Accepting request 930088 from home:jmoellers:branches:network

OBS-URL: https://build.opensuse.org/request/show/930088
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=331

bind-CVE-2021-25219.patch

@@ -0,0 +1,73 @@
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 213c45cb33..0b28c8db7a 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -164,7 +164,7 @@ options {\n\
+ 	fetches-per-server 0;\n\
+ 	fetches-per-zone 0;\n\
+ 	glue-cache yes;\n\
+-	lame-ttl 600;\n"
++	lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+ 			    "	lmdb-mapsize 32M;\n"
+ #endif /* ifdef HAVE_LMDB */
+diff --git a/bin/named/server.c b/bin/named/server.c
+index ff04689685..0f001ba303 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -4840,8 +4840,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+ 	result = named_config_get(maps, "lame-ttl", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	lame_ttl = cfg_obj_asduration(obj);
+-	if (lame_ttl > 1800) {
+-		lame_ttl = 1800;
++	if (lame_ttl > 0) {
++		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
++			    "disabling lame cache despite lame-ttl > 0 as it "
++			    "may cause performance issues");
++		lame_ttl = 0;
+ 	}
+ 	dns_resolver_setlamettl(view->resolver, lame_ttl);
+ 
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 0358241d95..40c416dcf1 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -10122,25 +10122,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
+  */
+ static isc_result_t
+ rctx_lameserver(respctx_t *rctx) {
+-	isc_result_t result;
++	isc_result_t result = ISC_R_SUCCESS;
+ 	fetchctx_t *fctx = rctx->fctx;
+ 	resquery_t *query = rctx->query;
+ 
+-	if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
+-	    !is_lame(fctx, query->rmessage))
+-	{
++	if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
+ 	inc_stats(fctx->res, dns_resstatscounter_lame);
+ 	log_lame(fctx, query->addrinfo);
+-	result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
+-				  fctx->type, rctx->now + fctx->res->lame_ttl);
+-	if (result != ISC_R_SUCCESS) {
+-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-			      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+-			      "could not mark server as lame: %s",
+-			      isc_result_totext(result));
++	if (fctx->res->lame_ttl != 0) {
++		result = dns_adb_marklame(fctx->adb, query->addrinfo,
++					  &fctx->name, fctx->type,
++					  rctx->now + fctx->res->lame_ttl);
++		if (result != ISC_R_SUCCESS) {
++			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
++				      "could not mark server as lame: %s",
++				      isc_result_totext(result));
++		}
+ 	}
+ 	rctx->broken_server = DNS_R_LAME;
+ 	rctx->next_server = true;

bind.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Mon Nov  8 09:01:21 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
+
+- Aligned SLE15-SP4 and Factory spec files.
+  [bind.spec]
+
+-------------------------------------------------------------------
+Thu Nov  4 08:28:45 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
+
+- Fixed CVE-2021-25219:
+  The lame-ttl option controls how long named caches certain types
+  of broken responses from authoritative servers (see the security
+  advisory for details). This caching mechanism could be abused by
+  an attacker to significantly degrade resolver performance. The
+  vulnerability has been mitigated by changing the default value of
+  lame-ttl to 0 and overriding any explicitly set value with 0,
+  effectively disabling this mechanism altogether. ISC's testing has
+  determined that doing that has a negligible impact on resolver
+  performance while also preventing abuse.
+  Administrators may observe more traffic towards servers issuing
+  certain types of broken responses than in previous BIND 9 releases.
+  [bsc#1192146, CVE-2021-25219, bind-CVE-2021-25219.patch]
+
 -------------------------------------------------------------------
 Mon Oct 18 09:55:18 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
 

