Accepting request 1005206 from home:jcronenberg:branches:network

- Update to bind release 9.18.7
  Security Fixes:
  * Previously, there was no limit to the number of database lookups
    performed while processing large delegations, which could be
    abused to severely impact the performance of named running as a
    recursive resolver. This has been fixed. (CVE-2022-2795)
  * When an HTTP connection was reused to request statistics from the
    stats channel, the content length of successive responses could
    grow in size past the end of the allocated buffer.
    This has been fixed. (CVE-2022-2881)
  * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed
    that could be externally triggered, when using TKEY records in DH
    mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906)
  * named running as a resolver with the stale-answer-client-timeout
    option set to 0 could crash with an assertion failure, when there
    was a stale CNAME in the cache for the incoming query.
    This has been fixed. (CVE-2022-3080)
  * Memory leaks were fixed that could be externally triggered in the
    DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
  Feature Changes:
  * Response Rate Limiting (RRL) code now treats all QNAMEs that are
    subject to wildcard processing within a given zone as the same
    name, to prevent circumventing the limits enforced by RRL.
  * Zones using dnssec-policy now require dynamic DNS or
    inline-signing to be configured explicitly.
  * When reconfiguring dnssec-policy from using NSEC with an NSEC-only
    DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
    BIND 9 no longer fails to sign the zone; instead, it keeps using
    NSEC until the offending DNSKEY records have been removed from the
    zone, then switches to using NSEC3.
  * A backward-compatible approach was implemented for encoding
    internationalized domain names (IDN) in dig and converting the
    domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
    conversion.
  Bug Fixes:
  * A serve-stale bug was fixed, where BIND would try to return stale
    data from cache for lookups that received duplicate queries or
    queries that would be dropped. This bug resulted in premature
    SERVFAIL responses, and has now been resolved.
  This obsoletes the following patch:
  * bind-fix-mysql-bindings.patch
  [bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620]

OBS-URL: https://build.opensuse.org/request/show/1005206
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=357

bind-9.18.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d43a0fed03c774d1685d203598218c0b7774a88fcc390a0170710d5feb7fbff1
-size 5171132

bind-9.18.6.tar.xz.sha512.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4l6wzxzoBJ1H8dmmM+EOShg6jkYFAmL0AkwACgkQM+EOShg6
-jkaylw/9Evr/sUupCkvNFVt+FtqlnfBDt8WCSlwPaSr5TVU+JCX+0SnNkIrST5Ho
-wOACBRks6ATzvtL4pAnr+DRJFen+G0WL57YJsR6geKKm78W7WzV49zG3FSad6RTq
-FyXoRNClteBttitPd0ubCHhHAqPcrmbVAlS+79l/8Q//r+llV99gY4h8ZVQC2f2I
-rnrJzprT3ZwwCqTyV03zigBcRINS9+/Ij/MlRoG5VGldSaDJB0dLMlJMzeIWeiLG
-aeHRTDB5q64HXS6zpzcYZcs6cG80lMFpYqMFP8+FZml1mz8PEhvhTb5cM94Ar1b1
-Iy/QMLzORneSCHq62o4Tc2jgFTv6y7LqRHnCujt+I0UpOt26tV5O/kr/CbMrgx9R
-mU/PScStLU5m38vwGrIfLegx9fauHPvQckM5Mbvv5E/ntFaza7r7aedjj5cMY92N
-uEHUKknYFP+nIRPEpaN/oIkkbVcRq99LviI2tlVUrkHR/siNy2Y/eHXm1nLs9s3y
-4mdns0dx0/d+sewaL4jpS9+EynDoy3IiAXpo2CMR8no/AIm2nqwrCtcR/slmsdUr
-P5lwlJZoyz4tsjFHTRyeEk4ciMEwDoIFQ+hwQovAL7Vq/2lIgXcvvQn0IX96n2SS
-cmFovsMMN7Y6LE/Tfx8CuHyP2bGs+V3wyepk3p2lJWrIWjJ7a/s=
-=2oT4
------END PGP SIGNATURE-----

bind-9.18.7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e2acf1698f49d70ad12ffbad39ec6716a7da524e9ebd98429c7c70ba1262981
+size 5626820

