Merge branch '3622-serve-stale-rrsig-fix-security-v9_18' into 'security-v9_18'

[9.18] [CVE-2022-3736] Properly handle stale RRSIG lookups

See merge request isc-private/bind9!485

CHANGES

@@ -1,3 +1,6 @@
+6066.	[security]	Handle RRSIG lookups when serve-stale is active.
+			(CVE-2022-3736) [GL #3622]
+
 6064.	[security]	An UPDATE message flood could cause named to exhaust all
 			available memory. This flaw was addressed by adding a
 			new "update-quota" statement that controls the number of

doc/notes/notes-current.rst

@@ -24,6 +24,14 @@ Security Fixes
   ISC would like to thank Rob Schulhof from Infoblox for bringing this
   vulnerability to our attention. :gl:`#3523`
 
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+  query was received and :any:`stale-answer-client-timeout` was set to a
+  non-zero value. This has been fixed. (CVE-2022-3736)
+
+  ISC would like to thank Borja Marcos from Sarenet (with assistance by
+  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+  our attention. :gl:`#3622`
+
 New Features
 ~~~~~~~~~~~~
 

lib/ns/query.c

@@ -5237,6 +5237,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
 	qctx->result = ISC_R_SUCCESS;
 	qctx->findcoveringnsec = qctx->view->synthfromdnssec;
 
+	/*
+	 * If it's an RRSIG or SIG query, we'll iterate the node.
+	 */
+	if (qctx->qtype == dns_rdatatype_rrsig ||
+	    qctx->qtype == dns_rdatatype_sig)
+	{
+		qctx->type = dns_rdatatype_any;
+	}
+
 	CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
 }
 
@@ -5424,15 +5433,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
 
 	CALL_HOOK(NS_QUERY_SETUP, &qctx);
 
-	/*
-	 * If it's a SIG query, we'll iterate the node.
-	 */
-	if (qctx.qtype == dns_rdatatype_rrsig ||
-	    qctx.qtype == dns_rdatatype_sig)
-	{
-		qctx.type = dns_rdatatype_any;
-	}
-
 	/*
 	 * Check SERVFAIL cache
 	 */