bind.spec

@@ -17,6 +17,7 @@
 
 
 %define _buildshell /bin/bash
+
 %define	VENDOR SUSE
 %if 0%{?suse_version} >= 1500
 %define with_systemd 1
@@ -51,21 +52,22 @@ Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
 Group:          Productivity/Networking/DNS/Servers
 URL:            https://www.isc.org/bind/
-Source0:        https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
+Source:         https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
 Source1:        https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.sha512.asc
 Source2:        vendor-files.tar.bz2
 # from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
-Source4:        %{name}.keyring
+Source3:        %{name}.keyring
 Source9:        ftp://ftp.internic.net/domain/named.root
 Source40:       dnszone-schema.txt
 Source60:       dlz-schema.txt
-# configuation file for systemd-tmpfiles
+# configuration file for systemd-tmpfiles
 Source70:       bind.conf
 # configuation file for systemd-sysusers
 Source72:       named.conf
 Patch52:        named-bootconf.diff
 Patch56:        bind-ldapdump-use-valid-host.patch
 Patch68:        bind-fix-build-with-older-sphinx.patch
+Patch69:        bind-CVE-2021-25219.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libmysqlclient-devel
 BuildRequires:  libopenssl-devel
@@ -121,19 +123,22 @@ System implementation of the Domain Name System (DNS) protocols.  This
 includes also the BIND Administrator Reference Manual (ARM).
 
 %package utils
-Summary:        Utilities to query and test DNS
+Summary:        Libraries for "bind" and utilities to query and test DNS
 # Needed for dnssec parts
 Group:          Productivity/Networking/DNS/Utilities
 Requires:       python3-bind = %{version}
 Provides:       bind9-utils
 Provides:       bindutil
 Provides:       dns_utils
+Obsoletes:      bind-devel < %{version}
 Obsoletes:      bind9-utils < %{version}
 Obsoletes:      bindutil < %{version}
+Obsoletes:      libirs-devel < %{version}
 
 %description utils
 This package includes the utilities "host", "dig", and "nslookup" used to
-test and query the Domain Name System (DNS).  The Berkeley Internet
+test and query the Domain Name System (DNS) and also the libraries rquired
+for the base "bind" package. The Berkeley Internet
 Name Domain (BIND) DNS server is found in the package named bind.
 
 %package -n python3-bind
@@ -169,7 +174,7 @@ for file in docu/README* config/{README,named.conf} sysconfig/named-named; do
 done
 popd
 
-%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150300
+%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150400
 # the Administration Reference Manual doesn't build with Leap/SLES due to an way too old Sphinx package
 # that is missing sphinx.util.docutils.ReferenceRole.
 # patch68 disables this extension, and here, we're removing the :gl: tags in the notes
@@ -197,7 +202,7 @@ export LDFLAGS="-pie"
 	--with-pic \
 	--disable-openssl-version-check \
 	--with-tuning=large \
-	--with-geoip \
+	--with-maxminddb \
 	--with-dlopen \
 	--with-gssapi=yes \
 	--disable-isc-spnego \
@@ -218,7 +223,7 @@ for d in arm; do
 	make -C doc/${d} SPHINXBUILD=sphinx-build doc
 done
 %if %{with_systemd}
-%sysusers_generate_pre %{SOURCE72} named named.conf
+%sysusers_generate_pre %{SOURCE72} named
 %endif
 
 %install
@@ -254,8 +259,8 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
 %if %{with_systemd}
 	for file in named; do
         	install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
-		sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
-                install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
+                sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
+		install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
 		ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
 	done
 	install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
@@ -290,7 +295,6 @@ for file in vendor-files/docu/README*; do
 	basename=$( basename ${file})
 	cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR}
 done
-
 mkdir -p vendor-files/config/ISC-examples
 cp -a bin/tests/*.conf* vendor-files/config/ISC-examples
 for d in arm; do
@@ -315,7 +319,6 @@ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
 %pre -f named.pre
 %service_add_pre named.service
 %else
-
 %pre
 %{GROUPADD_NAMED}
 %{USERADD_NAMED}
@@ -338,7 +341,7 @@ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
 %else
 %{fillup_and_insserv -nf named}
 if [ -x %{_bindir}/systemctl ]; then
-# make sure systemctl knows about the service even though it's not a systemd service
+# make sure systemctl knows about the service
 # Without this, systemctl status named would return
 #     Unit named.service could not be found.
 # until systemctl daemon-reload has been executed