On Fri Jun 26, 2026 at 6:59 PM CEST, Yoann Congal wrote: > On Wed Jun 10, 2026 at 12:04 PM CEST, Ashishkumar Parmar X (asparmar - E > INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: >> From: Ashishkumar Parmar <[email protected]> >> >> Pick the upstream 9.18 backport [1] for CVE-2026-1519. The public ISC >> advisory [2] describes the vulnerability and identifies the fixed BIND >> release. > > Hello, > > I have not checked but bind is one of those rare project to have a stable > branch that match our stable policy (I've already taken some upgrades). > > Instead of backporting CVE patches, why not trying to upgrade along the > 9.18 branch?
Hello, This whole series is now superseded by https://patchwork.yoctoproject.org/project/oe-core/patch/[email protected]/ Thanks! > >> >> The upstream fix is split across the reproducer and validation commits. >> Also include one prerequisite NSEC3 bounds-check commit that is required >> before the validation changes can be applied cleanly and validated >> safely on the downstream 9.18.44 source: >> >> - CVE-2026-1519_p1.patch [3] adds the upstream system-test reproducer >> for excessive NSEC3 iterations at delegation. >> - CVE-2026-1519-dependent.patch [4] adds the prerequisite NSEC3 >> next_length bounds check in isdelegation(). This patch is not part of >> the CVE merge commit, but it touches the same NSEC3 delegation path >> and must be applied before the functional validation changes. >> - CVE-2026-1519_p2.patch [5] adds the iteration-limit handling in >> isdelegation(). >> - CVE-2026-1519_p3.patch [6] avoids re-validating already trusted >> rdatasets. >> - CVE-2026-1519_p4.patch [7] checks RRset trust in >> validate_neg_rrset(). >> >> Keep the patches split to preserve the upstream commit structure and to >> make the SRC_URI ordering explicit. >> >> [1] >> https://gitlab.com/isc-projects/bind9/-/commit/5ef459eeaa92222ad28d2186f5eae9a586dece70 >> [2] https://kb.isc.org/docs/cve-2026-1519 >> [3] >> https://gitlab.com/isc-projects/bind9/-/commit/2c82f99a3c95f356861d5977f12ef9bbe2063cb6 >> [4] >> https://gitlab.com/isc-projects/bind9/-/commit/368c75a9f567f8b36cf24fefe45023e0a050e47b >> [5] >> https://gitlab.com/isc-projects/bind9/-/commit/85c21feff9acb0982fe60f2c88201bf55533bd0e >> [6] >> https://gitlab.com/isc-projects/bind9/-/commit/8890a91c1c16129333139b9d8a4381e0f741f0d6 >> [7] >> https://gitlab.com/isc-projects/bind9/-/commit/85fcd704e2f7cc2a25d2195bc4bb28398c889ed3 >> >> Signed-off-by: Ashishkumar Parmar <[email protected]> >> --- >> .../bind/bind/CVE-2026-1519-dependent.patch | 50 +++ >> .../bind/bind/CVE-2026-1519_p1.patch | 341 ++++++++++++++++++ >> .../bind/bind/CVE-2026-1519_p2.patch | 176 +++++++++ >> .../bind/bind/CVE-2026-1519_p3.patch | 52 +++ >> .../bind/bind/CVE-2026-1519_p4.patch | 59 +++ >> .../recipes-connectivity/bind/bind_9.18.44.bb | 5 + >> 6 files changed, 683 insertions(+) >> create mode 100644 >> meta/recipes-connectivity/bind/bind/CVE-2026-1519-dependent.patch >> create mode 100644 >> meta/recipes-connectivity/bind/bind/CVE-2026-1519_p1.patch >> create mode 100644 >> meta/recipes-connectivity/bind/bind/CVE-2026-1519_p2.patch >> create mode 100644 >> meta/recipes-connectivity/bind/bind/CVE-2026-1519_p3.patch >> create mode 100644 >> meta/recipes-connectivity/bind/bind/CVE-2026-1519_p4.patch >> >> diff --git >> a/meta/recipes-connectivity/bind/bind/CVE-2026-1519-dependent.patch >> b/meta/recipes-connectivity/bind/bind/CVE-2026-1519-dependent.patch >> new file mode 100644 >> index 0000000000..eff7a06d82 >> --- /dev/null >> +++ b/meta/recipes-connectivity/bind/bind/CVE-2026-1519-dependent.patch >> @@ -0,0 +1,50 @@ >> +From af8929ebe72ca8564882632e59999795c781ebd4 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <[email protected]> >> +Date: Sat, 14 Feb 2026 