Merge commit '89c42ea3bb40cb2dd621c9099028590d0e4ac3906cc1be7eeabd9b7118acbc2e' into slfo-main

- Upgrade to release 9.20.18
  (CVE-2025-13878)
  [bsc#1256997]

OBS-URL: https://build.opensuse.org/request/show/1328514
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=226

bind-9.20.11.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmhrokkACgkQGC4jV5Ri
-76pkhBAAr2uwXELHq6q2SCyoc46zEmGRv5Wzv99oh+ohESW+OTcDMhWgQxsbVO0m
-7FphbaVjv+Aj5HMb6txRFcrRG/XWgsTmhPXdYftmdOTd4wXPIgm54j+Ee5JSHbuq
-wAcfb+19HBpoP9wrPdCV5W3fqDJZtEJbo/yoQbxUOm30nMKQrEKENpZ8R0A5Qsxc
-FLAlfv+Wmkb2b0l9kk6NRFKSjPGkJXU/sjtOUejry4n90c7EgOSHixgujl2jwqy0
-ktuJD4LOA3wP7sUiyoShko3Z/Lhsoa51VbFt/5iki0oMFSDZ2lgFUWxcvZPD5zIf
-UHPfZ3F6DH0BotuDYyk57s2fo203M7b30kPjQBYRWGYlEbQXHX+iiJWtJKiFt/D0
-bNPo8V0fE8CZeqCgaX+RTgMC97aFVuLC76EkLfNLQygqAb09dqQhKH1b2HgUfMoQ
-/9pZQnxiONbW0Yvi2x7JJzVhFEyxkTDMmkyq/fJFtwXWr8ukq9dLCO7AeDww3Iww
-CksttE2UbgTx4j0eLjVFK63/bxsK5vH/2m37xpnx5li5Q2uSQg+q0Aww35+10KgX
-g54wywTDjqh6qDpRv26mIjQaT2xhU/9CcQo3c/WbiYKstjtlkxggivm46PRIl2pu
-M7Mbz98T+PajUEsMhbDfOZV6n3rAWl+D73IRUVeRBR677Kl0UIo=
-=TXeA
------END PGP SIGNATURE-----

bind-9.20.18.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmlky8sACgkQGC4jV5Ri
+76qe7BAAhslROp6BoZFFYFnF2f3EmbXCVhHv85CIBtvzmMHp0N8zdZMHeco6aeqg
+zQgmq/fXaidkL+7sRbflwyPYYVV3lXafF2BEBX2VYVtijJNjHQ8nxTJC2K4B6jgE
+Jekxi7usd/sbgP/3PZLB1csEu+8Dm1qCkC/gMZD5sE/Kfl3o8ryvUa49Tt15wbo7
+sXvJ1WNwJTuZhcd3kcpePn+E7Y0NK8jetGslJc9qrTNXXxM5JYVaNj+bj8+bh5ey
+IJGY9isds/tx2qsZGL7M3VEZMsEmeKijpF9fl6w+nTiqmbK/TdeqcdPfZdHn66Hj
+IuJqgq5MJ/i4Bm0LBMS69rH4lfqSrrIxDGWA4U5fO7jx2rS1WBHYz9kcUeAqf52u
+N4bdjVWJuIrWcmiVDyaAFH8bJifzzTHXUQOgaxMOGXXcroOs5bAC1kULIbYirTnk
+JzxzkoEdj8x906UKWo7G0PW/qbDziY4Oc3Mmzd94ni7CDcRIwHbTaYcJx+AkGU0E
+gnbcFJGqxqz0ATI3QyHaCA/++3psDZ5L701fSx5dBiAjg1EazmXbRX3msgawR0uP
+PTQSHQKtyl6OYjtgbDOmqFxpi719N6hm9/A7oUifZq7w4R7rFN8rxe0LTwfzjuW4
+2YSuIbOEOB9Qqz0RvI5X3xWhNti25CcD5Z5xfVGLO6aR91TqWbY=
+=GQYe
+-----END PGP SIGNATURE-----

