_ttl > 1800)`
			`- lame_ttl = 1800;`
			`+ if (lame_ttl > 0) {`
			`+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,`
			`+ "disabling lame cache despite lame-ttl > 0 as it "`
			`+ "may cause performance issues");`
			`+ lame_ttl = 0;`
			`+ }`
			`dns_resolver_setlamettl(view->resolver, lame_ttl);`

			`/*`
			`diff --git a/bind/bind-9.11.14/lib/dns/resolver.c b/bind/bind-9.11.14/lib/dns/resolver.c`
			`index 8175f7918b..b34cb12b73 100644`
			`--- a/bind/bind-9.11.14/lib/dns/resolver.c`
			`+++ b/bind/bind-9.11.14/lib/dns/resolver.c`
			`@@ -8396,18 +8396,20 @@ resquery_response(isc_task_t task, isc_event_t event) {`
			`/*`
			`* Is the server lame?`
			`*/`
			`- if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&`
			`- is_lame(fctx)) {`
			`+ if (!ISFORWARDER(query->addrinfo) && is_lame(fctx)) {`
			`inc_stats(res, dns_resstatscounter_lame);`
			`log_lame(fctx, query->addrinfo);`
			`- result = dns_adb_marklame(fctx->adb, query->addrinfo,`
			`- &fctx->name, fctx->type,`
			`- now + res->lame_ttl);`
			`- if (result != ISC_R_SUCCESS)`
			`- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,`
			`- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,`
			`- "could not mark server as lame: %s",`
			`- isc_result_totext(result));`
			`+ if (res->lame_ttl != 0) {`
			`+ result = dns_adb_marklame(fctx->adb, query->addrinfo,`
			`+ &fctx->name, fctx->type,`
			`+ now + res->lame_ttl);`
			`+ if (result != ISC_R_SUCCESS) {`
			`+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,`
			`+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,`
			`+ "could not mark server as lame: %s",`
			`+ isc_result_totext(result));`
			`+ }`
			`+ }`
			`broken_server = DNS_R_LAME;`
			`keep_trying = true;`
			`FCTXTRACE("lame server");`