25371178 Upgrade Solaris to BIND 9.6-ESV-R11-S10
25360334 problem in SERVICE/DNS-SERVER
25382925 ISC's change 4489 broke the handling of CNAME -> DNAME in responses
--- a/components/bind/Makefile Fri Jan 06 01:50:42 2017 -0800
+++ b/components/bind/Makefile Mon Jan 23 11:25:04 2017 -0800
@@ -18,14 +18,14 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
#
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= bind
COMPONENT_VERSION= 9.6-ESV-R11
-HUMAN_VERSION= $(COMPONENT_VERSION)-S9
-IPS_COMPONENT_VERSION= 9.6.3.11.9
+HUMAN_VERSION= $(COMPONENT_VERSION)-S10
+IPS_COMPONENT_VERSION= 9.6.3.11.10
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
COMPONENT_PROJECT_URL= http://www.isc.org/software/bind/
--- a/components/bind/bindc.p5m Fri Jan 06 01:50:42 2017 -0800
+++ b/components/bind/bindc.p5m Mon Jan 23 11:25:04 2017 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
#
set name=pkg.fmri \
@@ -40,9 +40,9 @@
link path=usr/lib/dns/libbind9.so target=libbind9.so.50.0.11
link path=usr/lib/dns/libbind9.so.50 target=libbind9.so.50.0.11
file path=usr/lib/dns/libbind9.so.50.0.11
-link path=usr/lib/dns/libdns.so target=libdns.so.113.1.4
-link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.4
-file path=usr/lib/dns/libdns.so.113.1.4
+link path=usr/lib/dns/libdns.so target=libdns.so.113.1.5
+link path=usr/lib/dns/libdns.so.113 target=libdns.so.113.1.5
+file path=usr/lib/dns/libdns.so.113.1.5
link path=usr/lib/dns/libisc.so target=libisc.so.110.0.2
link path=usr/lib/dns/libisc.so.110 target=libisc.so.110.0.2
file path=usr/lib/dns/libisc.so.110.0.2
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/011-RT43522.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,66 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43522. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 23:20:20 2017
++++ new/./CHANGES Wed Jan 11 23:20:20 2017
[email protected]@ -1,3 +1,9 @@
++ --- 9.6-ESV-R11-S10 released ---
++
++4508. [security] Named incorrectly tried to cache TKEY records which
++ could trigger a assertion failure when there was
++ a class mismatch. (CVE-2016-9131) [RT #43522]
++
+ --- 9.6-ESV-R11-S9 released ---
+
+ 4489. [security] It was possible to trigger assertions when processing
+--- old/lib/dns/resolver.c Wed Jan 11 23:20:20 2017
++++ new/lib/dns/resolver.c Wed Jan 11 23:20:20 2017
[email protected]@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
[email protected]@ -5848,6 +5848,25 @@
+ ISC_LOG_NOTICE, "NSEC3 in answer");
+ return (DNS_R_FORMERR);
+ }
++ if (rdataset->type == dns_rdatatype_tkey) {
++ /*
++ * TKEY is not a valid record in a
++ * response to any query we can make.
++ */
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "TKEY in answer");
++ return (DNS_R_FORMERR);
++ }
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
+ if (rdataset->type == type && !found_cname) {
+ /*
+ * We've found an ordinary answer.
[email protected]@ -6017,6 +6036,15 @@
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
++
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
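Review bot: The two class-mismatch checks added to resolver.c (after the TKEY check, and again at the top of the DNAME loop) have no comment and log the fixed string "Mismatched class in answer" with no owner name or class, so an operator who sees the notice cannot tell which response caused it. The TKEY check explains itself, but nothing says why the rdataset class is compared with `fctx->res->rdclass`; a comment such as `/* Reject rdatasets whose class differs from the resolver's before they are cached (CVE-2016-9131). */` at both sites would record the reason. Both messages are written at ISC_LOG_NOTICE for data supplied by the remote server, so it is worth confirming that the log volume a misbehaving upstream can produce is acceptable. The enclosing function starts and ends outside these inner hunks.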
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/012-RT43548.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,45 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43548. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 23:22:41 2017
++++ new/./CHANGES Wed Jan 11 23:22:41 2017
[email protected]@ -1,5 +1,10 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4510. [security] Named mishandled some responses where covering RRSIG
++ records are returned without the requested data
++ resulting in a assertion failure. (CVE-2016-9147)
++ [RT #43548]
++
+ 4508. [security] Named incorrectly tried to cache TKEY records which
+ could trigger a assertion failure when there was
+ a class mismatch. (CVE-2016-9131) [RT #43522]
+--- old/lib/dns/resolver.c Wed Jan 11 23:22:41 2017
++++ new/lib/dns/resolver.c Wed Jan 11 23:22:41 2017
[email protected]@ -5958,15 +5958,19 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if ((rdataset->type !=
+- dns_rdatatype_cname) ||
+- !found_dname ||
+- (aflag ==
+- DNS_RDATASETATTR_ANSWER))
++ /*
++ * Don't use found_cname here
++ * as we have just set it
++ * above.
++ */
++ if (cname == NULL &&
++ !found_dname &&
++ aflag ==
++ DNS_RDATASETATTR_ANSWER)
+ {
+ have_answer = ISC_TRUE;
+- if (rdataset->type ==
+- dns_rdatatype_cname)
++ if (found_cname &&
++ cname == NULL)
+ cname = name;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
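Review bot: The inner test `if (found_cname && cname == NULL)` repeats `cname == NULL`, which the enclosing condition has already established, so it reduces to `if (found_cname) cname = name;`. The new comment says found_cname is not used here because it was just set above, yet the inner test reads it a few lines later; the comment would be clearer if it said it applies to the outer condition only. The patch touches only CHANGES and resolver.c, so nothing in it exercises the RRSIG-without-requested-data response named in the CHANGES entry for CVE-2016-9147, and a regression test for that case would guard the fix. The surrounding function lies outside the hunk, so whether `INSIST(!external)` just above can still be reached from a remote response cannot be judged from here.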
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/013-RT43632.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,175 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43632. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 14:12:28 2017
++++ new/./CHANGES Wed Jan 11 14:12:28 2017
[email protected]@ -1,5 +1,9 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4517. [security] Named could mishandle authority sections that were
++ missing RRSIGs triggering an assertion failure.
++ (CVE-2016-9444) [RT #43632]
++
+ 4510. [security] Named mishandled some responses where covering RRSIG
+ records are returned without the requested data
+ resulting in a assertion failure. (CVE-2016-9147)
+--- old/lib/dns/api Wed Jan 11 14:12:28 2017
++++ new/lib/dns/api Wed Jan 11 14:12:28 2017
[email protected]@ -5,5 +5,5 @@
+ # 9.9: 90-109
+ # 9.9-sub: 130-139
+ LIBINTERFACE = 114
+-LIBREVISION = 4
++LIBREVISION = 5
+ LIBAGE = 1
+--- old/lib/dns/message.c Wed Jan 11 14:12:28 2017
++++ new/lib/dns/message.c Wed Jan 11 14:12:28 2017
[email protected]@ -1169,6 +1169,63 @@
+ return (ISC_FALSE);
+ }
+
++/*
++ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
++ * covering RRSIGs.
++ */
++static isc_boolean_t
++auth_signed(dns_namelist_t *section) {
++ dns_name_t *name;
++
++ for (name = ISC_LIST_HEAD(*section);
++ name != NULL;
++ name = ISC_LIST_NEXT(name, link))
++ {
++ int auth_dnssec = 0, auth_rrsig = 0;
++ dns_rdataset_t *rds;
++
++ for (rds = ISC_LIST_HEAD(name->list);
++ rds != NULL;
++ rds = ISC_LIST_NEXT(rds, link))
++ {
++ switch (rds->type) {
++ case dns_rdatatype_ds:
++ auth_dnssec |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_dnssec |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_dnssec |= 0x4;
++ break;
++ case dns_rdatatype_rrsig:
++ break;
++ default:
++ continue;
++ }
++
++ switch (rds->covers) {
++ case dns_rdatatype_ds:
++ auth_rrsig |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_rrsig |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_rrsig |= 0x4;
++ break;
++ default:
++ break;
++ }
++ }
++
++ if (auth_dnssec != auth_rrsig)
++ return (ISC_FALSE);
++ }
++
++ return (ISC_TRUE);
++}
++
+ static isc_result_t
+ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ dns_section_t sectionid, unsigned int options)
[email protected]@ -1194,12 +1251,12 @@
+ best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+ seen_problem = ISC_FALSE;
+
++ section = &msg->sections[sectionid];
++
+ for (count = 0; count < msg->counts[sectionid]; count++) {
+ int recstart = source->current;
+ isc_boolean_t skip_name_search, skip_type_search;
+
+- section = &msg->sections[sectionid];
+-
+ skip_name_search = ISC_FALSE;
+ skip_type_search = ISC_FALSE;
+ free_rdataset = ISC_FALSE;
[email protected]@ -1372,7 +1429,7 @@
+ goto cleanup;
+ rdata->rdclass = rdclass;
+ issigzero = ISC_FALSE;
+- if (rdtype == dns_rdatatype_rrsig &&
++ if (rdtype == dns_rdatatype_rrsig &&
+ rdata->flags == 0) {
+ covers = dns_rdata_covers(rdata);
+ if (covers == 0)
[email protected]@ -1577,6 +1634,19 @@
+ INSIST(free_rdataset == ISC_FALSE);
+ }
+
++ /*
++ * If any of DS, NSEC or NSEC3 appeared in the
++ * authority section of a query response without
++ * a covering RRSIG, FORMERR
++ */
++ if (sectionid == DNS_SECTION_AUTHORITY &&
++ msg->opcode == dns_opcode_query &&
++ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
++ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
++ !preserve_order &&
++ !auth_signed(section))
++ DO_FORMERR;
++
+ if (seen_problem)
+ return (DNS_R_RECOVERABLE);
+ return (ISC_R_SUCCESS);
+--- old/lib/dns/resolver.c Wed Jan 11 14:12:30 2017
++++ new/lib/dns/resolver.c Wed Jan 11 14:12:29 2017
[email protected]@ -4766,13 +4766,9 @@
+ rdataset->type,
+ &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult =
+- dns_rdataset_addnoqname(
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
+ rdataset, noqname);
+- RUNTIME_CHECK(tresult ==
+- ISC_R_SUCCESS);
+- }
+ }
+ addedrdataset = ardataset;
+ result = dns_db_addrdataset(fctx->cache, node,
[email protected]@ -4902,11 +4898,9 @@
+ tresult = findnoqname(fctx, name,
+ rdataset->type, &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult = dns_rdataset_addnoqname(
+- rdataset, noqname);
+- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+- }
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
++ rdataset, noqname);
+ }
+
+ /*
+--- old/./version Wed Jan 11 14:12:30 2017
++++ new/./version Wed Jan 11 14:12:29 2017
[email protected]@ -10,4 +10,4 @@
+ PATCHVER=
+ RELEASETYPE=-ESV
+ RELEASEVER=-R11
+-EXTENSIONS=-S9
++EXTENSIONS=-S10
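Review bot: Both resolver.c call sites now discard the result of `dns_rdataset_addnoqname()` behind a `(void)` cast, so a failure that used to abort through RUNTIME_CHECK leaves no trace at all. Dropping the assertion is right for a path driven by remote data, but I would keep `tresult = dns_rdataset_addnoqname(rdataset, noqname);` and follow it with a debug-level `isc_log_write` when `tresult != ISC_R_SUCCESS`, so that an rdataset which apparently goes on to be cached without its noqname data can be found afterwards. In message.c, `auth_signed()` repeats the literals 0x1/0x2/0x4 in two separate switches; named constants shared by both would keep the DS/NSEC/NSEC3 bit assignments from drifting apart. The resolver.c functions begin and end outside the inner hunks.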
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/014-RT43779.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,151 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43779. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Thu Jan 12 00:28:22 2017
++++ new/./CHANGES Thu Jan 12 00:28:22 2017
[email protected]@ -1,5 +1,9 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
++ in responses resulting in SERVFAIL being returned.
++ [RT #43779]
++
+ 4517. [security] Named could mishandle authority sections that were
+ missing RRSIGs triggering an assertion failure.
+ (CVE-2016-9444) [RT #43632]
+--- old/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017
[email protected]@ -29,4 +29,6 @@
+ short-dname DNAME short
+ a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
+ long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
+-;
++cname CNAME a.cnamedname
++cnamedname DNAME target
++a.target A 10.0.0.3
+--- old/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017
[email protected]@ -63,6 +63,24 @@
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
++echo "I:checking cname to dname from authoritative"
++ret=0
++$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
++grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:checking cname to dname from recursive"
++ret=0
++$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
++grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
++grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+
+ exit $status
+--- old/lib/dns/resolver.c Thu Jan 12 00:28:23 2017
++++ new/lib/dns/resolver.c Thu Jan 12 00:28:23 2017
[email protected]@ -5776,7 +5776,7 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
[email protected]@ -5784,7 +5784,7 @@
+ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname, fqdname;
++ dns_fixedname_t fdname, fqname;
+
+ FCTXTRACE("answer_response");
+
[email protected]@ -5807,12 +5807,11 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- dqname = qname = &fctx->name;
++ qname = &fctx->name;
+ type = fctx->type;
+- dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln, dnamereln;
++ dns_namereln_t namereln;
+
+ int order;
+ unsigned int nlabels;
[email protected]@ -5821,8 +5820,6 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+- dnamereln = dns_name_fullcompare(dqname, name, &order,
+- &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
[email protected]@ -6074,11 +6071,24 @@
+ return (DNS_R_FORMERR);
+ }
+
+- if (dnamereln != dns_namereln_subdomain) {
++ /*
++ * If DNAME + synthetic CNAME then the
++ * namereln is dns_namereln_subdomain.
++ *
++ * If synthetic CNAME + DNAME then the
++ * namereln is dns_namereln_commonancestor
++ * and the number of label must match the
++ * DNAME. This order is not RFC compliant.
++ */
++
++ if (namereln != dns_namereln_subdomain &&
++ (namereln != dns_namereln_commonancestor ||
++ nlabels != dns_name_countlabels(name)))
++ {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(dqname, qbuf,
++ dns_name_format(qname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
[email protected]@ -6097,7 +6107,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, dqname,
++ result = dname_target(rdataset, qname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
[email protected]@ -6113,8 +6123,6 @@
+ dnameset = rdataset;
+
+ dname = dns_fixedname_name(&fdname);
+- dqname = dns_fixedname_name(&fqdname);
+- dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
[email protected]@ -6261,7 +6269,8 @@
+ rdataset->trust =
+ dns_trust_additional;
+
+- if (rdataset->type == dns_rdatatype_ns) {
++ if (rdataset->type == dns_rdatatype_ns)
++ {
+ ns_name = name;
+ ns_rdataset = rdataset;
+ }
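Review bot: The relaxed DNAME check in answer_response() now also accepts `dns_namereln_commonancestor` when `nlabels` equals the DNAME owner's label count, but the checks added to tests.sh cover only responses that are expected to succeed. A negative case, in which the DNAME owner is unrelated to the query name and the response must still be rejected, would show that the relaxation admits nothing beyond the CNAME + DNAME order described in the new comment. The authoritative check greps only for `status: NOERROR`, and the recursive greps such as `'^cname.example.'` leave the dots unescaped and so match more than the intended owner names; `'^cname\.example\.'` is tighter. answer_response() begins and ends outside these inner hunks.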