bind.changes

@@ -1,3 +1,115 @@
+-------------------------------------------------------------------
+Wed Jan 21 13:03:10 UTC 2026 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.18
+  Security Fixes:
+  * Fix incorrect length checks for BRID and HHIT records. 
+  (CVE-2025-13878)
+  [bsc#1256997]
+
+  Feature Changes:
+  * Add more information to the rndc recursing output about
+    fetches.
+  * Reduce the number of outgoing queries.
+  * Provide more information when memory allocation fails.
+
+  Bug Fixes:
+  * Make DNSSEC key rollovers more robust.
+  * Fix a catalog zone issue, where member zones could fail to
+    load.
+  * Allow glue in delegations with QTYPE=ANY.
+  * Fix slow speed when signing a large delegation zone with NSEC3
+    opt-out.
+  * Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to
+    be invalid.
+  * Fix a possible catalog zone issue during reconfiguration.
+  * Fix the charts in the statistics channel.
+  * Adding NSEC3 opt-out records could leave invalid records in
+    chain.
+  * Fix spurious timeouts while resolving names.
+  * Fix bug where zone switches from NSEC3 to NSEC after
+    retransfer.
+  * AMTRELAY type 0 presentation format handling was wrong.
+  * Fix parsing bug in remote-servers with key or TLS.
+  * Fix DoT reconfigure/reload bug in the resolver.
+  * Skip unsupported algorithms when looking for a signing key.
+  * Fix dnssec-keygen key collision checking for KEY RRtype keys.
+  * dnssec-verify now uses exit code 1 when failing due to illegal
+    options.
+  * Prevent assertion failures of dig when a server is specified
+    before the -b option.
+  * Skip buffer allocations if not logging.
+
+-------------------------------------------------------------------
+Wed Dec 17 00:30:28 UTC 2025 - Jeff Mahoney <jeffm@suse.com>
+
+- Remove packaging support for releases prior to SLES 15 SP4/Leap 15.4.
+  - The builds have dependencies that are no longer met by these older
+    releases.
+- Fix Sphinx processing of documentation on SLES/Leap 15.
+
+-------------------------------------------------------------------
+Wed Oct 22 14:14:38 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.15
+  Security Fixes:
+  * DNSSEC validation fails if matching but invalid DNSKEY is found.
+    [CVE-2025-8677, bsc#1252378]
+  * Address various spoofing attacks.
+    [CVE-2025-40778, bsc#1252379]
+  * Cache-poisoning due to weak pseudo-random number generator.
+    [CVE-2025-40780, bsc#1252380]
+
+  New Features:
+  * Add dnssec-policy keys configuration check to named-checkconf.
+
+  Bug Fixes:
+  * Missing DNSSEC information when CD bit is set in query.
+  * rndc sign during ZSK rollover will now replace signatures.
+  * Use signer name when disabling DNSSEC algorithms.
+  * Preserve cache when reload fails and reload the server again.
+
+-------------------------------------------------------------------
+Thu Sep 11 09:17:09 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.13
+  New Features:
+  * Add a new option `manual-mode` to dnssec-policy.
+  * Add a new option `servfail-until-ready` to response-policy
+    zones.
+  * Support for parsing HHIT and BRID records has been added.
+
+  Removed Features:
+  * Deprecate the `tkey-gssapi-credential` statement.
+  * Obsolete the `tkey-domain` statement.
+
+  Bug Fixes:
+  * Prevent spurious SERVFAILs for certain 0-TTL resource records.
+  * Fix unexpected termination if catalog-zones had undefined
+    `default-primaries`.
+
+-------------------------------------------------------------------
+Thu Aug 21 08:57:20 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.12
+  New Features:
+  * Support for parsing DSYNC records has been added.
+
+  Feature Changes:
+  * Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
+    digest type 1.
+
+  Bug Fixes:
+  * Stale RRsets in a CNAME chain were not always refreshed.
+  * Add RPZ extended DNS error for zones with a CNAME override
+    policy configured.
+  * Fix dig +keepopen option.
+  * Log dropped or slipped responses in the query-errors category.
+  * Fix synth-from-dnssec not working in some scenarios.
+  * Clean enough memory when adding new ADB names/entries under
+    memory pressure.
+  * Prevent spurious validation failures.
+
 -------------------------------------------------------------------
 Tue Jul 15 13:56:33 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

bind.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package bind
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -30,36 +30,11 @@
 # end DLZ modules
 
