From a049546ee4d26ad75e3a942bca71423130bdeadf2f73af0efb5a0274f2dffe40 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Thu, 31 Mar 2022 09:30:02 +0000
Subject: [PATCH] Accepting request 963527 from home:jmoellers:branches:network
OBS-URL: https://build.opensuse.org/request/show/963527
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=338
---
bind-9.18.0.tar.xz | 3 --
bind-9.18.0.tar.xz.sha512.asc | 17 ------------
bind-9.18.1.tar.xz | 3 ++
bind-9.18.1.tar.xz.sha512.asc | 17 ++++++++++++
bind-define-missing-threads.patch | 10 -------
bind.changes | 46 +++++++++++++++++++++++++++++++
bind.spec | 27 +++++------------
7 files changed, 73 insertions(+), 50 deletions(-)
delete mode 100644 bind-9.18.0.tar.xz
delete mode 100644 bind-9.18.0.tar.xz.sha512.asc
create mode 100644 bind-9.18.1.tar.xz
create mode 100644 bind-9.18.1.tar.xz.sha512.asc
delete mode 100644 bind-define-missing-threads.patch
diff --git a/bind-9.18.0.tar.xz b/bind-9.18.0.tar.xz
deleted file mode 100644
index 1426ca1..0000000
--- a/bind-9.18.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:56525bf5caf01fd8fd9d90910880cc0f8a90a27a97d169187d651d4ecf0c411c
-size 5292320
diff --git a/bind-9.18.0.tar.xz.sha512.asc b/bind-9.18.0.tar.xz.sha512.asc
deleted file mode 100644
index 1cfa938..0000000
--- a/bind-9.18.0.tar.xz.sha512.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmHv4ucACgkQxbTukxqf
-nf133g//c/DzUcbtmssrr13B2vPO0LKa/iGolgUqx5F8jdG6L6j68z9zxAGqGYe3
-FzWgkWfh1oHfdEjgu5ta7Orz3j+KnaAuZhGBCzYlSIGNcOjlopuQdZwFPpQKkT9n
-Ww/66FMN3QIWN9N7a7Ru6zBl0RwaYrIlmKY6tHIGUsjnXM9tUjxdz0YEhIfMkG6i
-HROIJxOhKqAu6Ty5VBHXs/Pede3wLik5dMGJoQ/hZC/vOXF5fjfUiy82HLIKYy+g
-2rkBFpUf32Oir3Aei2rJavaHOrtr5DX9F9pTtbW2Ga6XTPB6cEf1IkFPtMHtJswV
-NPZqCthQujyYknjDo7cZU25uUfmh4c6G9fPu4Xr9j4OVUC+1cdpNBzxf2SQ+PHGf
-Vq3WneoPSA5XfJ2M/5ebX+vFSbwQ2kmawee8g4OruZi8kAFx5ejhwm4LZTqe/tna
-Padejt1UE3YVhB5DyoZxMO55KU3W66ah6xhDJnoCFAXriAWO1dsL1AvI9kAtkrWT
-UJ3wFGGIqQAJO3wtvT3OC0LvaoF1Dv8riQfDVQ3UAFSdib919iGUK5uk9kadDccq
-hcVO4dDn/txM9ffZpUEdvy1wofLhDyVSZSknzuqmpoLVPYhzLAEztF6Y6TowXz7S
-yFjFtEgYrwnjPd1zPD9SusoptzxPrctz4gsHzkE3Gn6SBH07uBM=
-=gmx/
------END PGP SIGNATURE-----
diff --git a/bind-9.18.1.tar.xz b/bind-9.18.1.tar.xz
new file mode 100644
index 0000000..dceaaca
--- /dev/null
+++ b/bind-9.18.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57c7afd871694d615cb4defb1c1bd6ed023350943d7458414db8d493ef560427
+size 5059456
diff --git a/bind-9.18.1.tar.xz.sha512.asc b/bind-9.18.1.tar.xz.sha512.asc
new file mode 100644
index 0000000..c3995e4
--- /dev/null
+++ b/bind-9.18.1.tar.xz.sha512.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmInMmEACgkQxbTukxqf
+nf0KDhAAzQav7F0ouTLcDFz3NsTsLhodaofSFPPfBnFrq0Dxj2bInrbc8XVgQWQh
+9jkqjyjIiT45/uvlcxmuuLK9mJa95Nr+DieZgyQkam8pb6pNhqNYgmzNdn1/qVuO
+xNL5anl/or3FD1cnYU7Xa6K8AFWt0izNmUFmKz4lCir4tJbQxXIIY0yk7lS05OHl
++hYNvWsdtM7ry1dcixaOwY76vkFbK1H4zCLI+LM/5oDjmj/24VlZi+i4TRCfvTHG
+Iss15gI+UuLtYnj/DRLjamZGWKhBqPHj/Vo2jzlhy5ID3OJ43m6QxmXZeOFUW1rr
+GnL/cGKvi5aq7TcmVVY+w34kdPtdACjw9eZ/MjlTuAb0DtsI/EH4sux1/TNRwcVT
++Ojohd+QvU4f2uXjdC3iVHsuD4txaZBb096uXCk26/IQgWgWbbcJYtWqOj7Rnh5C
+YUWUhYDoyL5GbwqJ7BYf6X/wIqPmugBX1DtZpS7lJnVhOckpQNVPc2mjltw5LrI4
+2nkaDsZN7JR707JiTI8gFe4czBXzCY5FYNaAAZPjLI7FvfRQIRmxkrWr6e0PYKWE
+xyhrk73t0iacZfoO5uQr7lNIsrFPar7udFW3tfPCzFLfIcfUkFzeBY8ZStlSf33N
+axYFNmzB8iCH/MUgfRQc+9pkWHNEQqnOUNJGl0mewoNnp+qIgcQ=
+=f5BI
+-----END PGP SIGNATURE-----
diff --git a/bind-define-missing-threads.patch b/bind-define-missing-threads.patch
deleted file mode 100644
index 716f87b..0000000
--- a/bind-define-missing-threads.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- bind-9.18.0.orig/contrib/dlz/modules/include/dlz_pthread.h 2022-01-24 09:28:57.521507091 +0100
-+++ bind-9.18.0/contrib/dlz/modules/include/dlz_pthread.h 2022-02-08 12:19:14.177179130 +0100
-@@ -18,6 +18,7 @@
-
- #pragma once
-
-+# define PTHREADS 1
- #include
- #define dlz_mutex_t pthread_mutex_t
- #define dlz_mutex_init pthread_mutex_init
diff --git a/bind.changes b/bind.changes
index e3ce31d..71c2c9f 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Thu Mar 17 07:28:25 UTC 2022 - Josef Möllers
+
+- * When using forwarders, bogus NS records supplied by, or via, those
+ forwarders may be cached and used by named if it needs to recurse
+ for any reason, causing it to obtain and pass on potentially
+ incorrect answers. [CVE-2021-25220]
+ * TCP connection slots may be consumed for an indefinite time frame
+ via a specifically crafted TCP stream sent from a client.
+ This issue can only be triggered on BIND servers which have
+ keep-response-order enabled, which is not the default configuration.
+ The keep-response-order option is an ACL block, and as such, any
+ hosts specified within it will be able to trigger this issue on
+ affected versions. [CVE-2022-0396]
+ * The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature
+ (synth-from-dnssec) had been refactored and the default has been
+ changed so that is now automatically enabled for dnssec-validating
+ resolvers. Subsequently it was found that repeated patterns of
+ specific queries to servers with this feature enabled could cause
+ an INSIST failure in query.c:query_dname which causes named to
+ terminate unexpectedly.
+ The vulnerability affects BIND resolvers running 9.18.0 that have
+ both dnssec-validation and synth-from-dnssec enabled. (Note that
+ dnssec-validation auto; is the default setting unless configured
+ otherwise in named.conf and that enabling dnssec-validation
+ automatically enables synth-from-dnssec unless explicitly disabled)
+ [CVE-2022-0635]
+ * The refactoring of the recursive client code introduced a
+ "backstop lifetime timer."
+ While BIND is processing a request for a DS record that needs to be
+ forwarded, it waits until this processing is complete or until the
+ backstop lifetime timer has timed out.
When the resume_dslookup() function + is called as a result of such a timeout, the function does not test + whether the fetch has previously been shut down. This introduces the + possibility of triggering an assertion failure, which could cause the BIND + process to terminate. [CVE-2022-0667] + * Reset client TCP connection when data received cannot + be parsed as a valid DNS request. + For a complete list of changes, see + * Bind Release Notes + https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html + * The CHANGES file in the source RPM + This obsoletes bind-define-missing-threads.patch + [bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc, + bind-define-missing-threads.patch] + ------------------------------------------------------------------- Mon Jan 31 13:49:51 UTC 2022 - Josef Möllers diff --git a/bind.spec b/bind.spec index c42a8a9..c331b40 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.18.0 +Version: 9.18.1 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -75,8 +75,6 @@ Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf Patch56: bind-ldapdump-use-valid-host.patch -# Fix typos in the source code (that will be fixed in th next minor release) -Patch57: bind-define-missing-threads.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libtool 
@@ -150,16 +148,6 @@ test and query the Domain Name System (DNS) and also the libraries rquired for the base "bind" package. The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. -# 9.18.0 %package -n python3-bind -# 9.18.0 Summary: A module allowing rndc commands to be sent from Python programs -# 9.18.0 Group: Development/Languages/Python -# 9.18.0 Requires: python3 -# 9.18.0 Requires: python3-ply -# 9.18.0 BuildArch: noarch - -# 9.18.0 %description -n python3-bind -# 9.18.0 This package provides a module which allows commands to be sent to rndc directly from Python programs. - %if %{with_modules_perl} %package modules-perl Summary: A dynamically loadable zone (DLZ) plugin embedding a Perl interpreter in BIND @@ -174,7 +162,7 @@ to be written to integrate with BIND and serve DNS data. %if %{with_modules_mysql} %package modules-mysql -Summary: DLZ (dynamically loadable zone) modules which store zone data in a MySQL database +Summary: DLZ modules which store zone data in a MySQL database Group: Productivity/Networking/DNS/Servers BuildRequires: libmysqlclient-devel @@ -190,7 +178,7 @@ sends DNS NOTIFY packets to other name servers when appropriate. %if %{with_modules_ldap} %package modules-ldap -Summary: A DLZ (dynamically loadable zone) module which stores zone data in an LDAP directory +Summary: A DLZ module which stores zone data in an LDAP directory Group: Productivity/Networking/DNS/Servers BuildRequires: openldap2-devel @@ -201,7 +189,7 @@ update support %if %{with_modules_bdbhpt} %package modules-bdbhpt -Summary: A DLZ (dynamically loadable zone) module which stores zone data in a BerkeleyDB +Summary: A DLZ module which stores zone data in a BerkeleyDB Group: Productivity/Networking/DNS/Servers BuildRequires: libdb-4_8-devel 
@@ -212,7 +200,7 @@ update support %if %{with_modules_sqlite3} %package modules-sqlite3 -Summary: A DLZ (dynamically loadable zone) module which stores zone data in an sqlite3 db +Summary: A DLZ module which stores zone data in an sqlite3 db Group: Productivity/Networking/DNS/Servers BuildRequires: sqlite3-devel @@ -223,7 +211,7 @@ update support. %if %{with_modules_generic} %package modules-generic -Summary: DLZ (dynamically loadable zone) module which store zone data in plain files +Summary: DLZ module which store zone data in plain files Group: Productivity/Networking/DNS/Servers %description modules-generic @@ -337,7 +325,6 @@ mkdir -p \ mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %endif %make_install -# install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind # remove useless .h files rm -rf %{buildroot}%{_includedir} @@ -557,7 +544,7 @@ fi %if %{with_modules_generic} %files modules-generic %{_libdir}/bind-plugins/dlz_filesystem_dynamic.so -/usr/lib64/bind-plugins/dlz_wildcard_dynamic.so +%{_libdir}/bind-plugins/dlz_wildcard_dynamic.so %endif %files doc -f filelist-bind-doc
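Review bot: The shortened Summary for modules-generic in the `@@ -223,7 +211,7 @@` hunk still pairs a singular subject with a plural verb: `DLZ module which store zone data in plain files`. The other rewritten Summary lines read `DLZ modules which store …` (modules-mysql) or `A DLZ module which stores …` (ldap, bdbhpt, sqlite3), so this one is the odd one out. Since the line is being touched anyway, I would settle on `Summary: DLZ modules which store zone data in plain files`. The `%files modules-generic` list in the last hunk ships two plugins, which suggests the plural is the intended reading.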