Accepting request 935515 from home:jmoellers:branches:network
OBS-URL: https://build.opensuse.org/request/show/935515 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=332
parent
bc2ee8dcfd
commit
dd9425ce8e
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58
|
||||
size 5042196
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE6atueSM8BBbomT9FDAOvqQpZZ8QFAmETiLMACgkQDAOvqQpZ
|
||||
Z8Qrug//fMVJ6yfxMqbGrtumqxWBs+T8EAH3kt/mJvGRbFugN0UyOE+/19FcJvGn
|
||||
Kd440Azap7ophpqt0oWrOXo5YEzStWOpaHRrRqulZ7r0/yOkRHoekuWStyJ4qRXt
|
||||
ZYutOpbS1aXU9OhnWbQhTah+GPqZSdbp66gXIuGcvor5IpmaClPsVlQ6IEppZ32L
|
||||
rwZcVYd1yrl5vtUx7b4rOYrrNbadlZA906BPgEGy5xx0Ex+IBtHWkUhQ17RDFl8b
|
||||
qovmxYp/V+9IPipK37ZVCB1yNNnzsnQU5ca9ZklCNalWKfCY/CNYdH0doybWttFq
|
||||
rcNFiNqS72pnWTxNMtFu7hwkXf2PRhQ26o4/UZVaI9zOVXZ7Gao7nbNYWxE6QpqE
|
||||
OT8hNkKPU+PLBbznyE9ktHdJCEXrInb+eRZdcws2C86EN68pCdm3pNzrFzz/eEsX
|
||||
d38xb1cYZqGlRSZ3tRHdcNh0EZjhHVK9ELcsvx78tr6qEyF+03DrCQEPgsEB3BJI
|
||||
hZKYGUnd4iwOUZSAjWxalAzAGFeVhO+/dt+YPEWOskZoOw0hpban0dIlBIePn0xW
|
||||
OqDIGVA8D+FNV3i+16ALWVpyGkKlcmjWj9qzjR1FXKQMWQ/USRRhm8bQv0T1RKhh
|
||||
ulYNdAQBSAZUvvJHxYXOYHK5EPcoKtAlnXeP//FIGbQorKcEmnM=
|
||||
=EURP
|
||||
-----END PGP SIGNATURE-----
|
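--- a/bind-9.16.23.tar.xz
+++ b/bind-9.16.23.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dedb5e27aa9cb6a9ce3e872845887ff837b99e4e9a91a5e2fcd67cf6e1ef173c
+size 5068344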
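--- a/bind-9.16.23.tar.xz.sha512.asc
+++ b/bind-9.16.23.tar.xz.sha512.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMgACgkQxbTukxqf
+nf2PihAA3sF6ycdT+tSUdyqWS5FcRdqnGnlZpT/mhGcsY/bgO4IejRTnbBY/3D95
+siXINLzWndKKQMboLDsj5st/BUzBKivmwfqn1AmrzEoD35eg5VdrYWIVXXBr2Qak
+Z4npi9krM9D99NRZd4zEBqFb1yQYpg9ps1PsuGyANKwtLbcuoO8/pmmowCYIBLuT
+JWqDyWAIBKO6ElM51nWP5qzv6ithJd8jbhuyyMCBV3z/4lZ20WR43VRUNub9KRHG
+qMJd4FsSaByJF0tUN9Jsp2Jq85NxXdiNfAAHCBZU+oK0lOIu3cLayGH0ecIPg/fp
+okSoWePM8AEr44Fg2yT71OtuKzn41bH8ixAUPi2gVPiLP+VH6f5QnwYTug27CxLk
+FgXMV1MOUi7yRicDpfU3nx0jDmwFI02Fd6K5h00lG7Cb3v6EpEWvLXc/oRK1yHkU
+GHMczNH36eX0VuKyNcu/+NMXpWO0hIds+oTNx5Ao4w3n+IlhCx/A4T/P6Ar8qRh4
+vg/OtJZO3FohShUIhhVXgWTVDdChPEpiivlhb8Cm6qjJl0KH78vYCqLCKBAH9h3A
+kzSvl0EhbST1eiNTsnA4OCKelQGKNfehxqU3nNebvRktNNLLrKwT2w1/N4stgB+w
+41DF9s+VNTF2HZ2vN6DRhjmLks/v7De81fPjJyVy4gw0G0GR7O0=
+=DqKw
+-----END PGP SIGNATURE-----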
@ -1,73 +0,0 @@
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c
|
||||
index 213c45cb33..0b28c8db7a 100644
|
||||
--- a/bin/named/config.c
|
||||
+++ b/bin/named/config.c
|
||||
@@ -164,7 +164,7 @@ options {\n\
|
||||
fetches-per-server 0;\n\
|
||||
fetches-per-zone 0;\n\
|
||||
glue-cache yes;\n\
|
||||
- lame-ttl 600;\n"
|
||||
+ lame-ttl 0;\n"
|
||||
#ifdef HAVE_LMDB
|
||||
" lmdb-mapsize 32M;\n"
|
||||
#endif /* ifdef HAVE_LMDB */
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index ff04689685..0f001ba303 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -4840,8 +4840,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
|
||||
result = named_config_get(maps, "lame-ttl", &obj);
|
||||
INSIST(result == ISC_R_SUCCESS);
|
||||
lame_ttl = cfg_obj_asduration(obj);
|
||||
- if (lame_ttl > 1800) {
|
||||
- lame_ttl = 1800;
|
||||
+ if (lame_ttl > 0) {
|
||||
+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
|
||||
+ "disabling lame cache despite lame-ttl > 0 as it "
|
||||
+ "may cause performance issues");
|
||||
+ lame_ttl = 0;
|
||||
}
|
||||
dns_resolver_setlamettl(view->resolver, lame_ttl);
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 0358241d95..40c416dcf1 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -10122,25 +10122,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
|
||||
*/
|
||||
static isc_result_t
|
||||
rctx_lameserver(respctx_t *rctx) {
|
||||
- isc_result_t result;
|
||||
+ isc_result_t result = ISC_R_SUCCESS;
|
||||
fetchctx_t *fctx = rctx->fctx;
|
||||
resquery_t *query = rctx->query;
|
||||
|
||||
- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
|
||||
- !is_lame(fctx, query->rmessage))
|
||||
- {
|
||||
+ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
inc_stats(fctx->res, dns_resstatscounter_lame);
|
||||
log_lame(fctx, query->addrinfo);
|
||||
- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
|
||||
- fctx->type, rctx->now + fctx->res->lame_ttl);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
|
||||
- "could not mark server as lame: %s",
|
||||
- isc_result_totext(result));
|
||||
+ if (fctx->res->lame_ttl != 0) {
|
||||
+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
|
||||
+ &fctx->name, fctx->type,
|
||||
+ rctx->now + fctx->res->lame_ttl);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
|
||||
+ "could not mark server as lame: %s",
|
||||
+ isc_result_totext(result));
|
||||
+ }
|
||||
}
|
||||
rctx->broken_server = DNS_R_LAME;
|
||||
rctx->next_server = true;
|
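--- a/bind-avoid-fallthrough-warning-error.patch
+++ b/bind-avoid-fallthrough-warning-error.patch
@@ -0,0 +1,26 @@
+Index: bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
+===================================================================
+--- bind-9.16.23.orig/contrib/dlz/drivers/dlz_ldap_driver.c
++++ bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
+@@ -978,11 +978,13 @@ dlz_ldap_create(const char *dlzname, uns
+if (result != ISC_R_SUCCESS) {
+return (result);
+}
++ /* FALLTHROUGH */
+case 11:
+result = dlz_ldap_checkURL(argv[10], 3, "all nodes");
+if (result != ISC_R_SUCCESS) {
+return (result);
+}
++ /* FALLTHROUGH */
+case 10:
+if (strlen(argv[9]) > 0) {
+result = dlz_ldap_checkURL(argv[9], 3, "authority");
+@@ -990,6 +992,7 @@ dlz_ldap_create(const char *dlzname, uns
+return (result);
+}
+}
++ /* FALLTHROUGH */
+case 9:
+result = dlz_ldap_checkURL(argv[8], 3, "lookup");
+if (result != ISC_R_SUCCESS) {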
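Review bot: The three `/* FALLTHROUGH */` markers added before `case 11:`, `case 10:` and `case 9:` are comment-style annotations, which GCC accepts only below `-Wimplicit-fallthrough=5` and Clang does not recognise at all, so the warning-as-error this patch avoids can come back with a different compiler or a stricter warning level. Where the toolchain supports it, `__attribute__((fallthrough));` states the same intent in a form the compiler itself checks. The switch in dlz_ldap_create starts and ends outside both hunks, so the remaining case labels are not visible here and should be confirmed to carry the same annotation. The fall-through matters: each case validates one more argv URL through dlz_ldap_checkURL, so a `break` added later to silence the warning would skip validation of the lower-numbered arguments.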
@ -1,108 +0,0 @@
|
||||
Index: b/doc/arm/conf.py
|
||||
===================================================================
|
||||
--- a/doc/arm/conf.py
|
||||
+++ b/doc/arm/conf.py
|
||||
@@ -18,54 +18,58 @@ from docutils.nodes import Node, system_
|
||||
from docutils.parsers.rst import roles
|
||||
|
||||
from sphinx import addnodes
|
||||
-from sphinx.util.docutils import ReferenceRole
|
||||
+try:
|
||||
+ from sphinx.util.docutils import ReferenceRole
|
||||
|
||||
+ GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
|
||||
|
||||
-GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
|
||||
|
||||
-
|
||||
-# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
|
||||
-class GitLabRefRole(ReferenceRole):
|
||||
- def __init__(self, base_url: str) -> None:
|
||||
- self.base_url = base_url
|
||||
- super().__init__()
|
||||
-
|
||||
- def run(self) -> Tuple[List[Node], List[system_message]]:
|
||||
- gl_identifier = '[GL %s]' % self.target
|
||||
-
|
||||
- target_id = 'index-%s' % self.env.new_serialno('index')
|
||||
- entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
|
||||
-
|
||||
- index = addnodes.index(entries=entries)
|
||||
- target = nodes.target('', '', ids=[target_id])
|
||||
- self.inliner.document.note_explicit_target(target)
|
||||
-
|
||||
- try:
|
||||
- refuri = self.build_uri()
|
||||
- reference = nodes.reference('', '', internal=False, refuri=refuri,
|
||||
- classes=['gl'])
|
||||
- if self.has_explicit_title:
|
||||
- reference += nodes.strong(self.title, self.title)
|
||||
- else:
|
||||
- reference += nodes.strong(gl_identifier, gl_identifier)
|
||||
- except ValueError:
|
||||
- error_text = 'invalid GitLab identifier %s' % self.target
|
||||
- msg = self.inliner.reporter.error(error_text, line=self.lineno)
|
||||
- prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
|
||||
- return [prb], [msg]
|
||||
-
|
||||
- return [index, target, reference], []
|
||||
-
|
||||
- def build_uri(self):
|
||||
- if self.target[0] == '#':
|
||||
- return self.base_url + 'issues/%d' % int(self.target[1:])
|
||||
- if self.target[0] == '!':
|
||||
- return self.base_url + 'merge_requests/%d' % int(self.target[1:])
|
||||
- raise ValueError
|
||||
-
|
||||
-
|
||||
-def setup(_):
|
||||
- roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
|
||||
+ # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
|
||||
+ class GitLabRefRole(ReferenceRole):
|
||||
+ def __init__(self, base_url: str) -> None:
|
||||
+ self.base_url = base_url
|
||||
+ super().__init__()
|
||||
+
|
||||
+ def run(self) -> Tuple[List[Node], List[system_message]]:
|
||||
+ gl_identifier = '[GL %s]' % self.target
|
||||
+
|
||||
+ target_id = 'index-%s' % self.env.new_serialno('index')
|
||||
+ entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
|
||||
+
|
||||
+ index = addnodes.index(entries=entries)
|
||||
+ target = nodes.target('', '', ids=[target_id])
|
||||
+ self.inliner.document.note_explicit_target(target)
|
||||
+
|
||||
+ try:
|
||||
+ refuri = self.build_uri()
|
||||
+ reference = nodes.reference('', '', internal=False, refuri=refuri,
|
||||
+ classes=['gl'])
|
||||
+ if self.has_explicit_title:
|
||||
+ reference += nodes.strong(self.title, self.title)
|
||||
+ else:
|
||||
+ reference += nodes.strong(gl_identifier, gl_identifier)
|
||||
+ except ValueError:
|
||||
+ error_text = 'invalid GitLab identifier %s' % self.target
|
||||
+ msg = self.inliner.reporter.error(error_text, line=self.lineno)
|
||||
+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
|
||||
+ return [prb], [msg]
|
||||
+
|
||||
+ return [index, target, reference], []
|
||||
+
|
||||
+ def build_uri(self):
|
||||
+ if self.target[0] == '#':
|
||||
+ return self.base_url + 'issues/%d' % int(self.target[1:])
|
||||
+ if self.target[0] == '!':
|
||||
+ return self.base_url + 'merge_requests/%d' % int(self.target[1:])
|
||||
+ raise ValueError
|
||||
+
|
||||
+
|
||||
+ def setup(_):
|
||||
+ roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
|
||||
+
|
||||
+except ImportError:
|
||||
+ # better loose this feature, than failing the build
|
||||
+ pass
|
||||
|
||||
#
|
||||
# Configuration file for the Sphinx documentation builder.
|
77
bind.changes
77
bind.changes
@ -1,3 +1,80 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 3 07:52:38 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
|
||||
|
||||
- Upgrade to 9.16.23
|
||||
Security issues fixed:
|
||||
The "lame-ttl" option is now forcibly set to 0. This
|
||||
effectively disables the lame server cache, as it could
|
||||
previously be abused by an attacker to significantly
|
||||
degrade resolver performance. (CVE-2021-25219)
|
||||
|
||||
Bugs fixed:
|
||||
In 9.16.21:
|
||||
* When a dynamic zone was made available in another view
|
||||
using the "in-view" statement, running "rndc freeze"
|
||||
always reported an "already frozen" error even though
|
||||
the zone was successfully frozen.
|
||||
* Stale data in the cache could cause named to send
|
||||
non-minimized queries despite QNAME minimization being
|
||||
enabled.
|
||||
* When a DNSSEC-signed zone which only has a single
|
||||
signing key available is migrated to use KASP, that key
|
||||
is now treated as a Combined Signing Key (CSK).
|
||||
* When a member zone was removed from a catalog zone,
|
||||
journal files for the former were not deleted.
|
||||
* named-checkconf failed to detect syntactically invalid
|
||||
values of the "key" and "tls" parameters used to define
|
||||
members of remote server lists.
|
||||
* Fixed a regression which caused the EDNS TCP Keepalive option to be
|
||||
ignored inadvertently in client requests. It has now
|
||||
been fixed and this option is handled properly again.
|
||||
* Fixed a regression which altered the internal memory structure of
|
||||
zone databases, but neglected to update the MAPAPI value
|
||||
for zone files in "map" format. This caused named to
|
||||
attempt to load incompatible map files, triggering an
|
||||
assertion failure on startup. The MAPAPI value has now
|
||||
been updated, so named rejects outdated files when
|
||||
encountering them.
|
||||
* The thread-local isc_tid_v variable was not properly
|
||||
initialized when running BIND 9 as a Windows Service,
|
||||
leading to a crash on startup.
|
||||
* "map" files exceeding 2GB in size failed to load due to
|
||||
a size comparison that incorrectly treated the file size
|
||||
as a signed integer.
|
||||
In 9.16.22:
|
||||
* Remove the "adjust interface" mechanism which was
|
||||
responsible for setting up listeners on interfaces when
|
||||
the "*-source(-v6)" address and port were the same as
|
||||
the "listen-on(-v6)" address and port. Such a
|
||||
configuration is no longer supported; under certain
|
||||
timing conditions, that mechanism could prevent named
|
||||
from listening on some TCP ports. This has been fixed.
|
||||
* Multiple library names were mistakenly passed to the
|
||||
krb5-config utility when ./configure was invoked with
|
||||
the --with-gssapi=[/path/to/]krb5-config option. This
|
||||
has been fixed by invoking krb5-config separately for
|
||||
each required library.
|
||||
* Fixed a regression which broke backward compatibility for the
|
||||
"check-names master ..." and "check-names slave ..."
|
||||
options. This has been fixed.
|
||||
* Address a potential deadlock when checking zone content
|
||||
consistency.
|
||||
In 9.16.23:
|
||||
* Address Coverity warning in lib/dns/dnssec.c.
|
||||
* Fix a bug when comparing two RSA keys. There was a typo
|
||||
which caused the "p" prime factors to not being
|
||||
compared.
|
||||
* Fix an assertion failure caused by missing member zones
|
||||
during a reload of a catalog zone.
|
||||
This obsoletes bind-CVE-2021-25219.patch and
|
||||
bind-fix-build-with-older-sphinx.patch
|
||||
Other issues:
|
||||
A compile time waring about fall through in a switch statement
|
||||
has been averted by marking the cases as FALLTHROUGH.
|
||||
[bind-9.16.23.tar.xz, bind-9.16.23.tar.xz.sha512.asc,
|
||||
bind-CVE-2021-25219.patch, bind-fix-build-with-older-sphinx.patch,
|
||||
bind-avoid-fallthrough-warning-error.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 8 09:01:21 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
|
||||
|
||||
|
@ -46,7 +46,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: bind
|
||||
Version: 9.16.20
|
||||
Version: 9.16.23
|
||||
Release: 0
|
||||
Summary: Domain Name System (DNS) Server (named)
|
||||
License: MPL-2.0
|
||||
@ -66,8 +66,7 @@ Source70: bind.conf
|
||||
Source72: named.conf
|
||||
Patch52: named-bootconf.diff
|
||||
Patch56: bind-ldapdump-use-valid-host.patch
|
||||
Patch68: bind-fix-build-with-older-sphinx.patch
|
||||
Patch69: bind-CVE-2021-25219.patch
|
||||
Patch57: bind-avoid-fallthrough-warning-error.patch
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: libmysqlclient-devel
|
||||
BuildRequires: libopenssl-devel
|
||||
|