 %define	VENDOR SUSE
-%if 0%{?suse_version} >= 1500
-%define with_systemd 1
-%else
-%define with_systemd 0
-# Defines for user and group add
-%define	NAMED_UID 44
-%define	NAMED_UID_NAME named
-%define	NAMED_GID 44
-%define	NAMED_GID_NAME named
-%define	NAMED_COMMENT Name server daemon
-%define	NAMED_HOMEDIR %{_localstatedir}/lib/named
-%define	NAMED_SHELL /bin/false
-%define	GROUPADD_NAMED getent group %{NAMED_GID_NAME} >/dev/null || %{_sbindir}/groupadd -g %{NAMED_GID} -o -r %{NAMED_GID_NAME}
-%define	USERADD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/useradd -r -o -g %{NAMED_GID_NAME} -u %{NAMED_UID} -s %{NAMED_SHELL} -c "%{NAMED_COMMENT}" -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
-%define	USERMOD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/usermod -s %{NAMED_SHELL} -d  %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
-%endif
-%if 0%{?suse_version} < 1315
-%define with_sfw2 1
-%else
-%define with_sfw2 0
-%endif
 
 %define dlz_modules_hash 5923650
 
-#Compat macro for new _fillupdir macro introduced in Nov 2017
-%if ! %{defined _fillupdir}
-  %define _fillupdir %{_localstatedir}/adm/fillup-templates
-%endif
 Name:           bind
-Version:        9.20.11
+Version:        9.20.18
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@@ -107,13 +82,8 @@ Provides:       bind9 = %{version}
 Provides:       dns_daemon
 Obsoletes:      bind8 < %{version}
 Obsoletes:      bind9 < %{version}
-%if %{with_systemd}
 BuildRequires:  sysuser-tools
 %sysusers_requires
-%else
-Requires(post): %insserv_prereq
-Requires(pre):  shadow
-%endif
 
 %description
 Berkeley Internet Name Domain (BIND) is an implementation of the Domain
@@ -252,8 +222,22 @@ for file in docu/README* config/{README,named.conf} sysconfig/named-named; do
 done
 popd
 
-%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150400
-# the Administration Reference Manual doesn't build with Leap/SLES due to an way too old Sphinx package
+%if 0%{?suse_version} == 1500
+# Sphinx in SLE15 doesn't allow :option:`+option` or :option:`cmd +option` so we
+# replace it with :code:
+sed -i -E 's#:option:(`[^`]*)\+([[:alnum:]_-]+)#:code:\1\+\2#g' bin/delv/delv.rst bin/dig/dig.rst bin/tools/mdig.rst doc/notes/notes-9.20.0.rst
+# Liberal use of :any: confuses the version of Sphinx in SLES/Leap 15. Converting it to :code:
+# will at least make it readable.
+awk '
+  /^\.\. namedconf:statement::/ { in_stmt=1; print; next }
+  in_stmt && /^[^[:space:]]/ && $0 !~ /^$/ { in_stmt=0 }
+  in_stmt && /^[[:space:]]/ {
+    $0 = gensub(/:any:`([^`]+)`/, ":code:`\\1`", "g")
+  }
+  { print }
+' doc/arm/reference.rst > doc/arm/reference.rst.new && mv doc/arm/reference.rst.new doc/arm/reference.rst
+
+# the Administration Reference Manual doesn't build with Leap/SLES 15 due to an way too old Sphinx package
 # that is missing sphinx.util.docutils.ReferenceRole.
 # patch68 disables this extension, and here, we're removing the :gl: tags in the notes
 sed -i 's|:gl:||g' doc/notes/notes*.rst
@@ -286,9 +270,7 @@ export LDFLAGS="-pie"
 	--enable-fixed-rrset \
 	--enable-filter-aaaa \
         --enable-dnstap \
-%if %{with_systemd}
         --with-systemd \
-%endif
 %if %{with check}
 	--enable-querytrace \
 %endif
@@ -303,9 +285,7 @@ sed -i '
 for d in arm; do
 	make -C doc/${d} SPHINXBUILD=sphinx-build doc
 done
-%if %{with_systemd}
 %sysusers_generate_pre %{SOURCE72} named named.conf
-%endif
 # special build for the plugins
 for d in dlz-modules-%{dlz_modules_hash}/modules/*; do
        [ -e $d/Makefile ] && make -C $d
@@ -330,9 +310,6 @@ mkdir -p \
 	%{buildroot}/%{_rundir} \
 	%{buildroot}%{_includedir}/bind/dns \
 	%{buildroot}%{_libexecdir}/bind
-%if %{with_sfw2}
-mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
-%endif
 %make_install
 # remove useless .h files
 rm -rf %{buildroot}%{_includedir}
@@ -369,23 +346,16 @@ mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d
 %endif
 mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
 
