From 2fd20bbaf5832963bf7e92b58f986d33590d1405 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 14 Feb 2024 14:49:49 +0100 Subject: [PATCH 1/3] Mention CVE-2023-50868 in CHANGES entry 6322 Since CVE-2023-50868 does not have a dedicated fix in BIND 9, mention its CVE identifier in the CHANGES entry for CVE-2023-50387 (KeyTrap), which accompanied the code change that addresses both of these vulnerabilities. --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 8dcb70e0e0..8498e65a83 100644 --- a/CHANGES +++ b/CHANGES @@ -85,6 +85,10 @@ condition due to DNS validation taking a long time. (CVE-2023-50387) [GL #4424] + The same code change also addresses another problem: + preparing NSEC3 closest encloser proofs could exhaust + available CPU resources. (CVE-2023-50868) [GL #4459] + 6321. [security] Change 6315 inadvertently introduced regressions that could cause named to crash. [GL #4234] From 01ac86f90ba6fb834e2ee94ad90881522ff9e641 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 14 Feb 2024 14:49:49 +0100 Subject: [PATCH 2/3] Retroactively add release note for CVE-2023-50868 A release note for CVE-2023-50868 was not included in BIND 9.19.21, even though that vulnerability was already addressed in that release (by the fix for CVE-2023-50387). Retroactively add a relevant release note for BIND 9.19.21. --- doc/notes/notes-9.19.21.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/notes/notes-9.19.21.rst b/doc/notes/notes-9.19.21.rst index 16f1b7bc3b..f059314598 100644 --- a/doc/notes/notes-9.19.21.rst +++ b/doc/notes/notes-9.19.21.rst 
@@ -24,6 +24,10 @@ Security Fixes Applied Cybersecurity ATHENE for bringing this vulnerability to our attention. :gl:`#4424` +- Preparing an NSEC3 closest encloser proof could cause excessive CPU + load, leading to a denial-of-service condition. This has been fixed. + :cve:`2023-50868` :gl:`#4459` + - Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. :cve:`2023-4408` From dedc5b9afbda5dd627c59243785bf5f7d65a2590 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Wed, 14 Feb 2024 14:49:49 +0100 Subject: [PATCH 3/3] Swap CHANGES entries 6343 and 6344 Fix a CHANGES entries numbering issue that was inadvertently introduced when change 6344 was backported. This makes the affected CHANGES numbers consistent across all branches and releases again. --- CHANGES | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 8498e65a83..58c2a60b15 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,10 @@ 6345. [bug] Added missing dns_rdataset_disassociate calls in validator.c:findnsec3proofs. [GL #4571] -6344. [bug] Fix case insensitive setting for isc_ht hashtable. - [GL #4568] +6344. [placeholder] -6343. [placeholder] +6343. [bug] Fix case insensitive setting for isc_ht hashtable. + [GL #4568] 6342. [placeholder]
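Review bot: In the CHANGES hunk of patch 1/3 (@@ -85,6 +85,10 @@), the added paragraph describes CVE-2023-50868 as "could exhaust available CPU resources", while the release note added in patch 2/3 describes the same issue as "excessive CPU load, leading to a denial-of-service condition". Use the same impact wording in both places so that an operator searching either file for the CVE finds matching descriptions. Entry 6322 also now carries two CVE and GL trailers, the second in its own paragraph after "(CVE-2023-50387) [GL #4424]"; confirm that anything which reads CHANGES entries copes with more than one trailer per entry.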
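Review bot: In the doc/notes/notes-9.19.21.rst hunk of patch 2/3, the new bullet ends with "This has been fixed." but does not say that the fix is the one already listed for CVE-2023-50387, which is what the commit message and the CHANGES text in patch 1/3 ("The same code change also addresses another problem") state. Someone reading only the release notes would look for a separate change behind :gl:`#4459`; add a clause that points at the preceding bullet. The preceding bullet also closes with a reporter acknowledgment and the new one has none, so confirm whether a credit is due for this CVE.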
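Review bot: In the CHANGES hunk of patch 3/3 (@@ -1,10 +1,10 @@), moving the isc_ht fix from 6344 to 6343 changes a number that other text may cite, since CHANGES entries refer to each other by number (entry 6321 reads "Change 6315 inadvertently introduced regressions"). Before merging, search release notes and other entries for references to 6343 or 6344, and name the backport commit in the commit message so the cross-branch numbering it restores can be verified.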