diff --git a/VU697164_VU915404.diff b/VU697164_VU915404.diff
deleted file mode 100644
index d727f42..0000000
--- a/VU697164_VU915404.diff
+++ /dev/null
@@ -1,154 +0,0 @@
-Index: bin/named/query.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/named/query.c,v
-retrieving revision 1.198.2.13.4.36
-diff -u -r1.198.2.13.4.36 query.c
---- bin/named/query.c 11 Aug 2005 05:25:20 -0000 1.198.2.13.4.36
-+++ bin/named/query.c 28 Jul 2006 03:41:15 -0000
-@@ -2393,7 +2393,7 @@
- is_zone = ISC_FALSE;
-
- qtype = event->qtype;
-- if (qtype == dns_rdatatype_rrsig)
-+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
-@@ -2434,7 +2434,7 @@
- /*
- * If it's a SIG query, we'll iterate the node.
- */
-- if (qtype == dns_rdatatype_rrsig)
-+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
-Index: lib/dns/resolver.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/resolver.c,v
-retrieving revision 1.218.2.18.4.56
-diff -u -r1.218.2.18.4.56 resolver.c
---- lib/dns/resolver.c 14 Oct 2005 01:38:48 -0000 1.218.2.18.4.56
-+++ lib/dns/resolver.c 28 Jul 2006 03:41:25 -0000
-@@ -762,7 +762,8 @@
- INSIST(result != ISC_R_SUCCESS ||
- dns_rdataset_isassociated(event->rdataset) ||
- fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig);
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig);
-
- isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
- }
-@@ -3188,7 +3189,8 @@
- if (hevent != NULL) {
- if (!negative && !chaining &&
- (fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig)) {
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig)) {
- /*
- * Don't bind rdatasets; the caller
- * will iterate the node.
-@@ -3306,7 +3308,8 @@
- if (!ISC_LIST_EMPTY(fctx->validators)) {
- INSIST(!negative);
- INSIST(fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig);
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig);
- /*
- * Don't send a response yet - we have
- * more rdatasets that still need to
-@@ -3455,14 +3458,15 @@
- return (result);
- anodep = &event->node;
- /*
-- * If this is an ANY or SIG query, we're not going
-- * to return any rdatasets, unless we encountered
-+ * If this is an ANY, SIG or RRSIG query, we're not
-+ * going to return any rdatasets, unless we encountered
- * a CNAME or DNAME as "the answer". In this case,
- * we're going to return DNS_R_CNAME or DNS_R_DNAME
- * and we must set up the rdatasets.
- */
- if ((fctx->type != dns_rdatatype_any &&
-- fctx->type != dns_rdatatype_rrsig) ||
-+ fctx->type != dns_rdatatype_rrsig &&
-+ fctx->type != dns_rdatatype_sig) ||
- (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
- ardataset = event->rdataset;
- asigrdataset = event->sigrdataset;
-@@ -3521,7 +3525,7 @@
- */
- if (secure_domain && rdataset->trust != dns_trust_glue) {
- /*
-- * SIGs are validated as part of validating the
-+ * RRSIGs are validated as part of validating the
- * type they cover.
- */
- if (rdataset->type == dns_rdatatype_rrsig)
-@@ -3591,7 +3595,8 @@
-
- if (ANSWER(rdataset) && need_validation) {
- if (fctx->type != dns_rdatatype_any &&
-- fctx->type != dns_rdatatype_rrsig) {
-+ fctx->type != dns_rdatatype_rrsig &&
-+ fctx->type != dns_rdatatype_sig) {
- /*
- * This is The Answer.
We will
- * validate it, but first we cache
-@@ -3763,23 +3768,28 @@
- isc_result_t *eresultp)
- {
- isc_result_t result;
-+ dns_rdataset_t rdataset;
-+
-+ if (ardataset == NULL) {
-+ dns_rdataset_init(&rdataset);
-+ ardataset = &rdataset;
-+ }
- result = dns_ncache_add(message, cache, node, covers, now,
- maxttl, ardataset);
-- if (result == DNS_R_UNCHANGED) {
-+ if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
- /*
-- * The data in the cache are better than the negative cache
-- * entry we're trying to add.
-+ * If the cache now contains a negative entry and we
-+ * care about whether it is DNS_R_NCACHENXDOMAIN or
-+ * DNS_R_NCACHENXRRSET then extract it.
- */
-- if (ardataset != NULL && ardataset->type == 0) {
-+ if (ardataset->type == 0) {
- /*
-- * The cache data is also a negative cache
-- * entry.
-+ * The cache data is a negative cache entry.
- */
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
-- result = ISC_R_SUCCESS;
- } else {
- /*
- * Either we don't care about the nature of the
-@@ -3791,14 +3801,11 @@
- * XXXRTH There's a CNAME/DNAME problem here.
- */
- *eresultp = ISC_R_SUCCESS;
-- result = ISC_R_SUCCESS;
- }
-- } else if (result == ISC_R_SUCCESS) {
-- if (NXDOMAIN(ardataset))
-- *eresultp = DNS_R_NCACHENXDOMAIN;
-- else
-- *eresultp = DNS_R_NCACHENXRRSET;
-+ result = ISC_R_SUCCESS;
- }
-+ if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
-+ dns_rdataset_disassociate(ardataset);
-
- return (result);
- }
diff --git a/bind-9.3.2.tar.gz b/bind-9.3.2.tar.gz
deleted file mode 100644
index 69e5343..0000000
--- a/bind-9.3.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4d4298abd85d06083a0643091dde05ffbe3db051439524dbe4a81c689735c694
-size 5302112
diff --git a/bind-9.3.3.tar.gz b/bind-9.3.3.tar.gz
new file mode 100644
index 0000000..88e065b
--- /dev/null
+++ b/bind-9.3.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2d115578f9feff1871cbb9a78e99d510da38da5b0eeb31b749b0c084b06dec2
+size 5401230
diff --git a/bind-rsa.patch b/bind-rsa.patch
deleted file mode 100644
index 3eaa6fd..0000000
--- a/bind-rsa.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-
-Security Fixes (BIND 9.3.2-P2):
-
-Change the default RSA exponent from 3 to 65537 which is
-not vulnerable to the attacks described in CVE-2006-4339.
-
-Index: lib/dns/opensslrsa_link.c
---- lib/dns/opensslrsa_link.c.orig 2004-12-09 05:07:18 +0100
-+++ lib/dns/opensslrsa_link.c 2006-11-04 09:58:32 +0100
-@@ -39,6 +39,9 @@
- #include
- #include
- #include
-+#if OPENSSL_VERSION_NUMBER > 0x00908000L
-+#include
-+#endif
-
- /*
- * XXXMPA Temporarially disable RSA_BLINDING as it requires
-@@ -260,13 +263,47 @@
-
- static isc_result_t
- opensslrsa_generate(dst_key_t *key, int exp) {
-+#if OPENSSL_VERSION_NUMBER > 0x00908000L
-+ BN_GENCB cb;
-+ RSA *rsa = RSA_new();
-+ BIGNUM *e = BN_new();
-+
-+ if (rsa == NULL || e == NULL)
-+ goto err;
-+
-+ if (exp == 0) {
-+ /* RSA_F4 0x10001 */
-+ BN_set_bit(e, 0);
-+ BN_set_bit(e, 16);
-+ } else {
-+ /* F5 0x100000001 */
-+ BN_set_bit(e, 0);
-+ BN_set_bit(e, 32);
-+ }
-+
-+ BN_GENCB_set_old(&cb, NULL, NULL);
-+
-+ if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
-+ BN_free(e);
-+ SET_FLAGS(rsa);
-+ key->opaque = rsa;
-+ return (ISC_R_SUCCESS);
-+ }
-+
-+ err:
-+ if (e != NULL)
-+ BN_free(e);
-+ if (rsa != NULL)
-+ RSA_free(rsa);
-+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-+#else
- RSA *rsa;
- unsigned long e;
-
- if (exp == 0)
-- e = RSA_3;
-- else
- e = RSA_F4;
-+ else
-+ e = 0x40000003;
- rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
- if (rsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-@@ -274,6 +311,7 @@
- key->opaque = rsa;
-
- return (ISC_R_SUCCESS);
-+#endif
- }
-
- static isc_boolean_t
-
diff --git a/bind.changes b/bind.changes
index 874b220..d10a376 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jan 19 10:38:46 CET 2007 - ug@suse.de
+
+- version 9.3.2 to 9.3.3
+- lots of bugfixes (see changelog for details)
+
 -------------------------------------------------------------------
 Tue Jan 2 15:50:59 CET 2007 - ug@suse.de
diff --git a/bind.spec b/bind.spec
index 9d6925e..579e900 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package bind (Version 9.3.2)
+# spec file for package bind (Version 9.3.3)
 #
 # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -13,8 +13,8 @@ Name: bind
 BuildRequires: openldap2 openldap2-devel
 Summary: Domain Name System (DNS) Server (named)
-Version: 9.3.2
-Release: 54
+Version: 9.3.3
+Release: 1
 %define SDB_LDAP_VERSION 1.0-beta
 License: GNU General Public License (GPL)
 Group: Productivity/Networking/DNS/Servers
@@ -38,8 +38,6 @@ Patch50: sdb_ldap.diff
 Patch51: pie_compile.diff
 Patch52: named-bootconf.diff
 Patch53: nsupdate.8.diff
-Patch54: VU697164_VU915404.diff
-Patch55: bind-rsa.patch
 %if %ul_version >= 1
 %define VENDOR UL
 %else
@@ -190,8 +188,6 @@ Authors:
 %patch51
 %patch52
 %patch53
-%patch54
-%patch55
 # modify settings of some files regarding to OS version and vendor
 function replaceStrings() {
@@ -652,6 +648,9 @@ fi
 %doc %{_mandir}/man5/idnrc.5.gz
 %changelog -n bind
+* Fri Jan 19 2007 - ug@suse.de
+- version 9.3.2 to 9.3.3
+- lots of bugfixes (see changelog for details)
 * Tue Jan 02 2007 - ug@suse.de
 - load of bind during boot fails if ip-up starts modify_resolvconf at the same time (#221948)
diff --git a/named-bootconf.diff b/named-bootconf.diff
index cf9b8f6..361b3dd 100644
--- a/named-bootconf.diff
+++ b/named-bootconf.diff
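Review bot: The removal of `Patch54: VU697164_VU915404.diff` and `Patch55: bind-rsa.patch` (and of the matching `%patch54`/`%patch55` lines in the later hunk) is not explained anywhere in the spec, and the `%changelog` entry added at the end only says "lots of bugfixes (see changelog for details)". Both dropped patches are security fixes — bind-rsa.patch, shown deleted above, changes the default RSA exponent from 3 to 65537 for CVE-2006-4339, and the VU697164_VU915404 diff carries the query.c/resolver.c SIG/RRSIG handling changes — so the entry should state that they are superseded by the upstream 9.3.3 sources, e.g. `- dropped VU697164_VU915404.diff and bind-rsa.patch (CVE-2006-4339): fixed upstream in 9.3.3`. Whether 9.3.3 actually contains both fixes cannot be verified from this diff and is worth confirming against the upstream release notes before the patch lines are dropped, since nothing in the build would otherwise flag their absence.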
@@ -1,24 +1,20 @@
 --- contrib/named-bootconf/named-bootconf.sh
-+++ contrib/named-bootconf/named-bootconf.sh 2005/11/21 10:57:33
-@@ -54,9 +54,10 @@
++++ contrib/named-bootconf/named-bootconf.sh 2006/11/06 08:59:04
+@@ -54,7 +54,8 @@
  # POSSIBILITY OF SUCH DAMAGE.
  if [ ${OPTIONFILE-X} = X ]; then
-- OPTIONFILE=/tmp/.options.`date +%s`.$$
-- ZONEFILE=/tmp/.zones.`date +%s`.$$
-- COMMENTFILE=/tmp/.comments.`date +%s`.$$
-+ TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
-+ OPTIONFILE=$TMPDIR/.options.`date +%s`.$$
-+ ZONEFILE=$TMPDIR/.zones.`date +%s`.$$
-+ COMMENTFILE=$TMPDIR/.comments.`date +%s`.$$
- export OPTIONFILE ZONEFILE COMMENTFILE
- touch $OPTIONFILE $ZONEFILE $COMMENTFILE
- DUMP=1
-@@ -302,7 +303,7 @@
- echo "};"
+- WORKDIR=/tmp/`date +%s`.$$
++ TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
++ WORKDIR=$TMPDIR/`date +%s`.$$
+ ( umask 077 ; mkdir $WORKDIR ) || {
+ echo "unable to create work directory '$WORKDIR'" >&2
+ exit 1
+@@ -308,7 +309,7 @@
  cat $ZONEFILE $COMMENTFILE
-- rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
+ rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
+- rmdir $WORKDIR
+ rm -rf $TMPDIR
  fi
diff --git a/nsupdate.8.diff b/nsupdate.8.diff
index d35517b..df92626 100644
--- a/nsupdate.8.diff
+++ b/nsupdate.8.diff
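Review bot: The new line that assigns `TMPDIR` from `mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` creates the private directory safely, but the only cleanup is the `rm -rf $TMPDIR` in the second inner hunk, so every earlier failure path — including the upstream `exit 1` after `mkdir $WORKDIR` that is now nested inside the mktemp directory — leaves the directory behind in /tmp. Adding `trap 'rm -rf "$TMPDIR"' EXIT` immediately after the mktemp line would cover all exit paths; the script body between the two inner hunks is outside this diff, so I cannot tell whether a trap already exists there. Reusing the conventional environment-variable name `TMPDIR` for a script-private path is also worth avoiding: if the script exports it, or later calls mktemp without `-p`, child processes and tools that honour TMPDIR will see the private directory instead of the user's setting, and a distinct name such as `BOOTCONF_TMP` removes that ambiguity. Quoting the expansions as `"$TMPDIR"` and `"$WORKDIR"` is cheap insurance even though mktemp's output here contains no whitespace.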
@@ -1,107 +1,99 @@ ---- bin/nsupdate//nsupdate.8 2006-07-06 11:17:01.000000000 +0200 -+++ /usr/share/man/man8/nsupdate.8 2006-07-06 11:19:37.000000000 +0200 -@@ -29,7 +29,6 @@ - .SH "NAME" - nsupdate \- Dynamic DNS update utility - .SH "SYNOPSIS" --.HP 9 - \fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename] - .SH "DESCRIPTION" - .PP -@@ -124,7 +123,7 @@ +--- bin/nsupdate/nsupdate.8 ++++ bin/nsupdate/nsupdate.8 2006/08/04 07:54:15 +@@ -128,7 +128,7 @@ .PP The command formats and their meaning are as follows: - .TP + .TP 3n -.HP 7 \fBserver\fR {servername} [port] +\fBserver\fR {servername} [port] Sends all dynamic update requests to the name server \fIservername\fR. When no server statement is provided, \fBnsupdate\fR -@@ -134,7 +133,7 @@ +@@ -138,7 +138,7 @@ \fIservername\fR where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. - .TP + .TP 3n -.HP 6 \fBlocal\fR {address} [port] +\fBlocal\fR {address} [port] Sends all dynamic update requests using the local \fIaddress\fR. When no local statement is provided, \fBnsupdate\fR -@@ -142,7 +141,7 @@ +@@ -146,7 +146,7 @@ \fIport\fR can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. - .TP + .TP 3n -.HP 5 \fBzone\fR {zonename} +\fBzone\fR {zonename} Specifies that all updates are to be made to the zone \fIzonename\fR. If no \fIzone\fR -@@ -150,13 +149,13 @@ +@@ -154,13 +154,13 @@ \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. - .TP + .TP 3n -.HP 6 \fBclass\fR {classname} +\fBclass\fR {classname} Specify the default class. If no \fIclass\fR is specified the default class is \fIIN\fR. 
- .TP + .TP 3n -.HP 4 \fBkey\fR {name} {secret} +\fBkey\fR {name} {secret} Specifies that all updates are to be TSIG signed using the - \fIkeyname\fR\fIkeysecret\fR - pair. The -@@ -166,16 +165,16 @@ + \fIkeyname\fR + \fIkeysecret\fR +@@ -171,16 +171,16 @@ or \fB\-k\fR. - .TP + .TP 3n -.HP 16 \fBprereq nxdomain\fR {domain\-name} +\fBprereq nxdomain\fR {domain\-name} Requires that no resource record of any type exists with name \fIdomain\-name\fR. - .TP + .TP 3n -.HP 16 \fBprereq yxdomain\fR {domain\-name} +\fBprereq yxdomain\fR {domain\-name} Requires that \fIdomain\-name\fR exists (has as at least one resource record, of any type). - .TP + .TP 3n -.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type} +\fBprereq nxrrset\fR {domain\-name} [class] {type} Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR -@@ -184,7 +183,7 @@ +@@ -189,7 +189,7 @@ \fIclass\fR is omitted, IN (internet) is assumed. - .TP + .TP 3n -.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} +\fBprereq yxrrset\fR {domain\-name} [class] {type} This requires that a resource record of the specified \fItype\fR, \fIclass\fR -@@ -194,7 +193,7 @@ +@@ -199,7 +199,7 @@ \fIclass\fR is omitted, IN (internet) is assumed. - .TP + .TP 3n -.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} +\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} The \fIdata\fR from each set of prerequisites of this form sharing a common -@@ -208,7 +207,7 @@ +@@ -213,7 +213,7 @@ \fIdata\fR are written in the standard text representation of the resource record's RDATA. - .TP + .TP 3n -.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] +\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] Deletes any resource records named \fIdomain\-name\fR. If \fItype\fR -@@ -220,20 +219,20 @@ +@@ -225,20 +225,20 @@ \fIttl\fR is ignored, and is only allowed for compatibility. 
- .TP + .TP 3n -.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} +\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} Adds a new resource record with the specified @@ -109,15 +101,15 @@ \fIclass\fR and \fIdata\fR. - .TP + .TP 3n -.HP 5 \fBshow\fR +\fBshow\fR Displays the current message, containing all of the prerequisites and updates specified since the last send. - .TP + .TP 3n -.HP 5 \fBsend\fR +\fBsend\fR Sends the current message. This is equivalent to entering a blank line. - .TP + .TP 3n -.HP 7 \fBanswer\fR +\fBanswer\fR Displays the answer.