diff --git a/baselibs.conf b/baselibs.conf index cf1c221..cbca18b 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,5 +1,5 @@ libbind9-140 -libdns160 +libdns161 libidnkit1 libidnkitlite1 libidnkitres1 @@ -13,13 +13,13 @@ liblwres141 bind-devel requires -bind- requires "libbind9-140- = " - requires "libdns160- = " + requires "libdns161- = " requires "libirs141- = " requires "libisc148- = " requires "libisccc140- = " requires "libisccfg140- = " requires "liblwres141- = " idnkit-devel - requires "libdns160- = " + requires "libdns161- = " requires "libidnkit1- = " requires "libidnkitlite1- = " diff --git a/bind-9.10.2-P2.tar.gz b/bind-9.10.2-P2.tar.gz new file mode 100644 index 0000000..dc1ea88 --- /dev/null +++ b/bind-9.10.2-P2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b1e6f0af88634aaf48fb9d06bbf82968264f49b8e2685f061dd3fd4c1ab76c5f +size 8469608 diff --git a/bind-9.10.2-P2.tar.gz.asc b/bind-9.10.2-P2.tar.gz.asc new file mode 100644 index 0000000..2bba1cf --- /dev/null +++ b/bind-9.10.2-P2.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (NetBSD) + +iQEcBAABAgAGBQJViUjjAAoJEG+m68mRGkwCiNkH/3bVmB4iAOCK6wXU+K4OmQ/h +IbOIMwCqkhbuBguDnw8sO9IiKfOEuQUbW2DrBJUiDPEROnW9xe2G7AppfpVEpMuV +ORJOgW4z5UwF3pwONbO7f9bSJzSYbbvDM/QMVjyaQoq2yjd9QEsVYE385C6vZ6y3 +JXWMzO2Y+XgZgeGNJItQFSaJf4IwCb3Cj+BwpZwyU9rVsTX50YkW/D4yQxKkH7r6 +pmHb3iZuytcM60A+cxsMraCAnui9Yn9mDSoozaE2W+ohisF4ifQLqsHwhYYW5VrG +I3/ujBBPj3VokaLs/l/GBTFYBVm/RitDgily6p8rCvbiIKA6bZOTsKhVgaflVwE= +=Gq06 +-----END PGP SIGNATURE----- diff --git a/bind-9.10.2.tar.gz b/bind-9.10.2.tar.gz deleted file mode 100644 index 14ac1ea..0000000 --- a/bind-9.10.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6f9bb7908aa45c1edfa391e356fc0afc1ded175386cdefb6cf9e1289f7457a98 -size 8481111 diff --git a/bind-9.10.2.tar.gz.asc b/bind-9.10.2.tar.gz.asc deleted file mode 100644 index f661dce..0000000 
--- a/bind-9.10.2.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) - -iQEcBAABAgAGBQJU7cGfAAoJEG+m68mRGkwCjI4H/2wkIzyXFeRtDiqZbci94llj -7ecXQjx3OFya/eu5bqcR3ov55KcDcu/OjR9sagiLoBlenmX9ITHKyGMWPjvUjBrD -ZaSE89seWg8e3Gq0bODv5IMi3rnlxdGSUE+8bSJu8mhlDywc77KLMpvj/6wJAgNs -M56N9KGTPUkvpxJVUGPzIFIn6tWpeZJh/hu9Tw/cXtHcpQajunnWufX5jVFZXoPz -5Dp/02jJ9JMWTua1URDAE5rITa5KwFajdz+epocoaI+9/athoK9xNAeIzYxMl78L -hT9FDi1SNpOO+zBaGiMUEOnzK457ljwA0z9OFlBSYtzXBPIhwxDbYIkNqcaoKT8= -=eKOZ ------END PGP SIGNATURE----- diff --git a/bind-sdb-ldap.patch b/bind-sdb-ldap.patch index 0e5fbe0..f67a745 100644 --- a/bind-sdb-ldap.patch +++ b/bind-sdb-ldap.patch @@ -19,7 +19,7 @@ Index: bin/named/main.c =================================================================== --- bin/named/main.c.orig 2013-12-20 01:28:28.000000000 +0100 +++ bin/named/main.c 2014-01-23 18:45:19.059680008 +0100 -@@ -85,6 +85,7 @@ +@@ -91,6 +91,7 @@ * Include header files for database drivers here. */ /* #include "xxdb.h" */ @@ -27,7 +27,7 @@ Index: bin/named/main.c #ifdef CONTRIB_DLZ /* -@@ -1016,6 +1017,7 @@ +@@ -1064,6 +1065,7 @@ * Add calls to register sdb drivers here. */ /* xxdb_init(); */ @@ -35,7 +35,7 @@ Index: bin/named/main.c #ifdef ISC_DLZ_DLOPEN /* -@@ -1056,6 +1058,7 @@ +@@ -1104,6 +1106,7 @@ * Add calls to unregister sdb drivers here. */ /* xxdb_clear(); */ diff --git a/bind.changes b/bind.changes index ad0945a..04ce00d 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Fri Jul 10 18:02:41 UTC 2015 - lmuelle@suse.com
+
+- Update to version 9.10.2-P2
+ - An uninitialized value in validator.c could result in an assertion failure.
+ (CVE-2015-4620) [RT #39795]
+- Update to version 9.10.2-P1
+ - Include client-ip rules when logging the number of RPZ rules of each type.
+ [RT #39670]
+ - Addressed further problems with reloading RPZ zones. [RT #39649]
+ - Addressed a regression introduced in change #4121. [RT #39611]
+ - The server could match a shorter prefix than what was available in
+ CLIENT-IP policy triggers, and so, an unexpected action could be taken.