14:43:41 +0100 >> +Subject: [PATCH] Invalid NSEC3 can cause OOB read of the isdelegation() >> stack >> + >> +When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a >> +harmless out-of-bound read of the isdelegation() stack. This patch >> +fixes the issue by skipping NSEC3 records with an oversized hash length >> +during validation. >> + >> +CVE: CVE-2026-1519 >> +Upstream-Status: Backport >> [https://gitlab.com/isc-projects/bind9/-/commit/368c75a9f567f8b36cf24fefe45023e0a050e47b] >> + >> +(cherry picked from commit 67b4fb56e40bf856e1fccd41e752d5f486b5b569) >> +(cherry picked from commit 368c75a9f567f8b36cf24fefe45023e0a050e47b) >> +Signed-off-by: Ashishkumar Parmar <[email protected]> >> +--- >> + lib/dns/rdata/generic/nsec3_50.c | 1 + >> + lib/dns/validator.c | 3 +++ >> + 2 files changed, 4 insertions(+) >> + >> +diff --git a/lib/dns/rdata/generic/nsec3_50.c >> b/lib/dns/rdata/generic/nsec3_50.c >> +index f45fe4dc33..e04587bd1b 100644 >> +--- a/lib/dns/rdata/generic/nsec3_50.c >> ++++ b/lib/dns/rdata/generic/nsec3_50.c >> +@@ -324,6 +324,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) { >> + } >> + >> + nsec3->mctx = mctx; >> ++ >> + return ISC_R_SUCCESS; >> + >> + cleanup: >> +diff --git a/lib/dns/validator.c b/lib/dns/validator.c >> +index 809b7be911..9ec13581ab 100644 >> +--- a/lib/dns/validator.c >> ++++ b/lib/dns/validator.c >> +@@ -339,6 +339,9 @@ trynsec3: >> + if (nsec3.hash != 1) { >> + continue; >> + } >> ++ if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) { >> ++ continue; >> ++ } >> + length = isc_iterated_hash( >> + hash, nsec3.hash, nsec3.iterations, nsec3.salt, >> + nsec3.salt_length, name->ndata, name->length); >> +-- >> +2.35.6 >> + >> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p1.patch >> b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p1.patch >> new file mode 100644 >> index 0000000000..f78af9da11 >> --- /dev/null >> +++ b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p1.patch >> @@ -0,0 +1,341 @@ >> +From 81f8acc4bdf84eec6f53a65709b61ad3d963b4f7 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= <[email protected]> >> +Date: Tue, 3 Feb 2026 18:25:04 +0100 >> +Subject: [PATCH] Reproducer for CVE-2026-1519 >> + >> +When a validating resolver processes a delegation from a DNSSEC-signed >> +zone which uses too many NSEC3 iterations, it should cease the attempt >> +to validate due to an NSEC3 iteration limit being exceeded and fall back >> +to insecure. >> + >> +CVE: CVE-2026-1519 >> +Upstream-Status: Backport >> [https://gitlab.com/isc-projects/bind9/-/commit/2c82f99a3c95f356861d5977f12ef9bbe2063cb6] >> + >> +(cherry picked from commit 9bc14a89f1313aa38330e84674ac3b7691db3383) >> +(cherry picked from commit 2c82f99a3c95f356861d5977f12ef9bbe2063cb6) >> +Signed-off-by: Ashishkumar Parmar <[email protected]> >> +--- >> + .../system/nsec3-delegation/ns1/named.conf.j2 | 35 +++++++++++ >> + bin/tests/system/nsec3-delegation/ns1/root.db | 25 ++++++++ >> + .../ns2/iter-too-many.db.j2.manual | 31 ++++++++++ >> + .../system/nsec3-delegation/ns2/named.conf.j2 | 40 ++++++++++++ >> + .../nsec3-delegation/ns2/sub.iter-too-many.db | 24 ++++++++ >> + .../system/nsec3-delegation/ns3/named.conf.j2 | 37 +++++++++++ >> + .../nsec3-delegation/ns3/trusted.conf.j2 | 1 + >> + .../tests_excessive_nsec3_iterations.py | 61 +++++++++++++++++++ >> + 8 files changed, 254 insertions(+) >> + create mode 100644 bin/tests/system/nsec3-delegation/ns1/named.conf.j2 >> + create mode 100644 bin/tests/system/nsec3-delegation/ns1/root.db >> + create mode 100644 >> bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual >> + create mode 100644 bin/tests/system/nsec3-delegation/ns2/named.conf.j2 >> + create mode 100644 >> bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db >> + create mode 100644 