From dd9425ce8eb500f547f3deecd686bf57ef4c431c7dc6fb2be5b818913ce00ccb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Fri, 3 Dec 2021 15:42:52 +0000 Subject: [PATCH] Accepting request 935515 from home:jmoellers:branches:network OBS-URL: https://build.opensuse.org/request/show/935515 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=332 --- bind-9.16.20.tar.xz | 3 - bind-9.16.20.tar.xz.sha512.asc | 16 --- bind-9.16.23.tar.xz | 3 + bind-9.16.23.tar.xz.sha512.asc | 17 ++++ bind-CVE-2021-25219.patch | 73 -------------- bind-avoid-fallthrough-warning-error.patch | 26 +++++ bind-fix-build-with-older-sphinx.patch | 108 --------------------- bind.changes | 77 +++++++++++++++ bind.spec | 5 +- 9 files changed, 125 insertions(+), 203 deletions(-) delete mode 100644 bind-9.16.20.tar.xz delete mode 100644 bind-9.16.20.tar.xz.sha512.asc create mode 100644 bind-9.16.23.tar.xz create mode 100644 bind-9.16.23.tar.xz.sha512.asc delete mode 100644 bind-CVE-2021-25219.patch create mode 100644 bind-avoid-fallthrough-warning-error.patch delete mode 100644 bind-fix-build-with-older-sphinx.patch diff --git a/bind-9.16.20.tar.xz b/bind-9.16.20.tar.xz deleted file mode 100644 index 733b31f..0000000 --- a/bind-9.16.20.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4d0d93c0d0b63080609e84625f24ff8777f8d164e78a75b1c19c334ce42d5b58 -size 5042196 diff --git a/bind-9.16.20.tar.xz.sha512.asc b/bind-9.16.20.tar.xz.sha512.asc deleted file mode 100644 index af922f3..0000000 --- a/bind-9.16.20.tar.xz.sha512.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE6atueSM8BBbomT9FDAOvqQpZZ8QFAmETiLMACgkQDAOvqQpZ -Z8Qrug//fMVJ6yfxMqbGrtumqxWBs+T8EAH3kt/mJvGRbFugN0UyOE+/19FcJvGn -Kd440Azap7ophpqt0oWrOXo5YEzStWOpaHRrRqulZ7r0/yOkRHoekuWStyJ4qRXt -ZYutOpbS1aXU9OhnWbQhTah+GPqZSdbp66gXIuGcvor5IpmaClPsVlQ6IEppZ32L -rwZcVYd1yrl5vtUx7b4rOYrrNbadlZA906BPgEGy5xx0Ex+IBtHWkUhQ17RDFl8b -qovmxYp/V+9IPipK37ZVCB1yNNnzsnQU5ca9ZklCNalWKfCY/CNYdH0doybWttFq -rcNFiNqS72pnWTxNMtFu7hwkXf2PRhQ26o4/UZVaI9zOVXZ7Gao7nbNYWxE6QpqE -OT8hNkKPU+PLBbznyE9ktHdJCEXrInb+eRZdcws2C86EN68pCdm3pNzrFzz/eEsX -d38xb1cYZqGlRSZ3tRHdcNh0EZjhHVK9ELcsvx78tr6qEyF+03DrCQEPgsEB3BJI -hZKYGUnd4iwOUZSAjWxalAzAGFeVhO+/dt+YPEWOskZoOw0hpban0dIlBIePn0xW -OqDIGVA8D+FNV3i+16ALWVpyGkKlcmjWj9qzjR1FXKQMWQ/USRRhm8bQv0T1RKhh -ulYNdAQBSAZUvvJHxYXOYHK5EPcoKtAlnXeP//FIGbQorKcEmnM= -=EURP ------END PGP SIGNATURE----- diff --git a/bind-9.16.23.tar.xz b/bind-9.16.23.tar.xz new file mode 100644 index 0000000..c116d8c --- /dev/null +++ b/bind-9.16.23.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dedb5e27aa9cb6a9ce3e872845887ff837b99e4e9a91a5e2fcd67cf6e1ef173c +size 5068344 diff --git a/bind-9.16.23.tar.xz.sha512.asc b/bind-9.16.23.tar.xz.sha512.asc new file mode 100644 index 0000000..c99a98d --- /dev/null +++ b/bind-9.16.23.tar.xz.sha512.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMgACgkQxbTukxqf +nf2PihAA3sF6ycdT+tSUdyqWS5FcRdqnGnlZpT/mhGcsY/bgO4IejRTnbBY/3D95 +siXINLzWndKKQMboLDsj5st/BUzBKivmwfqn1AmrzEoD35eg5VdrYWIVXXBr2Qak +Z4npi9krM9D99NRZd4zEBqFb1yQYpg9ps1PsuGyANKwtLbcuoO8/pmmowCYIBLuT +JWqDyWAIBKO6ElM51nWP5qzv6ithJd8jbhuyyMCBV3z/4lZ20WR43VRUNub9KRHG +qMJd4FsSaByJF0tUN9Jsp2Jq85NxXdiNfAAHCBZU+oK0lOIu3cLayGH0ecIPg/fp +okSoWePM8AEr44Fg2yT71OtuKzn41bH8ixAUPi2gVPiLP+VH6f5QnwYTug27CxLk +FgXMV1MOUi7yRicDpfU3nx0jDmwFI02Fd6K5h00lG7Cb3v6EpEWvLXc/oRK1yHkU +GHMczNH36eX0VuKyNcu/+NMXpWO0hIds+oTNx5Ao4w3n+IlhCx/A4T/P6Ar8qRh4 +vg/OtJZO3FohShUIhhVXgWTVDdChPEpiivlhb8Cm6qjJl0KH78vYCqLCKBAH9h3A +kzSvl0EhbST1eiNTsnA4OCKelQGKNfehxqU3nNebvRktNNLLrKwT2w1/N4stgB+w +41DF9s+VNTF2HZ2vN6DRhjmLks/v7De81fPjJyVy4gw0G0GR7O0= +=DqKw +-----END PGP SIGNATURE----- diff --git a/bind-CVE-2021-25219.patch b/bind-CVE-2021-25219.patch deleted file mode 100644 index c05cbcf..0000000 --- a/bind-CVE-2021-25219.patch +++ /dev/null 
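Review bot: The key behind the new detached signature does not appear to be the one that signed 9.16.20: the issuer-fingerprint subpacket at the head of each armored block (the bytes following `FiEE`) decodes to different values — roughly `E9AB…67C4` in the removed file versus `AADB…9DFD` in the added one — and the new block also carries a different armor `Comment:` header, so this looks like an ISC signing-key rotation rather than a re-signing with the same key. Nothing in this request adds or updates a keyring, so unless the keyring the spec's signature check uses already contains the new key, that check will either fail in OBS or, worse, is not actually being enforced for this source; confirm which, and if a key is missing import it from ISC's published release-signing keys in the same request rather than in a follow-up. Note also that the `.sha512.asc` and the LFS pointer's `oid sha256:` are two independent trust anchors for the same tarball; a reviewer cannot cross-check them from this diff alone, so record in the changelog which one was verified and how.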
@@ -1,73 +0,0 @@ -diff --git a/bin/named/config.c b/bin/named/config.c -index 213c45cb33..0b28c8db7a 100644 ---- a/bin/named/config.c -+++ b/bin/named/config.c -@@ -164,7 +164,7 @@ options {\n\ - fetches-per-server 0;\n\ - fetches-per-zone 0;\n\ - glue-cache yes;\n\ -- lame-ttl 600;\n" -+ lame-ttl 0;\n" - #ifdef HAVE_LMDB - " lmdb-mapsize 32M;\n" - #endif /* ifdef HAVE_LMDB */ -diff --git a/bin/named/server.c b/bin/named/server.c -index ff04689685..0f001ba303 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -4840,8 +4840,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, - result = named_config_get(maps, "lame-ttl", &obj); - INSIST(result == ISC_R_SUCCESS); - lame_ttl = cfg_obj_asduration(obj); -- if (lame_ttl > 1800) { -- lame_ttl = 1800; -+ if (lame_ttl > 0) { -+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, -+ "disabling lame cache despite lame-ttl > 0 as it " -+ "may cause performance issues"); -+ lame_ttl = 0; - } - dns_resolver_setlamettl(view->resolver, lame_ttl); - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 0358241d95..40c416dcf1 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -10122,25 +10122,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) { - */ - static isc_result_t - rctx_lameserver(respctx_t *rctx) { -- isc_result_t result; -+ isc_result_t result = ISC_R_SUCCESS; - fetchctx_t *fctx = rctx->fctx; - resquery_t *query = rctx->query; - -- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) || -- !is_lame(fctx, query->rmessage)) -- { -+ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) { - return (ISC_R_SUCCESS); - } - - inc_stats(fctx->res, dns_resstatscounter_lame); - log_lame(fctx, query->addrinfo); -- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name, -- fctx->type, rctx->now + fctx->res->lame_ttl); -- if (result != ISC_R_SUCCESS) { -- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -- DNS_LOGMODULE_RESOLVER, 
ISC_LOG_ERROR,
-- "could not mark server as lame: %s",
-- isc_result_totext(result));
-+ if (fctx->res->lame_ttl != 0) {
-+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
-+ &fctx->name, fctx->type,
-+ rctx->now + fctx->res->lame_ttl);
-+ if (result != ISC_R_SUCCESS) {
-+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
-+ "could not mark server as lame: %s",
-+ isc_result_totext(result));
-+ }
+ }
- rctx->broken_server = DNS_R_LAME;
- rctx->next_server = true;
diff --git a/bind-avoid-fallthrough-warning-error.patch b/bind-avoid-fallthrough-warning-error.patch
new file mode 100644
index 0000000..761b821
--- /dev/null
+++ b/bind-avoid-fallthrough-warning-error.patch
@@ -0,0 +1,26 @@
+Index: bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
+===================================================================
+--- bind-9.16.23.orig/contrib/dlz/drivers/dlz_ldap_driver.c
++++ bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
+@@ -978,11 +978,13 @@ dlz_ldap_create(const char *dlzname, uns
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
++ /* FALLTHROUGH */
+ case 11:
+ result = dlz_ldap_checkURL(argv[10], 3, "all nodes");
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
++ /* FALLTHROUGH */
+ case 10:
+ if (strlen(argv[9]) > 0) {
+ result = dlz_ldap_checkURL(argv[9], 3, "authority");
+@@ -990,6 +992,7 @@ dlz_ldap_create(const char *dlzname, uns
+ return (result);
+ }
+ }
++ /* FALLTHROUGH */
+ case 9:
+ result = dlz_ldap_checkURL(argv[8], 3, "lookup");
+ if (result != ISC_R_SUCCESS) {
diff --git a/bind-fix-build-with-older-sphinx.patch b/bind-fix-build-with-older-sphinx.patch
deleted file mode 100644
index 1df9bb8..0000000
--- a/bind-fix-build-with-older-sphinx.patch
+++ /dev/null
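Review bot: The three markers added in dlz_ldap_create are bare comments, which only GCC's default `-Wimplicit-fallthrough=3` comment regex honours; clang's `-Wimplicit-fallthrough` and GCC at level 5 ignore comments, so a `-Werror` build with either compiler still fails on this switch. If this tree's `isc/util.h` provides a `FALLTHROUGH` macro (the 9.16 core sources appear to use one), replace each `/* FALLTHROUGH */` with `FALLTHROUGH;` so the intent is expressed to the compiler rather than to a regex; if it does not, the comment form is the portable fallback and the patch is fine as is. The cascade itself is intentional and the markers are placed correctly: each case validates one more LDAP URL argument (`argv[10]`, `argv[9]`, `argv[8]`) and the `return (result)` after each check keeps a rejected URL from falling into the next case, so no behaviour changes. This is contrib code upstream still carries, so the fix belongs in an upstream merge request as well; the switch and dlz_ldap_create both start above the hunk.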
@@ -1,108 +0,0 @@ -Index: b/doc/arm/conf.py -=================================================================== ---- a/doc/arm/conf.py -+++ b/doc/arm/conf.py -@@ -18,54 +18,58 @@ from docutils.nodes import Node, system_ - from docutils.parsers.rst import roles - - from sphinx import addnodes --from sphinx.util.docutils import ReferenceRole -+try: -+ from sphinx.util.docutils import ReferenceRole - -+ GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/' - --GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/' - -- --# Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. --class GitLabRefRole(ReferenceRole): -- def __init__(self, base_url: str) -> None: -- self.base_url = base_url -- super().__init__() -- -- def run(self) -> Tuple[List[Node], List[system_message]]: -- gl_identifier = '[GL %s]' % self.target -- -- target_id = 'index-%s' % self.env.new_serialno('index') -- entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)] -- -- index = addnodes.index(entries=entries) -- target = nodes.target('', '', ids=[target_id]) -- self.inliner.document.note_explicit_target(target) -- -- try: -- refuri = self.build_uri() -- reference = nodes.reference('', '', internal=False, refuri=refuri, -- classes=['gl']) -- if self.has_explicit_title: -- reference += nodes.strong(self.title, self.title) -- else: -- reference += nodes.strong(gl_identifier, gl_identifier) -- except ValueError: -- error_text = 'invalid GitLab identifier %s' % self.target -- msg = self.inliner.reporter.error(error_text, line=self.lineno) -- prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) -- return [prb], [msg] -- -- return [index, target, reference], [] -- -- def build_uri(self): -- if self.target[0] == '#': -- return self.base_url + 'issues/%d' % int(self.target[1:]) -- if self.target[0] == '!': -- return self.base_url + 'merge_requests/%d' % int(self.target[1:]) -- raise ValueError -- -- --def setup(_): -- 
roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL)) -+ # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. -+ class GitLabRefRole(ReferenceRole): -+ def __init__(self, base_url: str) -> None: -+ self.base_url = base_url -+ super().__init__() -+ -+ def run(self) -> Tuple[List[Node], List[system_message]]: -+ gl_identifier = '[GL %s]' % self.target -+ -+ target_id = 'index-%s' % self.env.new_serialno('index') -+ entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)] -+ -+ index = addnodes.index(entries=entries) -+ target = nodes.target('', '', ids=[target_id]) -+ self.inliner.document.note_explicit_target(target) -+ -+ try: -+ refuri = self.build_uri() -+ reference = nodes.reference('', '', internal=False, refuri=refuri, -+ classes=['gl']) -+ if self.has_explicit_title: -+ reference += nodes.strong(self.title, self.title) -+ else: -+ reference += nodes.strong(gl_identifier, gl_identifier) -+ except ValueError: -+ error_text = 'invalid GitLab identifier %s' % self.target -+ msg = self.inliner.reporter.error(error_text, line=self.lineno) -+ prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) -+ return [prb], [msg] -+ -+ return [index, target, reference], [] -+ -+ def build_uri(self): -+ if self.target[0] == '#': -+ return self.base_url + 'issues/%d' % int(self.target[1:]) -+ if self.target[0] == '!': -+ return self.base_url + 'merge_requests/%d' % int(self.target[1:]) -+ raise ValueError -+ -+ -+ def setup(_): -+ roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL)) -+ -+except ImportError: -+ # better loose this feature, than failing the build -+ pass - - # - # Configuration file for the Sphinx documentation builder. diff --git a/bind.changes b/bind.changes index 3d150fc..7c13cc9 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,80 @@ +------------------------------------------------------------------- +Fri Dec 3 07:52:38 UTC 2021 - Josef Möllers + +- Upgrade to 9.16.23 + Security issues fixed: + The "lame-ttl" option is now forcibly set to 0. This + effectively disables the lame server cache, as it could + previously be abused by an attacker to significantly + degrade resolver performance. (CVE-2021-25219) + + Bugs fixed: + In 9.16.21: + * When a dynamic zone was made available in another view + using the "in-view" statement, running "rndc freeze" + always reported an "already frozen" error even though + the zone was successfully frozen. + * Stale data in the cache could cause named to send + non-minimized queries despite QNAME minimization being + enabled. + * When a DNSSEC-signed zone which only has a single + signing key available is migrated to use KASP, that key + is now treated as a Combined Signing Key (CSK). + * When a member zone was removed from a catalog zone, + journal files for the former were not deleted. + * named-checkconf failed to detect syntactically invalid + values of the "key" and "tls" parameters used to define + members of remote server lists. + * Fixed a regression which caused the EDNS TCP Keepalive option to be + ignored inadvertently in client requests. It has now + been fixed and this option is handled properly again. + * Fixed a regression which altered the internal memory structure of + zone databases, but neglected to update the MAPAPI value + for zone files in "map" format. This caused named to + attempt to load incompatible map files, triggering an + assertion failure on startup. The MAPAPI value has now + been updated, so named rejects outdated files when + encountering them. + * The thread-local isc_tid_v variable was not properly + initialized when running BIND 9 as a Windows Service, + leading to a crash on startup. 
+ * "map" files exceeding 2GB in size failed to load due to + a size comparison that incorrectly treated the file size + as a signed integer. + In 9.16.22: + * Remove the "adjust interface" mechanism which was + responsible for setting up listeners on interfaces when + the "*-source(-v6)" address and port were the same as + the "listen-on(-v6)" address and port. Such a + configuration is no longer supported; under certain + timing conditions, that mechanism could prevent named + from listening on some TCP ports. This has been fixed. + * Multiple library names were mistakenly passed to the + krb5-config utility when ./configure was invoked with + the --with-gssapi=[/path/to/]krb5-config option. This + has been fixed by invoking krb5-config separately for + each required library. + * Fixed a regression which broke backward compatibility for the + "check-names master ..." and "check-names slave ..." + options. This has been fixed. + * Address a potential deadlock when checking zone content + consistency. + In 9.16.23: + * Address Coverity warning in lib/dns/dnssec.c. + * Fix a bug when comparing two RSA keys. There was a typo + which caused the "p" prime factors to not being + compared. + * Fix an assertion failure caused by missing member zones + during a reload of a catalog zone. + This obsoletes bind-CVE-2021-25219.patch and + bind-fix-build-with-older-sphinx.patch + Other issues: + A compile time waring about fall through in a switch statement + has been averted by marking the cases as FALLTHROUGH. + [bind-9.16.23.tar.xz, bind-9.16.23.tar.xz.sha512.asc, + bind-CVE-2021-25219.patch, bind-fix-build-with-older-sphinx.patch, + bind-avoid-fallthrough-warning-error.patch] + ------------------------------------------------------------------- Mon Nov 8 09:01:21 UTC 2021 - Josef Möllers diff --git a/bind.spec b/bind.spec index 6669ae9..7290f6a 100644 --- a/bind.spec +++ b/bind.spec 
@@ -46,7 +46,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: bind
-Version: 9.16.20
+Version: 9.16.23
 Release: 0
 Summary: Domain Name System (DNS) Server (named)
 License: MPL-2.0
@@ -66,8 +66,7 @@ Source70: bind.conf
 Source72: named.conf
 Patch52: named-bootconf.diff
 Patch56: bind-ldapdump-use-valid-host.patch
-Patch68: bind-fix-build-with-older-sphinx.patch
-Patch69: bind-CVE-2021-25219.patch
+Patch57: bind-avoid-fallthrough-warning-error.patch
 BuildRequires: libcap-devel
 BuildRequires: libmysqlclient-devel
 BuildRequires: libopenssl-devel
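Review bot: Patch57 is declared but no `%prep` change accompanies it — the diffstat's five bind.spec lines are fully accounted for by the two hunks shown — so the new patch is only applied if `%prep` uses `%autosetup -p1` or `%autopatch`; if the spec applies patches with explicit `%patch` lines, a `%patch57 -p1` must be added and the old `%patch68`/`%patch69` lines removed, otherwise the build either keeps the fallthrough error the changelog says is fixed or fails on undefined patch numbers. Confirm which form the spec uses and say so in the changelog entry. Separately, because 9.16.23 now forces `lame-ttl` to 0 and logs a warning when a configuration sets it higher, check whether the packaged `named.conf` (Source72) or the shipped defaults set `lame-ttl`; if they do, drop the option there so the fix for CVE-2021-25219 does not surface as a startup warning on every host.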