-%if %{with_systemd}
-	for file in named; do
-        	install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
-                sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
-		install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
-		ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
-	done
-	install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
-	install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
-	install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
-	install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d
-%else
-	for file in named; do
-		install -m 0754 vendor-files/init/${file} %{buildroot}%{_initddir}/${file}
-		ln -sf %{_initddir}/${file} %{buildroot}%{_sbindir}/rc${file}
-	done
-%endif
+for file in named; do
+       	install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
+        sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
+	install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
+	ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
+done
+install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
+install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
+install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
+install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d
 install -m 0644 %{_sourcedir}/named.root %{buildroot}%{_localstatedir}/lib/named/root.hint
 mv vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_localstatedir}/lib/named
 install -m 0755 vendor-files/tools/bind.genDDNSkey %{buildroot}/%{_bindir}/genDDNSkey
@@ -396,9 +366,6 @@ find %{buildroot}/%{_libdir} -type f -name '*.so*' -exec chmod 0755 {} +
 for file in named-named; do
 	install -m 0644 vendor-files/sysconfig/${file} %{buildroot}%{_fillupdir}/sysconfig.${file}
 done
-%if %{with_sfw2}
-install -m 644 vendor-files/sysconfig/SuSEFirewall.named %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind
-%endif
 %if ! %{with check}
 # Cleanup doc
 rm doc/misc/Makefile*
@@ -424,24 +391,13 @@ done
 # ---------------------------------------------------------------------------
 # remove useless Makefiles and Makefile skeletons
 find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} +
-%if %{with_systemd}
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
-%endif
 find %{buildroot}/usr/share/doc/packages/bind -name cfg_test* -exec rm {} \;
 rm -rf %{buildroot}/usr/share/doc/packages/bind/misc/.libs
 
-%if %{with_systemd}
 %pre -f named.pre
 %service_add_pre named.service
-%else
-
-%pre
-%{GROUPADD_NAMED}
-%{USERADD_NAMED}
-# Might be an update.
-%{USERMOD_NAMED}
-%endif
 
 %if %{with check}
 %check
@@ -450,35 +406,15 @@ make test
 %endif
 
 %preun
-%if %{with_systemd}
 %service_del_preun named.service
-%else
-%stop_on_removal named
-%endif
 
 %post
-%if %{with_systemd}
 %{fillup_only -nsa named named}
 %service_add_post named.service
 %tmpfiles_create bind.conf
-%else
-%{fillup_and_insserv -nf named}
-if [ -x %{_bindir}/systemctl ]; then
-# make sure systemctl knows about the service
-# Without this, systemctl status named would return
-#     Unit named.service could not be found.
-# until systemctl daemon-reload has been executed
-    %{_bindir}/systemctl daemon-reload || :
-fi
-%endif
 
 %postun
-%if %{with_systemd}
 %service_del_postun named.service
-%else
-%restart_on_update named
-%insserv_cleanup
-%endif
 
 %post   -n bind-utils -p /sbin/ldconfig
 %postun -n bind-utils -p /sbin/ldconfig
@@ -490,18 +426,11 @@ fi
 %dir %{_sysconfdir}/slp.reg.d
 %attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg
 %endif
-%if %{with_systemd}
 %{_unitdir}/named.service
 %dir %{_unitdir}/named.service.d
 %{_prefix}/lib/tmpfiles.d/bind.conf
 %{_sysusersdir}/named.conf
 %{_datadir}/factory
-%else
-%config /%{_sysconfdir}/init.d/named
-%endif
-%if %{with_sfw2}
-%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind
-%endif
 %dir %{_sysconfdir}/crypto-policies
 %dir %{_sysconfdir}/crypto-policies/back-ends
 %{_bindir}/named-rrchecker