Accepting request 980817 from network

- Upgrade to 9.18.3:
  Bugs fixed:
  * Fix a crash in DNS-over-HTTPS (DoH) code caused by premature
    TLS stream socket object deletion.
  * RPZ NSIP and NSDNAME rule processing didn't handle stub and
    static-stub zones at or above the query name. This has now
    been addressed.
  * Fixed a deadlock that could occur if an rndc connection arrived
    during the shutdown of network interfaces.
  * Refactor the fctx_done() function to set fctx to NULL after
    detaching, so that reference counting errors will be easier to
    avoid.
  * udp_recv() in dispatch could trigger an INSIST when the
    callback's result indicated success but the response was
    canceled in the meantime.
  * Work around a jemalloc quirk which could trigger an
    out-of-memory condition in named over time.
  * If there was a pending negative cache DS entry, validations
    depending upon it could fail.
  * dig returned a 0 exit status on UDP connection failure.
  * Fix an assertion failure when using dig with +nssearch and
    +tcp options by starting the next query in the send_done()
    callback (like in the UDP mode) instead of doing that
    recursively in start_tcp(). Also ensure that queries
    interrupted while connecting are detached properly.
  * Don't remove CDS/CDNSKEY DELETE records on zone sign when
    using 'auto-dnssec maintain;'.
  This obsoletes the following patch:
  bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
  [CVE-2022-1183, bsc#1199619]

OBS-URL: https://build.opensuse.org/request/show/980817
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=179

bind-9.18.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2e4b38779bba0a23ee634fdf7c525fd9794c41d692bfd83cda25823a2a3ed969
-size 5109916

bind-9.18.2.tar.xz.sha512.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmJdcqsACgkQxbTukxqf
-nf3E5xAApY6+1ckL4EJpdEJux9WHBoHKlnTFAaD1HKIGNbJUPwnfc0j9LgVgRXIH
-AClkZS+9n45+CJEAwaoWcCmfAF4fUnoPukF16XhtRFcDCW4CSGSIbhXVKrN5hWkP
-nhpjmLC3DVVxxCEBySK1TxUQUPeLC5cbdtozgkA/QL/LiMdm2gagBXlKRL9nVdIX
-v5Fm+ZyVAU22WG639y7MpiquXdZ3P9xcmLcu4gg3A2IQ25mF4yj3C/nxNmqpZCVj
-e4i3/jyrXliSEXJ5lCZ7k5JBziS67edpoEMUnQgVxEIcLabl4xB5Q114eU1RI4C+
-JX9EZdgmXClqkQrJXuIgu1usm+cjvhNkltokNz/FcpClaDUpXQptC56UNLQUfZS2
-ZBOfxUhJYR+Fzru3pO5rXgs99nZlphS6BAbwLEmvgP1Ws3x1ye7lVKWuytKCxRhM
-yuNK7o5PBzMK8iW+B3h0ok9JsakhEJH1sOqlthInfrcJO1GLox1v5Ih3cGrRHNLK
-CnU8AkZkFPuTtNJMGFOtkftckkufiIcisakTjF2jfr7eWkf3k/FN4+AWF+h4R7gD
-vFz0YMH9I9GdfMFbikh2KUm1sU3d1RQ1mf600vEGFAsjPRuZCCe6762g3OLr9Rza
-TN3/XeHFyjJep2P+RCUUdEGUcb0ry3qV9jr9wUyB/KkJNefScHE=
-=A7Yz
------END PGP SIGNATURE-----

bind-9.18.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0ad8da773bd93cba0ef66cc81999698ebdf9c3e51faed5e5c8c1eb75cad2ae6f
+size 5136984

