Commit 3d71785e authored by Evan Hunt's avatar Evan Hunt Committed by Ondřej Surý

allow-recursion could incorrectly inherit from the default allow-query

parent cbed2a46
......@@ -24,6 +24,13 @@
4962. [cleanup] Move 'named -T' processing to its own function.
[GL #316]
4960. [security] When recursion is enabled, but the "allow-recursion"
and "allow-query-cache" ACLs are not specified,
they should be limited to local networks,
but were inadvertently set to match the default
"allow-query", thus allowing remote queries.
(CVE-2018-5738) [GL #309]
4958. [bug] Remove redundant space from NSEC3 record. [GL #281]
4955. [cleanup] Silence cppcheck warnings in lib/dns/master.c.
......
......@@ -3373,10 +3373,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_acache_setcachesize(view->acache, max_acache_size);
}
CHECK(configure_view_acl(vconfig, config, ns_g_config,
"allow-query", NULL, actx,
ns_g_mctx, &view->queryacl));
/*
* Make the list of response policy zone names for a view that
* is used for real lookups and so cares about hints.
......@@ -4260,9 +4256,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
INSIST(result == ISC_R_SUCCESS);
view->root_key_sentinel = cfg_obj_asboolean(obj);
CHECK(configure_view_acl(vconfig, config, ns_g_config,
"allow-query-cache-on", NULL, actx,
ns_g_mctx, &view->cacheonacl));
/*
* Set sources where additional data and CNAME/DNAME
* targets for authoritative answers may be found.
......@@ -4289,22 +4282,40 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
view->additionalfromcache = ISC_TRUE;
}
CHECK(configure_view_acl(vconfig, config, ns_g_config,
"allow-query-cache-on", NULL, actx,
ns_g_mctx, &view->cacheonacl));
/*
* Set "allow-query-cache", "allow-recursion", and
* "allow-recursion-on" acls if configured in named.conf.
* (Ignore the global defaults for now, because these ACLs
* can inherit from each other when only some of them set at
* the options/view level.)
* Set the "allow-query", "allow-query-cache", "allow-recursion",
* and "allow-recursion-on" ACLs if configured in named.conf, but
* NOT from the global defaults. This is done by leaving the third
* argument to configure_view_acl() NULL.
*
* We ignore the global defaults here because these ACLs
* can inherit from each other. If any are still unset after
* applying the inheritance rules, we'll look up the defaults at
* that time.
*/
CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
NULL, actx, ns_g_mctx, &view->cacheacl));
/* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-query", NULL, actx,
ns_g_mctx, &view->queryacl));
/* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-query-cache", NULL, actx,
ns_g_mctx, &view->cacheacl));
if (strcmp(view->name, "_bind") != 0 &&
view->rdclass != dns_rdataclass_chaos)
{
/* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-recursion", NULL, actx,
ns_g_mctx, &view->recursionacl));
/* named.conf only */
CHECK(configure_view_acl(vconfig, config, NULL,
"allow-recursion-on", NULL, actx,
ns_g_mctx, &view->recursiononacl));
......@@ -4342,18 +4353,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
* the global config.
*/
if (view->recursionacl == NULL) {
/* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-recursion", NULL,
actx, ns_g_mctx,
&view->recursionacl));
}
if (view->recursiononacl == NULL) {
/* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-recursion-on", NULL,
actx, ns_g_mctx,
&view->recursiononacl));
}
if (view->cacheacl == NULL) {
/* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-query-cache", NULL,
actx, ns_g_mctx,
......@@ -4367,6 +4381,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECK(dns_acl_none(mctx, &view->cacheacl));
}
if (view->queryacl == NULL) {
/* global default only */
CHECK(configure_view_acl(NULL, NULL, ns_g_config,
"allow-query", NULL,
actx, ns_g_mctx,
&view->queryacl));
}
/*
* Ignore case when compressing responses to the specified
* clients. This causes case not always to be preserved,
......
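Review bot: The fix in bin/named/server.c relies purely on statement order — the named.conf-only lookups at the top of the -4289 hunk, the inheritance step whose body lies between the hunks and is not visible here, and the `/* global default only */` fallbacks in the -4342 and -4367 hunks must stay in that sequence — yet nothing in the code states the invariant, so a later reorder that moves the `allow-query` default lookup back above the inheritance step would silently reintroduce the behaviour the commit removes. I would replace the bare `/* global default only */` on the `view->queryacl == NULL` branch with one that says why it sits last, e.g. `/* global default only: must run after the inheritance step so an unset allow-recursion or allow-query-cache never inherits the default allow-query (CVE-2018-5738) */`. As a point of style, the five identical `/* named.conf only */` comments restate what the new block comment above them already explains; one comment on the `strcmp(view->name, "_bind")` branch would carry the same information. Whether the inheritance step copies `queryacl` into `recursionacl` only when `queryacl` is non-NULL is inferred from the commit message, not from these lines, since configure_view continues outside every hunk shown.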
......@@ -78,42 +78,11 @@
<itemizedlist>
<listitem>
<para>
An error in TSIG handling could permit unauthorized zone
transfers or zone updates. These flaws are disclosed in
CVE-2017-3142 and CVE-2017-3143. [RT #45383]
</para>
</listitem>
<listitem>
<para>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
</para>
</listitem>
<listitem>
<para>
With certain RPZ configurations, a response with TTL 0
could cause <command>named</command> to go into an infinite
query loop. This flaw is disclosed in CVE-2017-3140.
[RT #45181]
</para>
</listitem>
<listitem>
<para>
Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. This bug is disclosed in
CVE-2017-3145. [RT #46839]
</para>
</listitem>
<listitem>
<para>
update-policy rules that otherwise ignore the name field now
require that it be set to "." to ensure that any type list
present is properly interpreted. If the name field was omitted
from the rule declaration and a type list was present it wouldn't
be interpreted as expected.
When recursion is enabled but the <command>allow-recursion</command>
and <command>allow-query-cache</command> ACLs are not specified, they
should be limited to local networks, but they were inadvertently set
to match the default <command>allow-query</command>, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
</para>
</listitem>
</itemizedlist>
......