Merge ~ahasenack/ubuntu/+source/bind9:focal-bind9-rebinding-protection-fix into ubuntu/+source/bind9:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 40e3d999b9f4ed1e6f4ea82318e00653b21e5c65
Merged at revision: 40e3d999b9f4ed1e6f4ea82318e00653b21e5c65
Proposed branch: ~ahasenack/ubuntu/+source/bind9:focal-bind9-rebinding-protection-fix
Merge into: ubuntu/+source/bind9:ubuntu/devel
Diff against target: 70 lines (+49/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/fix-rebinding-protection.patch (+41/-0)
debian/patches/series (+1/-0)
Reviewer: Lucas Kanashiro (community), status: Approve
Review via email: mp+382326@code.launchpad.net

Description of the change

Upstream patch for what they flagged as a security issue, and that is part of the new 9.16.2 release made today. I don't have a test for it, and the upstream bug report is (still) private.

I didn't pull in the upstream test changes, because we don't run those. But the fact they added such tests adds confidence in this fix.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-rebinding-protection-fix

Andreas Hasenack (ahasenack) wrote :

The simple existing DEP8 test passed locally:

autopkgtest [15:21:31]: test simpletest: [-----------------------

; <<>> DiG 9.16.1-Ubuntu <<>> -x 127.0.0.1 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24603
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 31e227f1881752c4010000005e9750b28166c8dd192db241 (good)
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa. IN PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 15 18:21:38 UTC 2020
;; MSG SIZE rcvd: 102

autopkgtest [15:21:39]: test simpletest: -----------------------]
autopkgtest [15:21:39]: test simpletest: - - - - - - - - - - results - - - - - - - - - -
simpletest PASS
autopkgtest [15:21:40]: @@@@@@@@@@@@@@@@@@@@ summary
simpletest PASS

Lucas Kanashiro (lucaskanashiro) wrote :

+1, LGTM.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, tagging and uploading 40e3d999b9f4ed1e6f4ea82318e00653b21e5c65

$ git push pkg upload/1%9.16.1-0ubuntu2
Enumerating objects: 16, done.
Counting objects: 100% (16/16), done.
Delta compression using up to 4 threads
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.08 KiB | 304.00 KiB/s, done.
Total 11 (delta 7), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
 * [new tag] upload/1%9.16.1-0ubuntu2 -> upload/1%9.16.1-0ubuntu2

$ dput ubuntu ../bind9_9.16.1-0ubuntu2_source.changes
Checking signature on .changes
gpg: ../bind9_9.16.1-0ubuntu2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.16.1-0ubuntu2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.16.1-0ubuntu2.dsc: done.
  Uploading bind9_9.16.1-0ubuntu2.debian.tar.xz: done.
  Uploading bind9_9.16.1-0ubuntu2_source.buildinfo: done.
  Uploading bind9_9.16.1-0ubuntu2_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 340d58c..a827489 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+bind9 (1:9.16.1-0ubuntu2) focal; urgency=medium
7+
8+ * d/p/fix-rebinding-protection.patch: fix rebinding protection bug
9+ when using forwarder setups (LP: #1873046)
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Wed, 15 Apr 2020 14:59:51 -0300
12+
13 bind9 (1:9.16.1-0ubuntu1) focal; urgency=medium
14
15 * New upstream release: 19.16.1 (LP: #1868272)
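Review bot: The new stanza (lines 6-11) describes the change only as "fix rebinding protection bug", while the merge description says upstream flagged this as a security issue and shipped it in 9.16.2; consider saying so in the changelog entry and citing the upstream reference that is already in the patch header (GL #1574 / MR 3343) so the security team can track it from the changelog alone. The "19.16.1" in the previous stanza's context line is a pre-existing typo in an already-uploaded entry and should be left as is.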
16diff --git a/debian/patches/fix-rebinding-protection.patch b/debian/patches/fix-rebinding-protection.patch
17new file mode 100644
18index 0000000..4b1050f
19--- /dev/null
20+++ b/debian/patches/fix-rebinding-protection.patch
21@@ -0,0 +1,41 @@
22+commit bba353d512bf72bdc91f6fd8aadda494a378ccfd
23+Author: Diego Fronza <diego@isc.org>
24+Date: Thu Feb 13 20:17:13 2020 -0300
25+
26+ Fixed rebinding protection bug when using forwarder setups
27+
28+ BIND wasn't honoring option "deny-answer-aliases" when configured to
29+ forward queries.
30+
31+ Before the fix it was possible for nameservers listed in "forwarders"
32+ option to return CNAME answers pointing to unrelated domains of the
33+ original query, which could be used as a vector for rebinding attacks.
34+
35+ The fix ensures that BIND apply filters even if configured as a forwarder
36+ instance.
37+
38+ (cherry picked from commit af6a4de3d5ad6c1967173facf366e6c86b3ffc28)
39+
40+Bug: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3343
41+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1873046
42+Origin: upstream, https://gitlab.isc.org/isc-projects/bind9/-/commit/bba353d512bf72bdc91f6fd8aadda494a378ccfd
43+Last-Update: 2020-04-15
44+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
45+index 51bc368bf6..645a3e12cb 100644
46+--- a/lib/dns/resolver.c
47++++ b/lib/dns/resolver.c
48+@@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
49+
50+ /*
51+ * If the target name is a subdomain of the search domain, allow it.
52++ *
53++ * Note that if BIND is configured as a forwarding DNS server, the
54++ * search domain will always match the root domain ("."), so we
55++ * must also check whether forwarding is enabled so that filters
56++ * can be applied; see GL #1574.
57+ */
58+- if (dns_name_issubdomain(tname, &fctx->domain)) {
59++ if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
60+ return (true);
61+ }
62+
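Review bot: The one-line logic change (lines 58-59, `!fctx->forwarding && dns_name_issubdomain(...)`) removes the early "allow" for forwarding fetches, so CNAME targets returned by a forwarder now fall through to the deny-answer-aliases filtering instead of being accepted because everything is a subdomain of "."; that matches the commit message, but since the description says upstream's tests were not pulled in, it is worth confirming by hand with a named.conf that combines `forwarders` and `deny-answer-aliases` before and after the patch. On the header: the DEP-3 fields are complete (Origin, Bug, Bug-Ubuntu, Last-Update), but `Bug:` points at merge request 3343 while the code comment cites GL #1574; adding the issue URL would make the cross-reference easier to follow when the private upstream report is opened.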
63diff --git a/debian/patches/series b/debian/patches/series
64index af4c00f..800c3f7 100644
65--- a/debian/patches/series
66+++ b/debian/patches/series
67@@ -1,2 +1,3 @@
68 0001-Add_--install-layout=deb_to_setup.py_call.patch
69 0002-python-fix-for-dist-packages.patch
70+fix-rebinding-protection.patch
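Review bot: Style only: the new entry is appended without the numeric prefix that the two existing patches use (0001-, 0002-); naming it 0003-fix-rebinding-protection.patch would keep the series consistent, though the order in series is what actually matters and that is correct here.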
