Add /dev/urandom to chroot env
Note: it is not world-writable, to make our rpmlint security checker happy, and it is not required anyway.
Without this, named start shows warnings in the journal:
Feb 16 13:28:35 testleap named[1514]: could not open entropy source /dev/urandom: file not found
Feb 16 13:28:35 testleap named[1514]: using pre-chroot entropy source /dev/urandom
OBS-URL: https://build.opensuse.org/request/show/577255
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=232
- Add back init scripts, systemd units aren't ready yet
- Add python3-bind subpackage to allow python bind interactions
- Sync configure options with RH package and remove unused ones
  * Enable python3
  * Enable gssapi
  * Enable dnssec scripts
- Drop idnkit from the build; bind has used libidn since 2007 to run
  all the resolutions in dig/etc. bsc#1030306
- Add patch to make sure we build against system idn:
  * bind-99-libidn.patch
- Refresh patch:
  * pie_compile.diff
- Remove patches that are unused due to above:
  * idnkit-powerpc-ltconfig.patch
  * runidn.diff
- drop bind-openssl11.patch (merged upstream)
- Remove systemd conditionals as we are not building on sle11 anyway
- Force the systemd to be base for the initscript deployment
- Bump up version of most of the libraries
- Rename the subpackages to match the version updates
- Add macros for easier handling of the library package names
- Drop more unneeded patches
  * dns_dynamic_db.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/545259
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=224
- Added bind-CVE-2017-3142-and-3143.patch to fix a security issue
  where an attacker with the ability to send and receive messages
  to an authoritative DNS server was able to circumvent TSIG
  authentication of AXFR requests. A server that relies solely on
  TSIG keys for protection with no other ACL protection could be
  manipulated into (1) providing an AXFR of a zone to an
  unauthorized recipient and (2) accepting bogus Notify packets.
  [bsc#1046554, CVE-2017-3142, bsc#1046555, CVE-2017-3143]
OBS-URL: https://build.opensuse.org/request/show/507232
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=211
to break a service dependency cycle (bsc#947483, bsc#963971).
- Make /var/lib/named owned by the named user (bsc#908850,
  bsc#875691).
- Call systemd service macros with the full service name.
- Security update 9.10.3-P4:
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=194
- Security update 9.10.3-P3:
  * CVE-2016-1285, bsc#970072: assert failure on input parsing can
    cause premature exit.
  * CVE-2016-1286, bsc#970073: An error when parsing signature
    records for DNAME can lead to named exiting due to an assertion
    failure.
  * CVE-2016-2088, bsc#970074: a deliberately misconstructed packet
    containing multiple cookie options to cause named to terminate
    with an assertion failure.
OBS-URL: https://build.opensuse.org/request/show/370068
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=114
  * CVE-2016-1285, bsc#970072: assert failure on input parsing can
    cause premature exit.
  * CVE-2016-1286, bsc#970073: An error when parsing signature
    records for DNAME can lead to named exiting due to an assertion
    failure.
  * CVE-2016-2088, bsc#970074: a deliberately misconstructed packet
    containing multiple cookie options to cause named to terminate
    with an assertion failure.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=190
- Security update 9.10.3-P3:
  * Specific APL data could trigger an INSIST (CVE-2015-8704,
    bsc#962189).
  * Certain errors that could be encountered when printing out or
    logging an OPT record containing a CLIENT-SUBNET option could
    be mishandled, resulting in an assertion failure
    (CVE-2015-8705, bsc#962190).
  * Authoritative servers that were marked as bogus (e.g.
    blackholed in configuration or with invalid addresses) were
    being queried anyway.
OBS-URL: https://build.opensuse.org/request/show/354931
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=112
  * Specific APL data could trigger an INSIST (CVE-2015-8704,
    bsc#962189).
  * Certain errors that could be encountered when printing out or
    logging an OPT record containing a CLIENT-SUBNET option could
    be mishandled, resulting in an assertion failure
    (CVE-2015-8705, bsc#962190).
  * Authoritative servers that were marked as bogus (e.g.
    blackholed in configuration or with invalid addresses) were
    being queried anyway.
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=183