forked from pool/bind

Accepting request 264083 from home:lmuelle:bind

- Add a versioned dependency when obsoleting packages.

- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).

- Fix gssapi_krb configure time header detection.

- Update root zone (dated Nov 5, 2014).

- Update to version 9.10.1
  - This release addresses the security flaws described in CVE-2014-3214 and
     CVE-2014-3859.
- Update to version 9.10.0
- Update to version 9.9.6

  Cf the bind changes file for all the details of 9.9.6 till 9.10.1.

- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).

OBS-URL: https://build.opensuse.org/request/show/264083
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=153
2014-12-05 10:12:05 +00:00
committed by Git OBS Bridge
parent e179acbc40
commit 932f848950
15 changed files with 372 additions and 7786 deletions


@@ -1,3 +1,187 @@
-------------------------------------------------------------------
Thu Dec 4 18:36:41 UTC 2014 - lmuelle@suse.com
- Add a versioned dependency when obsoleting packages.
-------------------------------------------------------------------
Thu Dec 4 18:15:01 UTC 2014 - lmuelle@suse.com
- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).
-------------------------------------------------------------------
Wed Dec 3 16:58:24 UTC 2014 - lmuelle@suse.com
- Fix gssapi_krb configure time header detection.
-------------------------------------------------------------------
Sun Nov 30 13:52:44 UTC 2014 - lmuelle@suse.com
- Update root zone (dated Nov 5, 2014).
-------------------------------------------------------------------
Sat Nov 29 19:35:53 UTC 2014 - lmuelle@suse.com
- Update to version 9.10.1
- This release addresses the security flaws described in CVE-2014-3214 and
CVE-2014-3859.
- Update to version 9.10.0
- DNS Response-rate limiting (DNS RRL), which blunts the impact of
reflection and amplification attacks, is always compiled in and no longer
requires a compile-time option to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option is now available.
- A new zone file format, "map", stores zone data in a
format that can be mapped directly into memory, allowing
significantly faster zone loading.
- "delv" (domain entity lookup and validation) is a new tool with dig-like
semantics for looking up DNS data and performing internal DNSSEC
validation.
- Improved EDNS(0) processing for better resolver performance
and reliability over slow or lossy connections.
- Substantial improvement in response-policy zone (RPZ) performance. Up to
32 response-policy zones can be configured with minimal performance loss.
- To improve recursive resolver performance, cache records which are still
being requested by clients can now be automatically refreshed from the
authoritative server before they expire, reducing or eliminating the time
window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location using the MaxMind
GeoIP databases. Use "configure --with-geoip" to enable.
- Zone data can now be shared between views, allowing multiple views to serve
the same zones authoritatively without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel includes many new
statistics and uses a flattened XML tree for faster parsing. The older
schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays XML statistics
in charts and graphs on javascript-enabled browsers.
- The statistics channel can now provide data in JSON format as well as XML.
- New stats counters track TCP and UDP queries received
per zone, and EDNS options received in total.
- The internal and export versions of the BIND libraries (libisc, libdns,
etc) have been unified so that external library clients can use the same
libraries as BIND itself.
- A new compile-time option, "configure --enable-native-pkcs11", allows BIND
9 cryptography functions to use the PKCS#11 API natively, so that BIND can
drive a cryptographic hardware service module (HSM) directly instead of
using a modified OpenSSL as an intermediary.
- The new "max-zone-ttl" option enforces maximum TTLs for zones. This can
simplify the process of rolling DNSSEC keys by guaranteeing that cached
signatures will have expired within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
- "dig +expire" sends an EDNS EXPIRE option when querying.
- New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
report if a lapse in signing coverage has been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
for the "rndc" control channel.
- "named-checkzone" and "named-compilezone" can now read
journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual zones can be
configured to be served from a specific DLZ database. DLZ databases now
serve zones of type "master" and "redirect".
- "rndc zonestatus" reports information about a specified zone.
- "named" now listens on IPv6 as well as IPv4 interfaces by default.
- "named" now preserves the capitalization of names
when responding to queries.
- new "dnssec-importkey" command allows the use of offline
DNSSEC keys with automatic DNSKEY management.
- New "named-rrchecker" tool to verify the syntactic
correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option drops
signatures from keys that are still published but are no longer active.
- "named-checkconf -px" will print the contents of configuration files with
the shared secrets obscured, making it easier to share configuration (e.g.
when submitting a bug report) without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
changes in local addresses.
- On operating systems with support for routing sockets, network interfaces
are re-scanned automatically whenever they change.
- "tsig-keygen" is now available as an alternate command
name to use for "ddns-confgen".
- Update to version 9.9.6
New Features
- Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
- Disallow "request-ixfr" from being specified in zone statements where it
is not valid (it is only valid for slave and redirect zones) [RT #36608]
- Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
- Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
- Added a "no-case-compress" ACL, which causes named to use case-insensitive
compression (disabling change #3645) for specified clients. (This is useful
when dealing with broken client implementations that use case-sensitive
name comparisons, rejecting responses that fail to match the capitalization
of the query that was sent.) [RT #35300]
Feature Changes
- Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
- rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
- Improves the accuracy of dig's reported round trip times. [RT #36611]
- When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
- "named" will now log explicitly when using rndc.key to configure
command channel. [RT #35316]
- The default setting for the -U option (setting the number of UDP
listeners per interface) has been adjusted to improve performance.
[RT #35417]
- Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
- DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
- The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
- Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
- When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
- The AD flag was being set inappopriately on RPZ responses. [RT #36833]
- Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
- RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
- Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
- A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
- Addresses a race condition issue in dispatch. [RT #36731]
- acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
- Corrects a deadlock between view.c and adb.c. [RT #36341]
- liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
- Buffers in isc_print_vsnprintf were not properly initialized
leading to potential overflows when printing out quad values.
[RT #36505]
- Don't call qsort() with a null pointer, and disable the GCC 4.9
"delete null pointer check" optimizer option. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
- Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
- Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
- Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
- Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accomodate. [RT #35878]
- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).
-------------------------------------------------------------------
Fri Nov 14 09:18:26 UTC 2014 - dimstar@opensuse.org
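Review bot: the security line under "Update to version 9.10.1" cites CVE-2014-3214 and CVE-2014-3859 without a bnc# reference, while the older security entries in this file pair the CVE with its bug number (for example "CVE-2011-0414 bnc#674431", and CVE-2009-0696 with bnc#526185). Adding the matching bnc# ids to this entry would let the fix be tracked the same way as the earlier ones. Separately, the last entry reads "Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch", which names the same file twice; if two different patches were dropped, each should be named.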
@@ -17,7 +201,7 @@ Wed Oct 1 15:26:40 UTC 2014 - jengelh@inai.de
-------------------------------------------------------------------
Mon Sep 8 21:10:50 UTC 2014 - werner@suse.de
- Require systemd-rpm-macros at build
- Require systemd-rpm-macros at build
-------------------------------------------------------------------
Mon Sep 8 14:00:01 UTC 2014 - werner@suse.de
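Review bot: the paired lines in this hunk ("- Require systemd-rpm-macros at build") read identically before and after, so the change looks whitespace-only, and the same holds for the remaining hunks, which touch entries going back to 2000. Consider moving that cleanup of historical entries into its own commit so the 9.10.1 security update can be reviewed and backported without the unrelated churn.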
@@ -166,12 +350,12 @@ Sun Jun 1 13:30:10 UTC 2014 - chris@computersalat.de
-------------------------------------------------------------------
Sun May 25 17:24:21 UTC 2014 - crrodriguez@opensuse.org
- Build with LFS_CFLAGS in 32 bit systems.
- Build with LFS_CFLAGS in 32 bit systems.
-------------------------------------------------------------------
Thu May 8 11:23:47 CEST 2014 - ro@suse.de
- use %_rundir macro
- use %_rundir macro
-------------------------------------------------------------------
Fri Mar 28 20:49:57 CET 2014 - lchiquitto@suse.de
@@ -256,7 +440,7 @@ Mon Jun 24 13:17:11 UTC 2013 - meissner@suse.com
- [maint] Added AAAA for D.ROOT-SERVERS.NET.
- [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
- Updated to current rate limiting + rpz patch from
- Updated to current rate limiting + rpz patch from
http://ss.vix.su/~vjs/rrlrpz.html
- moved dnssec-* helpers to bind-utils package. bnc#813911
@@ -768,7 +952,7 @@ Thu May 5 16:59:49 CEST 2011 - ug@suse.de
Thu Feb 24 11:14:09 CET 2011 - ug@suse.de
- fixed security issue
VUL-0: bind: IXFR or DDNS update combined with high query rate
VUL-0: bind: IXFR or DDNS update combined with high query rate
DoS vulnerability (CVE-2011-0414 bnc#674431)
- version to 9.7.3
@@ -953,7 +1137,7 @@ Wed Sep 30 15:44:32 CEST 2009 - ug@suse.de
-------------------------------------------------------------------
Mon Aug 10 15:30:23 CEST 2009 - ug@suse.de
- version update to 9.6.1-P1
- version update to 9.6.1-P1
(security fix CVE-2009-0696)
bnc#526185
@@ -977,7 +1161,7 @@ Thu Apr 9 11:27:57 CEST 2009 - ug@suse.de
-------------------------------------------------------------------
Tue Mar 3 11:08:59 CET 2009 - ug@suse.de
- /etc/named.conf does not include /etc/named.d/forwarders.conf
- /etc/named.conf does not include /etc/named.d/forwarders.conf
by default (bnc#480334)
-------------------------------------------------------------------
@@ -1014,7 +1198,7 @@ Wed Nov 26 09:53:06 CET 2008 - ug@suse.de
-------------------------------------------------------------------
Tue Nov 11 16:54:01 CET 2008 - ro@suse.de
- SLE-11 uses PPC64 instead of PPC, adapt baselibs.conf
- SLE-11 uses PPC64 instead of PPC, adapt baselibs.conf
-------------------------------------------------------------------
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
@@ -1057,7 +1241,7 @@ Tue Aug 12 16:39:27 CEST 2008 - ug@suse.de
outstanding UDP queries as possible
+ additional security of port randomization at the same level as P1
- also includes fixes for several bugs in the 9.5.0 base code
- also includes fixes for several bugs in the 9.5.0 base code
- 9.5.0-P2
-------------------------------------------------------------------
@@ -1069,9 +1253,9 @@ Sun Jul 27 11:51:38 CEST 2008 - aj@suse.de
-------------------------------------------------------------------
Wed Jul 16 12:50:46 CEST 2008 - ug@suse.de
- BIND 9.5 offers many new features, including many
behind-the-scenes improvements. For the most part, the non-visible
features help ISC's customers who have run into the upper-end of
- BIND 9.5 offers many new features, including many
behind-the-scenes improvements. For the most part, the non-visible
features help ISC's customers who have run into the upper-end of
what BIND 9.4 could handle.
See CHANGES for details
- Statistics Counters / server
@@ -1120,7 +1304,7 @@ Thu Jul 26 13:46:45 CEST 2007 - mt@suse.de
-------------------------------------------------------------------
Sat May 26 23:43:35 CEST 2007 - ro@suse.de
- added ldconfig to postinstall script for bind-libs
- added ldconfig to postinstall script for bind-libs
-------------------------------------------------------------------
Tue May 15 12:19:20 CEST 2007 - ug@suse.de
@@ -1251,7 +1435,7 @@ Fri Jan 27 00:49:18 CET 2006 - mls@suse.de
-------------------------------------------------------------------
Wed Jan 25 14:27:11 CET 2006 - ug@suse.de
- fixed #145169
- fixed #145169
(follow symlinks during chroot jail creation)
-------------------------------------------------------------------
@@ -1273,7 +1457,7 @@ Mon Nov 21 12:16:32 CET 2005 - ug@suse.de
-------------------------------------------------------------------
Mon Sep 26 01:27:01 CEST 2005 - ro@suse.de
- added LDAP_DEPRECATED to CFLAGS
- added LDAP_DEPRECATED to CFLAGS
-------------------------------------------------------------------
Fri Jul 22 16:50:27 CEST 2005 - lmuelle@suse.de
@@ -1303,7 +1487,7 @@ Fri Mar 11 18:28:37 CET 2005 - ug@suse.de
- version update from 9.3.0 to 9.3.1
- fixed bug #72153
lwresd doesn't notice if name server is
lwresd doesn't notice if name server is
unreachable and times out
-------------------------------------------------------------------
@@ -1623,7 +1807,7 @@ Tue Mar 4 17:50:58 CET 2003 - lmuelle@suse.de
-------------------------------------------------------------------
Sat Mar 1 17:41:47 CET 2003 - ro@suse.de
- also create named user/group in utils preinstall
- also create named user/group in utils preinstall
-------------------------------------------------------------------
Thu Feb 27 23:53:01 CET 2003 - ro@suse.de
@@ -1664,17 +1848,17 @@ Mon Feb 17 22:48:21 CET 2003 - lmuelle@suse.de
-------------------------------------------------------------------
Wed Nov 13 01:43:18 CET 2002 - ro@suse.de
- fix build with current bison (end all rules with ";")
- fix build with current bison (end all rules with ";")
-------------------------------------------------------------------
Sat Sep 7 16:31:04 CEST 2002 - kukuk@suse.de
- Fix running bind9 as user named [Bug #18417]
- Fix running bind9 as user named [Bug #18417]
-------------------------------------------------------------------
Mon Aug 19 15:22:43 CEST 2002 - ro@suse.de
- added prereqs (#17807)
- added prereqs (#17807)
-------------------------------------------------------------------
Mon Aug 19 12:50:37 CEST 2002 - okir@suse.de
@@ -1717,7 +1901,7 @@ Mon Jun 3 10:59:07 CEST 2002 - okir@suse.de
-------------------------------------------------------------------
Fri Dec 14 17:55:36 CET 2001 - ro@suse.de
- removed START_NAMED
- removed START_NAMED
-------------------------------------------------------------------
Wed Sep 5 20:32:15 CEST 2001 - pthomas@suse.de
@@ -1732,7 +1916,7 @@ Sun Aug 12 15:04:44 CEST 2001 - kukuk@suse.de
-------------------------------------------------------------------
Wed Jul 4 09:06:38 CEST 2001 - bodammer@suse.de
- Update to bind-9.1.3 (release)
- Update to bind-9.1.3 (release)
- Config-files moved away from bind-9.1.3.dif
-------------------------------------------------------------------
@@ -1831,7 +2015,7 @@ Mon Feb 12 18:04:03 CET 2001 - bodammer@suse.de
Thu Feb 8 12:08:50 CET 2001 - bodammer@suse.de
- update to bind-9.1.1rc1
- missing headerfile included in stdtime.c
- missing headerfile included in stdtime.c
-------------------------------------------------------------------
Thu Jan 18 09:40:33 CET 2001 - bodammer@suse.de
@@ -1846,7 +2030,7 @@ Tue Nov 28 19:01:37 CET 2000 - bodammer@suse.de
-------------------------------------------------------------------
Thu Nov 23 23:46:02 CET 2000 - ro@suse.de
- added insserv calls
- added insserv calls
-------------------------------------------------------------------
Thu Nov 23 22:40:37 CET 2000 - bodammer@suse.de
@@ -1861,7 +2045,7 @@ Mon Nov 13 18:19:00 CET 2000 - bodammer@suse.de
-------------------------------------------------------------------
Fri Oct 6 18:09:53 CEST 2000 - kukuk@suse.de
- change group tag
- change group tag
-------------------------------------------------------------------
Mon Sep 18 11:07:47 CEST 2000 - bodammer@suse.de
@@ -1893,7 +2077,7 @@ Thu Jul 13 09:53:58 CEST 2000 - bodammer@suse.de
Mon Jul 3 23:10:21 CEST 2000 - bodammer@suse.de
- update to bind-9.0.0b5
- host renamed to host9
- host renamed to host9
-------------------------------------------------------------------
Fri Jun 16 10:55:41 CEST 2000 - bodammer@suse.de