Commit Graph

176 Commits

Author SHA256 Message Date
Lars Müller
f94eebf621 - Update to version 9.10.2-P3
Security Fixes
  * A specially crafted query could trigger an assertion failure in message.c.
    This flaw was discovered by Jonathan Foote, and is disclosed in
    CVE-2015-5477. [RT #39795]
  * On servers configured to perform DNSSEC validation, an assertion failure
    could be triggered on answers from a specially configured server.
    This flaw was discovered by Breno Silveira Soares, and is disclosed
    in CVE-2015-4620. [RT #39795]
  Bug Fixes
  * Asynchronous zone loads were not handled correctly when the zone load was
    already in progress; this could trigger a crash in zt.c. [RT #37573]
  * Several bugs have been fixed in the RPZ implementation:
    + Policy zones that did not specifically require recursion could be treated
      as if they did; consequently, setting qname-wait-recurse no; was
      sometimes ineffective. This has been corrected. In most configurations,
      behavioral changes due to this fix will not be noticeable. [RT #39229]
    + The server could crash if policy zones were updated (e.g. via
      rndc reload or an incoming zone transfer) while RPZ processing
      was still ongoing for an active query. [RT #39415]
    + On servers with one or more policy zones configured as slaves, if a
      policy zone updated during regular operation (rather than at startup)
      using a full zone reload, such as via AXFR, a bug could allow the RPZ
      summary data to fall out of sync, potentially leading to an assertion
      failure in rpz.c when further incremental updates were made to the zone,
      such as via IXFR. [RT #39567]
    + The server could match a shorter prefix than what was
      available in CLIENT-IP policy triggers, and so, an unexpected
      action could be taken. This has been corrected. [RT #39481]
    + The server could crash if a reload of an RPZ zone was initiated while

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=174
2015-07-29 19:36:46 +00:00
Lars Müller
5693887a0c - Update to version 9.10.2-P2
- An uninitialized value in validator.c could result in an assertion failure.
    (CVE-2015-4620) [RT #39795]
- Update to version 9.10.2-P1
  - Include client-ip rules when logging the number of RPZ rules of each type.
    [RT #39670]
  - Addressed further problems with reloading RPZ zones. [RT #39649]
  - Addressed a regression introduced in change #4121. [RT #39611]
  - The server could match a shorter prefix than what was available in
    CLIENT-IP policy triggers, and so, an unexpected action could be taken.
    This has been corrected. [RT #39481]
  - On servers with one or more policy zones configured as slaves, if a policy
    zone updated during regular operation (rather than at startup) using a full
    zone reload, such as via AXFR, a bug could allow the RPZ summary data to
    fall out of sync, potentially leading to an assertion failure in rpz.c when
    further incremental updates were made to the zone, such as via IXFR.
    [RT #39567]
  - A bug in RPZ could cause the server to crash if policy zones were updated
    while recursion was pending for RPZ processing of an active query.
    [RT #39415]
  - Fix a bug in RPZ that could cause some policy zones that did not
    specifically require recursion to be treated as if they did; consequently,
    setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]
  - Asynchronous zone loads were not handled correctly when the zone load was
    already in progress; this could trigger a crash in zt.c. [RT #37573]
  - Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't
    result in a bug during operation. If the read failed, named could segfault.
    [RT #38559]

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=172
2015-07-10 20:54:40 +00:00
Lars Müller
2d26a35729 Change log line wrapping.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=170
2015-06-18 13:14:58 +00:00
755db9e738 Accepting request 311393 from home:guohouzuo:freeipa
Fix inappropriate use of /var/lib/named for locating dynamic-DB plugins.
Dynamic-DB plugins are now loaded from %{_libexecdir}/bind, consistent with openSUSE packaging guideline.
Install additional header files which are helpful to the development of dynamic-DB plugins.

Please note that - the so-far only implementation of dyanmic-DB plugin does not support running in chroot environment very well, there is great performance impact in doing so.

OBS-URL: https://build.opensuse.org/request/show/311393
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=169
2015-06-18 12:30:16 +00:00
Lars Müller
1ea9273bb0 This change set makes bind build again for SLE 11 too.
- Depend on systemd macros and sysvinit on post-12.3 only.
- Create empty lwresd.conf at build time.
- Reduce file list pre-13.1.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=167
2015-05-08 18:11:21 +00:00
Lars Müller
44ffc351bb - Update to version 9.10.2
- Handle timeout in legacy system test. [RT #38573]
  - dns_rdata_freestruct could be called on a uninitialised structure when
    handling a error. [RT #38568]
  - Addressed valgrind warnings. [RT #38549]
  - UDP dispatches could use the wrong pseudorandom
    number generator context. [RT #38578]
  - Fixed several small bugs in automatic trust anchor management, including a
    memory leak and a possible loss of key state information. [RT #38458]
  - 'dnssec-dsfromkey -T 0' failed to add ttl field. [RT #38565]
  - Revoking a managed trust anchor and supplying an untrusted replacement
    could cause named to crash with an assertion failure.
    (CVE-2015-1349) [RT #38344]
  - Fix a leak of query fetchlock. [RT #38454]
  - Fix a leak of pthread_mutexattr_t. [RT #38454]
  - RPZ could send spurious SERVFAILs in response
    to duplicate queries. [RT #38510]
  - CDS and CDNSKEY had the wrong attributes. [RT #38491]
  - adb hash table was not being grown. [RT #38470]
- Update bind.keyring
- Update baselibs.conf due to updates to libdns160 and libisc148