+ This has been corrected. [RT #39481]
+ - On servers with one or more policy zones configured as slaves, if a policy
+ zone updated during regular operation (rather than at startup) using a full
+ zone reload, such as via AXFR, a bug could allow the RPZ summary data to
+ fall out of sync, potentially leading to an assertion failure in rpz.c when
+ further incremental updates were made to the zone, such as via IXFR.
+ [RT #39567]
+ - A bug in RPZ could cause the server to crash if policy zones were updated
+ while recursion was pending for RPZ processing of an active query.
+ [RT #39415]
+ - Fix a bug in RPZ that could cause some policy zones that did not
+ specifically require recursion to be treated as if they did; consequently,
+ setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]
+ - Asynchronous zone loads were not handled correctly when the zone load was
+ already in progress; this could trigger a crash in zt.c. [RT #37573]
+ - Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't
+ result in a bug during operation. If the read failed, named could segfault.
+ [RT #38559]
+
 -------------------------------------------------------------------
 Wed May 13 09:35:40 UTC 2015 - hguo@suse.com
 
diff --git a/bind.spec b/bind.spec
index 0e15c59..38da6e3 100644
--- a/bind.spec +++ b/bind.spec @@ -18,8 +18,8 @@ Name: bind %define pkg_name bind -%define pkg_vers 9.10.2 -%define rpm_vers 9.10.2 +%define pkg_vers 9.10.2-P2 +%define rpm_vers 9.10.2P2 %define idn_vers 1.0 Summary: Domain Name System (DNS) Server (named) License: ISC @@ -140,13 +140,13 @@ Release: 0 This library contains a few utility functions used by the BIND server and utilities. -%package -n libdns160 +%package -n libdns161 Summary: DNS library used by BIND Group: System/Libraries Version: %rpm_vers Release: 0 -%description -n libdns160 +%description -n libdns161 This subpackage contains the "DNS client" module. This is a higher level API that provides an interface to name resolution, single DNS transaction with a particular server, and dynamic update. Regarding @@ -297,7 +297,7 @@ Group: Development/Libraries/C and C++ Version: %rpm_vers Release: 0 Requires: libbind9-140 = %version -Requires: libdns160 = %version +Requires: libdns161 = %version Requires: libirs141 = %version Requires: libisc148 = %version Requires: libisccc140 = %version @@ -726,8 +726,8 @@ fi %post -n libbind9-140 -p /sbin/ldconfig %postun -n libbind9-140 -p /sbin/ldconfig -%post -n libdns160 -p /sbin/ldconfig -%postun -n libdns160 -p /sbin/ldconfig +%post -n libdns161 -p /sbin/ldconfig +%postun -n libdns161 -p /sbin/ldconfig %post -n libidnkit1 -p /sbin/ldconfig %postun -n libidnkit1 -p /sbin/ldconfig %post -n libidnkitlite1 -p /sbin/ldconfig @@ -865,9 +865,9 @@ fi %defattr(-,root,root) %_libdir/libbind9.so.140* -%files -n libdns160 +%files -n libdns161 %defattr(-,root,root) -%_libdir/libdns.so.160* +%_libdir/libdns.so.161* %files -n libidnkit1 %defattr(-,root,root) diff --git a/dns_dynamic_db.patch b/dns_dynamic_db.patch index d1144f8..0660ab9 100644 --- a/dns_dynamic_db.patch +++ b/dns_dynamic_db.patch 
@@ -102,7 +102,7 @@ diff -rupN bind-9.10.1-P1-orig/bin/named/server.c bind-9.10.1-P1-patched/bin/nam disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { isc_result_t result; const cfg_obj_t *algorithms; -@@ -2329,6 +2396,7 @@ configure_view(dns_view_t *view, dns_vie +@@ -2335,6 +2402,7 @@ configure_view(dns_view_t *view, dns_vie const cfg_obj_t *dlz; unsigned int dlzargc; char **dlzargv; @@ -110,7 +110,7 @@ diff -rupN bind-9.10.1-P1-orig/bin/named/server.c bind-9.10.1-P1-patched/bin/nam const cfg_obj_t *disabled; const cfg_obj_t *obj; const cfg_listelt_t *element; -@@ -2605,6 +2673,8 @@ configure_view(dns_view_t *view, dns_vie +@@ -2611,6 +2679,8 @@ configure_view(dns_view_t *view, dns_vie } } @@ -119,7 +119,7 @@ diff -rupN bind-9.10.1-P1-orig/bin/named/server.c bind-9.10.1-P1-patched/bin/nam /* * Obtain configuration parameters that affect the decision of whether * we can reuse/share an existing cache. -@@ -3607,6 +3677,37 @@ configure_view(dns_view_t *view, dns_vie +@@ -3613,6 +3683,37 @@ configure_view(dns_view_t *view, dns_vie dns_view_setrootdelonly(view, ISC_FALSE); /* @@ -157,7 +157,7 @@ diff -rupN bind-9.10.1-P1-orig/bin/named/server.c bind-9.10.1-P1-patched/bin/nam * Setup automatic empty zones. If recursion is off then * they are disabled by default. */ -@@ -5349,6 +5450,7 @@ load_configuration(const char *filename, +@@ -5355,6 +5456,7 @@ load_configuration(const char *filename, cfg_aclconfctx_detach(&ns_g_aclconfctx); CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx)); @@ -165,7 +165,7 @@ diff -rupN bind-9.10.1-P1-orig/bin/named/server.c bind-9.10.1-P1-patched/bin/nam /* * Parse the global default pseudo-config file. */ -@@ -6556,6 +6658,8 @@ shutdown_server(isc_task_t *task, isc_ev +@@ -6562,6 +6664,8 @@ shutdown_server(isc_task_t *task, isc_ev dns_view_detach(&view); }