SHA256
1
0
forked from pool/bind
Dominique Leuenberger 2021-12-06 22:59:13 +00:00 committed by Git OBS Bridge
commit e5af8a378d
9 changed files with 125 additions and 203 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58
size 5042196

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE6atueSM8BBbomT9FDAOvqQpZZ8QFAmETiLMACgkQDAOvqQpZ
Z8Qrug//fMVJ6yfxMqbGrtumqxWBs+T8EAH3kt/mJvGRbFugN0UyOE+/19FcJvGn
Kd440Azap7ophpqt0oWrOXo5YEzStWOpaHRrRqulZ7r0/yOkRHoekuWStyJ4qRXt
ZYutOpbS1aXU9OhnWbQhTah+GPqZSdbp66gXIuGcvor5IpmaClPsVlQ6IEppZ32L
rwZcVYd1yrl5vtUx7b4rOYrrNbadlZA906BPgEGy5xx0Ex+IBtHWkUhQ17RDFl8b
qovmxYp/V+9IPipK37ZVCB1yNNnzsnQU5ca9ZklCNalWKfCY/CNYdH0doybWttFq
rcNFiNqS72pnWTxNMtFu7hwkXf2PRhQ26o4/UZVaI9zOVXZ7Gao7nbNYWxE6QpqE
OT8hNkKPU+PLBbznyE9ktHdJCEXrInb+eRZdcws2C86EN68pCdm3pNzrFzz/eEsX
d38xb1cYZqGlRSZ3tRHdcNh0EZjhHVK9ELcsvx78tr6qEyF+03DrCQEPgsEB3BJI
hZKYGUnd4iwOUZSAjWxalAzAGFeVhO+/dt+YPEWOskZoOw0hpban0dIlBIePn0xW
OqDIGVA8D+FNV3i+16ALWVpyGkKlcmjWj9qzjR1FXKQMWQ/USRRhm8bQv0T1RKhh
ulYNdAQBSAZUvvJHxYXOYHK5EPcoKtAlnXeP//FIGbQorKcEmnM=
=EURP
-----END PGP SIGNATURE-----

3
bind-9.16.23.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dedb5e27aa9cb6a9ce3e872845887ff837b99e4e9a91a5e2fcd67cf6e1ef173c
size 5068344

View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMgACgkQxbTukxqf
nf2PihAA3sF6ycdT+tSUdyqWS5FcRdqnGnlZpT/mhGcsY/bgO4IejRTnbBY/3D95
siXINLzWndKKQMboLDsj5st/BUzBKivmwfqn1AmrzEoD35eg5VdrYWIVXXBr2Qak
Z4npi9krM9D99NRZd4zEBqFb1yQYpg9ps1PsuGyANKwtLbcuoO8/pmmowCYIBLuT
JWqDyWAIBKO6ElM51nWP5qzv6ithJd8jbhuyyMCBV3z/4lZ20WR43VRUNub9KRHG
qMJd4FsSaByJF0tUN9Jsp2Jq85NxXdiNfAAHCBZU+oK0lOIu3cLayGH0ecIPg/fp
okSoWePM8AEr44Fg2yT71OtuKzn41bH8ixAUPi2gVPiLP+VH6f5QnwYTug27CxLk
FgXMV1MOUi7yRicDpfU3nx0jDmwFI02Fd6K5h00lG7Cb3v6EpEWvLXc/oRK1yHkU
GHMczNH36eX0VuKyNcu/+NMXpWO0hIds+oTNx5Ao4w3n+IlhCx/A4T/P6Ar8qRh4
vg/OtJZO3FohShUIhhVXgWTVDdChPEpiivlhb8Cm6qjJl0KH78vYCqLCKBAH9h3A
kzSvl0EhbST1eiNTsnA4OCKelQGKNfehxqU3nNebvRktNNLLrKwT2w1/N4stgB+w
41DF9s+VNTF2HZ2vN6DRhjmLks/v7De81fPjJyVy4gw0G0GR7O0=
=DqKw
-----END PGP SIGNATURE-----

