Commit 79457c4b authored by Dan Streetman, committed by Simon McVittie

Import Debian changes 237-3ubuntu10.12

systemd (237-3ubuntu10.12) bionic; urgency=medium

  * d/p/resolve-enable-EDNS0-towards-the-127.0.0.53-stub-res.patch
    getaddrinfo() failures when falling back to DNS TCP queries, so enable
    edns0 in resolv.conf (LP: #1811471)

  [ Victor Tapia ]
  * d/p/resolved-Increase-size-of-TCP-stub-replies.patch
    dns failures with edns0 disabled and truncated response (LP: #1804487)
parent 18184d7c
systemd (237-3ubuntu10.12) bionic; urgency=medium
* d/p/resolve-enable-EDNS0-towards-the-127.0.0.53-stub-res.patch
getaddrinfo() failures when fallback to dns tcp queries, so enable
edns0 in resolv.conf (LP: #1811471)
[ Victor Tapia ]
* d/p/resolved-Increase-size-of-TCP-stub-replies.patch
dns failures with edns0 disabled and truncated response (LP: #1804487)
-- Dan Streetman <ddstreet@canonical.com> Tue, 29 Jan 2019 14:26:48 -0500
systemd (237-3ubuntu10.11) bionic-security; urgency=medium
* SECURITY UPDATE: memory corruption in journald via attacker controlled alloca
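Review bot: the first changelog bullet gives a different rationale (getaddrinfo() failures on fallback to TCP queries) than the header of the patch it imports, which justifies `options edns0` by DNSSEC validation of SSHFP records for ssh; since the TCP reply size is actually changed by the second patch, the entry should say in one line how enabling EDNS0 in the stub resolv.conf relates to the TCP fallback failures, or point at the second bullet, so that a reader of the changelog is not left guessing which of the two patches addresses LP: #1811471.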
From: Tore Anderson <tore@fud.no>
Date: Mon, 17 Dec 2018 09:15:59 +0100
Subject: [PATCH] resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
This appears to be necessary for client software to ensure the response data
is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o
StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is
not enabled. The debugging output reveals that the `SSHFP` records were
found in DNS, but were considered insecure.
Note that the patch intentionally does *not* enable EDNS0 in the
`/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver`
entries for the upstream DNS servers), as it is impossible to know for
certain that all the upstream DNS servers handle EDNS0 correctly.
Origin: https://github.com/systemd/systemd/commit/93158c77bc69fde7cf5cff733617631c1e566fe8
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1811471
--- a/src/resolve/resolv.conf
+++ b/src/resolve/resolv.conf
@@ -15,3 +15,4 @@
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
+options edns0
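Review bot: this static file and the string literal in resolved-resolv-conf.c are two copies of the same stub resolv.conf, and nothing enforces that they stay identical; the hunk keeps them in step, but a comment line above `options edns0` in this file (the one administrators actually read at /etc/resolv.conf) stating that the option is set for the 127.0.0.53 stub to let clients validate DNSSEC data, and deliberately not for the upstream-server file, would stop the next person from "cleaning it up". The same comment line should then be added to the C string so the two copies do not drift.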
--- a/src/resolve/resolved-resolv-conf.c
+++ b/src/resolve/resolved-resolv-conf.c
@@ -286,7 +286,8 @@
"# See man:systemd-resolved.service(8) for details about the supported modes of\n"
"# operation for /etc/resolv.conf.\n"
"\n"
- "nameserver 127.0.0.53\n", f);
+ "nameserver 127.0.0.53\n"
+ "options edns0\n", f);
if (!ordered_set_isempty(domains))
write_resolv_conf_search(domains, f);
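Review bot: the patch header says EDNS0 "appears to be necessary" and infers this from ssh debug output, but neither the header nor this hunk records the mechanism, i.e. what the stub resolver or the client resolver library does differently when the query carries an OPT record. That reason belongs in the commit message or in a comment next to the `"options edns0\n"` line, because this string is regenerated into /etc/resolv.conf on every system and the bug thread will not be where someone looks when the line is questioned.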
From: Victor Tapia <victor.tapia@canonical.com>
Date: Wed, 21 Nov 2018 14:01:04 +0100
Subject: [PATCH] resolved: Increase size of TCP stub replies
DNS_PACKET_PAYLOAD_SIZE_MAX is limiting the size of the stub replies to
512 with EDNS off or 4096 with EDNS on, without checking the protocol
used. This makes TCP replies for clients without EDNS support limited
to 512, making the truncate flag useless if the query result is
bigger than 512 bytes.
This commit increases the size of TCP replies to DNS_PACKET_SIZE_MAX.
Bug: https://github.com/systemd/systemd/issues/10816
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915049
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1804487
Origin: upstream, https://github.com/systemd/systemd/commit/e6eed9445956cfa496e1db933bfd3530db23bfce
--- a/src/resolve/resolved-dns-packet.h
+++ b/src/resolve/resolved-dns-packet.h
@@ -136,11 +136,14 @@
static inline uint16_t DNS_PACKET_PAYLOAD_SIZE_MAX(DnsPacket *p) {
- /* Returns the advertised maximum datagram size for replies, or the DNS default if there's nothing defined. */
+ /* Returns the advertised maximum size for replies, or the DNS default if there's nothing defined. */
if (p->opt)
return MAX(DNS_PACKET_UNICAST_SIZE_MAX, p->opt->key->class);
+ if (p->ipproto == IPPROTO_TCP)
+ return DNS_PACKET_SIZE_MAX;
+
return DNS_PACKET_UNICAST_SIZE_MAX;
}
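Review bot: the new `if (p->ipproto == IPPROTO_TCP)` check sits below the `if (p->opt)` return, so a TCP query that carries an OPT record is still capped at MAX(DNS_PACKET_UNICAST_SIZE_MAX, p->opt->key->class). The size advertised in OPT is the requestor's UDP payload size and says nothing about TCP, where the length prefix already allows DNS_PACKET_SIZE_MAX; as written, the fix only helps the non-EDNS client the commit message describes, and an EDNS client whose answer is larger than its advertised size retries over TCP and is truncated again. Moving the TCP check above the `p->opt` check makes TCP replies always DNS_PACKET_SIZE_MAX regardless of whether the client sent EDNS0, which is also what the reworded comment ("advertised maximum size for replies") now implies.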
@@ -91,3 +91,5 @@ CVE-2018-16864.patch
CVE-2018-16865_1.patch
CVE-2018-16865_2.patch
CVE-2018-16866.patch
resolved-Increase-size-of-TCP-stub-replies.patch
resolve-enable-EDNS0-towards-the-127.0.0.53-stub-res.patch
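The two patches interact: the first decides whether a glibc client's query carries an OPT record (`options edns0`), and the second decides how large the stub's reply may be per transport. The model below is an added example written for this page, not code from systemd or from either patch. It reproduces the arithmetic of DNS_PACKET_PAYLOAD_SIZE_MAX() for a client with and without `options edns0`, simulating the UDP-then-TCP retry a stub resolver client performs when the TC flag is set. Assumptions: DNS_PACKET_UNICAST_SIZE_MAX is 512 (stated in the patch description), DNS_PACKET_SIZE_MAX is taken to be 0xFFFF (the largest message a TCP length prefix can describe), the 4096 figure is the one the description quotes for EDNS-enabled clients, the reply sizes are constructed, and the `tcp_first` ordering is this example's own variant, not the patch's.

```python
"""Added example, not systemd or patch code: a model of the stub resolver's
DNS_PACKET_PAYLOAD_SIZE_MAX() rule and of a glibc-style client that retries
over TCP when a UDP reply has TC set."""
import socket
import struct
from typing import Optional, Tuple

# Names follow src/resolve/resolved-dns-packet.h.  512 is stated in the patch
# description; 0xFFFF is an assumption for DNS_PACKET_SIZE_MAX; 4096 is the
# size the description quotes for clients with EDNS0 enabled.
DNS_PACKET_UNICAST_SIZE_MAX = 512
DNS_PACKET_SIZE_MAX = 0xFFFF
EDNS0_ADVERTISED = 4096
DNS_TYPE_OPT = 41
DNS_TYPE_SSHFP = 44


def build_query(qname: str, qtype: int = DNS_TYPE_SSHFP,
                edns0_bufsize: Optional[int] = None) -> bytes:
    """Wire-format query.  An OPT pseudo-RR is appended only when edns0_bufsize
    is given, which is what `options edns0` in resolv.conf makes a client do."""
    has_opt = edns0_bufsize is not None
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if has_opt else 0)
    labels = [l for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)          # class IN
    opt = b""
    if has_opt:
        # RFC 6891 OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload
        # size, TTL=extended rcode/version/flags, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns0_bufsize, 0, 0)
    return header + question + opt


def advertised_size(query: bytes) -> Optional[int]:
    """CLASS field of the trailing OPT RR (what resolved keeps in
    p->opt->key->class), or None when the query carries no OPT RR."""
    (arcount,) = struct.unpack("!H", query[10:12])
    if arcount == 0 or len(query) < 23:
        return None
    rtype, rclass = struct.unpack("!HH", query[-10:-6])
    if query[-11] != 0 or rtype != DNS_TYPE_OPT:
        return None
    return rclass


def payload_size_max(query: bytes, ipproto: int, mode: str) -> int:
    """DNS_PACKET_PAYLOAD_SIZE_MAX() under three orderings of its checks:
    'before'    pre-patch: OPT size or 512, transport never looked at
    'patch'     the hunk above: OPT size first, then 65535 on TCP, else 512
    'tcp_first' this example's own variant: TCP always gets 65535, and the OPT
                size (a UDP payload size) is consulted only for UDP
    """
    if mode not in ("before", "patch", "tcp_first"):
        raise ValueError(mode)
    adv = advertised_size(query)
    is_tcp = ipproto == socket.IPPROTO_TCP
    if mode == "tcp_first" and is_tcp:
        return DNS_PACKET_SIZE_MAX
    if adv is not None:
        return max(DNS_PACKET_UNICAST_SIZE_MAX, adv)   # MAX(512, p->opt->key->class)
    if mode == "patch" and is_tcp:
        return DNS_PACKET_SIZE_MAX
    return DNS_PACKET_UNICAST_SIZE_MAX


def resolve(query: bytes, reply_len: int, mode: str) -> Tuple[str, bool]:
    """Client side: send over UDP; if the stub would have to set TC, retry the
    same query over TCP.  Returns (transport of final reply, still truncated?)."""
    for proto, transport in ((socket.IPPROTO_UDP, "udp"), (socket.IPPROTO_TCP, "tcp")):
        truncated = reply_len > payload_size_max(query, proto, mode)
        if not truncated or transport == "tcp":
            return transport, truncated
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    host = "redpilllinpro01.ring.nlnog.net"            # name from the patch description
    plain = build_query(host)                          # resolv.conf without `options edns0`
    edns = build_query(host, edns0_bufsize=EDNS0_ADVERTISED)
    for label, q in (("no EDNS0", plain), ("EDNS0/4096", edns)):
        for reply_len in (700, 5000):                  # constructed reply sizes
            for mode in ("before", "patch", "tcp_first"):
                print(f"{label:11} reply={reply_len:5} {mode:9} -> {resolve(q, reply_len, mode)}")
```

The no-EDNS0, 700-byte row is the situation in the bug report: before the patch the client is told TC over UDP, retries over TCP, and is truncated again at 512; with the patch the TCP retry succeeds. The EDNS0, 5000-byte row shows the case the `patch` ordering still truncates on TCP and the `tcp_first` ordering does not.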