svn commit: r46095 - in head/share: security/advisories security/patches/SA-14:30 xml
Dag-Erling Smørgrav
des at FreeBSD.org
Wed Dec 17 08:29:55 UTC 2014
Author: des
Date: Wed Dec 17 08:29:53 2014
New Revision: 46095
URL: https://svnweb.freebsd.org/changeset/doc/46095
Log:
Add SA-14:30
Added:
head/share/security/advisories/FreeBSD-SA-14:30.unbound.asc (contents, props changed)
head/share/security/patches/SA-14:30/
head/share/security/patches/SA-14:30/unbound.patch (contents, props changed)
head/share/security/patches/SA-14:30/unbound.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-14:30.unbound.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:30.unbound.asc Wed Dec 17 08:29:53 2014 (r46095)
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:30.unbound Security Advisory
+ The FreeBSD Project
+
+Topic: unbound remote denial of service vulnerability
+
+Category: contrib
+Module: unbound
+Announced: 2014-12-17
+Affects: FreeBSD 10.0-RELEASE and later
+Credits: Florian Maury (ANSSI)
+Corrected: 2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
+ 2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
+ 2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
+CVE Name: CVE-2014-8602
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Unbound is a validating, recursive, and caching DNS resolver.
+
+II. Problem Description
+
+By causing queries to be made against a maliciously-constructed zone or
+against a malicious DNS server, an attacker who is able to cause
+specific queries to be sent to a nameserver can trick unbound(8) resolver
+into following an endless series of delegations, which consumes a lot of
+resources.
+
+III. Impact
+
+Unbound will spend a lot of resources on this query, and this will impact
+unbound's CPU and network resources. Unbound may therefore lose some
+ability or timelines for the service of customer queries (a denial of
+service). Unbound will continue to respond normally for cached queries.
+
+IV. Workaround
+
+No workaround is available, but hosts not running unbound(8) are not
+vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch
+# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc
+# gpg --verify unbound.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the unbound(8) daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r275853
+releng/10.0/ r275854
+releng/10.1/ r275854
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://unbound.net/downloads/CVE-2014-8602.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY
+GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4
+oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am
+lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM
+aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK
+sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU
+ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX
+8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO
+WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+
+3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6
+z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/
+9PFQzCA+8snPiCyUhAaC
+=fkvr
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-14:30/unbound.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:30/unbound.patch Wed Dec 17 08:29:53 2014 (r46095)
@@ -0,0 +1,149 @@
+Index: contrib/unbound/iterator/iterator.c
+===================================================================
+--- contrib/unbound/iterator/iterator.c.orig
++++ contrib/unbound/iterator/iterator.c
+@@ -117,6 +117,7 @@
+ iq->query_restart_count = 0;
+ iq->referral_count = 0;
+ iq->sent_count = 0;
++ iq->target_count = NULL;
+ iq->wait_priming_stub = 0;
+ iq->refetch_glue = 0;
+ iq->dnssec_expected = 0;
+@@ -442,6 +443,26 @@
+ return 1;
+ }
+
++/** create target count structure for this query */
++static void
++target_count_create(struct iter_qstate* iq)
++{
++ if(!iq->target_count) {
++ iq->target_count = (int*)calloc(2, sizeof(int));
++ /* if calloc fails we simply do not track this number */
++ if(iq->target_count)
++ iq->target_count[0] = 1;
++ }
++}
++
++static void
++target_count_increase(struct iter_qstate* iq, int num)
++{
++ target_count_create(iq);
++ if(iq->target_count)
++ iq->target_count[1] += num;
++}
++
+ /**
+ * Generate a subrequest.
