diff --git a/doc/arm/conf.py b/doc/arm/conf.py index 6224f0fbb3..8e209bee3e 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py @@ -40,6 +40,44 @@ except ImportError: GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/" +KNOWLEDGEBASE_BASE_URL = "https://kb.isc.org/docs/" + + +# Custom Sphinx role enabling automatic hyperlinking to security advisory in +# ISC Knowledgebase +class CVERefRole(ReferenceRole): + def __init__(self, base_url: str) -> None: + self.base_url = base_url + super().__init__() + + def run(self) -> Tuple[List[Node], List[system_message]]: + cve_identifier = "(CVE-%s)" % self.target + + target_id = "index-%s" % self.env.new_serialno("index") + entries = [ + ("single", "ISC Knowledgebase; " + cve_identifier, target_id, "", None) + ] + + index = addnodes.index(entries=entries) + target = nodes.target("", "", ids=[target_id]) + self.inliner.document.note_explicit_target(target) + + try: + refuri = self.base_url + "cve-%s" % self.target + reference = nodes.reference( + "", "", internal=False, refuri=refuri, classes=["cve"] + ) + if self.has_explicit_title: + reference += nodes.strong(self.title, self.title) + else: + reference += nodes.strong(cve_identifier, cve_identifier) + except ValueError: + error_text = "invalid ISC Knowledgebase identifier %s" % self.target + msg = self.inliner.reporter.error(error_text, line=self.lineno) + prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) + return [prb], [msg] + + return [index, target, reference], [] # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. @@ -84,6 +122,7 @@ class GitLabRefRole(ReferenceRole): def setup(app): + roles.register_local_role("cve", CVERefRole(KNOWLEDGEBASE_BASE_URL)) roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL)) app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 02f111e513..1a60db6479 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -4281,8 +4281,7 @@ Tuning :short: Sets the resolver's lame cache. This is always set to 0. More information is available in the - `security advisory for CVE-2021-25219 - `_. + security advisory for :cve:`2021-25219`. .. namedconf:statement:: servfail-ttl :tags: server diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst index f76369b4fa..f0cfe773f1 100644 --- a/doc/notes/notes-9.18.1.rst +++ b/doc/notes/notes-9.18.1.rst @@ -17,7 +17,7 @@ Security Fixes - The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records - outside the configured bailiwick. (CVE-2021-25220) + outside the configured bailiwick. :cve:`2021-25220` ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and @@ -26,18 +26,18 @@ Security Fixes - TCP connections with :any:`keep-response-order` enabled could leave the TCP sockets in the ``CLOSE_WAIT`` state when the client did not - properly shut down the connection. (CVE-2022-0396) :gl:`#3112` + properly shut down the connection. :cve:`2022-0396` :gl:`#3112` - Lookups involving a DNAME could trigger an assertion failure when :any:`synth-from-dnssec` was enabled (which is the default). - (CVE-2022-0635) + :cve:`2022-0635` ISC would like to thank Vincent Levigneron from AFNIC for bringing this vulnerability to our attention. :gl:`#3158` - When chasing DS records, a timed-out or artificially delayed fetch could cause ``named`` to crash while resuming a DS lookup. - (CVE-2022-0667) :gl:`#3129` + :cve:`2022-0667` :gl:`#3129` Feature Changes ~~~~~~~~~~~~~~~ diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst index 3e44dc2d69..77ee344c94 100644 --- a/doc/notes/notes-9.18.11.rst +++ b/doc/notes/notes-9.18.11.rst @@ -19,14 +19,14 @@ Security Fixes available memory. This flaw was addressed by adding a new :any:`update-quota` option that controls the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a - queue at any given time (default: 100). (CVE-2022-3094) + queue at any given time (default: 100). :cve:`2022-3094` ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. :gl:`#3523` - :iscman:`named` could crash with an assertion failure when an RRSIG query was received and :any:`stale-answer-client-timeout` was set to a - non-zero value. This has been fixed. (CVE-2022-3736) + non-zero value. This has been fixed. :cve:`2022-3736` ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to @@ -36,7 +36,7 @@ Security Fixes :any:`stale-answer-client-timeout` option set to any value greater than ``0`` could crash with an assertion failure, when the :any:`recursive-clients` soft quota was reached. This has been fixed. - (CVE-2022-3924) + :cve:`2022-3924` ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. :gl:`#3619` diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst index 9ed090ca9c..d1350c1f68 100644 --- a/doc/notes/notes-9.18.16.rst +++ b/doc/notes/notes-9.18.16.rst @@ -17,7 +17,7 @@ Security Fixes - The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured :any:`max-cache-size` limit. - (CVE-2023-2828) + :cve:`2023-2828` ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, @@ -27,7 +27,7 @@ Security Fixes - A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for :iscman:`named` to enter an infinite callback - loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) + loop and crash due to stack overflow. This has been fixed. :cve:`2023-2911` :gl:`#4089` New Features diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst index 3d3c513fc9..9c3ebd8f8c 100644 --- a/doc/notes/notes-9.18.19.rst +++ b/doc/notes/notes-9.18.19.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing :iscman:`named` to terminate unexpectedly. - This has been fixed. (CVE-2023-3341) + This has been fixed. :cve:`2023-3341` ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. :gl:`#4152` @@ -26,7 +26,7 @@ Security Fixes - A flaw in the networking code handling DNS-over-TLS queries could cause :iscman:`named` to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been - fixed. (CVE-2023-4236) + fixed. :cve:`2023-4236` ISC would like to thank Robert Story from USC/ISI Root Server Operations for bringing this vulnerability to our attention. diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst index 09952c99e7..8ed2be6368 100644 --- a/doc/notes/notes-9.18.3.rst +++ b/doc/notes/notes-9.18.3.rst @@ -20,7 +20,7 @@ Security Fixes DNS-over-HTTPS (DoH) clients. This has been fixed. ISC would like to thank Thomas Amgarten from arcade solutions ag for - bringing this vulnerability to our attention. (CVE-2022-1183) + bringing this vulnerability to our attention. :cve:`2022-1183` :gl:`#3216` Known Issues diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst index dade98ed4d..5d46acd80c 100644 --- a/doc/notes/notes-9.18.7.rst +++ b/doc/notes/notes-9.18.7.rst @@ -18,7 +18,7 @@ Security Fixes - Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of :iscman:`named` running as a - recursive resolver. This has been fixed. (CVE-2022-2795) + recursive resolver. This has been fixed. :cve:`2022-2795` ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing @@ -27,20 +27,20 @@ Security Fixes - When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. - (CVE-2022-2881) :gl:`#3493` + :cve:`2022-2881` :gl:`#3493` - Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with - OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491` + OpenSSL 3.0.0 and later versions. :cve:`2022-2906` :gl:`#3491` - :iscman:`named` running as a resolver with the :any:`stale-answer-client-timeout` option set to ``0`` could crash with an assertion failure, when there was a stale CNAME in the cache - for the incoming query. This has been fixed. (CVE-2022-3080) + for the incoming query. This has been fixed. :cve:`2022-3080` :gl:`#3517` - Memory leaks were fixed that could be externally triggered in the - DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + DNSSEC verification code for the EdDSA algorithm. :cve:`2022-38178` :gl:`#3487` Feature Changes