bind-9.18.3.tar.xz.sha512.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmJ7ilwACgkQxbTukxqf
+nf3Oyw/8D9mK2rDC/kIPVZnTL5G9s+Qhy/fEeVwKrjbszK1spQUsfSwIzfMcRN6x
+eJ7d1RcCN+zVv0JGaa5sa2pa6ftpP2PiZ3OrxdenN9/GdeXl7Tepm9/c7Pg0SEfk
+hupo0JG+O1vHThWn82x0F1EnJ+qUdHlVYROeu887Da9SFOPKCo5jOey5u3LM55OA
+0WbZRIjeWUExGWK54wREEOJ0fpNzGQNo+amf82FimgV7jWtTmPyreqlrO+UnJgKs
+tu1Gf3/a8kQy6AIHnHnBHIZdelPzZ+4omFfdP5f9/0LIB2rrWxzgtYBHMLZJcc7z
+vL60iIjK8JxtmcKdu8bugPnL1L2wVjb1uf5t23PO/yewngJbrI54+eQHdqrTRqsY
+LdzQcJ8pWA6GuFtlTDrcSwuvxGa8+0U3HkQdUo4F0L7TW60zkfRd9enTli2Kxoa/
+KRHuVAa9Veg9ybdyWF4gITqH21H8MT/0l1Pn2f9JVosTI/s2N5kJ29e4C47THav5
+iqY0NKtZGjMrExbkel0fQ2d/GecrT0QeZBEl3MTkj7kzWq1aHr987Q+N+vqkw5kj
+V88kdYgWgR6JnrvkUHSI/LYagMnXt7kktAQ+OudY0fNaUjRqnR0UqZez87fEc3xr
+/VDn/PEppUooa2lHKjnMv415SStLQkb1I0GqLAOBKjqvwt9B8dw=
+=JC/r
+-----END PGP SIGNATURE-----

bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch

@@ -1,38 +0,0 @@
-Index: bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h
-===================================================================
---- bind-9.18.2.orig/contrib/dlz/modules/include/dlz_minimal.h
-+++ bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h
-@@ -27,6 +27,7 @@
- 
- #include <inttypes.h>
- #include <stdbool.h>
-+#include <stdlib.h>
- 
- #include <arpa/inet.h>
- #include <net/if.h>
-@@ -85,6 +86,25 @@ typedef uint32_t     dns_ttl_t;
- 		var = _u.v;            \
- 	} while (0)
- 
-+
-+#if !defined(__has_attribute)
-+#define __has_attribute(x) 0
-+#endif /* if !defined(__has_attribute) */
-+
-+#if __GNUC__ >= 7 || __has_attribute(fallthrough)
-+#define FALLTHROUGH __attribute__((fallthrough))
-+#else
-+/* clang-format off */
-+#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */
-+/* clang-format on */
-+#endif
-+
-+#ifdef __GNUC__
-+#define UNREACHABLE() __builtin_unreachable()
-+#else
-+#define UNREACHABLE() abort()
-+#endif
-+
- /* opaque structures */
- typedef void *dns_sdlzlookup_t;
- typedef void *dns_sdlzallnodes_t;

bind.changes

@@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Thu May 19 07:32:31 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- Upgrade to 9.18.3:
+  Bugs fixed:
+  * Fix a crash in DNS-over-HTTPS (DoH) code caused by premature
+    TLS stream socket object deletion.
+  * RPZ NSIP and NSDNAME rule processing didn't handle stub and
+    static-stub zones at or above the query name. This has now
+    been addressed.
+  * Fixed a deadlock that could occur if an rndc connection arrived
+    during the shutdown of network interfaces.
+  * Refactor the fctx_done() function to set fctx to NULL after
+    detaching, so that reference counting errors will be easier to
+    avoid.
+  * udp_recv() in dispatch could trigger an INSIST when the
+    callback's result indicated success but the response was
+    canceled in the meantime.
+  * Work around a jemalloc quirk which could trigger an
+    out-of-memory condition in named over time.
+  * If there was a pending negative cache DS entry, validations
+    depending upon it could fail.
+  * dig returned a 0 exit status on UDP connection failure.
+  * Fix an assertion failure when using dig with +nssearch and
+    +tcp options by starting the next query in the send_done()
+    callback (like in the UDP mode) instead of doing that
+    recursively in start_tcp(). Also ensure that queries
+    interrupted while connecting are detached properly.
+  * Don't remove CDS/CDNSKEY DELETE records on zone sign when
+    using 'auto-dnssec maintain;'.
+  This obsoletes the following patch:
+  bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
+  [CVE-2022-1183, bsc#1199619]
+
+-------------------------------------------------------------------
+Tue May 17 12:06:17 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- An assertion failure can be triggered if a TLS connection to a
+  configured http TLS listener with a defined endpoint is destroyed too
+  early.
+  [CVE-2022-1183, bsc#1199619, CVE-2022-1183.patch]
+
 -------------------------------------------------------------------
 Mon May 16 08:14:55 UTC 2022 - Martin Liška <mliska@suse.cz>
 

bind.spec

@@ -56,7 +56,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.18.2
+Version:        9.18.3
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@@ -75,7 +75,6 @@ Source70:       bind.conf
 # configuation file for systemd-sysusers
 Source72:       named.conf
 Patch56:        bind-ldapdump-use-valid-host.patch
-Patch57:        bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
 Patch58:        bind-prevent-buffer-overflow.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel