Accepting request 963527 from home:jmoellers:branches:network

OBS-URL: https://build.opensuse.org/request/show/963527
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=338

bind-9.18.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:56525bf5caf01fd8fd9d90910880cc0f8a90a27a97d169187d651d4ecf0c411c
-size 5292320

bind-9.18.0.tar.xz.sha512.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmHv4ucACgkQxbTukxqf
-nf133g//c/DzUcbtmssrr13B2vPO0LKa/iGolgUqx5F8jdG6L6j68z9zxAGqGYe3
-FzWgkWfh1oHfdEjgu5ta7Orz3j+KnaAuZhGBCzYlSIGNcOjlopuQdZwFPpQKkT9n
-Ww/66FMN3QIWN9N7a7Ru6zBl0RwaYrIlmKY6tHIGUsjnXM9tUjxdz0YEhIfMkG6i
-HROIJxOhKqAu6Ty5VBHXs/Pede3wLik5dMGJoQ/hZC/vOXF5fjfUiy82HLIKYy+g
-2rkBFpUf32Oir3Aei2rJavaHOrtr5DX9F9pTtbW2Ga6XTPB6cEf1IkFPtMHtJswV
-NPZqCthQujyYknjDo7cZU25uUfmh4c6G9fPu4Xr9j4OVUC+1cdpNBzxf2SQ+PHGf
-Vq3WneoPSA5XfJ2M/5ebX+vFSbwQ2kmawee8g4OruZi8kAFx5ejhwm4LZTqe/tna
-Padejt1UE3YVhB5DyoZxMO55KU3W66ah6xhDJnoCFAXriAWO1dsL1AvI9kAtkrWT
-UJ3wFGGIqQAJO3wtvT3OC0LvaoF1Dv8riQfDVQ3UAFSdib919iGUK5uk9kadDccq
-hcVO4dDn/txM9ffZpUEdvy1wofLhDyVSZSknzuqmpoLVPYhzLAEztF6Y6TowXz7S
-yFjFtEgYrwnjPd1zPD9SusoptzxPrctz4gsHzkE3Gn6SBH07uBM=
-=gmx/
------END PGP SIGNATURE-----

bind-9.18.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57c7afd871694d615cb4defb1c1bd6ed023350943d7458414db8d493ef560427
+size 5059456

bind-9.18.1.tar.xz.sha512.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmInMmEACgkQxbTukxqf
+nf0KDhAAzQav7F0ouTLcDFz3NsTsLhodaofSFPPfBnFrq0Dxj2bInrbc8XVgQWQh
+9jkqjyjIiT45/uvlcxmuuLK9mJa95Nr+DieZgyQkam8pb6pNhqNYgmzNdn1/qVuO
+xNL5anl/or3FD1cnYU7Xa6K8AFWt0izNmUFmKz4lCir4tJbQxXIIY0yk7lS05OHl
++hYNvWsdtM7ry1dcixaOwY76vkFbK1H4zCLI+LM/5oDjmj/24VlZi+i4TRCfvTHG
+Iss15gI+UuLtYnj/DRLjamZGWKhBqPHj/Vo2jzlhy5ID3OJ43m6QxmXZeOFUW1rr
+GnL/cGKvi5aq7TcmVVY+w34kdPtdACjw9eZ/MjlTuAb0DtsI/EH4sux1/TNRwcVT
++Ojohd+QvU4f2uXjdC3iVHsuD4txaZBb096uXCk26/IQgWgWbbcJYtWqOj7Rnh5C
+YUWUhYDoyL5GbwqJ7BYf6X/wIqPmugBX1DtZpS7lJnVhOckpQNVPc2mjltw5LrI4
+2nkaDsZN7JR707JiTI8gFe4czBXzCY5FYNaAAZPjLI7FvfRQIRmxkrWr6e0PYKWE
+xyhrk73t0iacZfoO5uQr7lNIsrFPar7udFW3tfPCzFLfIcfUkFzeBY8ZStlSf33N
+axYFNmzB8iCH/MUgfRQc+9pkWHNEQqnOUNJGl0mewoNnp+qIgcQ=
+=f5BI
+-----END PGP SIGNATURE-----

bind-define-missing-threads.patch

@@ -1,10 +0,0 @@
---- bind-9.18.0.orig/contrib/dlz/modules/include/dlz_pthread.h	2022-01-24 09:28:57.521507091 +0100
-+++ bind-9.18.0/contrib/dlz/modules/include/dlz_pthread.h	2022-02-08 12:19:14.177179130 +0100
-@@ -18,6 +18,7 @@
- 
- #pragma once
- 
-+# define PTHREADS 1
- #include <pthread.h>
- #define dlz_mutex_t	  pthread_mutex_t
- #define dlz_mutex_init	  pthread_mutex_init