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=166
2015-05-08 15:44:01 +00:00
Lars Müller
fa2687cc7a Accepting request 305950 from home:guohouzuo:freeipa
- Enable export libraries to support plugin development.
  Install DNSSEC root key.
  Expose new interface for developing dynamic zone database.
  + dns_dynamic_db.patch

OBS-URL: https://build.opensuse.org/request/show/305950
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=165
2015-05-08 14:24:45 +00:00
a72d9724b3 Accepting request 285468 from home:k0da:branches:network
- PowerPC can build shared libraries for sure.
  idnkit-powerpc-ltconfig.patch

OBS-URL: https://build.opensuse.org/request/show/285468
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=163
2015-02-11 12:29:20 +00:00
Andrey Karepin
4d1f101c72 added mistakenly deleted row (Request 266520)
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=161
2015-01-11 18:19:25 +00:00
Andrey Karepin
43ba3368ef Accepting request 266520 from home:jengelh:branches:network
- Explicitly BuildRequire systemd-rpm-macros since it is used
  for lwresd %post etc. Then drop pre-12.x material.
  Remove configure.in.diff2.

OBS-URL: https://build.opensuse.org/request/show/266520
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=160
2015-01-11 16:14:25 +00:00
Lars Müller
ce7779f753 Add lost hyphen to minimize diff with the submit request to factory.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=158
2014-12-11 15:29:03 +00:00
Lars Müller
70eef698ee Accepting request 264794 from home:jengelh:branches:network
- Corrections to baselibs.conf
Just merge my changes properly already.

OBS-URL: https://build.opensuse.org/request/show/264794
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=157
2014-12-11 14:46:49 +00:00
Lars Müller
24da4f54fa Accepting request 264596 from home:lmuelle:bind
- Update to version 9.10.1-P1
  - A flaw in delegation handling could be exploited to put named into an
    infinite loop.  This has been addressed by placing limits on the number of
    levels of recursion named will allow (default 7), and the number of
    iterative queries that it will send (default 50) before terminating a
    recursive query (CVE-2014-8500); (bnc#908994).
    The recursion depth limit is configured via the "max-recursion-depth"
    option, and the query limit via the "max-recursion-queries" option.
    [RT #37580]
  - When geoip-directory was reconfigured during named run-time, the
    previously loaded GeoIP data could remain, potentially causing wrong ACLs
    to be used or wrong results to be served based on geolocation
    (CVE-2014-8680). [RT #37720]; (bnc#908995).
  - Lookups in GeoIP databases that were not loaded could cause an assertion
    failure (CVE-2014-8680). [RT #37679]; (bnc#908995).
  - The caching of GeoIP lookups did not always handle address families
    correctly, potentially resulting in an assertion failure (CVE-2014-8680).
    [RT #37672]; (bnc#908995).

OBS-URL: https://build.opensuse.org/request/show/264596
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=156
2014-12-09 22:47:11 +00:00
c38019450e Accepting request 264325 from home:lmuelle:bind
Merge request 264305:

- Convert some hard PreReq to leaner Requires(pre).
- Typograhical and orthographic fixes to description texts.

Changes already present with request 264243:

- Fix bashisms in the createNamedConfInclude script.
- Post scripts: remove '-e' option of 'echo' that may be unsupported
  in some POSIX-compliant shells.

- Add openssl engines to the lwresd chroot.
- Add /etc/lwresd.conf with attribute ghost to the list of files.
- Add /run/lwresd to the list of files of the lwresd package.
- Shift /run/named from the chroot sub to the main bind package.
- Drop /proc from the chroot as multi CPU systems work fine even without it.

OBS-URL: https://build.opensuse.org/request/show/264325
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=155
2014-12-08 08:18:17 +00:00
c1eb80a9c7 - Removed pid-path.diff
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=154
2014-12-05 10:58:49 +00:00
932f848950 Accepting request 264083 from home:lmuelle:bind
- Add a versioned dependency when obsoleting packages.

- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).

- Fix gssapi_krb configure time header detection.

