From 33b4dc7ca146bdf06fce317ed8c5b59b59b42804b5da5dd5c16821571df7f303 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Wed, 23 Feb 2022 12:08:26 +0000 Subject: [PATCH 1/7] Accepting request 952940 from home:jmoellers:branches:network Tested on Tumbleweed and SLE-15-SP4 OBS-URL: https://build.opensuse.org/request/show/952940 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=336 --- bind-9.16.25.tar.xz | 3 - bind-9.16.25.tar.xz.sha512.asc | 17 -- bind-9.18.0.tar.xz | 3 + bind-9.18.0.tar.xz.sha512.asc | 17 ++ bind-avoid-fallthrough-warning-error.patch | 26 -- bind-define-missing-threads.patch | 10 + bind.changes | 52 ++++ bind.spec | 294 ++++++++++++++++----- named-bootconf.diff | 23 -- vendor-files.tar.bz2 | 4 +- 10 files changed, 309 insertions(+), 140 deletions(-) delete mode 100644 bind-9.16.25.tar.xz delete mode 100644 bind-9.16.25.tar.xz.sha512.asc create mode 100644 bind-9.18.0.tar.xz create mode 100644 bind-9.18.0.tar.xz.sha512.asc delete mode 100644 bind-avoid-fallthrough-warning-error.patch create mode 100644 bind-define-missing-threads.patch delete mode 100644 named-bootconf.diff diff --git a/bind-9.16.25.tar.xz b/bind-9.16.25.tar.xz deleted file mode 100644 index 5bb75f5..0000000 --- a/bind-9.16.25.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9fa328850f82843ef8b7bf1ff5322cb68b110273a33f375ba41f35270f5e1ff3 -size 5086780 diff --git a/bind-9.16.25.tar.xz.sha512.asc b/bind-9.16.25.tar.xz.sha512.asc deleted file mode 100644 index 87aec3b..0000000 --- a/bind-9.16.25.tar.xz.sha512.asc +++ /dev/null 
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmHnQzwACgkQxbTukxqf
-nf36OhAAyjIh6tcuDauRQQFfuyBIPHBCDybidjUxE5NsjMfd9EKR6QOp2rICgtJz
-4i/+UxQm0e6B1VmogdDddH5YL4NNk9aiNbeBXCeSVicA8jRwAI44lL5iVSSlBK+f
-4nQ1rWwlSoV7AkE1oDrTIxfz5wPm1gyG4FBxqrTxxsrqrKsrxKZbHjAqEUeBuEEz
-/MqfAkDpvV+JWSFbwp2f8igH/cHx06MCsUkWLuZPWiT3k1g+9lqgfcigcNN3yqoK
-tQQwnozLUwjRJt0t4dl99frb93KKkX4IMqk7Pevue2kEWx0yo1GbPLmPiOdrUeK3
-nFMgMopwAvPzla56RKf4gLpHerHR+YNWWFHoju71teg7/6b++LZEWMQ+7stP1wCj
-B9COURDClp/4Z7j7GuYgE8jVSvpemuHqlkHZyF/94EA1yY1d4fA0ViCsZVrRBfaj
-7QFaKDBl4Qj/5eY1DcP9QZ4t7z83ugSBqgVp5DxJgIqC+ZFPkQSPAy5AxHUILlqX
-/XRyLbRDSSp0ZJjt6G+aJ2C2nRKykrp4QcnVlfRo4AWEBfZ2hC5Q8DRP4nQdAVno
-2wSCDUt4TSXIJZp848PmbfcQccYEB9H5DBbR865nic8hmcT+CniflASwqATqL5PB
-1+RdrwKO1/K0VVrNhmtwswF8JvSMZktWlicqezdLhhQz8Bzdrbc=
-=phwZ
------END PGP SIGNATURE-----
diff --git a/bind-9.18.0.tar.xz b/bind-9.18.0.tar.xz
new file mode 100644
index 0000000..1426ca1
--- /dev/null
+++ b/bind-9.18.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56525bf5caf01fd8fd9d90910880cc0f8a90a27a97d169187d651d4ecf0c411c
+size 5292320
diff --git a/bind-9.18.0.tar.xz.sha512.asc b/bind-9.18.0.tar.xz.sha512.asc
new file mode 100644
index 0000000..1cfa938
--- /dev/null
+++ b/bind-9.18.0.tar.xz.sha512.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmHv4ucACgkQxbTukxqf
+nf133g//c/DzUcbtmssrr13B2vPO0LKa/iGolgUqx5F8jdG6L6j68z9zxAGqGYe3
+FzWgkWfh1oHfdEjgu5ta7Orz3j+KnaAuZhGBCzYlSIGNcOjlopuQdZwFPpQKkT9n
+Ww/66FMN3QIWN9N7a7Ru6zBl0RwaYrIlmKY6tHIGUsjnXM9tUjxdz0YEhIfMkG6i
+HROIJxOhKqAu6Ty5VBHXs/Pede3wLik5dMGJoQ/hZC/vOXF5fjfUiy82HLIKYy+g
+2rkBFpUf32Oir3Aei2rJavaHOrtr5DX9F9pTtbW2Ga6XTPB6cEf1IkFPtMHtJswV
+NPZqCthQujyYknjDo7cZU25uUfmh4c6G9fPu4Xr9j4OVUC+1cdpNBzxf2SQ+PHGf
+Vq3WneoPSA5XfJ2M/5ebX+vFSbwQ2kmawee8g4OruZi8kAFx5ejhwm4LZTqe/tna
+Padejt1UE3YVhB5DyoZxMO55KU3W66ah6xhDJnoCFAXriAWO1dsL1AvI9kAtkrWT
+UJ3wFGGIqQAJO3wtvT3OC0LvaoF1Dv8riQfDVQ3UAFSdib919iGUK5uk9kadDccq
+hcVO4dDn/txM9ffZpUEdvy1wofLhDyVSZSknzuqmpoLVPYhzLAEztF6Y6TowXz7S
+yFjFtEgYrwnjPd1zPD9SusoptzxPrctz4gsHzkE3Gn6SBH07uBM=
+=gmx/
+-----END PGP SIGNATURE-----
diff --git a/bind-avoid-fallthrough-warning-error.patch b/bind-avoid-fallthrough-warning-error.patch
deleted file mode 100644
index 761b821..0000000
--- a/bind-avoid-fallthrough-warning-error.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
-===================================================================
---- bind-9.16.23.orig/contrib/dlz/drivers/dlz_ldap_driver.c
-+++ bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
-@@ -978,11 +978,13 @@ dlz_ldap_create(const char *dlzname, uns
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-+ /* FALLTHROUGH */
- case 11:
- result = dlz_ldap_checkURL(argv[10], 3, "all nodes");
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-+ /* FALLTHROUGH */
- case 10:
- if (strlen(argv[9]) > 0) {
- result = dlz_ldap_checkURL(argv[9], 3, "authority");
-@@ -990,6 +992,7 @@ dlz_ldap_create(const char *dlzname, uns
- return (result);
- }
- }
-+ /* FALLTHROUGH */
- case 9:
- result = dlz_ldap_checkURL(argv[8], 3, "lookup");
- if (result != ISC_R_SUCCESS) {
diff --git a/bind-define-missing-threads.patch b/bind-define-missing-threads.patch
new file mode 100644
index 0000000..716f87b
--- /dev/null
+++ b/bind-define-missing-threads.patch
@@ -0,0 +1,10 @@
+--- bind-9.18.0.orig/contrib/dlz/modules/include/dlz_pthread.h 2022-01-24 09:28:57.521507091 +0100
++++ bind-9.18.0/contrib/dlz/modules/include/dlz_pthread.h 2022-02-08 12:19:14.177179130 +0100
+@@ -18,6 +18,7 @@
+
+ #pragma once
+
++# define PTHREADS 1
+ #include
+ #define dlz_mutex_t pthread_mutex_t
+ #define dlz_mutex_init pthread_mutex_init
diff --git a/bind.changes b/bind.changes
index f110aa8..7780cd0 100644
--- a/bind.changes
+++ b/bind.changes
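Review bot: The added `# define PTHREADS 1` in dlz_pthread.h is unconditional and has no comment, so nothing records which code tests PTHREADS or why the header has to force it. Presumably the DLZ module sources gate their mutex use on this macro, in which case leaving it undefined would build the modules without locking; that is an inference from the mutex macros in the context lines and should be confirmed and written down. I would guard and annotate it: `#ifndef PTHREADS` / `#define PTHREADS 1 /* assumed: DLZ modules test this before using dlz_mutex_*; confirm */` / `#endif`. The patch file also carries no header naming the upstream report it tracks, which makes it hard to tell when it can be dropped.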
@@ -1,3 +1,55 @@ +------------------------------------------------------------------- +Mon Jan 31 13:49:51 UTC 2022 - Josef Möllers + +- Update to new MAJOR VERSION 9.18.0. + This has many enhnancements, bug fixes and changes. + The spec file also has mechanisms to run the integrated test suite. + + MAJOR CHANGES: + * Support for securing DNS traffic using Transport Layer Security (TLS). + TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). + * Support for zone transfers over TLS (XFR-over-TLS, XoT) for both + incoming and outgoing zone transfers. + * The dig tool is now able to send DoT queries (+tls option). + * Support for OpenSSL 3.0 APIs was added. + + A number of utilities have been removed: dnssec-checkds, + dnssec-coverage, dnssec-keymgr, which have been deprecated in + favor of dnssec-policy feature, as well as python support + (package python3-bind). + A number of utilities have been moved from (/usr)/sbin to (/usr)/bin + The DLZ modules have been put into seperate sub-packages + to keep unwanted dependencies out of the main package: + * bind-modules-perl: dlz_perl_driver.so + * bind-modules-mysql: dlz_mysql_dynamic.so, dlz_mysqldyn_mod.so + * bind-modules-ldap: dlz_ldap_dynamic.so + * bind-modules-bdbhpt: dlz_bdbhpt_dynamic.so + * bind-modules-sqlite3: dlz_sqlite3_dynamic.so + * bind-modules-generic: dlz_filesystem_dynamic.so, dlz_wildcard_dynamic.so + For a complete list of changes, see + * Bind Release Notes + https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/notes.html + * The CHANGES file in the source RPM + [bind.spec, bind-9.18.0.tar.xz, bind-9.18.0.tar.xz.sha512.asc, + bind-avoid-fallthrough-warning-error.patch, + bind-contrib-pthread.patch, named-bootconf.diff] + +------------------------------------------------------------------- +Mon Jan 24 13:18:35 UTC 2022 - Josef Möllers + +- Old-style DLZ drivers have been deprecated in favor of + DLZ modules. 
The DLZ drivers configuration option will + be removed from the next major BIND 9 release. + + The option to use the DLZ modules is already available + in BIND 9; please see the ARM section on DLZ modules. + + The dynamically lodable driver modules are stored in + /usr/lib64/bind-plugins + Example configurations for ldap and mysql are provided in + named.conf. + [bind.spec, vendor-files/config/named.conf] + ------------------------------------------------------------------- Fri Jan 21 16:24:16 UTC 2022 - Callum Farmer diff --git a/bind.spec b/bind.spec index 9bc24bc..c42a8a9 100644 --- a/bind.spec +++ b/bind.spec @@ -17,6 +17,16 @@ %define _buildshell /bin/bash +%bcond_with check + +# DLZ modules +%bcond_without modules_bdbhpt +%bcond_without modules_ldap +%bcond_without modules_mysql +%bcond_without modules_sqlite3 +%bcond_without modules_perl +%bcond_without modules_generic +# end DLZ modules %define VENDOR SUSE %if 0%{?suse_version} >= 1500 @@ -46,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.25 +Version: 9.18.0 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 
@@ -64,24 +74,24 @@ Source60: dlz-schema.txt Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf -Patch52: named-bootconf.diff Patch56: bind-ldapdump-use-valid-host.patch -Patch57: bind-avoid-fallthrough-warning-error.patch +# Fix typos in the source code (that will be fixed in th next minor release) +Patch57: bind-define-missing-threads.patch BuildRequires: libcap-devel -BuildRequires: libmysqlclient-devel BuildRequires: libopenssl-devel BuildRequires: libtool -BuildRequires: openldap2-devel BuildRequires: openssl BuildRequires: pkgconfig BuildRequires: python3 BuildRequires: python3-Sphinx BuildRequires: python3-ply BuildRequires: update-desktop-files +BuildRequires: pkgconfig(jemalloc) BuildRequires: pkgconfig(json) BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libmaxminddb) +BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libxml-2.0) Requires: %{name}-utils 
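Review bot: Dropping `Patch52: named-bootconf.diff` removes the change that made named-bootconf.sh create its work directory through `mktemp -d` rather than directly under /tmp with a date-and-PID name, and nothing in this hunk says whether contrib/scripts/named-bootconf.sh is still shipped by 9.18.0. If the script is still packaged, the predictable temporary path comes back; please confirm it is gone upstream and say so in bind.changes. Separately, the new comment above Patch57 ("Fix typos in the source code") does not describe bind-define-missing-threads.patch; something like `# Define PTHREADS for the DLZ modules until upstream fixes the header` would match what the patch does.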
@@ -140,15 +150,91 @@ test and query the Domain Name System (DNS) and also the libraries rquired for the base "bind" package. The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. -%package -n python3-bind -Summary: A module allowing rndc commands to be sent from Python programs -Group: Development/Languages/Python -Requires: python3 -Requires: python3-ply -BuildArch: noarch +# 9.18.0 %package -n python3-bind +# 9.18.0 Summary: A module allowing rndc commands to be sent from Python programs +# 9.18.0 Group: Development/Languages/Python +# 9.18.0 Requires: python3 +# 9.18.0 Requires: python3-ply +# 9.18.0 BuildArch: noarch -%description -n python3-bind -This package provides a module which allows commands to be sent to rndc directly from Python programs. +# 9.18.0 %description -n python3-bind +# 9.18.0 This package provides a module which allows commands to be sent to rndc directly from Python programs. + +%if %{with_modules_perl} +%package modules-perl +Summary: A dynamically loadable zone (DLZ) plugin embedding a Perl interpreter in BIND +Group: Productivity/Networking/DNS/Servers +BuildRequires: perl + +%description modules-perl +This package includes a dynamically loadable zone (DLZ) plugin +embedding a Perl interpreter in BIND, allowing Perl scripts +to be written to integrate with BIND and serve DNS data. +%endif + +%if %{with_modules_mysql} +%package modules-mysql +Summary: DLZ (dynamically loadable zone) modules which store zone data in a MySQL database +Group: Productivity/Networking/DNS/Servers +BuildRequires: libmysqlclient-devel + +%description modules-mysql +This package includes dynamically loadable zone (DLZ) plugins +which store zone data in a MySQL database +The dlz_mysql_dynamic.so plugin does not support dynamic updates +the dlz_mysqldyn_mod.so plugin is a dynamically loadable zone (DLZ) +plugin that uses a fixed-schema MySQL database for back-end storage. 
+It allows zone data to be updated via dynamic DNS updates, and +sends DNS NOTIFY packets to other name servers when appropriate. +%endif + +%if %{with_modules_ldap} +%package modules-ldap +Summary: A DLZ (dynamically loadable zone) module which stores zone data in an LDAP directory +Group: Productivity/Networking/DNS/Servers +BuildRequires: openldap2-devel + +%description modules-ldap +This package provides the externally loadable ldap DLZ module, without +update support +%endif + +%if %{with_modules_bdbhpt} +%package modules-bdbhpt +Summary: A DLZ (dynamically loadable zone) module which stores zone data in a BerkeleyDB +Group: Productivity/Networking/DNS/Servers +BuildRequires: libdb-4_8-devel + +%description modules-bdbhpt +This package provides the externally loadable bdbhpt DLZ driver, without +update support +%endif + +%if %{with_modules_sqlite3} +%package modules-sqlite3 +Summary: A DLZ (dynamically loadable zone) module which stores zone data in an sqlite3 db +Group: Productivity/Networking/DNS/Servers +BuildRequires: sqlite3-devel + +%description modules-sqlite3 +This package provides the externally loadable SQLitee DLZ module, without +update support. +%endif + +%if %{with_modules_generic} +%package modules-generic +Summary: DLZ (dynamically loadable zone) module which store zone data in plain files +Group: Productivity/Networking/DNS/Servers + +%description modules-generic +This package provides the externally loadable filesystem DLZ module, without +update support and the externally loadable wildcard DLZ module. +The "wildcard" DLZ module provides a "template" zone for domains matching +a wildcard name. +For any zone name matching the wildcard, it would return the data from +the template. "$zone$" is replaced with zone name: i.e., the shortest +possible string of labels in the query name that matches the wildcard. +%endif %prep %autosetup -p1 -a2 
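Review bot: The subpackage guards are written `%if %{with_modules_perl}` (and the same for mysql, ldap, bdbhpt, sqlite3 and generic), but the switches are declared with `%bcond_without`, which as far as I know only defines `with_<name>` while the feature is enabled. A build with `--without modules_perl` would then leave `%{with_modules_perl}` unexpanded and the `%if` would fail to parse, so the switches cannot actually be turned off. Use the form this spec already uses for the check switch: `%if %{with modules_perl}`. The same guards appear again in the %install and %files hunks further down and need the same change.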
@@ -192,23 +278,25 @@ export LDFLAGS="-pie" --enable-threads \ --with-libtool \ --with-libxml2 \ - --with-libjson \ + --with-dlz_filesystem \ + --with-json-c \ --with-libidn2 \ - --with-dlz-mysql \ - --with-dlz-ldap \ --with-randomdev=/dev/urandom \ --enable-ipv6 \ --with-pic \ --disable-openssl-version-check \ --with-tuning=large \ --with-maxminddb \ - --with-dlopen \ + --with-dlopen=auto \ --with-gssapi=yes \ --disable-isc-spnego \ --enable-fixed-rrset \ --enable-filter-aaaa \ %if %{with_systemd} --with-systemd \ +%endif +%if %{with check} + --enable-querytrace \ %endif --enable-full-report # disable rpath @@ -224,6 +312,10 @@ done %if %{with_systemd} %sysusers_generate_pre %{SOURCE72} named named.conf %endif +# special build for the plugins +for d in contrib/dlz/modules/*; do + [ -e $d/Makefile ] && make -C $d +done %install mkdir -p \ 
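Review bot: The plugin loop runs a bare `make -C $d`, so it is not visible from this hunk that the DLZ modules are compiled with the distribution's optimisation and hardening flags that the main build receives through configure. These are shared objects loaded into named, so it is worth checking the build log for the flags actually used and adding a comment that states how %{optflags} reach the module Makefiles. `$d` is also unquoted; I would write `[ -e "$d/Makefile" ] && make -C "$d"`.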
@@ -245,12 +337,33 @@ mkdir -p \ mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %endif %make_install -install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind +# install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind # remove useless .h files rm -rf %{buildroot}%{_includedir} +# Install the plugins +mkdir -p %{buildroot}/%{_libdir}/bind-plugins +%if %{with_modules_perl} + install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_mysql} + install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins + install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_ldap} + install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_bdbhpt} + install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_sqlite3} + install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_generic} + install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif # remove useless .la files -rm -f %{buildroot}/%{_libdir}/lib*.{la,a} +rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir} mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d 
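Review bot: The DLZ plugins are installed with `install -m 0644`, that is without an execute bit. In the rpm versions I know, the debuginfo and strip helpers only pick up ELF files that are executable, so these shared objects may ship unstripped and without a debuginfo package; please check the build result. If that is the case, `install -m 0755 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins` (and likewise for the other modules) fixes it.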
@@ -286,21 +399,24 @@ done %if %{with_sfw2} install -m 644 vendor-files/sysconfig/SuSEFirewall.named %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind %endif +%if ! %{with check} # Cleanup doc rm doc/misc/Makefile* find doc/arm -type f ! -name '*.html' -delete +%endif # Create doc as we want it in bind and not bind-doc for file in vendor-files/docu/README*; do basename=$( basename ${file}) cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR} done -mkdir -p vendor-files/config/ISC-examples -cp -a bin/tests/*.conf* vendor-files/config/ISC-examples +# mkdir -p vendor-files/config/ISC-examples +# cp -a bin/tests/*.conf* vendor-files/config/ISC-examples for d in arm; do cp -a doc/${d}/_build %{buildroot}/%{_defaultdocdir}/bind/${d} echo "%doc %{_defaultdocdir}/bind/${d}" >>filelist-bind-doc done -for file in CHANGES COPYRIGHT README version contrib doc/misc vendor-files/config; do +for file in CHANGES COPYRIGHT README* version contrib/README* doc/misc vendor-files/config; do + [ -r ${file} ] || continue basename=$( basename ${file}) cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename} echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc @@ -313,6 +429,8 @@ install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/ %endif +find %{buildroot}/usr/share/doc/packages/bind -name cfg_test* -exec rm {} \; +rm -rf %{buildroot}/usr/share/doc/packages/bind/misc/.libs %if %{with_systemd} %pre -f named.pre @@ -325,6 +443,12 @@ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/ %{USERMOD_NAMED} %endif +%if %{with check} +%check +sudo bin/tests/system/ifconfig.sh up +make test +%endif + %preun %if %{with_systemd} %service_del_preun named.service 
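Review bot: In the added doc cleanup, `-name cfg_test*` is unquoted, so the shell expands the pattern against the build directory before find sees it and the result depends on what happens to be in the current directory. The two new lines also spell out /usr/share/doc/packages/bind although the rest of %install uses `%{_defaultdocdir}`. I would write `find %{buildroot}%{_defaultdocdir}/bind -name 'cfg_test*' -delete` and `rm -rf %{buildroot}%{_defaultdocdir}/bind/misc/.libs`.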
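Review bot: The new `%check` section calls `sudo bin/tests/system/ifconfig.sh up`, which needs root and reconfigures network interfaces on the build host; a package build should not escalate privileges, and sudo is not among the BuildRequires shown in this commit. The section is off by default through `%bcond_with check`, but once someone enables it the build either fails or alters the machine it runs on. I would drop the sudo line and put a comment above `make test` such as `# system tests need the interfaces from bin/tests/system/ifconfig.sh; set them up outside the build`.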
@@ -365,7 +489,7 @@ fi %dir %{_sysconfdir}/slp.reg.d %attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg %if %{with_systemd} -%config %{_unitdir}/named.service +%{_unitdir}/named.service %{_prefix}/lib/tmpfiles.d/bind.conf %{_sysusersdir}/named.conf %{_datadir}/factory @@ -378,17 +502,21 @@ fi %{_bindir}/named-rrchecker %{_sbindir}/rcnamed %{_sbindir}/named -%{_sbindir}/named-checkconf -%{_sbindir}/named-checkzone -%{_sbindir}/named-compilezone -%dir %{_libdir}/named -%{_libdir}/named/filter-aaaa.so +%{_bindir}/named-checkconf +%{_bindir}/named-checkzone +%{_bindir}/named-compilezone +%{_bindir}/named-journalprint +%{_bindir}/nsec3hash +%dir %{_libdir}/bind +%{_libdir}/bind/filter-aaaa.so +%{_libdir}/bind/filter-a.so %{_mandir}/man1/named-rrchecker.1%{ext_man} %{_mandir}/man5/named.conf.5%{ext_man} -%{_mandir}/man8/named-checkconf.8%{ext_man} -%{_mandir}/man8/named-checkzone.8%{ext_man} +%{_mandir}/man1/named-checkconf.1%{ext_man} +%{_mandir}/man1/named-checkzone.1%{ext_man} %{_mandir}/man8/named.8%{ext_man} %{_mandir}/man8/filter-aaaa.8%{ext_man} +%{_mandir}/man8/filter-a.8%{ext_man} %dir %{_datadir}/bind %{_datadir}/bind/ldapdump %ghost %{_rundir}/named 
@@ -403,6 +531,34 @@ fi %config %{_var}/lib/named/named.root.key %dir %{_libexecdir}/bind %{_libexecdir}/bind/named.prep +%dir %{_libdir}/bind-plugins + +%if %{with_modules_perl} +%files modules-perl +%{_libdir}/bind-plugins/dlz_perl_driver.so +%endif +%if %{with_modules_mysql} +%files modules-mysql +%{_libdir}/bind-plugins/dlz_mysql_dynamic.so +%{_libdir}/bind-plugins/dlz_mysqldyn_mod.so +%endif +%if %{with_modules_ldap} +%files modules-ldap +%{_libdir}/bind-plugins/dlz_ldap_dynamic.so +%endif +%if %{with_modules_bdbhpt} +%files modules-bdbhpt +%{_libdir}/bind-plugins/dlz_bdbhpt_dynamic.so +%endif +%if %{with_modules_sqlite3} +%files modules-sqlite3 +%{_libdir}/bind-plugins/dlz_sqlite3_dynamic.so +%endif +%if %{with_modules_generic} +%files modules-generic +%{_libdir}/bind-plugins/dlz_filesystem_dynamic.so +/usr/lib64/bind-plugins/dlz_wildcard_dynamic.so +%endif %files doc -f filelist-bind-doc %dir %doc %{_defaultdocdir}/bind 
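Review bot: `/usr/lib64/bind-plugins/dlz_wildcard_dynamic.so` is the only entry in the new %files sections that hard-codes the library directory; every other line uses `%{_libdir}`, and %install places the file under `%{buildroot}/%{_libdir}/bind-plugins`. On a target where %{_libdir} is not /usr/lib64 the file list would not match what was installed. Change the line to `%{_libdir}/bind-plugins/dlz_wildcard_dynamic.so`.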
@@ -424,26 +580,26 @@ fi %{_bindir}/nsupdate %{_bindir}/genDDNSkey %{_bindir}/arpaname +%{_bindir}/dnssec-dsfromkey +%{_bindir}/dnssec-importkey +%{_bindir}/dnssec-keyfromlabel +%{_bindir}/dnssec-keygen +%{_bindir}/dnssec-revoke +%{_bindir}/dnssec-settime +%{_bindir}/dnssec-signzone +%{_bindir}/dnssec-verify +%{_bindir}/dnssec-cds %{_sbindir}/ddns-confgen -%{_sbindir}/dnssec-dsfromkey -%{_sbindir}/dnssec-importkey -%{_sbindir}/dnssec-keyfromlabel -%{_sbindir}/dnssec-keygen -%{_sbindir}/dnssec-revoke -%{_sbindir}/dnssec-settime -%{_sbindir}/dnssec-signzone -%{_sbindir}/dnssec-verify -%{_sbindir}/dnssec-checkds -%{_sbindir}/dnssec-coverage -%{_sbindir}/dnssec-keymgr -%{_sbindir}/dnssec-cds -# %%{_sbindir}/genrandom -# %%{_sbindir}/isc-hmac-fixup -%{_sbindir}/named-journalprint -%{_sbindir}/nsec3hash %{_sbindir}/rndc %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen +# 9.18.0 %%{_sbindir}/dnssec-checkds +# 9.18.0 %%{_sbindir}/dnssec-coverage +# 9.18.0 %%{_sbindir}/dnssec-keymgr +# %%{_sbindir}/genrandom +# %%{_sbindir}/isc-hmac-fixup +# 9.18.0 %%{_sbindir}/named-journalprint +# 9.18.0 %%{_sbindir}/nsec3hash # Library files, formerly in their own, separate packages: %{_libdir}/libbind9-%{version}.so %{_libdir}/libdns-%{version}.so @@ -461,7 +617,7 @@ fi %{_libdir}/libns.so %dir %doc %{_defaultdocdir}/bind %{_defaultdocdir}/bind/README*.%{VENDOR} -%{_defaultdocdir}/bind/.clang-format.headers +# %%{_defaultdocdir}/bind/.clang-format.headers %{_mandir}/man1/arpaname.1%{ext_man} %{_mandir}/man1/delv.1%{ext_man} %{_mandir}/man1/dig.1%{ext_man} 
@@ -469,33 +625,33 @@ fi %{_mandir}/man1/mdig.1%{ext_man} %{_mandir}/man1/nslookup.1%{ext_man} %{_mandir}/man1/nsupdate.1%{ext_man} -# %%{_mandir}/man1/dnstap-read.1%%{ext_man} +%{_mandir}/man1/dnssec-dsfromkey.1%{ext_man} +%{_mandir}/man1/dnssec-importkey.1%{ext_man} +%{_mandir}/man1/dnssec-keyfromlabel.1%{ext_man} +%{_mandir}/man1/dnssec-keygen.1%{ext_man} +%{_mandir}/man1/dnssec-revoke.1%{ext_man} +%{_mandir}/man1/dnssec-settime.1%{ext_man} +%{_mandir}/man1/dnssec-signzone.1%{ext_man} +%{_mandir}/man1/dnssec-verify.1%{ext_man} +%{_mandir}/man1/dnssec-cds.1%{ext_man} +%{_mandir}/man1/named-compilezone.1%{ext_man} +%{_mandir}/man1/named-journalprint.1%{ext_man} +%{_mandir}/man1/nsec3hash.1%{ext_man} %{_mandir}/man5/rndc.conf.5%{ext_man} %{_mandir}/man8/ddns-confgen.8%{ext_man} -%{_mandir}/man8/dnssec-dsfromkey.8%{ext_man} -%{_mandir}/man8/dnssec-importkey.8%{ext_man} -%{_mandir}/man8/dnssec-keyfromlabel.8%{ext_man} -%{_mandir}/man8/dnssec-keygen.8%{ext_man} -%{_mandir}/man8/dnssec-revoke.8%{ext_man} -%{_mandir}/man8/dnssec-settime.8%{ext_man} -%{_mandir}/man8/dnssec-signzone.8%{ext_man} -%{_mandir}/man8/dnssec-verify.8%{ext_man} -%{_mandir}/man8/dnssec-checkds.8%{ext_man} -%{_mandir}/man8/dnssec-coverage.8%{ext_man} -%{_mandir}/man8/dnssec-keymgr.8%{ext_man} -%{_mandir}/man8/dnssec-cds.8%{ext_man} +%{_mandir}/man8/rndc.8%{ext_man} +%{_mandir}/man8/rndc-confgen.8%{ext_man} +%{_mandir}/man8/tsig-keygen.8%{ext_man} +# %%{_mandir}/man1/dnstap-read.1%%{ext_man} +# 9.18.0 %%{_mandir}/man8/dnssec-checkds.8%%{ext_man} +# 9.18.0 %%{_mandir}/man8/dnssec-coverage.8%%{ext_man} +# 9.18.0 %%{_mandir}/man8/dnssec-keymgr.8%%{ext_man} # %%{_mandir}/man8/named-nzd2nzf.8%%{ext_man} # %%{_mandir}/man8/genrandom.8%%{ext_man} # %%{_mandir}/man8/isc-hmac-fixup.8%%{ext_man} -%{_mandir}/man8/named-journalprint.8%{ext_man} -%{_mandir}/man8/nsec3hash.8%{ext_man} -%{_mandir}/man8/rndc.8%{ext_man} -%{_mandir}/man8/rndc-confgen.8%{ext_man} -%{_mandir}/man8/named-compilezone.8%{ext_man} 
-%{_mandir}/man8/tsig-keygen.8%{ext_man} -%files -n python3-bind -%{python3_sitelib}/isc -%{python3_sitelib}/isc-*.egg-info +# 9.18.0 %%files -n python3-bind +# 9.18.0 %%{python3_sitelib}/isc +# 9.18.0 %%{python3_sitelib}/isc-*.egg-info %changelog diff --git a/named-bootconf.diff b/named-bootconf.diff deleted file mode 100644 index 0653528..0000000 --- a/named-bootconf.diff +++ /dev/null @@ -1,23 +0,0 @@ -Index: bind-9.14.7/contrib/scripts/named-bootconf.sh -=================================================================== ---- bind-9.14.7.orig/contrib/scripts/named-bootconf.sh -+++ bind-9.14.7/contrib/scripts/named-bootconf.sh -@@ -39,7 +39,8 @@ - # POSSIBILITY OF SUCH DAMAGE. - - if [ ${OPTIONFILE-X} = X ]; then -- WORKDIR=/tmp/`date +%s`.$$ -+ TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1 -+ WORKDIR=$TMPDIR/`date +%s`.$$ - ( umask 077 ; mkdir $WORKDIR ) || { - echo "unable to create work directory '$WORKDIR'" >&2 - exit 1 -@@ -293,7 +294,7 @@ if [ $DUMP -eq 1 ]; then - cat $ZONEFILE $COMMENTFILE - - rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE -- rmdir $WORKDIR -+ rm -rf $TMPDIR - fi - - exit 0 diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 28cd09e..9eded42 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0fa62530ab1e30459f5846db88927c4eca95f557c686bc9cb1cb9efab455f1c2 -size 19509 +oid sha256:8211a8f992a9e8602c111b7f0f244f0ce25dd149d4007c7d00679d6249f9b458 +size 20273 From a6a277bcef1ade786f02bfc9d3572b174c336fce96ef70b1661c4a46a502467f Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 24 Feb 2022 16:24:59 +0000 Subject: [PATCH 2/7] bind-contrib-pthread.patch, named-bootconf.diff, bind-define-missing-threads.patch] OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=337 --- bind.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bind.changes b/bind.changes index 7780cd0..e3ce31d 100644 
--- a/bind.changes +++ b/bind.changes @@ -32,7 +32,7 @@ Mon Jan 31 13:49:51 UTC 2022 - Josef Möllers * The CHANGES file in the source RPM [bind.spec, bind-9.18.0.tar.xz, bind-9.18.0.tar.xz.sha512.asc, bind-avoid-fallthrough-warning-error.patch, - bind-contrib-pthread.patch, named-bootconf.diff] + bind-contrib-pthread.patch, named-bootconf.diff, bind-define-missing-threads.patch] ------------------------------------------------------------------- Mon Jan 24 13:18:35 UTC 2022 - Josef Möllers From a049546ee4d26ad75e3a942bca71423130bdeadf2f73af0efb5a0274f2dffe40 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 31 Mar 2022 09:30:02 +0000 Subject: [PATCH 3/7] Accepting request 963527 from home:jmoellers:branches:network OBS-URL: https://build.opensuse.org/request/show/963527 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=338 --- bind-9.18.0.tar.xz | 3 -- bind-9.18.0.tar.xz.sha512.asc | 17 ------------ bind-9.18.1.tar.xz | 3 ++ bind-9.18.1.tar.xz.sha512.asc | 17 ++++++++++++ bind-define-missing-threads.patch | 10 ------- bind.changes | 46 +++++++++++++++++++++++++++++++ bind.spec | 27 +++++------------- 7 files changed, 73 insertions(+), 50 deletions(-) delete mode 100644 bind-9.18.0.tar.xz delete mode 100644 bind-9.18.0.tar.xz.sha512.asc create mode 100644 bind-9.18.1.tar.xz create mode 100644 bind-9.18.1.tar.xz.sha512.asc delete mode 100644 bind-define-missing-threads.patch diff --git a/bind-9.18.0.tar.xz b/bind-9.18.0.tar.xz deleted file mode 100644 index 1426ca1..0000000 --- a/bind-9.18.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:56525bf5caf01fd8fd9d90910880cc0f8a90a27a97d169187d651d4ecf0c411c -size 5292320 diff --git a/bind-9.18.0.tar.xz.sha512.asc b/bind-9.18.0.tar.xz.sha512.asc deleted file mode 100644 index 1cfa938..0000000 --- a/bind-9.18.0.tar.xz.sha512.asc +++ /dev/null 
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmHv4ucACgkQxbTukxqf
-nf133g//c/DzUcbtmssrr13B2vPO0LKa/iGolgUqx5F8jdG6L6j68z9zxAGqGYe3
-FzWgkWfh1oHfdEjgu5ta7Orz3j+KnaAuZhGBCzYlSIGNcOjlopuQdZwFPpQKkT9n
-Ww/66FMN3QIWN9N7a7Ru6zBl0RwaYrIlmKY6tHIGUsjnXM9tUjxdz0YEhIfMkG6i
-HROIJxOhKqAu6Ty5VBHXs/Pede3wLik5dMGJoQ/hZC/vOXF5fjfUiy82HLIKYy+g
-2rkBFpUf32Oir3Aei2rJavaHOrtr5DX9F9pTtbW2Ga6XTPB6cEf1IkFPtMHtJswV
-NPZqCthQujyYknjDo7cZU25uUfmh4c6G9fPu4Xr9j4OVUC+1cdpNBzxf2SQ+PHGf
-Vq3WneoPSA5XfJ2M/5ebX+vFSbwQ2kmawee8g4OruZi8kAFx5ejhwm4LZTqe/tna
-Padejt1UE3YVhB5DyoZxMO55KU3W66ah6xhDJnoCFAXriAWO1dsL1AvI9kAtkrWT
-UJ3wFGGIqQAJO3wtvT3OC0LvaoF1Dv8riQfDVQ3UAFSdib919iGUK5uk9kadDccq
-hcVO4dDn/txM9ffZpUEdvy1wofLhDyVSZSknzuqmpoLVPYhzLAEztF6Y6TowXz7S
-yFjFtEgYrwnjPd1zPD9SusoptzxPrctz4gsHzkE3Gn6SBH07uBM=
-=gmx/
------END PGP SIGNATURE-----
diff --git a/bind-9.18.1.tar.xz b/bind-9.18.1.tar.xz
new file mode 100644
index 0000000..dceaaca
--- /dev/null
+++ b/bind-9.18.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57c7afd871694d615cb4defb1c1bd6ed023350943d7458414db8d493ef560427
+size 5059456
diff --git a/bind-9.18.1.tar.xz.sha512.asc b/bind-9.18.1.tar.xz.sha512.asc
new file mode 100644
index 0000000..c3995e4
--- /dev/null
+++ b/bind-9.18.1.tar.xz.sha512.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmInMmEACgkQxbTukxqf
+nf0KDhAAzQav7F0ouTLcDFz3NsTsLhodaofSFPPfBnFrq0Dxj2bInrbc8XVgQWQh
+9jkqjyjIiT45/uvlcxmuuLK9mJa95Nr+DieZgyQkam8pb6pNhqNYgmzNdn1/qVuO
+xNL5anl/or3FD1cnYU7Xa6K8AFWt0izNmUFmKz4lCir4tJbQxXIIY0yk7lS05OHl
++hYNvWsdtM7ry1dcixaOwY76vkFbK1H4zCLI+LM/5oDjmj/24VlZi+i4TRCfvTHG
+Iss15gI+UuLtYnj/DRLjamZGWKhBqPHj/Vo2jzlhy5ID3OJ43m6QxmXZeOFUW1rr
+GnL/cGKvi5aq7TcmVVY+w34kdPtdACjw9eZ/MjlTuAb0DtsI/EH4sux1/TNRwcVT
++Ojohd+QvU4f2uXjdC3iVHsuD4txaZBb096uXCk26/IQgWgWbbcJYtWqOj7Rnh5C
+YUWUhYDoyL5GbwqJ7BYf6X/wIqPmugBX1DtZpS7lJnVhOckpQNVPc2mjltw5LrI4
+2nkaDsZN7JR707JiTI8gFe4czBXzCY5FYNaAAZPjLI7FvfRQIRmxkrWr6e0PYKWE
+xyhrk73t0iacZfoO5uQr7lNIsrFPar7udFW3tfPCzFLfIcfUkFzeBY8ZStlSf33N
+axYFNmzB8iCH/MUgfRQc+9pkWHNEQqnOUNJGl0mewoNnp+qIgcQ=
+=f5BI
+-----END PGP SIGNATURE-----
diff --git a/bind-define-missing-threads.patch b/bind-define-missing-threads.patch
deleted file mode 100644
index 716f87b..0000000
--- a/bind-define-missing-threads.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- bind-9.18.0.orig/contrib/dlz/modules/include/dlz_pthread.h 2022-01-24 09:28:57.521507091 +0100
-+++ bind-9.18.0/contrib/dlz/modules/include/dlz_pthread.h 2022-02-08 12:19:14.177179130 +0100
-@@ -18,6 +18,7 @@
-
- #pragma once
-
-+# define PTHREADS 1
- #include
- #define dlz_mutex_t pthread_mutex_t
- #define dlz_mutex_init pthread_mutex_init
diff --git a/bind.changes b/bind.changes
index e3ce31d..71c2c9f 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,49 @@ +------------------------------------------------------------------- +Thu Mar 17 07:28:25 UTC 2022 - Josef Möllers + +- * When using forwarders, bogus NS records supplied by, or via, those + forwarders may be cached and used by named if it needs to recurse + for any reason, causing it to obtain and pass on potentially + incorrect answers. [CVE-2021-25220] + * TCP connection slots may be consumed for an indefinite time frame + via a specifically crafted TCP stream sent from a client. + This issue can only be triggered on BIND servers which have + keep-response-order enabled, which is not the default configuration. + The keep-response-order option is an ACL block, and as such, any + hosts specified within it will be able to trigger this issue on + affected versions. [CVE-2022-0396] + * The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature + (synth-from-dnssec) had been refactored and the default has been + changed so that is now automatically enabled for dnssec-validating + resolvers. Subsequently it was found that repeated patterns of + specific queries to servers with this feature enabled could cause + an INSIST failure in query.c:query_dname which causes named to + terminate unexpectedly. + The vulnerability affects BIND resolvers running 9.18.0 that have + both dnssec-validation and synth-from-dnssec enabled. (Note that + dnssec-validation auto; is the default setting unless configured + otherwise in named.conf and that enabling dnssec-validation + automatically enables synth-from-dnssec unless explicitly disabled) + [CVE-2022-0635] + * The refactoring of the recursive client code introduced a + "backstop lifetime timer." + While BIND is processing a request for a DS record that needs to be + forwarded, it waits until this processing is complete or until the + backstop lifetime timer has timed out. 
When the resume_dslookup() function + is called as a result of such a timeout, the function does not test + whether the fetch has previously been shut down. This introduces the + possibility of triggering an assertion failure, which could cause the BIND + process to terminate. [CVE-2022-0667] + * Reset client TCP connection when data received cannot + be parsed as a valid DNS request. + For a complete list of changes, see + * Bind Release Notes + https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html + * The CHANGES file in the source RPM + This obsoletes bind-define-missing-threads.patch + [bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc, + bind-define-missing-threads.patch] + ------------------------------------------------------------------- Mon Jan 31 13:49:51 UTC 2022 - Josef Möllers diff --git a/bind.spec b/bind.spec index c42a8a9..c331b40 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.18.0 +Version: 9.18.1 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -75,8 +75,6 @@ Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf Patch56: bind-ldapdump-use-valid-host.patch -# Fix typos in the source code (that will be fixed in th next minor release) -Patch57: bind-define-missing-threads.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libtool 
@@ -150,16 +148,6 @@ test and query the Domain Name System (DNS) and also the libraries rquired for the base "bind" package. The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. -# 9.18.0 %package -n python3-bind -# 9.18.0 Summary: A module allowing rndc commands to be sent from Python programs -# 9.18.0 Group: Development/Languages/Python -# 9.18.0 Requires: python3 -# 9.18.0 Requires: python3-ply -# 9.18.0 BuildArch: noarch - -# 9.18.0 %description -n python3-bind -# 9.18.0 This package provides a module which allows commands to be sent to rndc directly from Python programs. - %if %{with_modules_perl} %package modules-perl Summary: A dynamically loadable zone (DLZ) plugin embedding a Perl interpreter in BIND @@ -174,7 +162,7 @@ to be written to integrate with BIND and serve DNS data. %if %{with_modules_mysql} %package modules-mysql -Summary: DLZ (dynamically loadable zone) modules which store zone data in a MySQL database +Summary: DLZ modules which store zone data in a MySQL database Group: Productivity/Networking/DNS/Servers BuildRequires: libmysqlclient-devel @@ -190,7 +178,7 @@ sends DNS NOTIFY packets to other name servers when appropriate. %if %{with_modules_ldap} %package modules-ldap -Summary: A DLZ (dynamically loadable zone) module which stores zone data in an LDAP directory +Summary: A DLZ module which stores zone data in an LDAP directory Group: Productivity/Networking/DNS/Servers BuildRequires: openldap2-devel @@ -201,7 +189,7 @@ update support %if %{with_modules_bdbhpt} %package modules-bdbhpt -Summary: A DLZ (dynamically loadable zone) module which stores zone data in a BerkeleyDB +Summary: A DLZ module which stores zone data in a BerkeleyDB Group: Productivity/Networking/DNS/Servers BuildRequires: libdb-4_8-devel 
@@ -212,7 +200,7 @@ update support %if %{with_modules_sqlite3} %package modules-sqlite3 -Summary: A DLZ (dynamically loadable zone) module which stores zone data in an sqlite3 db +Summary: A DLZ module which stores zone data in an sqlite3 db Group: Productivity/Networking/DNS/Servers BuildRequires: sqlite3-devel @@ -223,7 +211,7 @@ update support. %if %{with_modules_generic} %package modules-generic -Summary: DLZ (dynamically loadable zone) module which store zone data in plain files +Summary: DLZ module which store zone data in plain files Group: Productivity/Networking/DNS/Servers %description modules-generic @@ -337,7 +325,6 @@ mkdir -p \ mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %endif %make_install -# install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind # remove useless .h files rm -rf %{buildroot}%{_includedir} @@ -557,7 +544,7 @@ fi %if %{with_modules_generic} %files modules-generic %{_libdir}/bind-plugins/dlz_filesystem_dynamic.so -/usr/lib64/bind-plugins/dlz_wildcard_dynamic.so +%{_libdir}/bind-plugins/dlz_wildcard_dynamic.so %endif %files doc -f filelist-bind-doc From de343e57f95b43f6f2f91bf6625ac426403257390ac24b21f79deb286edbb6b2 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 12 Apr 2022 15:01:39 +0000 Subject: [PATCH 4/7] Accepting request 966391 from home:jmoellers:branches:network OBS-URL: https://build.opensuse.org/request/show/966391 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=339 --- bind.changes | 4 +++- bind.spec | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/bind.changes b/bind.changes index 71c2c9f..9f0c2bd 100644 --- a/bind.changes +++ b/bind.changes 
@@ -41,7 +41,9 @@ Thu Mar 17 07:28:25 UTC 2022 - Josef Möllers https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html * The CHANGES file in the source RPM This obsoletes bind-define-missing-threads.patch - [bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc, + Also, removed bind-python3 from the spec file as it is not build + any longer. + [bind.spec, bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc, bind-define-missing-threads.patch] ------------------------------------------------------------------- diff --git a/bind.spec b/bind.spec index c331b40..a34529f 100644 --- a/bind.spec +++ b/bind.spec @@ -133,7 +133,6 @@ includes also the BIND Administrator Reference Manual (ARM). Summary: Libraries for "bind" and utilities to query and test DNS # Needed for dnssec parts Group: Productivity/Networking/DNS/Utilities -Requires: python3-bind = %{version} Provides: bind9-utils Provides: bindutil Provides: dns_utils From 9fc32bb7e7106488408d4f6a5c0aea5c563f9b295042651a7f811dad35fda2f9 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Fri, 6 May 2022 07:52:29 +0000 Subject: [PATCH 5/7] Accepting request 973839 from home:jmoellers:branches:network OBS-URL: https://build.opensuse.org/request/show/973839 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=340 --- bind-9.18.1.tar.xz | 3 - bind-9.18.1.tar.xz.sha512.asc | 17 ------ bind-9.18.2.tar.xz | 3 + bind-9.18.2.tar.xz.sha512.asc | 17 ++++++ ...ances-of-FALLTHROUGH-and-UNREACHABLE.patch | 38 ++++++++++++ bind.changes | 58 +++++++++++++++++++ bind.spec | 3 +- 7 files changed, 118 insertions(+), 21 deletions(-) delete mode 100644 bind-9.18.1.tar.xz delete mode 100644 bind-9.18.1.tar.xz.sha512.asc create mode 100644 bind-9.18.2.tar.xz create mode 100644 bind-9.18.2.tar.xz.sha512.asc create mode 100644 bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch diff --git a/bind-9.18.1.tar.xz b/bind-9.18.1.tar.xz deleted file mode 100644 index dceaaca..0000000 
--- a/bind-9.18.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:57c7afd871694d615cb4defb1c1bd6ed023350943d7458414db8d493ef560427 -size 5059456 diff --git a/bind-9.18.1.tar.xz.sha512.asc b/bind-9.18.1.tar.xz.sha512.asc deleted file mode 100644 index c3995e4..0000000 --- a/bind-9.18.1.tar.xz.sha512.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Comment: GPGTools - https://gpgtools.org - -iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmInMmEACgkQxbTukxqf -nf0KDhAAzQav7F0ouTLcDFz3NsTsLhodaofSFPPfBnFrq0Dxj2bInrbc8XVgQWQh -9jkqjyjIiT45/uvlcxmuuLK9mJa95Nr+DieZgyQkam8pb6pNhqNYgmzNdn1/qVuO -xNL5anl/or3FD1cnYU7Xa6K8AFWt0izNmUFmKz4lCir4tJbQxXIIY0yk7lS05OHl -+hYNvWsdtM7ry1dcixaOwY76vkFbK1H4zCLI+LM/5oDjmj/24VlZi+i4TRCfvTHG -Iss15gI+UuLtYnj/DRLjamZGWKhBqPHj/Vo2jzlhy5ID3OJ43m6QxmXZeOFUW1rr -GnL/cGKvi5aq7TcmVVY+w34kdPtdACjw9eZ/MjlTuAb0DtsI/EH4sux1/TNRwcVT -+Ojohd+QvU4f2uXjdC3iVHsuD4txaZBb096uXCk26/IQgWgWbbcJYtWqOj7Rnh5C -YUWUhYDoyL5GbwqJ7BYf6X/wIqPmugBX1DtZpS7lJnVhOckpQNVPc2mjltw5LrI4 -2nkaDsZN7JR707JiTI8gFe4czBXzCY5FYNaAAZPjLI7FvfRQIRmxkrWr6e0PYKWE -xyhrk73t0iacZfoO5uQr7lNIsrFPar7udFW3tfPCzFLfIcfUkFzeBY8ZStlSf33N -axYFNmzB8iCH/MUgfRQc+9pkWHNEQqnOUNJGl0mewoNnp+qIgcQ= -=f5BI ------END PGP SIGNATURE----- diff --git a/bind-9.18.2.tar.xz b/bind-9.18.2.tar.xz new file mode 100644 index 0000000..24e571f --- /dev/null +++ b/bind-9.18.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e4b38779bba0a23ee634fdf7c525fd9794c41d692bfd83cda25823a2a3ed969 +size 5109916 diff --git a/bind-9.18.2.tar.xz.sha512.asc b/bind-9.18.2.tar.xz.sha512.asc new file mode 100644 index 0000000..79fce4e --- /dev/null +++ b/bind-9.18.2.tar.xz.sha512.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmJdcqsACgkQxbTukxqf +nf3E5xAApY6+1ckL4EJpdEJux9WHBoHKlnTFAaD1HKIGNbJUPwnfc0j9LgVgRXIH +AClkZS+9n45+CJEAwaoWcCmfAF4fUnoPukF16XhtRFcDCW4CSGSIbhXVKrN5hWkP +nhpjmLC3DVVxxCEBySK1TxUQUPeLC5cbdtozgkA/QL/LiMdm2gagBXlKRL9nVdIX +v5Fm+ZyVAU22WG639y7MpiquXdZ3P9xcmLcu4gg3A2IQ25mF4yj3C/nxNmqpZCVj +e4i3/jyrXliSEXJ5lCZ7k5JBziS67edpoEMUnQgVxEIcLabl4xB5Q114eU1RI4C+ +JX9EZdgmXClqkQrJXuIgu1usm+cjvhNkltokNz/FcpClaDUpXQptC56UNLQUfZS2 +ZBOfxUhJYR+Fzru3pO5rXgs99nZlphS6BAbwLEmvgP1Ws3x1ye7lVKWuytKCxRhM +yuNK7o5PBzMK8iW+B3h0ok9JsakhEJH1sOqlthInfrcJO1GLox1v5Ih3cGrRHNLK +CnU8AkZkFPuTtNJMGFOtkftckkufiIcisakTjF2jfr7eWkf3k/FN4+AWF+h4R7gD +vFz0YMH9I9GdfMFbikh2KUm1sU3d1RQ1mf600vEGFAsjPRuZCCe6762g3OLr9Rza +TN3/XeHFyjJep2P+RCUUdEGUcb0ry3qV9jr9wUyB/KkJNefScHE= +=A7Yz +-----END PGP SIGNATURE----- diff --git a/bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch b/bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch new file mode 100644 index 0000000..c1c859b --- /dev/null +++ b/bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch 
@@ -0,0 +1,38 @@
+Index: bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h
+===================================================================
+--- bind-9.18.2.orig/contrib/dlz/modules/include/dlz_minimal.h
++++ bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h
+@@ -27,6 +27,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -85,6 +86,25 @@ typedef uint32_t dns_ttl_t;
+ var = _u.v; \
+ } while (0)
+
++
++#if !defined(__has_attribute)
++#define __has_attribute(x) 0
++#endif /* if !defined(__has_attribute) */
++
++#if __GNUC__ >= 7 || __has_attribute(fallthrough)
++#define FALLTHROUGH __attribute__((fallthrough))
++#else
++/* clang-format off */
++#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */
++/* clang-format on */
++#endif
++
++#ifdef __GNUC__
++#define UNREACHABLE() __builtin_unreachable()
++#else
++#define UNREACHABLE() abort()
++#endif
++
+ /* opaque structures */
+ typedef void *dns_sdlzlookup_t;
+ typedef void *dns_sdlzallnodes_t;
diff --git a/bind.changes b/bind.changes
index 9f0c2bd..9a058ec 100644
--- a/bind.changes
+++ b/bind.changes
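Review bot: The local `UNREACHABLE()` added to dlz_minimal.h expands to a bare `__builtin_unreachable()` on GCC and Clang, so a DLZ module that ever reaches such a site has undefined behaviour instead of stopping; only the non-GNU branch fails closed with `abort()`. Since these modules are presumably loaded into named and work on zone data, I would make both branches fail-stop, e.g. `#define UNREACHABLE() (abort(), __builtin_unreachable())` for the `__GNUC__` case, which keeps the optimizer hint but terminates first. The `#if __GNUC__ >= 7 || __has_attribute(fallthrough)` test relies on the fallback `#define __has_attribute(x) 0`, which defines a reserved identifier; a short comment saying this mirrors the upstream definition would explain why it is kept. The include added in the first inner hunk has lost its header name on this page, so I cannot confirm it is the one that declares `abort()`.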
@@ -1,3 +1,61 @@
+-------------------------------------------------------------------
+Mon Apr 25 06:56:58 UTC 2022 - Josef Möllers
+
+- Upgrade to 9.18.2:
+ Most important bugs fixed:
+ * The "starting maxtime timer" message related to outgoing
+ zone transfers was incorrectly logged at the ERROR level
+ instead of DEBUG(1).
+ * Ensure that zone maintenance queries have a retry limit.
+ * When using both the `+qr` and `+y` options `dig` could
+ crash if the connection to the first server was not
+ successful.
+ * dig could hang in some cases involving multiple servers
+ in a lookup, when a request fails and the next one
+ refuses to start for some reason, for example if it was
+ an IPv4 mapped IPv6 address.
+ * dig +nssearch was hanging until manually interrupted.
+ * When an UPDATE targets a zone that is not configured,
+ the requested zone name is now logged in the "not
+ authoritative" error message, so that it is easier to
+ track down problematic update clients.
+ * Quote the dns64 prefix in error messages that complain
+ about problems with it, to avoid confusion with the
+ following dns64 ACLs.
+ * When encountering socket error while trying to initiate
+ a TCP connection to a server, dig could hang
+ indefinitely, when there were more servers to try.
+ * When timing-out or having other types of socket errors
+ during a query, dig wasn't trying to perform the lookup
+ using other servers, in case they exist.
+ * Resending a UDP request in the result of a timeout
+ could cause an assertion failure when the resent
+ query's result was SERVFAIL.
+ * Replace single TCP write timer with per-TCP write
+ timers.
+ * Invalid dnssec-policy definitions were being accepted
+ where the defined keys did not cover both KSK and ZSK
+ roles for a given algorithm. This is now checked for
+ and the dnssec-policy is rejected if both roles are
+ not present for all algorithms in use.
+ * Fix query context management issues in the TCP part
+ of dig.
+ + Noteworthy functional changes: + * Add new "reuseport" option to enable/disable load + balancing of sockets. + * Set the minimum MTU on UDPv6 and TCPv6 sockets and + limit TCP maximum segment size (TCP_MAXSEG) to (1220) + for both TCPv4 and TCPv6 sockets. + + Needed to define two macros in contrib code: + FALLTHOUGH is a copy of how it is defined in + + UNREACHABLE follows the model used in MacOS /usr/include/c++/v1/cstdlib + to determine if __builtin_ureachable is available + [bind-9.18.2.tar.xz, bind-9.18.2.tar.xz.sha512.asc, + bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch] + ------------------------------------------------------------------- Thu Mar 17 07:28:25 UTC 2022 - Josef Möllers diff --git a/bind.spec b/bind.spec index a34529f..826593b 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.18.1 +Version: 9.18.2 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -75,6 +75,7 @@ Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf Patch56: bind-ldapdump-use-valid-host.patch +Patch57: bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libtool From d16c91b0602ce49d5a7e0fbd5015ffc0a5840ee2a67314731f21775921ff8dc7 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 16 May 2022 08:27:30 +0000 Subject: [PATCH 6/7] Accepting request 977464 from home:marxin:branches:network - Add upstream patch bind-prevent-buffer-overflow.patch. OBS-URL: https://build.opensuse.org/request/show/977464 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=341 --- bind-prevent-buffer-overflow.patch | 38 ++++++++++++++++++++++++++++++ bind.changes | 5 ++++ bind.spec | 2 ++ 3 files changed, 45 insertions(+) create mode 100644 bind-prevent-buffer-overflow.patch 
diff --git a/bind-prevent-buffer-overflow.patch b/bind-prevent-buffer-overflow.patch
new file mode 100644
index 0000000..d39789b
--- /dev/null
+++ b/bind-prevent-buffer-overflow.patch
@@ -0,0 +1,38 @@
+From 921043b54161c7a3e6dc4036b038ca4dbc5fe472 Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Fri, 13 May 2022 19:59:58 -0700
+Subject: [PATCH] prevent a possible buffer overflow in configuration check
+
+corrected code that could have allowed a buffer overfow while
+parsing named.conf.
+---
+ lib/bind9/check.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bind9/check.c b/lib/bind9/check.c
+index 658daec76d..baacd29a84 100644
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -3009,8 +3009,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ } else if (dns_name_isula(zname)) {
+ ula = true;
+ }
+- tmp += strlen(tmp);
+ len -= strlen(tmp);
++ tmp += strlen(tmp);
+ (void)snprintf(tmp, len, "%u/%s", zclass,
+ (ztype == CFG_ZONE_INVIEW) ? target
+ : (viewname != NULL) ? viewname
+@@ -3719,8 +3719,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ char *tmp = keydirbuf;
+ size_t len = sizeof(keydirbuf);
+ dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
+- tmp += strlen(tmp);
+ len -= strlen(tmp);
++ tmp += strlen(tmp);
+ (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
+ tresult = keydirexist(zconfig, (const char *)keydirbuf,
+ kaspname, keydirs, logctx, mctx);
+--
+GitLab
+
diff --git a/bind.changes b/bind.changes
index 9a058ec..92c35c8 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon May 16 08:14:55 UTC 2022 - Martin Liška
+
+- Add upstream patch bind-prevent-buffer-overflow.patch.
+
 -------------------------------------------------------------------
 Mon Apr 25 06:56:58 UTC 2022 - Josef Möllers
diff --git a/bind.spec b/bind.spec
index 826593b..ae12653 100644
--- a/bind.spec
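Review bot: Both reordered sites in check_zoneconf() still discard the result of `snprintf()` with a `(void)` cast, so a zone name plus view or key directory that does not fit is silently truncated, and at the second site the truncated `keydirbuf` is then passed to `keydirexist()`. The reorder fixes the length accounting, but I would also detect truncation: `int n = snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);` followed by `if (n < 0 || (size_t)n >= len) { /* report the over-long name and fail the check */ }`. Calling `strlen(tmp)` once into a local (`size_t used = strlen(tmp); len -= used; tmp += used;`) would also make the order of the two updates irrelevant, which is the mistake this patch corrects. check_zoneconf() starts and ends outside both hunks, so how errors are reported there is not visible here.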
+++ b/bind.spec @@ -76,6 +76,7 @@ Source70: bind.conf Source72: named.conf Patch56: bind-ldapdump-use-valid-host.patch Patch57: bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch +Patch58: bind-prevent-buffer-overflow.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libtool @@ -423,6 +424,7 @@ rm -rf %{buildroot}/usr/share/doc/packages/bind/misc/.libs %pre -f named.pre %service_add_pre named.service %else + %pre %{GROUPADD_NAMED} %{USERADD_NAMED} From ed00a571eb84ab92b1ce351e2770dfc1cd308aafa1e461799e88de19cec24fb1 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 16 May 2022 08:30:17 +0000 Subject: [PATCH 7/7] Accepting request 977055 from home:jmoellers:branches:network OBS-URL: https://build.opensuse.org/request/show/977055 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=342 --- bind.changes | 11 +++++++++++ bind.spec | 20 -------------------- vendor-files.tar.bz2 | 4 ++-- 3 files changed, 13 insertions(+), 22 deletions(-) diff --git a/bind.changes b/bind.changes index 92c35c8..47faf9f 100644 --- a/bind.changes +++ b/bind.changes @@ -3,6 +3,17 @@ Mon May 16 08:14:55 UTC 2022 - Martin Liška - Add upstream patch bind-prevent-buffer-overflow.patch. +------------------------------------------------------------------- +Thu May 12 14:25:28 UTC 2022 - Josef Möllers + +- The named-checkconf had been moved from /usr/sbin to /usr/bin + but that had not been reflected in scripts that called this, + eg named.prep. So these scripts failed. + Some installations still have "createNamedConfInclude" in the + NAMED_INITIALIZE_SCRIPTS in /etc/sysconfig/named. The named.prep + will now report this but continue. + [bsc#1199044, vendor-files.tar.bz2] + ------------------------------------------------------------------- Mon Apr 25 06:56:58 UTC 2022 - Josef Möllers diff --git a/bind.spec b/bind.spec index ae12653..dd3b506 100644 --- a/bind.spec +++ b/bind.spec 
@@ -582,14 +582,6 @@ fi %{_sbindir}/rndc %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen -# 9.18.0 %%{_sbindir}/dnssec-checkds -# 9.18.0 %%{_sbindir}/dnssec-coverage -# 9.18.0 %%{_sbindir}/dnssec-keymgr -# %%{_sbindir}/genrandom -# %%{_sbindir}/isc-hmac-fixup -# 9.18.0 %%{_sbindir}/named-journalprint -# 9.18.0 %%{_sbindir}/nsec3hash -# Library files, formerly in their own, separate packages: %{_libdir}/libbind9-%{version}.so %{_libdir}/libdns-%{version}.so %{_libdir}/libirs-%{version}.so @@ -606,7 +598,6 @@ fi %{_libdir}/libns.so %dir %doc %{_defaultdocdir}/bind %{_defaultdocdir}/bind/README*.%{VENDOR} -# %%{_defaultdocdir}/bind/.clang-format.headers %{_mandir}/man1/arpaname.1%{ext_man} %{_mandir}/man1/delv.1%{ext_man} %{_mandir}/man1/dig.1%{ext_man} @@ -631,16 +622,5 @@ fi %{_mandir}/man8/rndc.8%{ext_man} %{_mandir}/man8/rndc-confgen.8%{ext_man} %{_mandir}/man8/tsig-keygen.8%{ext_man} -# %%{_mandir}/man1/dnstap-read.1%%{ext_man} -# 9.18.0 %%{_mandir}/man8/dnssec-checkds.8%%{ext_man} -# 9.18.0 %%{_mandir}/man8/dnssec-coverage.8%%{ext_man} -# 9.18.0 %%{_mandir}/man8/dnssec-keymgr.8%%{ext_man} -# %%{_mandir}/man8/named-nzd2nzf.8%%{ext_man} -# %%{_mandir}/man8/genrandom.8%%{ext_man} -# %%{_mandir}/man8/isc-hmac-fixup.8%%{ext_man} - -# 9.18.0 %%files -n python3-bind -# 9.18.0 %%{python3_sitelib}/isc -# 9.18.0 %%{python3_sitelib}/isc-*.egg-info %changelog diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 9eded42..927d6f1 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8211a8f992a9e8602c111b7f0f244f0ce25dd149d4007c7d00679d6249f9b458 -size 20273 +oid sha256:1bcc216c1bbd72cd737ee6119206121c0313a429492591335130068abcf41201 +size 20177