Add /dev/urandom to chroot env
note: it is not world-writable, to make our rpmlint security checker happy, and it is not required anyway
without this, named start shows warnings in journal:
Feb 16 13:28:35 testleap named[1514]: could not open entropy source /dev/urandom: file not found
Feb 16 13:28:35 testleap named[1514]: using pre-chroot entropy source /dev/urandom
OBS-URL: https://build.opensuse.org/request/show/577255
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=232
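A post-install check for the situation the entry above describes, added here as an example and not part of the openSUSE bind package: it confirms that a named chroot carries a /dev/urandom character device with the right device numbers and no world-write bit, so named does not have to fall back to the pre-chroot entropy source. The chroot path and the mknod recipe in the trailing comment are assumptions, not the package's own spec logic.

```shell
#!/bin/sh
# Added verification helper (not from the openSUSE bind package):
# confirm that a named chroot directory carries a usable /dev/urandom
# node that is NOT world-writable, matching the packaging note above.
# The chroot path is an assumption; openSUSE's default is /var/lib/named.

check_chroot_urandom() {
    dir=$1
    node="$dir/dev/urandom"

    if [ ! -e "$node" ]; then
        echo "missing: $node (named would fall back to the pre-chroot source)" >&2
        return 1
    fi
    if [ ! -c "$node" ]; then
        echo "not a character device: $node" >&2
        return 1
    fi
    # Linux urandom is major 1, minor 9; GNU stat prints them in hex.
    if [ "$(stat -c '%t:%T' "$node")" != "1:9" ]; then
        echo "wrong device numbers: $node" >&2
        return 1
    fi
    # Octal mode: the last digit holds the 'other' bits, write is bit 2.
    mode=$(stat -c '%a' "$node")
    case "$mode" in
        *[2367])
            echo "world-writable (mode $mode): $node" >&2
            return 1 ;;
    esac
    return 0
}

# Creating the node when it is absent is a root-only step; one way
# (assumed, not the package's own recipe) is:
#   mknod -m 0644 /var/lib/named/dev/urandom c 1 9

if [ $# -gt 0 ]; then
    check_chroot_urandom "$1"
fi
```

Run it as `sh check.sh /var/lib/named`; a non-zero exit with the reason on stderr means named will log the "could not open entropy source" warning shown above on its next start.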
- Add back init scripts, systemd units aren't ready yet
- Add python3-bind subpackage to allow python bind interactions
- Sync configure options with RH package and remove unused ones
* Enable python3
* Enable gssapi
* Enable dnssec scripts
- Drop idnkit from the build; bind has used libidn since 2007 to run
all the resolutions in dig/etc. bsc#1030306
- Add patch to make sure we build against system idn:
* bind-99-libidn.patch
- Refresh patch:
* pie_compile.diff
- Remove patches that are unused due to above:
* idnkit-powerpc-ltconfig.patch
* runidn.diff
- drop bind-openssl11.patch (merged upstream)
- Remove systemd conditionals as we are not building on sle11 anyway
- Force systemd to be the base for the initscript deployment
- Bump up version of most of the libraries
- Rename the subpackages to match the version updates
- Add macros for easier handling of the library package names
- Drop more unneeded patches
* dns_dynamic_db.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/545259
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=224
- Added bind-CVE-2017-3142-and-3143.patch to fix a security issue
where an attacker with the ability to send and receive messages
to an authoritative DNS server was able to circumvent TSIG
authentication of AXFR requests. A server that relies solely on
TSIG keys for protection with no other ACL protection could be
manipulated into (1) providing an AXFR of a zone to an
unauthorized recipient and (2) accepting bogus Notify packets.
[bsc#1046554, CVE-2017-3142, bsc#1046555, CVE-2017-3143]
OBS-URL: https://build.opensuse.org/request/show/507232
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=211
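The entry above calls out the at-risk configuration: zones whose AXFR and NOTIFY handling is gated by a TSIG key alone. The named.conf fragment below is an added illustration, not configuration shipped by the openSUSE package or by ISC; the zone name, key name, network range and secret are constructed placeholders. It shows the key-only form beside one that additionally requires a permitted source address, using BIND's nested-negation match-list idiom (match lists are OR-ed; `!{ !addr; any; }` rejects every address outside `addr` before the key clause is evaluated).

```conf
// --- Weak: transfer and notify gated by TSIG alone -------------------
// A server in this shape relied entirely on the check that
// CVE-2017-3142/CVE-2017-3143 let an unpatched named skip.
key "xfer-key" {                       // constructed example key name
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";   // generate with ddns-confgen / tsig-keygen
};

zone "example.net" {
    type master;
    file "master/example.net";
    allow-transfer { key "xfer-key"; };
    allow-notify   { key "xfer-key"; };
};

// --- Hardened: require BOTH a permitted address AND the key ----------
// First element denies any client outside 192.0.2.0/24 outright; only
// clients inside that range fall through to the key requirement.
zone "example.net" {
    type master;
    file "master/example.net";
    allow-transfer { !{ !192.0.2.0/24; any; }; key "xfer-key"; };
    allow-notify   { !{ !192.0.2.0/24; any; }; key "xfer-key"; };
};
```

Only one of the two `zone "example.net"` blocks can be present in a real file; they are shown together for comparison. Apply the patch regardless: the address ACL narrows who can attempt the bypass, it does not remove the bug.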
to break a service dependency cycle (bsc#947483, bsc#963971).
- Make /var/lib/named owned by the named user (bsc#908850,
bsc#875691).
- Call systemd service macros with the full service name.
- Security update 9.10.3-P4:
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=194
* CVE-2016-1285, bsc#970072: assert failure on input parsing can
cause premature exit.
* CVE-2016-1286, bsc#970073: An error when parsing signature
records for DNAME can lead to named exiting due to an assertion
failure.
* CVE-2016-2088, bsc#970074: a deliberately misconstructed packet
containing multiple cookie options to cause named to terminate
with an assertion failure.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=190
* Specific APL data could trigger an INSIST (CVE-2015-8704,
bsc#962189).
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could
be mishandled, resulting in an assertion failure
(CVE-2015-8705, bsc#962190).
* Authoritative servers that were marked as bogus (e.g.
blackholed in configuration or with invalid addresses) were
being queried anyway.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=183
Security Fixes
* A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #39795]
* On servers configured to perform DNSSEC validation, an assertion failure
could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone load was
already in progress; this could trigger a crash in zt.c. [RT #37573]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could be treated
as if they did; consequently, setting qname-wait-recurse no; was
sometimes ineffective. This has been corrected. In most configurations,
behavioral changes due to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves, if a
policy zone updated during regular operation (rather than at startup)
using a full zone reload, such as via AXFR, a bug could allow the RPZ
summary data to fall out of sync, potentially leading to an assertion
failure in rpz.c when further incremental updates were made to the zone,
such as via IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was initiated while
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=174
- An uninitialized value in validator.c could result in an assertion failure.
(CVE-2015-4620) [RT #39795]
- Update to version 9.10.2-P1
- Include client-ip rules when logging the number of RPZ rules of each type.
[RT #39670]
- Addressed further problems with reloading RPZ zones. [RT #39649]
- Addressed a regression introduced in change #4121. [RT #39611]
- The server could match a shorter prefix than what was available in
CLIENT-IP policy triggers, and so, an unexpected action could be taken.
This has been corrected. [RT #39481]
- On servers with one or more policy zones configured as slaves, if a policy
zone updated during regular operation (rather than at startup) using a full
zone reload, such as via AXFR, a bug could allow the RPZ summary data to
fall out of sync, potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via IXFR.
[RT #39567]
- A bug in RPZ could cause the server to crash if policy zones were updated
while recursion was pending for RPZ processing of an active query.
[RT #39415]
- Fix a bug in RPZ that could cause some policy zones that did not
specifically require recursion to be treated as if they did; consequently,
setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]
- Asynchronous zone loads were not handled correctly when the zone load was
already in progress; this could trigger a crash in zt.c. [RT #37573]
- Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't
result in a bug during operation. If the read failed, named could segfault.
[RT #38559]
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=172
Fix inappropriate use of /var/lib/named for locating dynamic-DB plugins.
Dynamic-DB plugins are now loaded from %{_libexecdir}/bind, consistent with the openSUSE packaging guidelines.
Install additional header files which are helpful to the development of dynamic-DB plugins.
Please note that the so-far only implementation of a dynamic-DB plugin does not support running in a chroot environment very well; there is a great performance impact in doing so.
OBS-URL: https://build.opensuse.org/request/show/311393
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=169