diff --git a/Makefile.in.diff b/Makefile.in.diff
deleted file mode 100644
index 7063cbc..0000000
--- a/Makefile.in.diff
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: bind-9.14.7/bin/named/Makefile.in
-===================================================================
---- bind-9.14.7.orig/bin/named/Makefile.in
-+++ bind-9.14.7/bin/named/Makefile.in
-@@ -173,8 +173,7 @@ installdirs:
-
- install:: named@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
-- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
-- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
-+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done
-
- uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bind-9.16.3.tar.xz b/bind-9.16.3.tar.xz
deleted file mode 100644
index b88f203..0000000
--- a/bind-9.16.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:27ac6513de5f8d0db34b9f241da53baa15a14b2ad21338d0cde0826eaf564f7e
-size 4573044
diff --git a/bind-9.16.3.tar.xz.sha512.asc b/bind-9.16.3.tar.xz.sha512.asc
deleted file mode 100644
index c40ba02..0000000
--- a/bind-9.16.3.tar.xz.sha512.asc
+++ /dev/null
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEElc7aJWscoKFfMC+1lSGn7V2s6RgFAl61B08ACgkQlSGn7V2s -6RhTuRAAls+mHx7QLKqb9cdDVssaXD5agWhLCgNoeC199W2fUzbvQv7c33mSx5BW -fdX0M//ngLfkvPe7IP0ggqrcnX2GB/i6VIGWl/yKJyxxyfgCyY2k9u094/S9NcaO -//e7hPRE8x9DcVBZTW8LmMMagULhtALeJlqUCeSq7554vMZgzn0wCx7EJnQC82oH -UD60Qq7TAIr5Uqziqc0Hu7yas1HEzrYBOGjsACFE1z1VJXXELyuZgq80yNj3GyRM -W6sy+OS1VobMXt/PQ6qbvQWf+62HppJ2rijpEcKKNEmHtrncvCjsPvuRjbYc1C+O -VULijbTBjxvFdvjYGNNKsShiI/OzBzHxyyZdkhhZqfzAwfuGNLIhXywVxhyo20Li -XhG2Sz7E7RIkyPqzxLQtiAoe0pGUDm+oC7rx5htZLSbQDZK/6xuxG0+wNuEHaJPS -LGYi3nLZ9U4wlXYZaEiIO2h0MlymN2XPf33sHxZYwSIhtUTGATAWKzodyQ72s1Fv -kB00w1AHdKyegxZ/ygwiIQeC4fFUwTRMG1HJ+gkmXNpRfMlkXMJdUuQHcdN19p1+ -/h0N0r1B5hu7sTwQTjPm0dh5kYeOts5WBd2CRterIajaLL3TYQ0QuKJ7/GKVJBWm -ynp9eVT/XYjnHVv9bs64Q50hO0c8wignw1Q7WzmXuhhb9J6AsB4= -=Trz0 ------END PGP SIGNATURE----- diff --git a/bind-9.16.4.tar.xz b/bind-9.16.4.tar.xz new file mode 100644 index 0000000..133ebbb --- /dev/null +++ b/bind-9.16.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7522088d3daac8bcabaae37998178e09139ef5ccae6631cb1d8a625b770f370a +size 3465172 diff --git a/bind-9.16.4.tar.xz.sha512.asc b/bind-9.16.4.tar.xz.sha512.asc new file mode 100644 index 0000000..0d1976a --- /dev/null +++ b/bind-9.16.4.tar.xz.sha512.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEElc7aJWscoKFfMC+1lSGn7V2s6RgFAl7n+iQACgkQlSGn7V2s +6RiDpg/+Mol/YWQ+0qLcfhqfRQaIxFdwUo2cXNEdu2Qo36owPGmXCWZbczjNUF1Y +mGp0PAfPH854P/ihtHTEBybZlFq65KcI0WI7eRdF95ao0+XmxFdT0Jxs064d4ts2 +PWXap/NCl+u8y9rErkB+8g+xUru94T+Ezh40msP0Yb8W56+b3fi1UOrBZOSEaIY0 +2m2uZFigM0ztHwcmY9AvXujIDpryzcMKQAE7KBEB7uVVfRATDi3siaGzRH4ZqGZb +cUNPtBYSpIv+6fp1o4J78tXCiPPLRaKx9971i1FBEFoQqyhmARvbjb7q1egWeY1X +s10oFH28/2FR8HvNmzBL6iipwIMs5NZNE5XlLB0otN9JjN+1YVCwmFbXUfToZDxT +Uo1ddYP9KNwxiPLgscG5ZqyPZHnGdBVkD0V//lNShYyFJX0jNBv+yrCrNDOABby/ +C/E7E54XtfQMDAa56jqHmVb/wMkF4DBye3zWDaq4FH0z023EU/EmckgsGfqzBjm/ +ITyzAml0aWSF/XaFPiVn0OioYVuxi+n2VLcy8YwfU2TIEjGVVa8GE2WTPBsoV0r5 +X6b0kF43+7l6904orHQeLCz6pZTfhV8YBHoyUzb+biAlBUzvmB7pKGmo+WVka1lm +JYNQEFsel0tzIFu8p3A9PojSIElSz66NQZZBJaQz3vsXlwPb0rs= +=4/Ft +-----END PGP SIGNATURE----- diff --git a/bind.changes b/bind.changes index bc81e4a..9b1663d 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Thu Jun 18 06:35:35 UTC 2020 - Josef Möllers + +- Upgrade to version bind-9.16.4 + Fixing two security problems: + * It was possible to trigger an INSIST when determining + whether a record would fit into a TCP message buffer. + (CVE-2020-8618) + * It was possible to trigger an INSIST in + lib/dns/rbtdb.c:new_reference() with a particular zone + content and query patterns. (CVE-2020-8619) + Also the following functional changes: + * Reject DS records at the zone apex when loading + master files. Log but otherwise ignore attempts to + add DS records at the zone apex via UPDATE. + * The default value of "max-stale-ttl" has been changed + from 1 week to 12 hours. + * Zone timers are now exported via statistics channel. + Thanks to Paul Frieden, Verizon Media. + Added support for idn2 to spec file (Thanks to Holger Bruenjes + ). + More internal changes see the CHANGES file in the source RPM + This update obsoletes Makefile.in.diff + [bsc#1172958, CVE-2020-8618, CVE-2020-8619, Makefile.in.diff + bind.spec] + ------------------------------------------------------------------- Fri May 15 13:43:46 UTC 2020 - Josef Möllers diff --git a/bind.spec b/bind.spec index 764f776..967ad5b 100644 --- a/bind.spec +++ b/bind.spec @@ -60,7 +60,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.3 +Version: 9.16.4 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -79,7 +79,6 @@ Source60: dlz-schema.txt Source70: bind.conf Source71: bind-chrootenv.conf Source72: named.conf -Patch1: Makefile.in.diff Patch51: pie_compile.diff Patch52: named-bootconf.diff Patch56: bind-ldapdump-use-valid-host.patch 
@@ -95,7 +94,7 @@ BuildRequires: python3-ply BuildRequires: update-desktop-files BuildRequires: pkgconfig(json) BuildRequires: pkgconfig(krb5) -BuildRequires: pkgconfig(libidn) +BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libmaxminddb) BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libxml-2.0) @@ -274,7 +273,6 @@ This package provides a module which allows commands to be sent to rndc directly %prep %setup -q -a1 -%patch1 -p1 %patch51 -p1 %patch52 -p1 %patch56 -p1 @@ -311,6 +309,7 @@ export CFLAGS="%{optflags} -DNO_VERSION_DATE" --with-libtool \ --with-libxml2 \ --with-libjson \ + --with-libidn2 \ --with-dlz-mysql \ --with-dlz-ldap \ --with-randomdev=/dev/urandom \ @@ -521,7 +520,6 @@ fi %{_mandir}/man8/named-checkconf.8%{ext_man} %{_mandir}/man8/named-checkzone.8%{ext_man} %{_mandir}/man8/named.8%{ext_man} -%{_mandir}/man8/named-compilezone.8%{ext_man} %{_mandir}/man8/filter-aaaa.8%{ext_man} %dir %{_datadir}/bind %{_datadir}/bind/createNamedConfInclude @@ -643,6 +641,7 @@ fi %{_mandir}/man1/mdig.1%{ext_man} %{_mandir}/man1/nslookup.1%{ext_man} %{_mandir}/man1/nsupdate.1%{ext_man} +%{_mandir}/man1/dnstap-read.1%{ext_man} %{_mandir}/man5/rndc.conf.5%{ext_man} %{_mandir}/man8/ddns-confgen.8%{ext_man} %{_mandir}/man8/dnssec-dsfromkey.8%{ext_man} @@ -657,13 +656,13 @@ fi %{_mandir}/man8/dnssec-coverage.8%{ext_man} %{_mandir}/man8/dnssec-keymgr.8%{ext_man} %{_mandir}/man8/dnssec-cds.8%{ext_man} +%{_mandir}/man8/named-nzd2nzf.8%{ext_man} # %%{_mandir}/man8/genrandom.8%%{ext_man} # %%{_mandir}/man8/isc-hmac-fixup.8%%{ext_man} %{_mandir}/man8/named-journalprint.8%{ext_man} %{_mandir}/man8/nsec3hash.8%{ext_man} %{_mandir}/man8/rndc.8%{ext_man} %{_mandir}/man8/rndc-confgen.8%{ext_man} -%{_mandir}/man8/tsig-keygen.8%{ext_man} %files -n python3-bind %{python3_sitelib}/isc diff --git a/pie_compile.diff b/pie_compile.diff index 3e9f791..96a6854 100644 --- a/pie_compile.diff +++ b/pie_compile.diff 
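Review bot: In the `%files` hunk at `-657,13` the entry `%{_mandir}/man8/tsig-keygen.8%{ext_man}` is deleted outright (as is `named-compilezone.8` in the `-521,7` hunk), while the same list keeps earlier dropped pages as commented-out lines (`# %%{_mandir}/man8/genrandom.8%%{ext_man}`), and the bind.changes entry says nothing about man pages. Whether the `tsig-keygen` and `named-compilezone` programs are still packaged is not visible in this diff; if they are, they now install without a manual page. I would record the reason in the changelog, e.g. `Adjusted man page list: named-compilezone.8 and tsig-keygen.8 dropped, dnstap-read.1 and named-nzd2nzf.8 added (<reason>)`, so the next version bump can tell a deliberate drop from a build regression.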
@@ -1,7 +1,7 @@ -Index: bind-9.14.7/bin/Makefile.in +Index: bind-9.16.4/bin/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/Makefile.in -+++ bind-9.14.7/bin/Makefile.in +--- bind-9.16.4.orig/bin/Makefile.in ++++ bind-9.16.4/bin/Makefile.in @@ -15,4 +15,8 @@ SUBDIRS = named rndc dig delv dnssec too @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests TARGETS = @@ -11,13 +11,13 @@ Index: bind-9.14.7/bin/Makefile.in @BIND9_MAKE_RULES@ + +LDFLAGS += -pie -Index: bind-9.14.7/bin/check/Makefile.in +Index: bind-9.16.4/bin/check/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/check/Makefile.in -+++ bind-9.14.7/bin/check/Makefile.in -@@ -51,8 +51,12 @@ HTMLPAGES = named-checkconf.html named-c - - MANOBJS = ${MANPAGES} ${HTMLPAGES} +--- bind-9.16.4.orig/bin/check/Makefile.in ++++ bind-9.16.4/bin/check/Makefile.in +@@ -46,8 +46,12 @@ TARGETS = named-checkconf@EXEEXT@ named- + # Alphabetically + SRCS = named-checkconf.c named-checkzone.c check-tool.c +EXT_CFLAGS = -fPIE -static + @@ -28,11 +28,11 @@ Index: bind-9.14.7/bin/check/Makefile.in named-checkconf.@O@: named-checkconf.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ -Index: bind-9.14.7/bin/confgen/Makefile.in +Index: bind-9.16.4/bin/confgen/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/confgen/Makefile.in -+++ bind-9.14.7/bin/confgen/Makefile.in -@@ -61,8 +61,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +--- bind-9.16.4.orig/bin/confgen/Makefile.in ++++ bind-9.16.4/bin/confgen/Makefile.in +@@ -55,8 +55,12 @@ TARGETS = rndc-confgen@EXEEXT@ ddns-conf UOBJS = unix/os.@O@ 
@@ -45,10 +45,10 @@ Index: bind-9.14.7/bin/confgen/Makefile.in rndc-confgen.@O@: rndc-confgen.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \ -Index: bind-9.14.7/bin/confgen/unix/Makefile.in +Index: bind-9.16.4/bin/confgen/unix/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/confgen/unix/Makefile.in -+++ bind-9.14.7/bin/confgen/unix/Makefile.in +--- bind-9.16.4.orig/bin/confgen/unix/Makefile.in ++++ bind-9.16.4/bin/confgen/unix/Makefile.in @@ -25,4 +25,8 @@ SRCS = os.c TARGETS = ${OBJS} @@ -58,13 +58,13 @@ Index: bind-9.14.7/bin/confgen/unix/Makefile.in @BIND9_MAKE_RULES@ + +LDFLAGS += -pie -Index: bind-9.14.7/bin/dig/Makefile.in +Index: bind-9.16.4/bin/dig/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/dig/Makefile.in -+++ bind-9.14.7/bin/dig/Makefile.in -@@ -62,10 +62,14 @@ HTMLPAGES = dig.html host.html nslookup. +--- bind-9.16.4.orig/bin/dig/Makefile.in ++++ bind-9.16.4/bin/dig/Makefile.in +@@ -57,10 +57,14 @@ UOBJS = - MANOBJS = ${MANPAGES} ${HTMLPAGES} + SRCS = dig.c dighost.c host.c nslookup.c +EXT_CFLAGS = -fPIE -static + @@ -77,13 +77,13 @@ Index: bind-9.14.7/bin/dig/Makefile.in dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \ export LIBS0="${DNSLIBS} ${IRSLIBS}"; \ -Index: bind-9.14.7/bin/dnssec/Makefile.in +Index: bind-9.16.4/bin/dnssec/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/dnssec/Makefile.in -+++ bind-9.14.7/bin/dnssec/Makefile.in -@@ -59,8 +59,12 @@ HTMLPAGES = dnssec-cds.html dnssec-dsfro - - MANOBJS = ${MANPAGES} ${HTMLPAGES} +--- bind-9.16.4.orig/bin/dnssec/Makefile.in ++++ bind-9.16.4/bin/dnssec/Makefile.in +@@ -50,8 +50,12 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c + dnssec-settime.c dnssec-signzone.c dnssec-verify.c \ + dnssectool.c +EXT_CFLAGS = -fPIE -static + 
@@ -94,13 +94,13 @@ Index: bind-9.14.7/bin/dnssec/Makefile.in dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ ${FINALBUILDCMD} -Index: bind-9.14.7/bin/named/Makefile.in +Index: bind-9.16.4/bin/named/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/named/Makefile.in -+++ bind-9.14.7/bin/named/Makefile.in -@@ -117,8 +117,12 @@ HTMLPAGES = named.html named.conf.html - - MANOBJS = ${MANPAGES} ${HTMLPAGES} +--- bind-9.16.4.orig/bin/named/Makefile.in ++++ bind-9.16.4/bin/named/Makefile.in +@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \ + tkeyconf.c tsigconf.c zoneconf.c \ + ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} +EXT_CFLAGS = -fPIE -static + @@ -111,11 +111,11 @@ Index: bind-9.14.7/bin/named/Makefile.in main.@O@: main.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ -Index: bind-9.14.7/bin/named/unix/Makefile.in +Index: bind-9.16.4/bin/named/unix/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/named/unix/Makefile.in -+++ bind-9.14.7/bin/named/unix/Makefile.in -@@ -26,4 +26,8 @@ SRCS = os.c dlz_dlopen_driver.c +--- bind-9.16.4.orig/bin/named/unix/Makefile.in ++++ bind-9.16.4/bin/named/unix/Makefile.in +@@ -27,4 +27,8 @@ SRCS = os.c dlz_dlopen_driver.c TARGETS = ${OBJS} @@ -124,13 +124,13 @@ Index: bind-9.14.7/bin/named/unix/Makefile.in @BIND9_MAKE_RULES@ + +LDFLAGS += -pie -Index: bind-9.14.7/bin/nsupdate/Makefile.in +Index: bind-9.16.4/bin/nsupdate/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/nsupdate/Makefile.in -+++ bind-9.14.7/bin/nsupdate/Makefile.in -@@ -64,8 +64,12 @@ HTMLPAGES = nsupdate.html +--- bind-9.16.4.orig/bin/nsupdate/Makefile.in ++++ bind-9.16.4/bin/nsupdate/Makefile.in +@@ -59,8 +59,12 @@ UOBJS = - MANOBJS = ${MANPAGES} ${HTMLPAGES} + SRCS = nsupdate.c +EXT_CFLAGS = -fPIE -static + 
@@ -141,13 +141,13 @@ Index: bind-9.14.7/bin/nsupdate/Makefile.in nsupdate.@O@: nsupdate.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \ -Index: bind-9.14.7/bin/rndc/Makefile.in +Index: bind-9.16.4/bin/rndc/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/rndc/Makefile.in -+++ bind-9.14.7/bin/rndc/Makefile.in -@@ -51,8 +51,12 @@ HTMLPAGES = rndc.html rndc.conf.html +--- bind-9.16.4.orig/bin/rndc/Makefile.in ++++ bind-9.16.4/bin/rndc/Makefile.in +@@ -45,8 +45,12 @@ SRCS= rndc.c - MANOBJS = ${MANPAGES} ${HTMLPAGES} + TARGETS = rndc@EXEEXT@ +EXT_CFLAGS = -fPIE -static + @@ -158,13 +158,13 @@ Index: bind-9.14.7/bin/rndc/Makefile.in rndc.@O@: rndc.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ -Index: bind-9.14.7/bin/tools/Makefile.in +Index: bind-9.16.4/bin/tools/Makefile.in =================================================================== ---- bind-9.14.7.orig/bin/tools/Makefile.in -+++ bind-9.14.7/bin/tools/Makefile.in -@@ -61,8 +61,12 @@ HTMLPAGES = arpaname.html dnstap-read.ht - - MANOBJS = ${MANPAGES} ${HTMLPAGES} +--- bind-9.16.4.orig/bin/tools/Makefile.in ++++ bind-9.16.4/bin/tools/Makefile.in +@@ -54,8 +54,12 @@ SRCS = arpaname.c named-journalprint.c + nsec3hash.c mdig.c \ + @DNSTAPSRCS@ @NZDSRCS@ +EXT_CFLAGS = -fPIE -static +