bin/tests/system/nsec3-delegation/ns3/named.conf.j2 >> + create mode 120000 bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 >> + create mode 100644 >> bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py >> + >> +diff --git a/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 >> b/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 >> +new file mode 100644 >> +index 0000000000..65016d1c67 >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 >> +@@ -0,0 +1,35 @@ >> ++/* >> ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++ * >> ++ * SPDX-License-Identifier: MPL-2.0 >> ++ * >> ++ * This Source Code Form is subject to the terms of the Mozilla Public >> ++ * License, v. 2.0. If a copy of the MPL was not distributed with this >> ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++ * >> ++ * See the COPYRIGHT file distributed with this work for additional >> ++ * information regarding copyright ownership. >> ++ */ >> ++ >> ++options { >> ++ query-source address 10.53.0.1; >> ++ notify-source 10.53.0.1; >> ++ transfer-source 10.53.0.1; >> ++ port @PORT@; >> ++ pid-file "named.pid"; >> ++ listen-on { 10.53.0.1; }; >> ++ listen-on-v6 { none; }; >> ++ recursion no; >> ++ dnssec-validation no; >> ++}; >> ++ >> ++controls { >> ++ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; >> ++}; >> ++ >> ++include "../../_common/rndc.key"; >> ++ >> ++zone "." { >> ++ type primary; >> ++ file "root.db"; >> ++}; >> +diff --git a/bin/tests/system/nsec3-delegation/ns1/root.db >> b/bin/tests/system/nsec3-delegation/ns1/root.db >> +new file mode 100644 >> +index 0000000000..c3f80d0d4b >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns1/root.db >> +@@ -0,0 +1,25 @@ >> ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++; >> ++; SPDX-License-Identifier: MPL-2.0 >> ++; >> ++; This Source Code Form is subject to the terms of the Mozilla Public >> ++; License, v. 2.0. If a copy of the MPL was not distributed with this >> ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++; >> ++; See the COPYRIGHT file distributed with this work for additional >> ++; information regarding copyright ownership. >> ++ >> ++$TTL 300 >> ++. IN SOA . . ( >> ++ 2025063000 ; serial >> ++ 600 ; refresh >> ++ 600 ; retry >> ++ 1200 ; expire >> ++ 600 ; minimum >> ++ ) >> ++. NS a.root-servers.nil. >> ++ >> ++a.root-servers.nil A 10.53.0.1 >> ++ >> ++iter-too-many. NS ns2.iter-too-many. >> ++ns2.iter-too-many. A 10.53.0.2 >> +diff --git >> a/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual >> b/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual >> +new file mode 100644 >> +index 0000000000..fa5023d21b >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual >> +@@ -0,0 +1,31 @@ >> ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++; >> ++; SPDX-License-Identifier: MPL-2.0 >> ++; >> ++; This Source Code Form is subject to the terms of the Mozilla Public >> ++; License, v. 2.0. If a copy of the MPL was not distributed with this >> ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++; >> ++; See the COPYRIGHT file distributed with this work for additional >> ++; information regarding copyright ownership. >> ++ >> ++{% raw %} >> ++$TTL 300 >> ++@ IN SOA ns2.iter-too-many. hostmaster.iter-too-many. ( >> ++ 2026020300 ; serial >> ++ 20 ; refresh (20 seconds) >> ++ 20 ; retry (20 seconds) >> ++ 1814400 ; expire (3 weeks) >> ++ 3600 ; minimum (1 hour) >> ++) >> ++ >> ++@ IN NS ns2.iter-too-many. >> ++ns2 IN A 10.53.0.2 >> ++ >> ++sub IN NS ns2.sub.iter-too-many. >> ++ns2.sub IN A 10.53.0.2 >> ++{% endraw %} >> ++ >> ++{% for dnskey in dnskeys %} >> ++@dnskey@ >> ++{% endfor %} >> +diff --git a/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 >> b/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 >> +new file mode 100644 >> +index 