bind.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Thu Mar 17 07:28:25 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- * When using forwarders, bogus NS records supplied by, or via, those
+    forwarders may be cached and used by named if it needs to recurse
+    for any reason, causing it to obtain and pass on potentially
+    incorrect answers. [CVE-2021-25220]
+  * TCP connection slots may be consumed for an indefinite time frame
+    via a specifically crafted TCP stream sent from a client.
+    This issue can only be triggered on BIND servers which have
+    keep-response-order enabled, which is not the default configuration.
+    The keep-response-order option is an ACL block, and as such, any
+    hosts specified within it will be able to trigger this issue on
+    affected versions. [CVE-2022-0396]
+  * The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature
+    (synth-from-dnssec) had been refactored and the default has been
+    changed so that is now automatically enabled for dnssec-validating
+    resolvers. Subsequently it was found that repeated patterns of
+    specific queries to servers with this feature enabled could cause
+    an INSIST failure in query.c:query_dname which causes named to
+    terminate unexpectedly.
+    The vulnerability affects BIND resolvers running 9.18.0 that have
+    both dnssec-validation and synth-from-dnssec enabled. (Note that
+    dnssec-validation auto; is the default setting unless configured
+    otherwise in named.conf and that enabling dnssec-validation
+    automatically enables synth-from-dnssec unless explicitly disabled)
+    [CVE-2022-0635]
+  * The refactoring of the recursive client code introduced a
+    "backstop lifetime timer."
+    While BIND is processing a request for a DS record that needs to be
+    forwarded, it waits until this processing is complete or until the
+    backstop lifetime timer has timed out. When the resume_dslookup() function
+    is called as a result of such a timeout, the function does not test
+    whether the fetch has previously been shut down. This introduces the
+    possibility of triggering an assertion failure, which could cause the BIND
+    process to terminate. [CVE-2022-0667]
+  * Reset client TCP connection when data received cannot
+    be parsed as a valid DNS request.
+  For a complete list of changes, see
+  * Bind Release Notes
+    https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html
+  * The CHANGES file in the source RPM
+  This obsoletes bind-define-missing-threads.patch
+  [bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc,
+   bind-define-missing-threads.patch]
+
 -------------------------------------------------------------------
 Mon Jan 31 13:49:51 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
 

bind.spec

@@ -56,7 +56,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.18.0
+Version:        9.18.1
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@@ -75,8 +75,6 @@ Source70:       bind.conf
 # configuation file for systemd-sysusers
 Source72:       named.conf
 Patch56:        bind-ldapdump-use-valid-host.patch
-# Fix typos in the source code (that will be fixed in th next minor release)
-Patch57:        bind-define-missing-threads.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
@@ -150,16 +148,6 @@ test and query the Domain Name System (DNS) and also the libraries rquired
 for the base "bind" package. The Berkeley Internet
 Name Domain (BIND) DNS server is found in the package named bind.
 
-# 9.18.0 %package -n python3-bind
-# 9.18.0 Summary:        A module allowing rndc commands to be sent from Python programs
-# 9.18.0 Group:          Development/Languages/Python
-# 9.18.0 Requires:       python3
-# 9.18.0 Requires:       python3-ply
-# 9.18.0 BuildArch:      noarch
-
-# 9.18.0 %description -n python3-bind
-# 9.18.0 This package provides a module which allows commands to be sent to rndc directly from Python programs.
-
 %if %{with_modules_perl}
 %package modules-perl
 Summary:        A dynamically loadable zone (DLZ) plugin embedding a Perl interpreter in BIND
@@ -174,7 +162,7 @@ to be written to integrate with BIND and serve DNS data.
 
 %if %{with_modules_mysql}
 %package modules-mysql
-Summary:        DLZ (dynamically loadable zone) modules which store zone data in a MySQL database
+Summary:        DLZ modules which store zone data in a MySQL database
 Group:          Productivity/Networking/DNS/Servers
 BuildRequires:  libmysqlclient-devel
 
@@ -190,7 +178,7 @@ sends DNS NOTIFY packets to other name servers when appropriate.
 
 %if %{with_modules_ldap}
 %package modules-ldap
-Summary:        A DLZ (dynamically loadable zone) module which stores zone data in an LDAP directory
+Summary:        A DLZ module which stores zone data in an LDAP directory
 Group:          Productivity/Networking/DNS/Servers
 BuildRequires:  openldap2-devel
 
@@ -201,7 +189,7 @@ update support
 
 %if %{with_modules_bdbhpt}
 %package modules-bdbhpt
-Summary:        A DLZ (dynamically loadable zone) module which stores zone data in a BerkeleyDB
+Summary:        A DLZ module which stores zone data in a BerkeleyDB
 Group:          Productivity/Networking/DNS/Servers
 BuildRequires:  libdb-4_8-devel
 
@@ -212,7 +200,7 @@ update support
 
 %if %{with_modules_sqlite3}
 %package modules-sqlite3
-Summary:        A DLZ (dynamically loadable zone) module which stores zone data in an sqlite3 db
+Summary:        A DLZ module which stores zone data in an sqlite3 db
 Group:          Productivity/Networking/DNS/Servers
 BuildRequires:  sqlite3-devel
 
@@ -223,7 +211,7 @@ update support.
 
 %if %{with_modules_generic}
 %package modules-generic
-Summary:        DLZ (dynamically loadable zone) module which store zone data in plain files
+Summary:        DLZ module which store zone data in plain files
 Group:          Productivity/Networking/DNS/Servers
 
 %description modules-generic
@@ -337,7 +325,6 @@ mkdir -p \
 mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
 %endif
 %make_install
-# install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind
 # remove useless .h files
 rm -rf %{buildroot}%{_includedir}
 
@@ -557,7 +544,7 @@ fi
 %if %{with_modules_generic}
 %files modules-generic
 %{_libdir}/bind-plugins/dlz_filesystem_dynamic.so
-/usr/lib64/bind-plugins/dlz_wildcard_dynamic.so
+%{_libdir}/bind-plugins/dlz_wildcard_dynamic.so
 %endif
 
 %files doc -f filelist-bind-doc