diff --git a/doc/arm/conf.py b/doc/arm/conf.py index be3b0cc901..cc0a3e1ffe 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py @@ -40,6 +40,44 @@ except ImportError: GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/" +KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/" + + +# Custom Sphinx role enabling automatic hyperlinking to security advisory in +# ISC Knowledgebase +class CVERefRole(ReferenceRole): + def __init__(self, base_url: str) -> None: + self.base_url = base_url + super().__init__() + + def run(self) -> Tuple[List[Node], List[system_message]]: + cve_identifier = "(CVE-%s)" % self.target + + target_id = "index-%s" % self.env.new_serialno("index") + entries = [ + ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None) + ] + + index = addnodes.index(entries=entries) + target = nodes.target("", "", ids=[target_id]) + self.inliner.document.note_explicit_target(target) + + try: + refuri = self.base_url + "cve-%s" % self.target + reference = nodes.reference( + "", "", internal=False, refuri=refuri, classes=["cve"] + ) + if self.has_explicit_title: + reference += nodes.strong(self.title, self.title) + else: + reference += nodes.strong(cve_identifier, cve_identifier) + except ValueError: + error_text = "invalid ISC Knowledgebase identifier %s" % self.target + msg = self.inliner.reporter.error(error_text, line=self.lineno) + prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) + return [prb], [msg] + + return [index, target, reference], [] # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. @@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole): def setup(app): + roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL)) roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL)) app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index c26dbb6dde..3ec2fffb91 100644 --- a/doc/arm/reference.rst 
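Review bot: The `except ValueError:` branch in the new `CVERefRole.run()` is unreachable, because nothing in the `try` body can raise it — `%` formatting and `nodes.reference(...)` accept any `self.target` — so a mistyped or arbitrary role target is silently rendered as a link to `https://kb.isc.org/docs/cve-<target>` instead of reaching the "invalid ISC Knowledgebase identifier" error. The GitLab role presumably gets its ValueError from an `int()` conversion that this role has no equivalent of; its body lies outside the hunk, so that part is inferred. Make the error path real by validating the identifier first inside the `try`, e.g. `if not re.fullmatch(r"\d{4}-\d{4,}", self.target):` / `raise ValueError(self.target)`, which needs `re` imported at the top of conf.py (outside this hunk) if it is not already. The class comment would also read better as `# Custom Sphinx role enabling automatic hyperlinking to security advisories in the ISC Knowledgebase`.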
+++ b/doc/arm/reference.rst @@ -4052,8 +4052,7 @@ Tuning :short: Sets the resolver's lame cache. This is always set to 0. More information is available in the - `security advisory for CVE-2021-25219 - `_. + security advisory for :cve:`2021-25219`. .. namedconf:statement:: servfail-ttl :tags: server diff --git a/doc/notes/notes-9.19.1.rst b/doc/notes/notes-9.19.1.rst index dd778fb212..9e364bcd7b 100644 --- a/doc/notes/notes-9.19.1.rst +++ b/doc/notes/notes-9.19.1.rst @@ -20,7 +20,7 @@ Security Fixes DNS-over-HTTPS (DoH) clients. This has been fixed. ISC would like to thank Thomas Amgarten from arcade solutions ag for - bringing this vulnerability to our attention. (CVE-2022-1183) + bringing this vulnerability to our attention. :cve:`2022-1183` :gl:`#3216` New Features diff --git a/doc/notes/notes-9.19.14.rst b/doc/notes/notes-9.19.14.rst index 3a270e5d79..102a7f4d83 100644 --- a/doc/notes/notes-9.19.14.rst +++ b/doc/notes/notes-9.19.14.rst @@ -17,7 +17,7 @@ Security Fixes - The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured :any:`max-cache-size` limit. - (CVE-2023-2828) + :cve:`2023-2828` ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, diff --git a/doc/notes/notes-9.19.17.rst b/doc/notes/notes-9.19.17.rst index 7081fa3e71..23f40700a9 100644 --- a/doc/notes/notes-9.19.17.rst +++ b/doc/notes/notes-9.19.17.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing :iscman:`named` to terminate unexpectedly. - This has been fixed. (CVE-2023-3341) + This has been fixed. :cve:`2023-3341` ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. :gl:`#4152` 
diff --git a/doc/notes/notes-9.19.5.rst b/doc/notes/notes-9.19.5.rst index 86c5a89be0..6095a15da4 100644 --- a/doc/notes/notes-9.19.5.rst +++ b/doc/notes/notes-9.19.5.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of :iscman:`named` running as a - recursive resolver. This has been fixed. (CVE-2022-2795) + recursive resolver. This has been fixed. :cve:`2022-2795` ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing @@ -27,20 +27,20 @@ Security Fixes - When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. - (CVE-2022-2881) :gl:`#3493` + :cve:`2022-2881` :gl:`#3493` - Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with - OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` + OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491` - :iscman:`named` running as a resolver with the :any:`stale-answer-client-timeout` option set to ``0`` could crash with an assertion failure, when there was a stale CNAME in the cache - for the incoming query. This has been fixed. (CVE-2022-3080) + for the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517` - Memory leaks were fixed that could be externally triggered in the - DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178` :gl:`#3487` New Features diff --git a/doc/notes/notes-9.19.9.rst b/doc/notes/notes-9.19.9.rst index 14a773f508..65a4e711ed 100644 --- a/doc/notes/notes-9.19.9.rst +++ b/doc/notes/notes-9.19.9.rst 
@@ -19,14 +19,14 @@ Security Fixes available memory. This flaw was addressed by adding a new :any:`update-quota` option that controls the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a - queue at any given time (default: 100). (CVE-2022-3094) + queue at any given time (default: 100). :cve:`2022-3094` ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. :gl:`#3523` - :iscman:`named` could crash with an assertion failure when an RRSIG query was received and :any:`stale-answer-client-timeout` was set to a - non-zero value. This has been fixed. (CVE-2022-3736) + non-zero value. This has been fixed. :cve:`2022-3736` ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to @@ -36,7 +36,7 @@ Security Fixes :any:`stale-answer-client-timeout` option set to any value greater than ``0`` could crash with an assertion failure, when the :any:`recursive-clients` soft quota was reached. This has been fixed. - (CVE-2022-3924) + :cve:`2022-3924` ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. :gl:`#3619`