0000000000..2f4823574f >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 >> +@@ -0,0 +1,40 @@ >> ++/* >> ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++ * >> ++ * SPDX-License-Identifier: MPL-2.0 >> ++ * >> ++ * This Source Code Form is subject to the terms of the Mozilla Public >> ++ * License, v. 2.0. If a copy of the MPL was not distributed with this >> ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++ * >> ++ * See the COPYRIGHT file distributed with this work for additional >> ++ * information regarding copyright ownership. >> ++ */ >> ++ >> ++options { >> ++ query-source address 10.53.0.2; >> ++ notify-source 10.53.0.2; >> ++ transfer-source 10.53.0.2; >> ++ port @PORT@; >> ++ pid-file "named.pid"; >> ++ listen-on { 10.53.0.2; }; >> ++ listen-on-v6 { none; }; >> ++ recursion no; >> ++ dnssec-validation no; >> ++}; >> ++ >> ++controls { >> ++ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; >> ++}; >> ++ >> ++include "../../_common/rndc.key"; >> ++ >> ++zone "iter-too-many" { >> ++ type primary; >> ++ file "iter-too-many.signed.db"; >> ++}; >> ++ >> ++zone "sub.iter-too-many" { >> ++ type primary; >> ++ file "sub.iter-too-many.db"; >> ++}; >> +diff --git a/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db >> b/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db >> +new file mode 100644 >> +index 0000000000..09b2bb6fb3 >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db >> +@@ -0,0 +1,24 @@ >> ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++; >> ++; SPDX-License-Identifier: MPL-2.0 >> ++; >> ++; This Source Code Form is subject to the terms of the Mozilla Public >> ++; License, v. 2.0. If a copy of the MPL was not distributed with this >> ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++; >> ++; See the COPYRIGHT file distributed with this work for additional >> ++; information regarding copyright ownership. >> ++ >> ++$TTL 300 >> ++@ IN SOA ns2.sub.iter-too-many. >> hostmaster.sub.iter-too-many. ( >> ++ 2026020300 ; serial >> ++ 20 ; refresh (20 seconds) >> ++ 20 ; retry (20 seconds) >> ++ 1814400 ; expire (3 weeks) >> ++ 3600 ; minimum (1 hour) >> ++) >> ++ >> ++@ IN NS ns2.sub.iter-too-many. >> ++ns2 IN A 10.53.0.2 >> ++ >> ++example IN A 127.0.0.1 >> +diff --git a/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 >> b/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 >> +new file mode 100644 >> +index 0000000000..e36b88c53e >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 >> +@@ -0,0 +1,37 @@ >> ++/* >> ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++ * >> ++ * SPDX-License-Identifier: MPL-2.0 >> ++ * >> ++ * This Source Code Form is subject to the terms of the Mozilla Public >> ++ * License, v. 2.0. If a copy of the MPL was not distributed with this >> ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++ * >> ++ * See the COPYRIGHT file distributed with this work for additional >> ++ * information regarding copyright ownership. >> ++ */ >> ++ >> ++options { >> ++ query-source address 10.53.0.3; >> ++ notify-source 10.53.0.3; >> ++ transfer-source 10.53.0.3; >> ++ port @PORT@; >> ++ pid-file "named.pid"; >> ++ listen-on { 10.53.0.3; }; >> ++ listen-on-v6 { none; }; >> ++ recursion yes; >> ++ dnssec-validation yes; >> ++}; >> ++ >> ++controls { >> ++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; >> ++}; >> ++ >> ++include "../../_common/rndc.key"; >> ++ >> ++zone "." { >> ++ type hint; >> ++ file "../../_common/root.hint"; >> ++}; >> ++ >> ++include "trusted.conf"; >> +diff --git a/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 >> b/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 >> +new file mode 120000 >> +index 0000000000..cb0be77b22 >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 >> +@@ -0,0 +1 @@ >> ++../../_common/trusted.conf.j2 >> +\ No newline at end of file >> +diff --git >> a/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py >> b/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py >> +new file mode 100644 >> +index 0000000000..f85384bb1e >> +--- /dev/null >> ++++ b/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py >> +@@ -0,0 +1,61 @@ >> ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") >> ++# >> ++# SPDX-License-Identifier: MPL-2.0 >> ++# >> ++# This Source Code Form is subject to the terms of the Mozilla Public >> ++# License, v. 2.0. If a copy of the MPL was not distributed with this >> ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. >> ++# >> ++# See the COPYRIGHT file distributed with this work for additional >> ++# information regarding copyright ownership. >> ++ >> ++from isctest.run import EnvCmd >> ++ >> ++import isctest >> ++ >> ++ >> ++def bootstrap(): >> ++ templates = isctest.template.TemplateEngine(".") >> ++ keygen = EnvCmd("KEYGEN", "-a ECDSA256") >> ++ signer = EnvCmd("SIGNER") >> ++ >> ++ isctest.log.info("setup iter-too-many.") >> ++ zonename = "iter-too-many." >> ++ ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip() >> ++ zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip() >> ++ ksk = isctest.kasp.Key(ksk_name, keydir="ns2") >> ++ zsk = isctest.kasp.Key(zsk_name, keydir="ns2") >> ++ dnskeys = [ksk.dnskey, zsk.dnskey] >> ++ >> ++ tdata = { >> ++ "dnskeys": dnskeys, >> ++ } >> ++ templates.render(f"ns2/{zonename}db", tdata, >> template=f"ns2/{zonename}db.j2.manual") >> ++ signer( >> ++ f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many >> -H 151 -S {zonename}db", >> ++ cwd="ns2", >> ++ ) >> ++ >> ++ return { >> ++ "trust_anchors": [ >> ++ ksk.into_ta("static-key"), >> ++ ], >> ++ } >> ++ >> ++ >> ++def test_excessive_nsec3_iterations_delegation(ns3): >> ++ # reproducer for CVE-2026-1519 [GL#5708] >> ++ zone = "example.sub.iter-too-many" >> ++ msg = isctest.query.create(zone, "A") >> ++ res = isctest.query.tcp(msg, ns3.ip) >> ++ >> ++ # an insecure response is expected regardless of the NSEC3 iteration >> limit, >> ++ # because the sub.iter-too-many. zone is unsigned. the real difference >> is >> ++ # in the CPU usage required for generating such response, but that >> can't be >> ++ # easily and reliably tested in an automated fashion >> ++ isctest.check.noerror(res) >> ++ >> ++ with ns3.watch_log_from_start() as watcher: >> ++ watcher.wait_for_line( >> ++ f"validating {zone}/A: validator_callback_ds: too many >> iterations" >> ++ ) >> +-- >> +2.35.6 >> + >> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p2.patch >> b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p2.patch >> new file mode 100644 >> index 0000000000..ee033b4b91 >> --- /dev/null >> +++ b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p2.patch >> @@ -0,0 +1,176 @@ >> +From e77c45ddae1ca87058244978868b6489610ca136 Mon Sep 17 00:00:00 2001 >> +From: Matthijs Mekking <[email protected]> >> +Date: Tue, 3 Mar 2026 10:40:36 +0100 >> +Subject: [PATCH] Check iterations in isdelegation() >> + >> +When looking up an NSEC3 as part of an insecurity proof, check the >> +number of iterations. If this is too high, treat the answer as insecure >> +by marking the answer with trust level "answer", indicating that they >> +did not validate, but could be cached as insecure. >> + >> +CVE: CVE-2026-1519 >> +Upstream-Status: Backport >> [https://gitlab.com/isc-projects/bind9/-/commit/85c21feff9acb0982fe60f2c88201bf55533bd0e] >> + >> +(cherry picked from commit 988040a5e02f86f4a8cdb0704e8d501f9082a89c) >> +(cherry picked from commit 85c21feff9acb0982fe60f2c88201bf55533bd0e) >> +Signed-off-by: Ashishkumar Parmar <[email protected]> >> +--- >> + lib/dns/validator.c | 64 +++++++++++++++++++++++++++++++++------------ >> + 1 file