- Update root zone (dated Nov 5, 2014).

- Update to version 9.10.1
  - This release addresses the security flaws described in CVE-2014-3214 and
     CVE-2014-3859.
- Update to version 9.10.0
- Update to version 9.9.6

  Cf the bind changes file for all the details of 9.9.6 till 9.10.1.

- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).

OBS-URL: https://build.opensuse.org/request/show/264083
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=153
2014-12-05 10:12:05 +00:00
Lars Müller
e179acbc40 Accepting request 261547 from home:dimstar:gpg2
OBS-URL: https://build.opensuse.org/request/show/261547
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=152
2014-11-14 10:36:34 +00:00
Reinhard Max
dab82c1e27 Accepting request 253555 from home:jengelh:branches:network
the IDN parts are totally optional

OBS-URL: https://build.opensuse.org/request/show/253555
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=151
2014-10-16 14:25:14 +00:00
Andrey Karepin
48ca52dcbe Accepting request 248172 from home:WernerFink:branches:network
- Require systemd-rpm-macros at build

OBS-URL: https://build.opensuse.org/request/show/248172
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=149
2014-09-12 05:49:00 +00:00
Reinhard Max
c0a72d4f0b Accepting request 248035 from home:WernerFink:branches:network
- Use the systemd service macros to make sure init scripts are
  registered properly (bnc#894627)

OBS-URL: https://build.opensuse.org/request/show/248035
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=148
2014-09-08 14:06:56 +00:00
Reinhard Max
27153bee19 - Version 9.9.5P1 also fixes a problem with zone transfers on
multicore machines (bnc#882511).

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=147
2014-09-03 11:44:55 +00:00
Reinhard Max
40916246e7 - Version 9.9.5P1 also fixes orphan mode (bnc#883859).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=146
2014-09-03 11:40:39 +00:00
ed559646e6 Accepting request 243329 from home:lmuelle:branches:network
- Package dnssec-checkds and dnssec-coverage binaries and man pages only on
  post-11.1 systems.

- Update to version 9.9.5P1
  Various bugfixes and some feature fixes. (see CHANGES files)
  Security and maintenance issues:
  - [bug] Don't call qsort with a null pointer. [RT #35968]
  - [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968]
  - [port] linux: libcap support: declare curval at start of block. [RT #35387]
- Update to version 9.9.5
  Various bugfixes and some feature fixes. (see CHANGES files)
- Updated to current rpz patch from·http://ss.vix.su/~vjs/rrlrpz.html
  - rpz2-9.9.4.patch
  + rpz2+rl-9.9.5.patch

OBS-URL: https://build.opensuse.org/request/show/243329
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=144
2014-08-01 11:43:42 +00:00
Sascha Peilicke
03789a4890 Accepting request 235970 from home:computersalat:devel:network
add stuff for DNSSEC validation to named.conf

OBS-URL: https://build.opensuse.org/request/show/235970
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=142
2014-06-02 09:09:36 +00:00
b25ceb6024 Accepting request 235320 from home:elvigia:branches:network
- Build with LFS_CFLAGS in 32 bit systems.

OBS-URL: https://build.opensuse.org/request/show/235320
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=141
2014-06-01 10:06:10 +00:00
Reinhard Max
8dac1c49a4 Re-sync changes file with SLE12.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=139
2014-05-08 10:01:10 +00:00
Reinhard Max
9927c8db29 Accepting request 233009 from home:oertel:branches:network
- use %_rundir macro

OBS-URL: https://build.opensuse.org/request/show/233009
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=138
2014-05-08 09:51:15 +00:00
Reinhard Max
f40daf517b - Add the sdb-ldap backend module (fate#313216).
- Details can be found here:
  * http://bind9-ldap.bayour.com/
  * http://bind9-ldap.bayour.com/dnszonehowto.html

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=136
2014-01-24 10:15:48 +00:00
Reinhard Max
6fa65ad99d unfuzz rpz2-9.9.4.patch
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=135
2014-01-21 17:29:39 +00:00
Reinhard Max
2280b862ef - Update to version 9.9.4P2
* Fixes named crash when handling malformed NSEC3-signed zones
    (CVE-2014-0591, bnc#858639)
  * Obsoletes workaround-compile-problem.diff
- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
  supported upstream (--enable-rrl).

