Re: BIND 9.3.4-2 backport of 9.4.1's fix
CVE-2007-2241
On Mon, Apr 30, 2007 at 06:37:36PM -0600, LaMont Jones wrote:
> Here's a diff that backports the security fix in bind 9.4.1 to bind
> 9.3.4. I dug around a bit and found no CVE for it yet...
>
> lamont
>
> --- orig/CHANGES
> +++ mod/CHANGES
> @@ -1,3 +1,5 @@
> +2172. [bug] query_addsoa() was being called with a non zone db.
> + [RT #16834]
>
> --- 9.3.4 released ---
>
>
>
> --- orig/bin/named/query.c
> +++ mod/bin/named/query.c
> @@ -3212,6 +3212,21 @@
> * an error unless we were searching for
> * glue. Ugh.
> */
> + if (!is_zone) {
> + authoritative = ISC_FALSE;
> + dns_rdatasetiter_destroy(&rdsiter);
> + if (RECURSIONOK(client)) {
> + result = query_recurse(client,
> + qtype,
> + NULL,
> + NULL);
> + if (result == ISC_R_SUCCESS)
> + client->query.attributes |=
> + NS_QUERYATTR_RECURSING;
> + else
> + QUERY_ERROR(DNS_R_SERVFAIL); }
> + goto addauth;
> + }
> /*
> * We were searching for SIG records in
> * a nonsecure zone. Send a "no error,
>
>
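Review bot: In the new "if (!is_zone)" block, the path where RECURSIONOK(client) is false reaches "goto addauth" with only authoritative = ISC_FALSE set and no comment saying what response the client is meant to get. A one-line comment there would help. So would a comment at the top of the block tying it to the CHANGES entry (query_addsoa() must not be reached with a non zone db), since the block now sits directly under the existing "Ugh." comment, which describes something else. Also, the closing brace of the RECURSIONOK block is at the end of the "QUERY_ERROR(DNS_R_SERVFAIL); }" line; put it on its own line so it is obvious that "goto addauth;" is outside the inner if.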
> --- orig/debian/changelog
> +++ mod/debian/changelog
> @@ -1,3 +1,9 @@
> +bind9 (1:9.3.4-2+etch1) stable; urgency=low
> +
> + * Backport security fix from 9.4.1
> +
> + -- LaMont Jones <lamont@debian.org> Mon, 30 Apr 2007 18:29:40 -0600
> +
> bind9 (1:9.3.4-2) unstable; urgency=high
>
> * Actually really do the merge of 9.3.4. Sigh. Closes: #408925
>
>
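Review bot: The new entry sets urgency=low for a change it describes as a security fix, while the entry directly below it uses urgency=high; if this is intended as a security upload, the urgency should reflect that. The line "Backport security fix from 9.4.1" also does not say which fix it is. Naming the CHANGES entry it brings in (2172, RT #16834) and the CVE id from this thread (CVE-2007-2241) would let someone reading only the changelog identify it.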