changed, 48 insertions(+), 16 deletions(-) >> + >> +diff --git a/lib/dns/validator.c b/lib/dns/validator.c >> +index 9ec13581ab..179b6590b5 100644 >> +--- a/lib/dns/validator.c >> ++++ b/lib/dns/validator.c >> +@@ -256,12 +256,25 @@ exit_check(dns_validator_t *val) { >> + } >> + >> + /*% >> +- * Look in the NSEC record returned from a DS query to see if there is >> +- * a NS RRset at this name. If it is found we are at a delegation point. >> ++ * The isdelegation() function is called as part of seeking the DS record. >> ++ * Look in the NSEC or NSEC3 record returned from a DS query to see if the >> ++ * record has the NS bitmap set. If so, we are at a delegation point. >> ++ * >> ++ * If the response contains NSEC3 records with too high iterations, we >> cannot >> ++ * (or rather we are not going to) validate the insecurity proof. Instead >> we >> ++ * are going to treat the message as insecure and just assume the DS was at >> ++ * the delegation. >> ++ * >> ++ * Returns: >> ++ *\li #ISC_R_SUCCESS the NS bitmap was set in the NSEC or NSEC3 >> record, or >> ++ * the NSEC3 covers the name (in case of opt-out), or >> ++ * we cannot validate the insecurity proof and are going >> ++ * to treat the message as isnecure. >> ++ *\li #ISC_R_NOTFOUND the NS bitmap was not set, >> + */ >> +-static bool >> +-isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, >> +- isc_result_t dbresult) { >> ++static isc_result_t >> ++isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t >> *rdataset, >> ++ isc_result_t dbresult, const char *caller) { >> + dns_fixedname_t fixed; >> + dns_label_t hashlabel; >> + dns_name_t nsec3name; >> +@@ -289,7 +302,7 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, >> + goto trynsec3; >> + } >> + if (result != ISC_R_SUCCESS) { >> +- return false; >> ++ return ISC_R_NOTFOUND; >> + } >> + } >> + >> +@@ -303,7 +316,7 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, >> + dns_rdata_reset(&rdata); >> + } >> + dns_rdataset_disassociate(&set); >> +- return found; >> ++ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND; >> + >> + trynsec3: >> + /* >> +@@ -342,6 +355,18 @@ trynsec3: >> + if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) { >> + continue; >> + } >> ++ /* >> ++ * If there are too many iterations assume bad things >> ++ * are happening and bail out early. Treat as if the >> ++ * DS was at the delegation. >> ++ */ >> ++ if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) { >> ++ validator_log(val, ISC_LOG_DEBUG(3), >> ++ "%s: too many iterations", >> ++ caller); >> ++ dns_rdataset_disassociate(&set); >> ++ return ISC_R_SUCCESS; >> ++ } >> + length = isc_iterated_hash( >> + hash, nsec3.hash, nsec3.iterations, nsec3.salt, >> + nsec3.salt_length, name->ndata, name->length); >> +@@ -353,7 +378,7 @@ trynsec3: >> + found = dns_nsec3_typepresent(&rdata, >> + dns_rdatatype_ns); >> + dns_rdataset_disassociate(&set); >> +- return found; >> ++ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND; >> + } >> + if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) { >> + continue; >> +@@ -369,12 +394,12 @@ trynsec3: >> + memcmp(hash, nsec3.next, length) < 0))) >> + { >> + dns_rdataset_disassociate(&set); >> +- return true; >> ++ return ISC_R_SUCCESS; >> + } >> + } >> + dns_rdataset_disassociate(&set); >> + } >> +- return found; >> ++ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND; >> + } >> + >> + /*% >> +@@ -590,8 +615,9 @@ fetch_callback_ds(isc_task_t *task, isc_event_t *event) >> { >> + } else if (eresult == DNS_R_SERVFAIL) { >> + goto unexpected; >> + } else if (eresult != DNS_R_CNAME && >> +- isdelegation(devent->foundname, &val->frdataset, >> +- eresult)) >> ++ isdelegation(val, devent->foundname, &val->frdataset, >> ++ eresult, >> ++ "fetch_callback_ds") == ISC_R_SUCCESS) >> + { >> + /* >> + * Failed