Diffstat (limited to 'debian/patches/0019-CVE-2020-8617.patch')
-rw-r--r--debian/patches/0019-CVE-2020-8617.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/debian/patches/0019-CVE-2020-8617.patch b/debian/patches/0019-CVE-2020-8617.patch
new file mode 100644
index 0000000..63e84d3
--- /dev/null
+++ b/debian/patches/0019-CVE-2020-8617.patch
@@ -0,0 +1,33 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@debian.org>
+Date: Thu, 14 May 2020 12:24:23 +0200
+Subject: CVE-2020-8617
+
+---
+ lib/dns/tsig.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index a94ec69..ff40b99 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1422,8 +1422,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ goto cleanup_context;
+ }
+ msg->verified_sig = 1;
+- } else if (tsig.error != dns_tsigerror_badsig &&
+- tsig.error != dns_tsigerror_badkey) {
++ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
++ tsig.error != dns_tsigerror_badkey))
++ {
+ tsig_log(msg->tsigkey, 2, "signature was empty");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+@@ -1489,7 +1490,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ }
+ }
+
+- if (tsig.error != dns_rcode_noerror) {
++ if (response && tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
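Review bot: Neither of the two new `response` tests in dns_tsig_verify has a comment explaining why requests and responses are handled differently, and the patch header gives nothing beyond the CVE id, so anyone rebasing this series has only the bare conditions to go on. Judging by the log text, the first branch handles an empty signature; above `else if (!response || ...)` I would add `/* An empty signature is only tolerated in a response that reports BADSIG or BADKEY; a request must always carry one. */`. Above `if (response && tsig.error != dns_rcode_noerror)` I would add `/* The TSIG error field is only meaningful in a response; do not act on it for a request. */`. The header would also benefit from a one-line description of the failure being fixed and an `Origin:` field naming the upstream commit (`<upstream-commit-id>`). Both hunks cut into dns_tsig_verify, whose body starts before and continues past the lines shown, so the surrounding signature-length check and the rest of the error branch are not visible here.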