From fe313f6991faaf20af4c5c9ce68146f1bc57d3d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Wed, 25 Sep 2024 15:51:28 +0200
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 bind revision 5611014a1cd1e4302729c582d8f43f18

---
 bind-9.18.24.tar.xz | 3 --
 bind-9.18.24.tar.xz.asc | 16 ------
 bind-9.20.0.tar.xz | 3 ++
 bind-9.20.0.tar.xz.asc | 16 ++++++
 bind.changes | 111 ++++++++++++++++++++++++++++++++++++++++
 bind.spec | 13 ++---
 vendor-files.tar.bz2 | 4 +-
 7 files changed, 136 insertions(+), 30 deletions(-)
 delete mode 100644 bind-9.18.24.tar.xz
 delete mode 100644 bind-9.18.24.tar.xz.asc
 create mode 100644 bind-9.20.0.tar.xz
 create mode 100644 bind-9.20.0.tar.xz.asc
diff --git a/bind-9.18.24.tar.xz b/bind-9.18.24.tar.xz
deleted file mode 100644
index 16769ca..0000000
--- a/bind-9.18.24.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:709d73023c9115ddad3bab65b6c8c79a590196d0d114f5d0ca2533dbd52ddf66
-size 5515528
diff --git a/bind-9.18.24.tar.xz.asc b/bind-9.18.24.tar.xz.asc
deleted file mode 100644
index d53f88a..0000000
--- a/bind-9.18.24.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmXI5VgACgkQUQpkKgbF
-LOwcMA/+Ow94NYy2xIcuN2bqLtZLnfM8tWU3NL/mUJed/iYp//Q0CI3Q6pnLmPVY
-1j5trMDmNGcDHFg1RN4GKtsZmRm4icjANyuqYA7Bcqb2Qr7cezbkbpGrY6AI7ex/
-wGtt5+OL+1aZgAQWZV35XVmyW7c+HJ1zQc28Ctfh7pRwOU+sit7OGvTSZZVPaY/Q
-CzyOQnLE2lqpTZzcUT7m/ohHW7mYkf4GN+xRXuvD/TyAE+h3XetYdK03C8+lRY/y
-r6KbucVG2hm/6L5u00s2mPMH68vTidQiT1YPMMHcWSAXZ51OcVJdLCg5CVCnXDIJ
-O8PoUIs7cxvUstfdRGie7vyCwqsk9fwgH/9M+81OreizdxX7G/orKyzIfiBRxcMw
-UHpuc0bMfZ3CWigo79q1FdXaSpC+RA+noBqoDJS6/eMl9M0mFOUwuNIsDbTqHoRK
-tGJu9xFz4vjgisXIuXCyNEJfvzESRl/w7fAs90sumMiVrjxWw7JXAUsZfaMNQhI5
-LQedp+SGtrXQLUqLJe/nHeAKSuXKvf6ftgs5/nVBmLS/KPRfnciysDd7Vuu5+lFB
-FrEQ4b6m80H7W0kwRdqPEiFcGGS3Zsiyi1SAERMudsoR/JiDGVMuSRuulRwJVQw4
-rpylvX+yCy7VRXQIIo4K65TAWtHLnld3Lp1fnrmHbzL9ZrE2exE=
-=CnZp
------END PGP SIGNATURE-----
diff --git a/bind-9.20.0.tar.xz b/bind-9.20.0.tar.xz
new file mode 100644
index 0000000..f897452
--- /dev/null
+++ b/bind-9.20.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc580998017b51f273964058e8cb3aa5482bc785243dea71e5556ec565a13347
+size 5760416
diff --git a/bind-9.20.0.tar.xz.asc b/bind-9.20.0.tar.xz.asc
new file mode 100644
index 0000000..06c6146
--- /dev/null
+++ b/bind-9.20.0.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmaNMyYACgkQUQpkKgbF
+LOzwnBAAgICQ7MC0rkXZxD/8X3vatdpDZ4MkUvkhOR+J4kkKWBuSqZJQvuWA8XeS
+/rycCHWFeUf3V9Wj6XbCPa1l4eV5rAnSVJtHHoDoK9Tt/1H6HCd0v2b270a9q1pU
+ra5Jdi/ZP76iRYAAse8FpRymMcjEk/aXnnnOsCACOY8MNvxC83mmrciPJJxloEBy
+9zGPGzkvnYTM1H/qSR0GrUsGLtzKPiXbvtsRo9jI3f8kL9Tdxw9IlmH0OY14L26L
+QKgaFC4Sa3J2PmELLCORtvUEDeKi9FAG9+6ua3h7ork2n/cARmOhvmZ8FFgLlB1e
+7GSWCMujw+h44vNJrz1w14Bm1sN3k9PgY34i7ter/WA6ZTFDIWyhQh5tHrbjsdyv
+DTlE8EvVNIg4fYMCew57yedXqzWO6bavwFlsiPyjXyG9+k9xSeQEYuuLGismF3gQ
+AGXPyUUAiqhnyQd1uCf8qK5sgkH39+g5TRFl5oSvZavOAr/GtzsNhAo5Ii5ia8qL
+mUVESk+Jyl4/rKJAAMwWtdl8mk8RYx1BF0XAG/mnvC81HBcuiu5aRBa5N3p8Kg+W
+cUMPOjDhXn90pxEcD1MSg6nH1P0sVVOYWaQvJ1FtzKUp7JKNJus0yjgQarF5VI/l
+7VSUi36dGSlDyM4EvspS/KAnItErzA8Vn40R9x8qbmzjD1Ka5LU=
+=wneo
+-----END PGP SIGNATURE-----
diff --git a/bind.changes b/bind.changes
index 44b0fd4..5356d3c 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,114 @@
+-------------------------------------------------------------------
+Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg
+
+- Update to new major version 9.20.0
+ For a complete list of all changes see:
+ * https://bind9.readthedocs.io/en/v9.20.0/notes.html
+ * The CHANGES file in the source RPM
+
+ Some noteworthy changes:
+ * Added new BuildRequires liburcu for lock free data structures.
+ * A new DNSSEC tool dnssec-ksr has been added to create Key
+ Signing Request (KSR) and Signed Key Response (SKR) files.
+ * /etc/bind.keys and /var/lib/named/named.root.key have been
+ removed as the correct defaults are pre-compiled and there is
+ no need to configure bind.keys manually.
+ * The functions that were in the libbind9 shared library have
+ been moved to the libisc and libisccfg libraries. The now-empty
+ libbind9 has been removed and is no longer installed.
+ * The irs_resconf module has been moved to the libdns shared
+ library. The now-empty libirs library has been removed and is
+ no longer installed.
+
+ Security Fixes:
+ * A malicious DNS client that sent many queries over TCP but
+ never read the responses could cause a server to respond slowly
+ or not at all for other clients. This has been fixed.
+ (CVE-2024-0760)
+ [bsc#1228255]
+ * It is possible to craft excessively large resource records
+ sets, which have the effect of slowing down database
+ processing. This has been addressed by adding a configurable
+ limit to the number of records that can be stored per name and
+ type in a cache or zone database. The default is 100, which can
+ be tuned with the new max-records-per-type option.
+ * It is possible to craft excessively large numbers of resource
+ record types for a given owner name, which has the effect of
+ slowing down database processing. This has been addressed by
+ adding a configurable limit to the number of records that can
+ be stored per name and type in a cache or zone database. The
+ default is 100, which can be tuned with the new
+ max-types-per-name option. (CVE-2024-1737)
+ [bsc#1228256]
+ * Validating DNS messages signed using the SIG(0) protocol (RFC
+ 2931) could cause excessive CPU load, leading to a
+ denial-of-service condition. Support for SIG(0) message
+ validation was removed from this version of named.
+ (CVE-2024-1975)
+ [bsc#1228257]
+ * Due to a logic error, lookups that triggered serving stale data
+ and required lookups in local authoritative zone data could
+ have resulted in an assertion failure. This has been fixed.
+ * Potential data races were found in our DoH implementation,
+ related to HTTP/2 session object management and endpoints set
+ object management after reconfiguration. These issues have been
+ fixed.
+ * When looking up the NS records of parent zones as part of
+ looking up DS records, it was possible for named to trigger an
+ assertion failure if serve-stale was enabled. This has been
+ fixed. (CVE-2024-4076)
+ [bsc#1228258]
+
+-------------------------------------------------------------------
+Fri May 17 16:05:37 UTC 2024 - Jorik Cronenberg
+
+- Update to release 9.18.27
+ New Features:
+ * A new option signatures-jitter has been added to dnssec-policy
+ to allow signature expirations to be spread out over a period
+ of time.
+
+ Feature Changes:
+ * DNSSEC signatures that are not valid because the current time
+ falls outside the signature inception and expiration dates are
+ skipped instead of causing an immediate validation failure.
+
+-------------------------------------------------------------------
+Sun Apr 21 21:17:19 UTC 2024 - Jorik Cronenberg
+
+- Update to release 9.18.26
+ New Features:
+ * The statistics channel now includes counters that indicate the
+ number of currently connected TCP IPv4/IPv6 clients.
+ * Added RESOLVER.ARPA to the built in empty zones.
+
+ Bug Fixes:
+ * Changes to listen-on statements were ignored on reconfiguration
+ unless the port or interface address was changed, making it
+ impossible to change a related listener transport type. That
+ issue has been fixed.
+ * A bug in the keymgr code unintentionally slowed down some
+ DNSSEC key rollovers. This has been fixed.
+ * Some ISO 8601 durations were accepted erroneously, leading to
+ shorter durations than expected. This has been fixed.
+
+-------------------------------------------------------------------
+Wed Mar 20 13:39:16 UTC 2024 - Jorik Cronenberg
+
+- Update to release 9.18.25
+ Bug Fixes:
+ * A regression in cache-cleaning code enabled memory use to grow
+ significantly more quickly than before, until the configured
+ max-cache-size limit was reached. This has been fixed.
+ * Using rndc flush inadvertently caused cache cleaning to become
+ less effective. This could ultimately lead to the configured
+ max-cache-size limit being exceeded and has now been fixed.
+ * The logic for cleaning up expired cached DNS records was
+ tweaked to be more aggressive. This change helps with enforcing
+ max-cache-ttl and max-ncache-ttl in a timely manner. [GL #4591]
+ * It was possible to trigger a use-after-free assertion when the
+ overmem cache cleaning was initiated. This has been fixed.
+
 -------------------------------------------------------------------
 Tue Feb 13 15:15:21 UTC 2024 - Jorik Cronenberg
 
diff --git a/bind.spec b/bind.spec
index 5c889fe..e007f55 100644
--- a/bind.spec
+++ b/bind.spec
@@ -56,7 +56,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: bind
-Version: 9.18.24
+Version: 9.20.0
 Release: 0
 Summary: Domain Name System (DNS) Server (named)
 License: MPL-2.0
@@ -92,6 +92,7 @@ BuildRequires: pkgconfig(krb5)
 BuildRequires: pkgconfig(libidn2)
 BuildRequires: pkgconfig(libmaxminddb)
 BuildRequires: pkgconfig(libnghttp2)
+BuildRequires: pkgconfig(liburcu)
 BuildRequires: pkgconfig(libuv)
 BuildRequires: pkgconfig(libxml-2.0)
 Requires: %{name}-utils
@@ -375,7 +376,6 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
 install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
 install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
 install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
- install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key
 install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d
 %else
 for file in named; do
@@ -422,7 +422,6 @@ done
 # ---------------------------------------------------------------------------
 # remove useless Makefiles and Makefile skeletons
 find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} +
-install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key
 %if %{with_systemd}
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
@@ -532,7 +531,6 @@ fi
 %config %{_var}/lib/named/root.hint
 %config %{_var}/lib/named/127.0.0.zone
 %config %{_var}/lib/named/localhost.zone
-%config %{_var}/lib/named/named.root.key
 %dir %{_libexecdir}/bind
 %{_libexecdir}/bind/named.prep
 %dir %{_libdir}/bind-plugins
@@ -571,7 +569,6 @@ fi
 %files utils
 %dir %{_sysconfdir}/named.d
 %config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf
-%config(noreplace) %{_sysconfdir}/bind.keys
 %dir %{_sysconfdir}/openldap
 %dir %{_sysconfdir}/openldap/schema
 %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/dnszone.schema
@@ -594,20 +591,17 @@ fi
 %{_bindir}/dnssec-verify
 %{_bindir}/dnssec-cds
 %{_bindir}/dnstap-read
+%{_bindir}/dnssec-ksr
 %{_sbindir}/ddns-confgen
 %{_sbindir}/rndc
 %{_sbindir}/rndc-confgen
 %{_sbindir}/tsig-keygen
-%{_libdir}/libbind9-%{version}.so
 %{_libdir}/libdns-%{version}.so
-%{_libdir}/libirs-%{version}.so
 %{_libdir}/libisc-%{version}.so
 %{_libdir}/libisccc-%{version}.so
 %{_libdir}/libisccfg-%{version}.so
 %{_libdir}/libns-%{version}.so
-%{_libdir}/libbind9.so
 %{_libdir}/libdns.so
-%{_libdir}/libirs.so
 %{_libdir}/libisc.so
 %{_libdir}/libisccc.so
 %{_libdir}/libisccfg.so
@@ -634,6 +628,7 @@ fi
 %{_mandir}/man1/named-journalprint.1%{ext_man}
 %{_mandir}/man1/nsec3hash.1%{ext_man}
 %{_mandir}/man1/dnstap-read.1%{ext_man}
+%{_mandir}/man1/dnssec-ksr.1.gz
 %{_mandir}/man5/rndc.conf.5%{ext_man}
 %{_mandir}/man8/ddns-confgen.8%{ext_man}
 %{_mandir}/man8/rndc.8%{ext_man}
diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2
index 2103b2e..054df8a 100644
--- a/vendor-files.tar.bz2
+++ b/vendor-files.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7d4bca3adb71c0b663fe751ab13abb8e14548585338014a0f106f330fc4d1039
-size 20398
+oid sha256:4e9c271e4e1c7d9a7fef8ac8afb01986aa037c6c020ed52a6d19cb7d093a7f3f
+size 20084
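Review bot: The added man-page entry `%{_mandir}/man1/dnssec-ksr.1.gz` in the bind.spec hunk `@@ -634,6 +628,7 @@` hard-codes the `.gz` suffix, while every neighbouring entry in the list uses `%{ext_man}`. If man pages are compressed with a different suffix on some build target, this entry would presumably not match the installed file and the package build would stop on an unpackaged or missing file. Writing it as `%{_mandir}/man1/dnssec-ksr.1%{ext_man}` keeps it consistent with the rest of the list. The `%files` list this line belongs to starts and ends outside the hunk.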