Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in at 2021-04-08 21:01:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind" Thu Apr 8 21:01:46 2021 rev:162 rq:880703 version:9.16.12 Changes: -------- --- /work/SRC/openSUSE:Factory/bind/bind.changes 2021-01-30 13:55:36.941943402 +0100 +++ /work/SRC/openSUSE:Factory/.bind.new.2401/bind.changes 2021-04-08 21:01:57.597887315 +0200 
@@ -1,0 +2,58 @@ +Fri Mar 12 15:03:21 UTC 2021 - Matthias Gerstner <[email protected]> + +- pass PIE compiler and linker flags via environment variables to make + /usr/bin/delv in bind-tools also position independent (bsc#1183453). +- drop pie_compile.diff: no longer needed, this patch is difficult to + maintain, the environment variable approach is less error prone. + +------------------------------------------------------------------- +Thu Feb 18 08:44:47 UTC 2021 - Josef M??llers <[email protected]> + +- *** MAJOR CHANGES *** + * The libraries shipped with bind are now named after the bind + version (eg libisc-9.16.10.so), not some kind of artificial + number (eg libisc.so.1608)! + * For the time being (ie until the next upgrade), + new BIND option "stale-answer-client-timeout" + will be disabled (in /etc/named.conf): "stale-answer-enable no;" + * All libraries are now in bind-utils as they are used by bind + and bind-utils only and bind requires bind-utils. + This affects libdns, libirs, libisc, libisccc, libisccfg, + libns + * Dropped the devel packages as the libraries are used + internally only. + + * Update to 9.16.12 + Bugs fixed: + - KASP incorrectly set signature validity to the value of + the DNSKEY signature validity. + - Fix off-by-one bug in ISC SPNEGO implementation. + (CVE-2020-8625) + - Dig now reports unknown dash options while pre-parsing + the options. This prevents "-multi" instead of "+multi" + from reporting memory usage before ending option parsing + with "Invalid option: -lti". + - Fixed a crash in "dnssec-keyfromlabel" when using ECDSA + keys. + - Emit useful error message when "rndc retransfer" is + applied to a zone of inappropriate type. + - Improve performance of the DNSSEC verification code by + reducing the number of repeated calls to + dns_dnssec_keyfromrdata(). + - named failed to start when its configuration included a + zone with a non-builtin "allow-update" ACL attached. + - Address potential double free in generatexml(). 
+ - When migrating to KASP, BIND 9 considered keys with the + "Inactive" and/or "Delete" timing metadata to be + possible active keys. + - Fix the "three is a crowd" key rollover bug in KASP by + correctly implementing Equation (2) of the "Flexible and + Robust Key Rollover" paper. + + * dnssec-keygen can no longer generate HMAC keys. + Use tsig-keygen instead. + genDDNSkey script was modified to reflect this. + [vendor-files/tools/bind.genDDNSkey, bsc#1180933, CVE-2020-8625, + bsc#1182246, bsc#1182483] + +------------------------------------------------------------------- Old: ---- baselibs.conf bind-9.16.11.tar.xz bind-9.16.11.tar.xz.sha512.asc pie_compile.diff New: ---- bind-9.16.12.tar.xz bind-9.16.12.tar.xz.sha512.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.APAzz8/_old 2021-04-08 21:01:58.321888098 +0200 +++ /var/tmp/diff_new_pack.APAzz8/_new 2021-04-08 21:01:58.325888102 +0200 @@ -16,23 +16,6 @@ # -# Don't forget to update the package names also in baselibs.conf -# Note that the sonums are LIBINTERFACE - LIBAGE -%define bind9_sonum 1600 -%define libbind9 libbind9-%{bind9_sonum} -%define dns_sonum 1611 -%define libdns libdns%{dns_sonum} -%define irs_sonum 1601 -%define libirs libirs%{irs_sonum} -%define isc_sonum 1609 -%define libisc libisc%{isc_sonum} -%define isccc_sonum 1600 -%define libisccc libisccc%{isccc_sonum} -%define isccfg_sonum 1603 -%define libisccfg libisccfg%{isccfg_sonum} -%define ns_sonum 1607 -%define libns libns%{ns_sonum} - %define VENDOR SUSE %if 0%{?suse_version} >= 1500 %define with_systemd 1 @@ -61,7 +44,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.11 +Version: 9.16.12 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 
@@ -69,7 +52,6 @@ URL: http://isc.org/sw/bind/ Source: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz Source1: vendor-files.tar.bz2 -Source2: baselibs.conf Source3: ftp://ftp.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.sha512.asc # from http://www.isc.org/about/openpgp/ ... changes yearly apparently. Source4: %{name}.keyring @@ -79,7 +61,6 @@ # configuation files for systemd-tmpfiles Source70: bind.conf Source72: named.conf -Patch51: pie_compile.diff Patch52: named-bootconf.diff Patch56: bind-ldapdump-use-valid-host.patch BuildRequires: libcap-devel 
@@ -127,113 +108,6 @@ reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server. -%package -n %{libbind9} -Summary: BIND9 shared library used by BIND -Group: System/Libraries - -%description -n %{libbind9} -This library contains a few utility functions used by the BIND -server and utilities. - -%package -n %{libdns} -Summary: DNS library used by BIND -Group: System/Libraries - -%description -n %{libdns} -This subpackage contains the "DNS client" module. This is a higher -level API that provides an interface to name resolution, single DNS -transaction with a particular server, and dynamic update. Regarding -name resolution, it supports advanced features such as DNSSEC -validation and caching. This module supports both synchronous and -asynchronous mode. - -It also contains the Advanced Database (ADB) and Simple Database -(SDB) APIs. ADB allows user-written routines to replace BIND???s -internal database function for both nominated and all zones. SDB -allows a user-written driver to supply zone data either from -alternate data sources (for instance, a relational database) or using -specialized algorithms (for instance, for load-balancing). -[Book links for SDB: "Pro DNS and BIND 10", R. Aitchison, Apress] - -%package -n %{libirs} -Summary: The BIND Information Retrieval System library -Group: System/Libraries - -%description -n %{libirs} -libirs provides an interface to parse the traditional resolv.conf file and an -"advanced" configuration file related to the DNS library for configuration -parameters that would be beyond the capability of the resolv.conf file. -Specifically, it is intended to provide DNSSEC related configuration -parameters. By default, the path to this configuration file is %{_sysconfdir}/dns.conf. 
- -%package -n libirs-devel -Summary: Development files for IRS -Group: Development/Libraries/C and C++ -Requires: %{libirs} = %{version} - -%description -n libirs-devel -libirs provides an interface to parse the traditional resolv.conf file and an -"advanced" configuration file related to the DNS library for configuration -parameters that would be beyond the capability of the resolv.conf file. This -subpackage contains the header files needed for building programs with it. - -%package -n %{libisc} -Summary: ISC shared library used by BIND -Group: System/Libraries -Provides: bind-libs = %{version}-%{release} -Obsoletes: bind-libs < %{version}-%{release} - -%description -n %{libisc} -This library contains miscellaneous utility function used by the BIND -server and utilities. It includes functions for assertion handling, -balanced binary (AVL) trees, bit masks comparison, event based -programs, heap-based priority queues, memory handling, and program -logging. - -%package -n %{libns} -Summary: NS shared library used by BIND -Group: System/Libraries - -%description -n %{libns} -This library contains miscellaneous utility function used by the BIND -server and utilities. - -%package -n %{libisccc} -Summary: Command Channel Library used by BIND -Group: System/Libraries - -%description -n %{libisccc} -This library is used for communicating with BIND servers' -administrative command channel (port 953 by default). - -%package -n %{libisccfg} -Summary: Exported ISC configuration shared library -Group: System/Libraries - -%description -n %{libisccfg} -This BIND library contains the configuration file parser. 
- -%package devel -Summary: Development Libraries and Header Files of BIND -Group: Development/Libraries/C and C++ -Requires: %{libbind9} = %{version} -Requires: %{libdns} = %{version} -Requires: %{libirs} = %{version} -Requires: %{libisccc} = %{version} -Requires: %{libisccfg} = %{version} -Requires: %{libisc} = %{version} -Requires: %{libns} = %{version} -Provides: bind8-devel -Provides: bind9-devel -Obsoletes: bind8-devel < %{version} -Obsoletes: bind9-devel < %{version} - -%description devel -This package contains the header files, libraries, and documentation -for building programs using the libraries of the Berkeley Internet Name -Domain (BIND) Domain Name System implementation of the Domain Name -System (DNS) protocols. - %package doc Summary: BIND documentation Group: Documentation/Other @@ -272,7 +146,6 @@ %prep %setup -q -a1 -%patch51 -p1 %patch52 -p1 %patch56 -p1 @@ -298,7 +171,8 @@ %build autoreconf -fvi -export CFLAGS="%{optflags} -DNO_VERSION_DATE" +export CFLAGS="%{optflags} -fPIE -DNO_VERSION_DATE" +export LDFLAGS="-pie" %configure \ --with-python=%{_bindir}/python3 \ --includedir=%{_includedir}/bind \ @@ -360,10 +234,9 @@ mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %endif %make_install -# install errno2result.h, some dynamic DB plugins could use it. -install -m 0755 -d %{buildroot}%{_includedir}/isc/ -install -m 0644 lib/isc/unix/errno2result.h %{buildroot}%{_includedir}/isc/ install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind +# remove useless .h files +rm -rf %{buildroot}%{_includedir} # remove useless .la files rm -f %{buildroot}/%{_libdir}/lib*.{la,a} 
@@ -478,20 +351,8 @@ %insserv_cleanup %endif -%post -n %{libbind9} -p /sbin/ldconfig -%postun -n %{libbind9} -p /sbin/ldconfig -%post -n %{libdns} -p /sbin/ldconfig -%postun -n %{libdns} -p /sbin/ldconfig -%post -n %{libirs} -p /sbin/ldconfig -%postun -n %{libirs} -p /sbin/ldconfig -%post -n %{libisc} -p /sbin/ldconfig -%postun -n %{libisc} -p /sbin/ldconfig -%post -n %{libns} -p /sbin/ldconfig -%postun -n %{libns} -p /sbin/ldconfig -%post -n %{libisccc} -p /sbin/ldconfig -%postun -n %{libisccc} -p /sbin/ldconfig -%post -n %{libisccfg} -p /sbin/ldconfig -%postun -n %{libisccfg} -p /sbin/ldconfig +%post -n bind-utils -p /sbin/ldconfig +%postun -n bind-utils -p /sbin/ldconfig %files %license LICENSE @@ -539,39 +400,6 @@ %config %{_var}/lib/named/named.root.key %dir %{_libexecdir}/bind -%files -n %{libbind9} -%{_libdir}/libbind9.so.%{bind9_sonum}* - -%files -n %{libdns} -%{_libdir}/libdns.so.%{dns_sonum}* - -%files -n %{libirs} -%{_libdir}/libirs.so.%{irs_sonum}* - -%files -n libirs-devel -%{_libdir}/libirs.so - -%files -n %{libisc} -%{_libdir}/libisc.so.%{isc_sonum}* - -%files -n %{libns} -%{_libdir}/libns.so.%{ns_sonum}* - -%files -n %{libisccc} -%{_libdir}/libisccc.so.%{isccc_sonum}* - -%files -n %{libisccfg} -%{_libdir}/libisccfg.so.%{isccfg_sonum}* - -%files devel -%dir %{_includedir}/isc -%{_includedir}/isc/errno2result.h -%{_libdir}/libbind9.so -%{_libdir}/libdns.so -%{_libdir}/libisc*.so -%{_libdir}/libns.so -%{_includedir}/bind - %files doc -f filelist-bind-doc %dir %doc %{_defaultdocdir}/bind %doc %{_datadir}/susehelp 
@@ -612,6 +440,21 @@ %{_sbindir}/rndc %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen +# Library files, formerly in their own, separate packages: +%{_libdir}/libbind9-%{version}.so +%{_libdir}/libdns-%{version}.so +%{_libdir}/libirs-%{version}.so +%{_libdir}/libisc-%{version}.so +%{_libdir}/libisccc-%{version}.so +%{_libdir}/libisccfg-%{version}.so +%{_libdir}/libns-%{version}.so +%{_libdir}/libbind9.so +%{_libdir}/libdns.so +%{_libdir}/libirs.so +%{_libdir}/libisc.so +%{_libdir}/libisccc.so +%{_libdir}/libisccfg.so +%{_libdir}/libns.so %dir %doc %{_defaultdocdir}/bind %{_defaultdocdir}/bind/README*.%{VENDOR} %{_defaultdocdir}/bind/.clang-format.headers ++++++ bind-9.16.11.tar.xz -> bind-9.16.12.tar.xz ++++++ ++++ 38426 lines of diff (skipped) ++++++ vendor-files.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/config/named.conf new/vendor-files/config/named.conf --- old/vendor-files/config/named.conf 2021-01-21 14:28:11.462642463 +0100 +++ new/vendor-files/config/named.conf 2021-02-19 10:31:51.905165699 +0100 @@ -15,6 +15,9 @@ # /usr/share/doc/packages/__BIND_PACKAGE_NAME__/misc/options. options { + # For the time being, disable new BIND option "stale-answer-client-timeout" + # as it can result in unexpected server termination + stale-answer-enable no; # The directory statement defines the name server's working directory diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/tools/bind.genDDNSkey new/vendor-files/tools/bind.genDDNSkey --- old/vendor-files/tools/bind.genDDNSkey 2020-09-18 15:28:26.898843316 +0200 +++ new/vendor-files/tools/bind.genDDNSkey 2021-02-17 14:29:49.059970673 +0100 
@@ -82,74 +82,15 @@ exit 1 } -# determine the BIND version -if [ -f /usr/sbin/rndc ]; then - bind9=true - bind9_hmac_md5=false - if [ -n "$(/usr/sbin/dnssec-keygen -h 2>&1 | grep -l 'HMAC-MD5')" ]; then - bind9_hmac_md5=true - fi -elif [ -f /usr/sbin/ndc ]; then - bind9=false -else - echo >&2 "Could not determine the BIND version. Exiting." - exit 1 -fi - umask 600 -# generate a 512 bit HMAC-MD5 Zone (DNS validation) key -if $bind9; then - if $bind9_hmac_md5; then - keyfile=$(/usr/sbin/dnssec-keygen -a hmac-md5 -b 512 -n user "${KEYNAME}") - else - keyfile=$(/usr/sbin/dnssec-keygen -a RSASHA512 -b 4096 "${KEYNAME}") - fi -else - keyfile=$(/usr/sbin/dnskeygen -H 512 -z -c -n "${KEYNAME}") - # dhskeygen has (had) a weekness, it puts one key into a world readable file - # (see http://xforce.iss.net/alerts/advise78.php) - chmod 600 $keyfile* -fi -# now we've got files like these: -# -rw------- 1 root root 77 Sep 11 01:03 K${KEYNAME}+157+00000.private -# -rw-r--r-- 1 root root 58 Sep 11 01:03 K${KEYNAME}+157+00000.key -# -# ---------- ----- -# name key id -# -# --- -# 157 is short -# for hmac-md5 -echo $keyfile - -# read the secret -while read line; do - case $line in - Key:*|Modulus:*) secret=${line#* } - esac -done < $keyfile.private - - +# generate a HMAC-MD5 Zone (DNS validation) key cat >"$KEYFILE" <<-EOF # generated by $(basename $0) on $(date) -key ${KEYNAME} { - $(if $bind9; then - if $bind9_hmac_md5; then - echo "algorithm hmac-md5;" - else - echo "algorithm rsasha512;" - fi - else - echo "algorithm HMAC-MD5.SIG-ALG.REG.INT;" - fi) - secret "$secret"; -}; - - EOF +tsig-keygen -a hmac-md5 "${KEYNAME}" >> "$KEYFILE" # set permissions chown root.named "$KEYFILE"
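Review bot: In the bind.spec hunk that removes the library and devel subpackages, the `Provides: bind-libs = %{version}-%{release}` and `Obsoletes: bind-libs < %{version}-%{release}` lines of %{libisc} and the bind8-devel/bind9-devel Provides/Obsoletes of the devel package are deleted, and none of the visible hunks adds a replacement to bind-utils. The spec then no longer defines an upgrade path for systems that have the old library or devel packages installed; consider adding Obsoletes (and Provides where something may still require the old names) for the dropped packages to bind-utils.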
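Review bot: In the bind.spec %build hunk, `export LDFLAGS="-pie"` replaces whatever LDFLAGS the build environment already carried, and together with `-fPIE` in CFLAGS it applies to every object in the tree, including the shared libraries that the %files hunk now ships in bind-utils. Consider `export LDFLAGS="${LDFLAGS} -pie"`. Since the changelog entry implies /usr/bin/delv was not position independent with the dropped pie_compile.diff, a post-build check that the installed executables really are PIE would keep this from regressing silently.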
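Review bot: The bind.spec %install hunk deletes all of %{_includedir} as "useless .h files", yet the bind-utils %files hunk still adds the unversioned `%{_libdir}/libbind9.so` through `%{_libdir}/libns.so` entries next to the `-%{version}.so` files. If those unversioned names are only needed for linking, they have no consumer left once the headers and the devel package are gone and should be dropped; if something loads them at run time, a comment in %files should say so. The removed comment also stated that errno2result.h could be used by dynamic DB plugins, so the changelog should mention that building such plugins against the packaged BIND is no longer possible.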
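Review bot: In the vendor-files/config/named.conf hunk, the comment says it disables the new option "stale-answer-client-timeout", but the statement that is added is `stale-answer-enable no;`, a different option that switches off serving stale answers as a whole. Reword the comment (and the matching bind.changes entry, which has the same mismatch) to name the behaviour that is actually turned off, and reference the bug that tracks re-enabling it so that "for the time being" has an end condition.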
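Review bot: In the vendor-files/tools/bind.genDDNSkey hunk, the new `tsig-keygen -a hmac-md5 "${KEYNAME}" >> "$KEYFILE"` keeps HMAC-MD5 as the TSIG algorithm although the whole key generation path is being rewritten anyway. tsig-keygen defaults to hmac-sha256, so dropping `-a hmac-md5` or making the algorithm a script option would be the better default unless a consumer of the key file is known to require MD5; the new comment "generate a HMAC-MD5 Zone (DNS validation) key" would need to follow. Two smaller points: the exit status of tsig-keygen is not checked, so a failure leaves a key file that contains only the header comment, and the unchanged `umask 600` above clears the owner bits rather than the group and other bits, so the secret is created group- and world-accessible until the "# set permissions" step that follows. `umask 077` is what the surrounding code appears to intend.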
