Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bind for openSUSE:Factory checked in at 2021-12-01 20:46:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bind (Old) and /work/SRC/openSUSE:Factory/.bind.new.31177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind" Wed Dec 1 20:46:44 2021 rev:173 rq:934423 version:9.16.20 Changes: -------- --- /work/SRC/openSUSE:Factory/bind/bind.changes 2021-10-23 00:50:45.601126660 +0200 +++ /work/SRC/openSUSE:Factory/.bind.new.31177/bind.changes 2021-12-02 02:10:27.259541018 +0100 @@ -1,0 +2,23 @@ +Mon Nov 8 09:01:21 UTC 2021 - Josef M??llers <[email protected]> + +- Aligned SLE15-SP4 and Factory spec files. + [bind.spec] + +------------------------------------------------------------------- +Thu Nov 4 08:28:45 UTC 2021 - Josef M??llers <[email protected]> + +- Fixed CVE-2021-25219: + The lame-ttl option controls how long named caches certain types + of broken responses from authoritative servers (see the security + advisory for details). This caching mechanism could be abused by + an attacker to significantly degrade resolver performance. The + vulnerability has been mitigated by changing the default value of + lame-ttl to 0 and overriding any explicitly set value with 0, + effectively disabling this mechanism altogether. ISC's testing has + determined that doing that has a negligible impact on resolver + performance while also preventing abuse. + Administrators may observe more traffic towards servers issuing + certain types of broken responses than in previous BIND 9 releases. + [bsc#1192146, CVE-2021-25219, bind-CVE-2021-25219.patch] + +------------------------------------------------------------------- New: ---- bind-CVE-2021-25219.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.0Eo5sj/_old 2021-12-02 02:10:27.995538774 +0100 +++ /var/tmp/diff_new_pack.0Eo5sj/_new 2021-12-02 02:10:27.995538774 +0100 @@ -17,6 +17,7 @@ %define _buildshell /bin/bash + %define VENDOR SUSE %if 0%{?suse_version} >= 1500 %define with_systemd 1 
@@ -51,21 +52,22 @@ License: MPL-2.0 Group: Productivity/Networking/DNS/Servers URL: https://www.isc.org/bind/ -Source0: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz +Source: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz Source1: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.sha512.asc Source2: vendor-files.tar.bz2 # from http://www.isc.org/about/openpgp/ ... changes yearly apparently. -Source4: %{name}.keyring +Source3: %{name}.keyring Source9: ftp://ftp.internic.net/domain/named.root Source40: dnszone-schema.txt Source60: dlz-schema.txt -# configuation file for systemd-tmpfiles +# configuration file for systemd-tmpfiles Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf Patch52: named-bootconf.diff Patch56: bind-ldapdump-use-valid-host.patch Patch68: bind-fix-build-with-older-sphinx.patch +Patch69: bind-CVE-2021-25219.patch BuildRequires: libcap-devel BuildRequires: libmysqlclient-devel BuildRequires: libopenssl-devel @@ -121,19 +123,22 @@ includes also the BIND Administrator Reference Manual (ARM). %package utils -Summary: Utilities to query and test DNS +Summary: Libraries for "bind" and utilities to query and test DNS # Needed for dnssec parts Group: Productivity/Networking/DNS/Utilities Requires: python3-bind = %{version} Provides: bind9-utils Provides: bindutil Provides: dns_utils +Obsoletes: bind-devel < %{version} Obsoletes: bind9-utils < %{version} Obsoletes: bindutil < %{version} +Obsoletes: libirs-devel < %{version} %description utils This package includes the utilities "host", "dig", and "nslookup" used to -test and query the Domain Name System (DNS). The Berkeley Internet +test and query the Domain Name System (DNS) and also the libraries rquired +for the base "bind" package. The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. %package -n python3-bind 
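Review bot: Renumbering the ISC keyring from `Source4` to `Source3` is only half a change unless every `%{SOURCE4}` reference elsewhere in the spec (presumably the `%prep` step that checks `Source1`, the `.sha512.asc` signature, against the keyring) is renumbered too; none of that is visible in the hunks shown, so please confirm, because a stale `%{SOURCE4}` would break the tarball verification that is the whole point of shipping the keyring. Also, while the comment above `Source70` is corrected to `# configuration file for systemd-tmpfiles`, the comment on the very next line keeps the same typo; change it to `# configuration file for systemd-sysusers` in the same pass.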
@@ -169,7 +174,7 @@ done popd -%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150300 +%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150400 # the Administration Reference Manual doesn't build with Leap/SLES due to an way too old Sphinx package # that is missing sphinx.util.docutils.ReferenceRole. # patch68 disables this extension, and here, we're removing the :gl: tags in the notes @@ -197,7 +202,7 @@ --with-pic \ --disable-openssl-version-check \ --with-tuning=large \ - --with-geoip \ + --with-maxminddb \ --with-dlopen \ --with-gssapi=yes \ --disable-isc-spnego \ @@ -218,7 +223,7 @@ make -C doc/${d} SPHINXBUILD=sphinx-build doc done %if %{with_systemd} -%sysusers_generate_pre %{SOURCE72} named named.conf +%sysusers_generate_pre %{SOURCE72} named %endif %install @@ -290,7 +295,6 @@ basename=$( basename ${file}) cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR} done - mkdir -p vendor-files/config/ISC-examples cp -a bin/tests/*.conf* vendor-files/config/ISC-examples for d in arm; do @@ -315,7 +319,6 @@ %pre -f named.pre %service_add_pre named.service %else - %pre %{GROUPADD_NAMED} %{USERADD_NAMED} @@ -338,7 +341,7 @@ %else %{fillup_and_insserv -nf named} if [ -x %{_bindir}/systemctl ]; then -# make sure systemctl knows about the service even though it's not a systemd service +# make sure systemctl knows about the service # Without this, systemctl status named would return # Unit named.service could not be found. # until systemctl daemon-reload has been executed ++++++ bind-CVE-2021-25219.patch ++++++ diff --git a/bin/named/config.c b/bin/named/config.c index 213c45cb33..0b28c8db7a 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -164,7 +164,7 @@ options {\n\ fetches-per-server 0;\n\ fetches-per-zone 0;\n\ glue-cache yes;\n\ - lame-ttl 600;\n" + lame-ttl 0;\n" #ifdef HAVE_LMDB " lmdb-mapsize 32M;\n" #endif /* ifdef HAVE_LMDB */ diff --git a/bin/named/server.c b/bin/named/server.c index ff04689685..0f001ba303 100644 
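Review bot: The `%build` hunk replaces `--with-geoip` with `--with-maxminddb`, but no hunk in this commit adds a matching `BuildRequires: libmaxminddb-devel`, and the BuildRequires lines visible above only list libcap-devel, libmysqlclient-devel and libopenssl-devel; unless the dependency already exists further down the list, configure will either fail or GeoIP ACL support will quietly be built out. If it is missing, add `BuildRequires: libmaxminddb-devel` next to the other BuildRequires entries. The `%build` section continues outside the hunk.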
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4840,8 +4840,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 result = named_config_get(maps, "lame-ttl", &obj);
 INSIST(result == ISC_R_SUCCESS);
 lame_ttl = cfg_obj_asduration(obj);
- if (lame_ttl > 1800) {
- lame_ttl = 1800;
+ if (lame_ttl > 0) {
+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+ "disabling lame cache despite lame-ttl > 0 as it "
+ "may cause performance issues");
+ lame_ttl = 0;
 }
 dns_resolver_setlamettl(view->resolver, lame_ttl);
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 0358241d95..40c416dcf1 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10122,25 +10122,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
 */
 static isc_result_t
 rctx_lameserver(respctx_t *rctx) {
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
 fetchctx_t *fctx = rctx->fctx;
 resquery_t *query = rctx->query;
- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
- !is_lame(fctx, query->rmessage))
- {
+ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
 return (ISC_R_SUCCESS);
 }
 inc_stats(fctx->res, dns_resstatscounter_lame);
 log_lame(fctx, query->addrinfo);
- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
- fctx->type, rctx->now + fctx->res->lame_ttl);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
- "could not mark server as lame: %s",
- isc_result_totext(result));
+ if (fctx->res->lame_ttl != 0) {
+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
+ &fctx->name, fctx->type,
+ rctx->now + fctx->res->lame_ttl);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not mark server as lame: %s",
+ isc_result_totext(result));
+ }
+ }
 rctx->broken_server = DNS_R_LAME;
 rctx->next_server = true;
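Review bot: The warning emitted in the new `lame_ttl > 0` branch tells the operator neither why their setting is overridden nor what to do about it, so it will fire on every reload with no pointer to the advisory; I would reword it to `"lame-ttl ignored: the lame cache is disabled (CVE-2021-25219), remove the option from named.conf"` and put `/* CVE-2021-25219: the lame cache is unconditionally disabled. */` above the `if`. Because `lame_ttl` is always 0 once the branch has run, `dns_resolver_setlamettl(view->resolver, lame_ttl);` is now a constant call kept for the library interface, and a one-line comment saying so would stop a later cleanup from restoring the old 1800-second clamp. `configure_view` starts and ends outside the hunk.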
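Review bot: Dropping the `lame_ttl == 0` test from the early return changes more than caching: a lame answer is now counted via `inc_stats`, logged by `log_lame`, and the fetch is moved on with `rctx->broken_server = DNS_R_LAME`, whereas the old code skipped all of that when lame-ttl was 0. That is presumably the intent (still reject the answer for this query, just stop remembering the server), but nothing in the hunk records it; a comment above `if (fctx->res->lame_ttl != 0) {` such as `/* Recording lameness in the ADB is optional (lame-ttl; named forces 0 since CVE-2021-25219); the answer is still treated as lame below. */` would pin that down. Operators on the new default may also see a `log_lame` entry for every lame response, which deserves a sentence in the advisory text. `rctx_lameserver` continues past the hunk, so how `result` is ultimately returned is not visible here.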