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=134
2014-01-21 17:09:17 +00:00
Reinhard Max
f61744ed46 Remove createNamedConfInclude~
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=132
2013-12-09 13:33:42 +00:00
Reinhard Max
c13e4cf96e Fix creation of /etc/named.conf.include .
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=131
2013-12-09 12:23:41 +00:00
Reinhard Max
e0efd1bf47 - Systemd doesn't set $TERM, and hence breaks tput (bnc#823175).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=129
2013-08-07 15:23:09 +00:00
Reinhard Max
b255a507e5 - Systemd doesn't set $TERM, and hence breaks tput.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=128
2013-08-07 15:21:50 +00:00
Reinhard Max
ef9b332868 - Improve pie_compile.diff (bnc#828874).
- dnssec-checkds and dnssec-coverage need python-base.
- disable rpath in libtool.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=127
2013-08-06 13:06:41 +00:00
Reinhard Max
2e7cad6b7d dnssec-checkds and dnssec-coverage need python-base for building.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=126
2013-08-06 09:11:23 +00:00
Reinhard Max
28ef07b698 - Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899.
* Incorrect bounds checking on private type 'keydata' can lead
    to a remotely triggerable REQUIRE failure.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=125
2013-08-05 14:51:21 +00:00
Reinhard Max
8e89b870e6 - Remove non-working apparmor profiles (bnc#740327).
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=123
2013-07-24 15:38:10 +00:00
918e706647 - the README file is not a directory, drop the dir attribute
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=121
2013-07-17 12:09:28 +00:00
67378e3874 - moved dnssec-* helpers to bind-utils package. bnc#813911
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=119
2013-06-27 09:27:34 +00:00
7f803cee73 - Updated to current rate limiting + rpz patch from
http://ss.vix.su/~vjs/rrlrpz.html

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=118
2013-06-26 12:27:48 +00:00
306b1609e0 Security and maintenance issues:
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=117
2013-06-26 10:51:54 +00:00
7dbe78dc6a - Use updated config.guess/sub in the embedded idnkit sources
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=116
2013-06-26 10:50:57 +00:00
8591e27de2 - Updated to 9.9.3-P1
Various bugfixes and some feature fixes. (see CHANGES files)
  Security and maintenance issues: 
  -	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c [RT #33690]
  -	[security]	Support NAPTR regular expression validation on
			all platforms without using libregex, which
			can be vulnerable to memory exhaustion attack
			(CVE-2013-2266). [RT #32688]
  -	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
  -	[bug]		Fixed several Coverity warnings.
			Note: This change includes a fix for a bug that
			was subsequently determined to be an exploitable
			security vulnerability, CVE-2012-5688: named could
			die on specific queries with dns64 enabled.
			[RT #30996]
  -	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
  -	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=115
2013-06-26 10:50:27 +00:00
e2db8fe61f Accepting request 174818 from devel:ARM:AArch64:Factory
- Use updated config.guess/sub in the embedded idnkit sources

OBS-URL: https://build.opensuse.org/request/show/174818
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=113
2013-05-08 13:45:12 +00:00
eec4a4f40d - Updated to 9.9.2-P2 (bnc#811876)
Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266
  * Security Fixes
    Removed the check for regex.h in configure in order to disable regex
    syntax checking, as it exposes BIND to a critical flaw in libregex
    on some platforms. [RT #32688]
- added gpg key source verification

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=111
2013-03-27 12:36:47 +00:00
4d43181a2f OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=109 2012-12-06 15:46:53 +00:00
d414c6c46e OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=108 2012-12-06 15:46:13 +00:00
636c118d37 - Updated to 9.9.2-P1 (bnc#792926)
https://kb.isc.org/article/AA-00828
  * Security Fixes
    Prevents named from aborting with a require assertion failure on
    servers with DNS64 enabled.  These crashes might occur as a result of
    specific queries that are received.  (Note that this fix is a subset
    of a series of updates that will be included in full in BIND 9.8.5
    and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
    A deliberately constructed combination of records could cause
    named to hang while populating the additional section of a
    response. [CVE-2012-5166] [RT #31090]
    Prevents a named assert (crash) when queried for a record whose
    RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
    Prevents a named assert (crash) when validating caused by using
    "Bad cache" data before it has been initialized. [CVE-2012-3817]
    [RT #30025]
    A condition has been corrected where improper handling of zero-length
    RDATA could cause undesirable behavior, including termination of
    the named process. [CVE-2012-1667]  [RT #29644]
    ISC_QUEUE handling for recursive clients was updated to address a race
    condition that could cause a memory leak. This rarely occurred with
    UDP clients, but could be a significant problem for a server handling
    a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
New Features
    Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]
    Introduces a new tool "dnssec-checkds" command that checks a zone to
    determine which DS records should be published in the parent zone,
    or which DLV records should be published in a DLV zone, and queries
    the DNS to ensure that it exists. (Note: This tool depends on python;

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=107
2012-12-06 08:05:49 +00:00
4161728e00 - added a ratelimiting (draft RFC) patch from Paul Vixie.
see http://www.redbarn.org/dns/ratelimits
  suggested by Stefan Schaefer <stefan@invis-server.org>

OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=105
2012-11-18 18:12:17 +00:00