View File

@ -1,73 +0,0 @@
diff --git a/bin/named/config.c b/bin/named/config.c
index 213c45cb33..0b28c8db7a 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -164,7 +164,7 @@ options {\n\
fetches-per-server 0;\n\
fetches-per-zone 0;\n\
glue-cache yes;\n\
- lame-ttl 600;\n"
+ lame-ttl 0;\n"
#ifdef HAVE_LMDB
" lmdb-mapsize 32M;\n"
#endif /* ifdef HAVE_LMDB */
diff --git a/bin/named/server.c b/bin/named/server.c
index ff04689685..0f001ba303 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4840,8 +4840,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
result = named_config_get(maps, "lame-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
lame_ttl = cfg_obj_asduration(obj);
- if (lame_ttl > 1800) {
- lame_ttl = 1800;
+ if (lame_ttl > 0) {
+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+ "disabling lame cache despite lame-ttl > 0 as it "
+ "may cause performance issues");
+ lame_ttl = 0;
}
dns_resolver_setlamettl(view->resolver, lame_ttl);
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 0358241d95..40c416dcf1 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10122,25 +10122,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
*/
static isc_result_t
rctx_lameserver(respctx_t *rctx) {
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
fetchctx_t *fctx = rctx->fctx;
resquery_t *query = rctx->query;
- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
- !is_lame(fctx, query->rmessage))
- {
+ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
return (ISC_R_SUCCESS);
}
inc_stats(fctx->res, dns_resstatscounter_lame);
log_lame(fctx, query->addrinfo);
- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
- fctx->type, rctx->now + fctx->res->lame_ttl);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
- "could not mark server as lame: %s",
- isc_result_totext(result));
+ if (fctx->res->lame_ttl != 0) {
+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
+ &fctx->name, fctx->type,
+ rctx->now + fctx->res->lame_ttl);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not mark server as lame: %s",
+ isc_result_totext(result));
+ }
}
rctx->broken_server = DNS_R_LAME;
rctx->next_server = true;

View File

@ -0,0 +1,26 @@
Index: bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
===================================================================
--- bind-9.16.23.orig/contrib/dlz/drivers/dlz_ldap_driver.c
+++ bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
@@ -978,11 +978,13 @@ dlz_ldap_create(const char *dlzname, uns
if (result != ISC_R_SUCCESS) {
return (result);
}
+ /* FALLTHROUGH */
case 11:
result = dlz_ldap_checkURL(argv[10], 3, "all nodes");
if (result != ISC_R_SUCCESS) {
return (result);
}
+ /* FALLTHROUGH */
case 10:
if (strlen(argv[9]) > 0) {
result = dlz_ldap_checkURL(argv[9], 3, "authority");
@@ -990,6 +992,7 @@ dlz_ldap_create(const char *dlzname, uns
return (result);
}
}
+ /* FALLTHROUGH */
case 9:
result = dlz_ldap_checkURL(argv[8], 3, "lookup");
if (result != ISC_R_SUCCESS) {

View File

@ -1,108 +0,0 @@
Index: b/doc/arm/conf.py
===================================================================
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -18,54 +18,58 @@ from docutils.nodes import Node, system_
from docutils.parsers.rst import roles
from sphinx import addnodes
-from sphinx.util.docutils import ReferenceRole
+try:
+ from sphinx.util.docutils import ReferenceRole
+ GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
-GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/'
-
-# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
-class GitLabRefRole(ReferenceRole):
- def __init__(self, base_url: str) -> None:
- self.base_url = base_url
- super().__init__()
-
- def run(self) -> Tuple[List[Node], List[system_message]]:
- gl_identifier = '[GL %s]' % self.target
-
- target_id = 'index-%s' % self.env.new_serialno('index')
- entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
-
- index = addnodes.index(entries=entries)
- target = nodes.target('', '', ids=[target_id])
- self.inliner.document.note_explicit_target(target)
-
- try:
- refuri = self.build_uri()
- reference = nodes.reference('', '', internal=False, refuri=refuri,
- classes=['gl'])
- if self.has_explicit_title:
- reference += nodes.strong(self.title, self.title)
- else:
- reference += nodes.strong(gl_identifier, gl_identifier)
- except ValueError:
- error_text = 'invalid GitLab identifier %s' % self.target
- msg = self.inliner.reporter.error(error_text, line=self.lineno)
- prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
- return [prb], [msg]
-
- return [index, target, reference], []
-
- def build_uri(self):
- if self.target[0] == '#':
- return self.base_url + 'issues/%d' % int(self.target[1:])
- if self.target[0] == '!':
- return self.base_url + 'merge_requests/%d' % int(self.target[1:])
- raise ValueError
-
-
-def setup(_):
- roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
+ # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs.
+ class GitLabRefRole(ReferenceRole):
+ def __init__(self, base_url: str) -> None:
+ self.base_url = base_url
+ super().__init__()
+
+ def run(self) -> Tuple[List[Node], List[system_message]]:
+ gl_identifier = '[GL %s]' % self.target
+
+ target_id = 'index-%s' % self.env.new_serialno('index')
+ entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)]
+
+ index = addnodes.index(entries=entries)
+ target = nodes.target('', '', ids=[target_id])
+ self.inliner.document.note_explicit_target(target)
+
+ try:
+ refuri = self.build_uri()
+ reference = nodes.reference('', '', internal=False, refuri=refuri,
+ classes=['gl'])
+ if self.has_explicit_title:
+ reference += nodes.strong(self.title, self.title)
+ else:
+ reference += nodes.strong(gl_identifier, gl_identifier)
+ except ValueError:
+ error_text = 'invalid GitLab identifier %s' % self.target
+ msg = self.inliner.reporter.error(error_text, line=self.lineno)
+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg)
+ return [prb], [msg]
+
+ return [index, target, reference], []
+
+ def build_uri(self):
+ if self.target[0] == '#':
+ return self.base_url + 'issues/%d' % int(self.target[1:])
+ if self.target[0] == '!':
+ return self.base_url + 'merge_requests/%d' % int(self.target[1:])
+ raise ValueError
+
+
+ def setup(_):
+ roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL))
+
+except ImportError:
+ # better loose this feature, than failing the build
+ pass
#
# Configuration file for the Sphinx documentation builder.

