From 55ad72d44a94298a96b8f05488ca5ed97ef04736 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 5 May 2024 20:37:15 +0200
Subject: Adding debian version 1:9.11.5.P4+dfsg-5.1+deb10u7.

Signed-off-by: Daniel Baumann
---
 debian/patches/0033-Disable-lame-ttl-cache.patch | 70 ++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 debian/patches/0033-Disable-lame-ttl-cache.patch
(limited to 'debian/patches/0033-Disable-lame-ttl-cache.patch')
diff --git a/debian/patches/0033-Disable-lame-ttl-cache.patch b/debian/patches/0033-Disable-lame-ttl-cache.patch
new file mode 100644
index 0000000..efd2132
--- /dev/null
+++ b/debian/patches/0033-Disable-lame-ttl-cache.patch
@@ -0,0 +1,70 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?=
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: Disable lame-ttl cache
+
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with . This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+---
+ bin/named/config.c | 2 +-
+ bin/named/server.c | 8 ++++++--
+ doc/arm/Bv9ARM-book.xml | 9 +++------
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index d22ee4b..ba5fa8a 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -170,7 +170,7 @@ options {\n\
+ #ifdef HAVE_GEOIP
+ " geoip-use-ecs yes;\n"
+ #endif
+-" lame-ttl 600;\n"
++" lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+ " lmdb-mapsize 32M;\n"
+ #endif
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 149458e..748a150 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3971,8 +3971,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ result = ns_config_get(maps, "lame-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ lame_ttl = cfg_obj_asuint32(obj);
+- if (lame_ttl > 1800)
+- lame_ttl = 1800;
++ if (lame_ttl > 0) {
++ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
++ "disabling lame cache despite lame-ttl > 0 as it "
++ "may cause performance issues");
++ lame_ttl = 0;
++ }
+ dns_resolver_setlamettl(view->resolver, lame_ttl);
+ 
+ /*
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 4b36bd0..7852b5a 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8855,12 +8855,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ lame-ttl
+ 
+ 
+- Sets the number of seconds to cache a
+- lame server indication. 
0 disables caching. (This is
+- NOT recommended.)
+- The default is 600 (10 minutes) and the
+- maximum value is
+- 1800 (30 minutes).
++ This is always set to 0. More information is available
++ in the security advisory for CVE-2021-25219.
+ 
+ 
+ 
-- cgit v1.2.3
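Review bot: The new patch file's header (the `+From:`/`+Date:`/`+Subject:` lines at the top of the hunk) carries no DEP-3 `Origin:` or `Bug:` field and its description never names the advisory; CVE-2021-25219 appears only inside the embedded Bv9ARM-book.xml hunk. Adding `Bug: <upstream-advisory-URL placeholder>` under the existing header lines, and a sentence in the description such as "Mitigates CVE-2021-25219 by forcing lame-ttl to 0", would let security trackers and packagers match this patch to the advisory without reading the doc change. In the embedded server.c hunk the forced `lame_ttl = 0` combined with the config.c default of 0 means any explicitly configured lame-ttl is now a no-op that only emits an ISC_LOG_WARNING per view on each (re)configuration; that looks intentional, but the description should say so since operators will see the warning on every reload. The enclosing configure_view function continues outside the hunk.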