to find a DS while trying to prove >> +@@ -755,10 +781,13 @@ validator_callback_ds(isc_task_t *task, isc_event_t >> *event) { >> + dns_trust_totext(val->frdataset.trust)); >> + have_dsset = (val->frdataset.type == dns_rdatatype_ds); >> + name = dns_fixedname_name(&val->fname); >> ++ >> + if ((val->attributes & VALATTR_INSECURITY) != 0 && >> + val->frdataset.covers == dns_rdatatype_ds && >> + NEGATIVE(&val->frdataset) && >> +- isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) >> ++ isdelegation(val, name, &val->frdataset, >> ++ DNS_R_NCACHENXRRSET, >> ++ "validator_callback_ds") == ISC_R_SUCCESS) >> + { >> + result = markanswer(val, "validator_callback_ds", >> + "no DS and this is a delegation"); >> +@@ -2590,7 +2619,8 @@ validate_nx(dns_validator_t *val, bool resume) { >> + result = findnsec3proofs(val); >> + if (result == DNS_R_NSEC3ITERRANGE) { >> + validator_log(val, ISC_LOG_DEBUG(3), >> +- "too many iterations"); >> ++ "%s: too many iterations", >> ++ __func__); >> + markanswer(val, "validate_nx (3)", NULL); >> + return ISC_R_SUCCESS; >> + } >> +@@ -2626,7 +2656,7 @@ validate_nx(dns_validator_t *val, bool resume) { >> + result = findnsec3proofs(val); >> + if (result == DNS_R_NSEC3ITERRANGE) { >> + validator_log(val, ISC_LOG_DEBUG(3), >> +- "too many iterations"); >> ++ "%s: too many iterations", __func__); >> + markanswer(val, "validate_nx (4)", NULL); >> + return ISC_R_SUCCESS; >> + } >> +@@ -2833,7 +2863,9 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { >> + return ISC_R_COMPLETE; >> + } >> + >> +- if (isdelegation(tname, &val->frdataset, result)) { >> ++ result = isdelegation(val, tname, &val->frdataset, result, >> ++ "seek_ds"); >> ++ if (result == ISC_R_SUCCESS) { >> + *resp = markanswer(val, "seek_ds (3)", >> + "this is a delegation"); >> + return ISC_R_COMPLETE; >> +-- >> +2.35.6 >> + >> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p3.patch >> b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p3.patch >> new file mode 100644 >> index 0000000000..0473f40752 >> --- /dev/null >> +++ b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p3.patch >> @@ -0,0 +1,52 @@ >> +From 87c7c1aa7c648f15d57810afb198db709aa08ad3 Mon Sep 17 00:00:00 2001 >> +From: Matthijs Mekking <[email protected]> >> +Date: Tue, 3 Mar 2026 11:17:25 +0100 >> +Subject: [PATCH] Don't verify already trusted rdatasets >> + >> +If we already marked an rdataset as secure (or it has even stronger >> +trust), there is no need to cryptographically verify it again. >> + >> +CVE: CVE-2026-1519 >> +Upstream-Status: Backport >> [https://gitlab.com/isc-projects/bind9/-/commit/8890a91c1c16129333139b9d8a4381e0f741f0d6] >> + >> +(cherry picked from commit 0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce) >> +(cherry picked from commit 8890a91c1c16129333139b9d8a4381e0f741f0d6) >> +Signed-off-by: Ashishkumar Parmar <[email protected]> >> +--- >> + lib/dns/include/dns/types.h | 1 + >> + lib/dns/validator.c | 7 +++++++ >> + 2 files changed, 8 insertions(+) >> + >> +diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h >> +index 8ddcbeb4e2..bd9623058a 100644 >> +--- a/lib/dns/include/dns/types.h >> ++++ b/lib/dns/include/dns/types.h >> +@@ -352,6 +352,7 @@ enum { >> + ((x) == dns_trust_additional || (x) == dns_trust_pending_additional) >> + #define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue) >> + #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer) >> ++#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure) >> + >> + /*% >> + * Name checking severities. >> +diff --git a/lib/dns/validator.c b/lib/dns/validator.c >> +index 179b6590b5..47efd3940f 100644 >> +--- a/lib/dns/validator.c >> ++++ b/lib/dns/validator.c >> +@@ -1523,6 +1523,13 @@ verify(dns_validator_t *val, dst_key_t *key, >> dns_rdata_t *rdata, >> + bool ignore = false; >> + dns_name_t *wild; >> + >> ++ if (DNS_TRUST_SECURE(val->event->rdataset->trust)) { >> ++ /* >> ++ * This RRset was already verified before. >> ++ */ >> ++ return ISC_R_SUCCESS; >> ++ } >> ++ >> + val->attributes |= VALATTR_TRIEDVERIFY; >> + wild = dns_fixedname_initname(&fixed); >> + again: >> +-- >> +2.35.6 >> + >> diff --git a/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p4.patch >> b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p4.patch >> new file mode 100644 >> index 0000000000..fd5d1afcd7 >> --- /dev/null >> +++ b/meta/recipes-connectivity/bind/bind/CVE-2026-1519_p4.patch >> @@ -0,0 +1,59 @@ >> +From 52b1997275768884d46c648b40f2ea625c386d17 Mon Sep 17 00:00:00 2001 >> +From: Matthijs Mekking <[email protected]> >> +Date: Tue, 3 Mar 2026 11:43:23 +0100 >> +Subject: [PATCH] Check RRset trust in validate_neg_rrset() >> + >> +In many places we only create a validator if the RRset has too low >> +trust (the RRset is pending validation, or could not be validated >> +before). This check was missing prior to validating negative response >> +data. >> + >> +CVE: CVE-2026-1519 >> +Upstream-Status: Backport >> [https://gitlab.com/isc-projects/bind9/-/commit/85fcd704e2f7cc2a25d2195bc4bb28398c889ed3] >> + >> +(cherry picked from commit 6ca67f65cd685cf8699540a852c1e3775bd48d64) >> +(cherry picked from commit 85fcd704e2f7cc2a25d2195bc4bb28398c889ed3) >> +Signed-off-by: Ashishkumar Parmar <[email protected]> >> +--- >> + lib/dns/validator.c | 17 +++++++++++++---- >> + 1 file changed, 13 insertions(+), 4 deletions(-) >> + >> +diff --git a/lib/dns/validator.c b/lib/dns/validator.c >> +index 47efd3940f..7db102062b 100644 >> +--- a/lib/dns/validator.c >> ++++ b/lib/dns/validator.c >> +@@ -2463,6 +2463,17 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t >> *name, >> + } >> + } >> + >> ++ if (rdataset->type != dns_rdatatype_nsec && >> ++ DNS_TRUST_SECURE(rdataset->trust)) >> ++ { >> ++ /* >> ++ * The negative response data is already verified. >> ++ * We skip NSEC records, because they require special >> ++ * processing in validator_callback_nsec(). >> ++ */ >> ++ return DNS_R_CONTINUE; >> ++ } >> ++ >> + val->currentset = rdataset; >> + result = create_validator(val, name, rdataset->type, rdataset, >> + sigrdataset, validator_callback_nsec, >> +@@ -2573,11 +2584,9 @@ validate_ncache(dns_validator_t *val, bool resume) { >> + } >> + >> + result = validate_neg_rrset(val, name, rdataset, sigrdataset); >> +- if (result == DNS_R_CONTINUE) { >> +- continue; >> ++ if (result != DNS_R_CONTINUE) { >> ++ return result; >> + } >> +- >> +- return result; >> + } >> + if (result == ISC_R_NOMORE) { >> + result = ISC_R_SUCCESS; >> +-- >> +2.35.6 >> + >> diff --git a/meta/recipes-connectivity/bind/bind_9.18.44.bb >> b/meta/recipes-connectivity/bind/bind_9.18.44.bb >> index d424edcb4e..9c8b73dccc 100644 >> --- a/meta/recipes-connectivity/bind/bind_9.18.44.bb >> +++ b/meta/recipes-connectivity/bind/bind_9.18.44.bb >> @@ -18,6 +18,11 @@ SRC_URI = >> "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ >> >> file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ >> >> file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ >> file://0001-avoid-start-failure-with-bind-user.patch \ >> + file://CVE-2026-1519_p1.patch \ >> + file://CVE-2026-1519-dependent.patch \ >> + file://CVE-2026-1519_p2.patch \ >> + file://CVE-2026-1519_p3.patch \ >> + file://CVE-2026-1519_p4.patch \ >> " >> >> SRC_URI[sha256sum] = >> "81f5035a25c576af1a93f0061cf70bde6d00a0c7bd1274abf73f5b5389a6f82d" -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240246): https://lists.openembedded.org/g/openembedded-core/message/240246 Mute This Topic: https://lists.openembedded.org/mt/119737287/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
