Accepting request 507232 from home:simotek:branches:network

- Added bind-CVE-2017-3142-and-3143.patch to fix a security issue where an attacker with the ability to send and receive messages to an authoritative DNS server was able to circumvent TSIG authentication of AXFR requests. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into (1) providing an AXFR of a zone to an unauthorized recipient and (2) accepting bogus Notify packets. [bsc#1046554, CVE-2017-3142, bsc#1046555, CVE-2017-3143] OBS-URL: https://build.opensuse.org/request/show/507232 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=211
2017-06-30 10:58:48 +00:00
parent 7b1425a23f
commit 43448a770a
3 changed files with 510 additions and 0 deletions
--- a/bind.spec
+++ b/bind.spec
@@ -47,6 +47,7 @@ Patch53:        bind-sdb-ldap.patch
 Patch101:       runidn.diff
 Patch102:       idnkit-powerpc-ltconfig.patch
 Patch103:       bind-CVE-2017-3135.patch
+Patch104:       bind-CVE-2017-3142-and-3143.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libmysqlclient-devel
@@ -384,6 +385,7 @@ Name Domain (BIND) DNS server is found in the package named bind.
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1
+%patch104 -p1

 # use the year from source gzip header instead of current one to make reproducible rpms
 year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{S:0})