From eec4a4f40d12876119a79d7f4cba01194103c5519d7216f73e3d49167a3c5402 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 27 Mar 2013 12:36:47 +0000
Subject: [PATCH] - Updated to 9.9.2-P2 (bnc#811876) Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266 * Security Fixes Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688] - added gpg key source verification OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=111
---
bind-9.9.2-P1.tar.gz | 3 ---
bind-9.9.2-P2.tar.gz | 3 +++
bind-9.9.2-P2.tar.gz.asc | 12 ++++++++++++
bind.changes | 13 +++++++++++++
bind.keyring | 31 +++++++++++++++++++++++++++++++
bind.spec | 13 +++++++++++--
named.root | 6 +++---
7 files changed, 73 insertions(+), 8 deletions(-)
delete mode 100644 bind-9.9.2-P1.tar.gz
create mode 100644 bind-9.9.2-P2.tar.gz
create mode 100644 bind-9.9.2-P2.tar.gz.asc
create mode 100644 bind.keyring
diff --git a/bind-9.9.2-P1.tar.gz b/bind-9.9.2-P1.tar.gz
deleted file mode 100644
index e93c58b..0000000
--- a/bind-9.9.2-P1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4bce7c020402623333b655be5167ae8c52f30a6bfe9750caa3ab70da7d90219c
-size 7277498
diff --git a/bind-9.9.2-P2.tar.gz b/bind-9.9.2-P2.tar.gz
new file mode 100644
index 0000000..c9c97cf
--- /dev/null
+++ b/bind-9.9.2-P2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ff822734e3550969251411e20f6f7397d14a912613a42af423752e93fdb565d2
+size 7277958
diff --git a/bind-9.9.2-P2.tar.gz.asc b/bind-9.9.2-P2.tar.gz.asc
new file mode 100644
index 0000000..c60fefd
--- /dev/null
+++ b/bind-9.9.2-P2.tar.gz.asc
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
+Comment: GPGTools - http://gpgtools.org
+
+iQEcBAABAgAGBQJRTKtMAAoJEEWseFcYnNvF8/MH/iumeUL6oxa6oVk/RaBj+J0T
+/ETUPoUoMGsz92bK7PgpvR/R9i0PVrA+79j3VLgsoXFEVPtZfBQeVXW08tWkeWdD
+S2asvEdEHxPla6pIQ9jOrevXwt7vdTjWgXpqXcSXsJ2SXOYYYUMIjTW7IFa5vyaL
+VUVirJpxTwxaw7rdYTGMGdD86DYpWi+hlFUdXuc+tbcUpEJrEiJhRoV9dwMsHOuS
+7APlB06WAnfluWzmjUk5Q0vl9XiXDRqagDUl3Ovas3ceHgEucqh0kMOtwLHBjQ0U
+n8C2+EpdLCnDThpwJ2IZdKomM6QoFLBbsTmBWUxONjqGwMpICZIbrxHoNfGEv0E=
+=vmRC
+-----END PGP SIGNATURE-----
diff --git a/bind.changes b/bind.changes
index 036bef1..e93e339 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Mar 27 12:33:34 UTC 2013 - meissner@suse.com
+
+- Updated to 9.9.2-P2 (bnc#811876)
+ Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266
+
+ * Security Fixes
+ Removed the check for regex.h in configure in order to disable regex
+ syntax checking, as it exposes BIND to a critical flaw in libregex
+ on some platforms. [RT #32688]
+
+- added gpg key source verification
+ ------------------------------------------------------------------- Thu Dec 6 08:00:31 UTC 2012 - meissner@suse.com
diff --git a/bind.keyring b/bind.keyring
new file mode 100644
index 0000000..525fbc1
--- /dev/null
+++ b/bind.keyring
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (NetBSD)
+
+mQENBFEKeFYBCADaN83gsb0VDjlGZkYra0PPlHz/eczKBU+/6I/VBq/FcsFEc27/
+O8IE05rIID10rXLjZ0k8y4ydvhI40eVZfxwaFvQEX/StVtU1ie3F7TS02ZuJ1yal
+YRtU29hhnZ5icDdiJ98gcZSH2WKhIWLRpmc60Lja/sTsO0lkLPJe9x2MDuzkQu9M
+Z7hlMgqZxZ1I/mQ/KsjT3oUt8euwyntg8/w/cpY8H0EVjyBnZWV2yejsLnbCo947
+hbjvUMSluGs7AZP0d+yqpGNsgRQ9iHy0NiL3ELdBqD22cqGRGTkX76KcLoXvqLVY
+450bBtXsI2uUXy5iL/eUkUP2JgWQybjju/M3ABEBAAG0SEludGVybmV0IFN5c3Rl
+bXMgQ29uc29ydGl1bSwgSW5jLiAoU2lnbmluZyBrZXksIDIwMTMpIDxjb2Rlc2ln
+bkBpc2Mub3JnPokBPgQTAQIAKAUCUQp4VgIbAwUJA8JnAAYLCQgHAwIGFQgCCQoL
+BBYCAwECHgECF4AACgkQRax4Vxic28XzIQf6AwLblJ98KI6l8gWqKVHMErYgl9+Q
+RiIxrqJtyn4OjeZHX9diVjv2HlsRjnTpNl5MiSB9tXvq+GX696w6dtpoqYjZEQoP
+ZCwE2USR6XO71eYO3rxLBnc0ymRvQm4zB2YKqworQDym0+wE8xiGBO8LyyVDfS5G
+aGWXl0YJkfNYXzhEp6toIiLwRE0uP0TarHcHCo2CboVBgODvDZqwSBfT+i6dT+Gy
+6nVEh3j7XnqgjCQ25cGev9sHR3hobT/fxG0F2YZ7sMwpWj9q0Y/dOlY7SV/ZGSs+
+ubKQ55BWsTjJRrNqyDX8QLb8oVic5q/yQkV+RTs1sP5s6JSs0KqQdyR3ZbkBDQRR
+CnhWAQgApxtu688JKcr6NXWOneWXn1Pti2jRhdVKNlNkGgLJ76vQTVdMmmTDwEty
+YQM6C9qjIXj8cEwz+LGRUXoCXOX9Yokf5oOjNpQutn4KVS+IRvWMYaK0qsTaa/c0
+FaIiFWvswyGucXAX/q9H5IoK8uYKXv5ww7+x3l1etg9/QdDQ/CANyMQbjBn38Wfn
+Fy/zoUl+mMZLfqs+3NwT5C+m/4M99SoyC7XQLaZt3PBO4rVjUnMkCgiXsNdDIZnv
+0XgUKyzSgrdPZcqKEG3yj8v5aTOC2k60Ffw1/ytA3hyfxLmdxxsyGyNQ4ZY8ZxmB
+Z6AyUWVK95bL4oQqUCqfzSscHpWokQARAQABiQElBBgBAgAPBQJRCnhWAhsMBQkD
+wmcAAAoJEEWseFcYnNvF4JAH/0MlU+Iwu5k6II3KufE2agMsRD2hk1VkpZcC08qi
+LfHxX/4HrCZd7jcViLpFeK+I5JaDM2G21Co9jBMoPh+EUDnalG3eglXgeNEbUfAZ
+pM7c9UejTNVmrw6crcgeUhKS2l0oBu9gRRlcSJEYY8XngfKJHBscCrsafp3RMVkO
+m4Ti4CcxOot3uQ10U8GojjtWp7bgqIaFBF8aV8vugXJLl9IHqgVEtvo9miM+0Tfi
+evOzuZMrgVY4zI2ZiLcrVM1KuIeZ2nIKbNWkJpDH2ZwUfsIx/KTxjpqld+NStzGQ
+B9v1wazIBDHQU4hq5ddOlk0lrLDAmMJzHbavlduWmFRkuv4=
+=bGLP
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/bind.spec b/bind.spec
index 037f515..f9d4489 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,7 +1,7 @@ # # spec file for package bind # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ Name: bind %define pkg_name bind -%define pkg_vers 9.9.2-P1 +%define pkg_vers 9.9.2-P2 BuildRequires: krb5-devel BuildRequires: libcap BuildRequires: libcap-devel @@ -44,6 +44,9 @@ Requires: %{name}-utils PreReq: %fillup_prereq %insserv_prereq bind-utils /bin/grep /bin/sed /bin/mkdir /usr/bin/tee /bin/chmod /bin/chown /bin/mv /bin/cat /usr/bin/dirname /usr/bin/diff /usr/bin/old /usr/sbin/groupadd /usr/sbin/useradd /usr/sbin/usermod Url: http://isc.org/sw/bind/ Source: ftp://ftp.isc.org/isc/bind9/%{pkg_vers}/bind-%{pkg_vers}.tar.gz +Source3: ftp://ftp.isc.org/isc/bind9/%{pkg_vers}/bind-%{pkg_vers}.tar.gz.asc +# from http://www.isc.org/about/openpgp/ ... changes yearly apparently. +Source4: %name.keyring Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source9: ftp://ftp.internic.net/domain/named.root @@ -56,6 +59,9 @@ Patch51: pie_compile.diff Patch52: named-bootconf.diff Patch100: configure.in.diff2 Patch110: workaround-compile-problem.diff +%if 0%{?suse_version} > 1220 +BuildRequires: gpg-offline +%endif # Rate limiting patch by Paul Vixie et.al. for reflection DoS protection # see http://www.redbarn.org/dns/ratelimits @@ -185,6 +191,9 @@ test and query the Domain Name System (DNS). The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. %prep +%if 0%{?suse_version} > 1220 +%gpg_verify %{S:3} +%endif %setup -q -n %{pkg_name}-%{pkg_vers} #%setup -n %{pkg_name}-%{version} -T -D -a1 -a50 %setup -q -n %{pkg_name}-%{pkg_vers} -T -D -a1 diff --git a/named.root b/named.root index baf3fc0..2fba31d 100644 --- a/named.root +++ b/named.root 
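Review bot: The comment above `Source4: %name.keyring` names a plain-http page as the origin of the signing key and records nothing that lets a later maintainer confirm the keyring is the one ISC publishes. `Source` and `Source3` are both fetched from the same ftp:// location, so the signature check is only as strong as the independently obtained keyring. I would record the key identity next to the source line, for example `# ISC code-signing key, fingerprint <FINGERPRINT>, compared out of band on <DATE>; the key appears to be replaced yearly, so refresh bind.keyring with each update`. The placeholders are mine and the real values have to come from the maintainer.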
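Review bot: The `%if 0%{?suse_version} > 1220` guard around `%gpg_verify %{S:3}` in the `%prep` hunk means that targets with suse_version 1220 or lower, or with the macro undefined, unpack the tarball with no signature check and no hint in the build log. Presumably gpg-offline is not packaged there; if so, a comment above the guard should say it, such as `# gpg-offline is unavailable on suse_version <= 1220; those targets build WITHOUT source signature verification`. The same guard wraps `BuildRequires: gpg-offline` in the preceding hunk, where it sits between `Patch110` and the rate-limiting patch comment; placing it with the other BuildRequires lines near the top would keep the build dependencies together. The `%prep` section continues past the end of the hunk.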
@@ -9,8 +9,8 @@ ; on server FTP.INTERNIC.NET ; -OR- RS.INTERNIC.NET ; -; last update: Jun 8, 2011 -; related version of root zone: 2011060800 +; last update: Jan 3, 2013 +; related version of root zone: 2013010300 ; ; formerly NS.INTERNIC.NET ; @@ -31,7 +31,7 @@ C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 ; FORMERLY TERP.UMD.EDU ; . 3600000 NS D.ROOT-SERVERS.NET. -D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D ; ; FORMERLY NS.NASA.GOV