View File

@ -1,3 +1,80 @@
-------------------------------------------------------------------
Fri Dec 3 07:52:38 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
- Upgrade to 9.16.23
Security issues fixed:
The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could
previously be abused by an attacker to significantly
degrade resolver performance. (CVE-2021-25219)
Bugs fixed:
In 9.16.21:
* When a dynamic zone was made available in another view
using the "in-view" statement, running "rndc freeze"
always reported an "already frozen" error even though
the zone was successfully frozen.
* Stale data in the cache could cause named to send
non-minimized queries despite QNAME minimization being
enabled.
* When a DNSSEC-signed zone which only has a single
signing key available is migrated to use KASP, that key
is now treated as a Combined Signing Key (CSK).
* When a member zone was removed from a catalog zone,
journal files for the former were not deleted.
* named-checkconf failed to detect syntactically invalid
values of the "key" and "tls" parameters used to define
members of remote server lists.
* Fixed a regression which caused the EDNS TCP Keepalive option to be
ignored inadvertently in client requests. It has now
been fixed and this option is handled properly again.
* Fixed a regression which altered the internal memory structure of
zone databases, but neglected to update the MAPAPI value
for zone files in "map" format. This caused named to
attempt to load incompatible map files, triggering an
assertion failure on startup. The MAPAPI value has now
been updated, so named rejects outdated files when
encountering them.
* The thread-local isc_tid_v variable was not properly
initialized when running BIND 9 as a Windows Service,
leading to a crash on startup.
* "map" files exceeding 2GB in size failed to load due to
a size comparison that incorrectly treated the file size
as a signed integer.
In 9.16.22:
* Remove the "adjust interface" mechanism which was
responsible for setting up listeners on interfaces when
the "*-source(-v6)" address and port were the same as
the "listen-on(-v6)" address and port. Such a
configuration is no longer supported; under certain
timing conditions, that mechanism could prevent named
from listening on some TCP ports. This has been fixed.
* Multiple library names were mistakenly passed to the
krb5-config utility when ./configure was invoked with
the --with-gssapi=[/path/to/]krb5-config option. This
has been fixed by invoking krb5-config separately for
each required library.
* Fixed a regression which broke backward compatibility for the
"check-names master ..." and "check-names slave ..."
options. This has been fixed.
* Address a potential deadlock when checking zone content
consistency.
In 9.16.23:
* Address Coverity warning in lib/dns/dnssec.c.
* Fix a bug when comparing two RSA keys. There was a typo
which caused the "p" prime factors to not being
compared.
* Fix an assertion failure caused by missing member zones
during a reload of a catalog zone.
This obsoletes bind-CVE-2021-25219.patch and
bind-fix-build-with-older-sphinx.patch
Other issues:
A compile time waring about fall through in a switch statement
has been averted by marking the cases as FALLTHROUGH.
[bind-9.16.23.tar.xz, bind-9.16.23.tar.xz.sha512.asc,
bind-CVE-2021-25219.patch, bind-fix-build-with-older-sphinx.patch,
bind-avoid-fallthrough-warning-error.patch]
-------------------------------------------------------------------
Mon Nov 8 09:01:21 UTC 2021 - Josef Möllers <josef.moellers@suse.com>

View File

@ -46,7 +46,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
Version: 9.16.20
Version: 9.16.23
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
@ -66,8 +66,7 @@ Source70: bind.conf
Source72: named.conf
Patch52: named-bootconf.diff
Patch56: bind-ldapdump-use-valid-host.patch
Patch68: bind-fix-build-with-older-sphinx.patch
Patch69: bind-CVE-2021-25219.patch
Patch57: bind-avoid-fallthrough-warning-error.patch
BuildRequires: libcap-devel
BuildRequires: libmysqlclient-devel
BuildRequires: libopenssl-devel