+ * Generate a local request event. Local events are tied to this module, and
+@@ -513,6 +534,10 @@
+ subiq = (struct iter_qstate*)subq->minfo[id];
+ memset(subiq, 0, sizeof(*subiq));
+ subiq->num_target_queries = 0;
++ target_count_create(iq);
++ subiq->target_count = iq->target_count;
++ if(iq->target_count)
++ iq->target_count[0] ++; /* extra reference */
+ subiq->num_current_queries = 0;
+ subiq->depth = iq->depth+1;
+ outbound_list_init(&subiq->outlist);
+@@ -1339,6 +1364,12 @@
+
+ if(iq->depth == ie->max_dependency_depth)
+ return 0;
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return 0;
++ }
+
+ iter_mark_cycle_targets(qstate, iq->dp);
+ missing = (int)delegpt_count_missing_targets(iq->dp);
+@@ -1487,6 +1518,7 @@
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ if(qs != 0) {
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0; /* and wait for them */
+@@ -1496,6 +1528,12 @@
+ verbose(VERB_QUERY, "maxdepth and need more nameservers, fail");
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
++ }
+ /* mark cycle targets for parent-side lookups */
+ iter_mark_pside_cycle_targets(qstate, iq->dp);
+ /* see if we can issue queries to get nameserver addresses */
+@@ -1525,6 +1563,7 @@
+ if(query_count != 0) { /* suspend to await results */
+ verbose(VERB_ALGO, "try parent-side glue lookup");
+ iq->num_target_queries += query_count;
++ target_count_increase(iq, query_count);
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0;
+ }
+@@ -1680,6 +1719,7 @@
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ if(iq->num_target_queries > 0) {
+ /* wait to get all targets, we want to try em */
+ verbose(VERB_ALGO, "wait for all targets for fallback");
+@@ -1720,6 +1760,7 @@
+ /* errors ignored, these targets are not strictly necessary for
+ * this result, we do not have to reply with SERVFAIL */
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ }
+
+ /* Add the current set of unused targets to our queue. */
+@@ -1765,6 +1806,7 @@
+ return 1;
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ }
+ /* Since a target query might have been made, we
+ * need to check again. */
+@@ -2847,6 +2889,8 @@
+ iq = (struct iter_qstate*)qstate->minfo[id];
+ if(iq) {
+ outbound_list_clear(&iq->outlist);
++ if(iq->target_count && --iq->target_count[0] == 0)
++ free(iq->target_count);
+ iq->num_current_queries = 0;
+ }
+ qstate->minfo[id] = NULL;
+Index: contrib/unbound/iterator/iterator.h
+===================================================================
+--- contrib/unbound/iterator/iterator.h.orig
++++ contrib/unbound/iterator/iterator.h
+@@ -52,6 +52,8 @@
+ struct iter_prep_list;
+ struct iter_priv;
+
++/** max number of targets spawned for a query and its subqueries */
++#define MAX_TARGET_COUNT 32
+ /** max number of query restarts. Determines max number of CNAME chain. */
+ #define MAX_RESTART_COUNT 8
+ /** max number of referrals. Makes sure resolver does not run away */
+@@ -254,6 +256,10 @@
+
+ /** number of queries fired off */
+ int sent_count;
++
++ /** number of target queries spawned in [1], for this query and its
++ * subqueries, the malloced-array is shared, [0] refcount. */
++ int* target_count;
+
+ /**
+ * The query must store NS records from referrals as parentside RRs
Added: head/share/security/patches/SA-14:30/unbound.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:30/unbound.patch.asc Wed Dec 17 08:29:53 2014 (r46095)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUkTgmAAoJEO1n7NZdz2rn1OUP/1ERY7/RPW53T3mkpm1gFCTt
+R7DVRj7QuMkyKqUOnKtN/QahgY+fr5BA/QT5zh60+gXr7GtkwM4TjP5r/CTqPjZS
++sO3/FR6Vg2M2HoTqCVtXUyJybbayXWfBht508NHWc3y8DniVO3138rnydT6T1bJ
+vQPhgbmHaxQa7ghW2y9u3w1MR1Y+gnjcqA/o9qsNPypCZp/ZhWRgnSK1Jdp2Zshl
+rukFU0hI/1wwRRMznFwlTVGCIzAK73AqLs155BpyjN9ppodJ0NLHvslrBnnuT2ag
+/vUx7x+dfL1EVvbzcQ4DLM0c5TPIl9a2tLfEAhqy7g69VfTNiNlGQ7IqHIIoIBMs
+P0RMEnoiBXKoXVZ+ccVsCOsOZleiBeKrY3I5sfJ29eeTnRhwWiDYHVpN/wDuLYMb
+9KzJDre1eCPZmllT5CQkW2qZWrOTTnFmuHf9OBuCWBrf7RZghnOhegKsBGWofktC
+issxVfcT4RlSd2gg6pO/hgC3t4pOCXf7WK8qc5ikTyR9UcvuN0UGsqY3GWP4TfjD
+DkDj0TC2WwFNWPa1RjMX3r3njXqjeBNUm65hrtiiQl8MTczysguQjY8C/p86R79A
+D+A2D6bhf+uHY0FRtFTOuC+Ttooi928hPOrCC2MuiUXKVCENQNuEWAgTldNvQKx9
+Iu8S3h8qAXzs8cwAWZIB
+=fSbR
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Sun Dec 14 22:39:44 2014 (r46094)
+++ head/share/xml/advisories.xml Wed Dec 17 08:29:53 2014 (r46095)
@@ -11,6 +11,14 @@
<name>12</name>
<day>
+ <name>17</name>
+
+ <advisory>
+ <name>FreeBSD-SA-14:30.unbound</name>
+ </advisory>
+ </day>
+
+ <day>
<name>10</name>
<advisory>
More information about the svn-doc-head
mailing list