bind-9.18.7.tar.xz.sha512.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4l6wzxzoBJ1H8dmmM+EOShg6jkYFAmMfNs4ACgkQM+EOShg6
+jkY1aRAAySGOpDT4MFnuTI5w7RdWjMNclOGJoFK6ihbkF6lQDrRqRuYlmAq9UwW2
+KR+rAAAqAHk/EmDzsmq15OcsJdJOMrJTp88YEI4EdAcInOK4xbjDl73P0oOnlRjJ
+/8Aw2awrDPjMPoEoF9YBLPfU1Q2Vlunybzlq9sZ7eUWpp1qSa6x3EoWS/bB/f66G
+FhWpbEqdkBOCW8osm3svSOTCkYhlimX6Y2bTyhjSUdfS8q5rwYoiDEsbzjgoMS5l
+eNQb0bexCEBmaTjzARGXo2JzGcNMu9aeee3noeusTV/x3r5zgOjl/TDkx7Y4CAaN
+qtWeoYVp4p4ulisaFqP1bHuksUVgez+2SzrqJ0NpvhLZzbi5dRnsHT93iDcoR+X/
+yjyVQFiunZq3kU46Cf8gT29fxfyi3C/3BVxMkdZz2kI4LwRWvAng7mk9tfKH/2/d
+d44hvv0R4Mdv38/zd8m2pddh8A7rY7l7CbPrKe0V6UTsnErFi/B14fLu58vQHlZL
+8SBBLT2YSiJFQRMfcbCwVTW9r54pqb+MJxkBCgGMDAULOqdBSXfydQdEkbkC1R9i
+u522mH5/VafntJabrxWa4blz/2pClTWswCYCT9LIb8wTFgU+n99+1ozIW7arLFMe
+/ncipDqQffaC+DY88PlF5AOhG4I7hqbJR6yVrPaIL7On+2vIn+A=
+=/BQv
+-----END PGP SIGNATURE-----

bind-fix-mysql-bindings.patch

@@ -1,22 +0,0 @@
---- a/contrib/dlz/modules/mysql/Makefile
-+++ b/contrib/dlz/modules/mysql/Makefile
-@@ -27,7 +27,7 @@ prefix = /usr
- libdir = $(prefix)/lib/bind9
- 
- CFLAGS=-fPIC -g -I../include $(shell mysql_config --cflags)
--LDAP_LIBS=$(shell mysql_config --libs)
-+MYSQL_LIBS=$(shell mysql_config --libs)
- 
- all: dlz_mysql_dynamic.so
- 
---- a/contrib/dlz/modules/mysqldyn/Makefile
-+++ b/contrib/dlz/modules/mysqldyn/Makefile
-@@ -27,7 +27,7 @@ prefix = /usr
- libdir = $(prefix)/lib/bind9
- 
- CFLAGS=-fPIC -g -I../include $(shell mysql_config --cflags)
--LDAP_LIBS=$(shell mysql_config --libs)
-+MYSQL_LIBS=$(shell mysql_config --libs)
- 
- all: dlz_mysqldyn_mod.so
- 

bind.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Wed Sep 21 11:49:07 UTC 2022 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to bind release 9.18.7
+  Security Fixes:
+  * Previously, there was no limit to the number of database lookups
+    performed while processing large delegations, which could be
+    abused to severely impact the performance of named running as a
+    recursive resolver. This has been fixed. (CVE-2022-2795)
+  * When an HTTP connection was reused to request statistics from the
+    stats channel, the content length of successive responses could
+    grow in size past the end of the allocated buffer.
+    This has been fixed. (CVE-2022-2881)
+  * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed
+    that could be externally triggered, when using TKEY records in DH
+    mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906)
+  * named running as a resolver with the stale-answer-client-timeout
+    option set to 0 could crash with an assertion failure, when there
+    was a stale CNAME in the cache for the incoming query.
+    This has been fixed. (CVE-2022-3080)
+  * Memory leaks were fixed that could be externally triggered in the
+    DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+
+  Feature Changes:
+  * Response Rate Limiting (RRL) code now treats all QNAMEs that are
+    subject to wildcard processing within a given zone as the same
+    name, to prevent circumventing the limits enforced by RRL.
+  * Zones using dnssec-policy now require dynamic DNS or
+    inline-signing to be configured explicitly.
+  * When reconfiguring dnssec-policy from using NSEC with an NSEC-only
+    DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
+    BIND 9 no longer fails to sign the zone; instead, it keeps using
+    NSEC until the offending DNSKEY records have been removed from the
+    zone, then switches to using NSEC3.
+  * A backward-compatible approach was implemented for encoding
+    internationalized domain names (IDN) in dig and converting the
+    domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
+    conversion.
+
+  Bug Fixes:
+  * A serve-stale bug was fixed, where BIND would try to return stale
+    data from cache for lookups that received duplicate queries or
+    queries that would be dropped. This bug resulted in premature
+    SERVFAIL responses, and has now been resolved.
+
+  This obsoletes the following patch:
+  * bind-fix-mysql-bindings.patch
+  [bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620]
+
 -------------------------------------------------------------------
 Thu Aug 18 14:57:33 UTC 2022 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

bind.spec

@@ -56,7 +56,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.18.6
+Version:        9.18.7
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@@ -75,7 +75,6 @@ Source70:       bind.conf
 # configuation file for systemd-sysusers
 Source72:       named.conf
 Patch56:        bind-ldapdump-use-valid-host.patch
-Patch57:        bind-fix-mysql-bindings.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool