Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in at 2022-05-17 17:23:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind"

Tue May 17 17:23:41 2022 rev:178 rq:977470 version:9.18.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes	2022-01-26 21:26:47.658071078 +0100
+++ /work/SRC/openSUSE:Factory/.bind.new.1538/bind.changes	2022-05-17 17:23:45.927134562 +0200
@@ -1,0 +2,174 @@ +Mon May 16 08:14:55 UTC 2022 - Martin Li??ka <[email protected]> + +- Add upstream patch bind-prevent-buffer-overflow.patch. + +------------------------------------------------------------------- +Thu May 12 14:25:28 UTC 2022 - Josef M??llers <[email protected]> + +- The named-checkconf had been moved from /usr/sbin to /usr/bin + but that had not been reflected in scripts that called this, + eg named.prep. So these scripts failed. + Some installations still have "createNamedConfInclude" in the + NAMED_INITIALIZE_SCRIPTS in /etc/sysconfig/named. The named.prep + will now report this but continue. + [bsc#1199044, vendor-files.tar.bz2] + +------------------------------------------------------------------- +Mon Apr 25 06:56:58 UTC 2022 - Josef M??llers <[email protected]> + +- Upgrade to 9.18.2: + Most important bugs fixed: + * The "starting maxtime timer" message related to outgoing + zone transfers was incorrectly logged at the ERROR level + instead of DEBUG(1). + * Ensure that zone maintenance queries have a retry limit. + * When using both the `+qr` and `+y` options `dig` could + crash if the connection to the first server was not + successful. + * dig could hang in some cases involving multiple servers + in a lookup, when a request fails and the next one + refuses to start for some reason, for example if it was + an IPv4 mapped IPv6 address. + * dig +nssearch was hanging until manually interrupted. + * When an UPDATE targets a zone that is not configured, + the requested zone name is now logged in the "not + authoritative" error message, so that it is easier to + track down problematic update clients. + * Quote the dns64 prefix in error messages that complain + about problems with it, to avoid confusion with the + following dns64 ACLs. + * When encountering socket error while trying to initiate + a TCP connection to a server, dig could hang + indefinitely, when there were more servers to try. 
+ * When timing-out or having other types of socket errors + during a query, dig wasn't trying to perform the lookup + using other servers, in case they exist. + * Resending a UDP request in the result of a timeout + could cause an assertion failure when the resent + query's result was SERVFAIL. + * Replace single TCP write timer with per-TCP write + timers. + * Invalid dnssec-policy definitions were being accepted + where the defined keys did not cover both KSK and ZSK + roles for a given algorithm. This is now checked for + and the dnssec-policy is rejected if both roles are + not present for all algorithms in use. + * Fix query context management issues in the TCP part + of dig. + + Noteworthy functional changes: + * Add new "reuseport" option to enable/disable load + balancing of sockets. + * Set the minimum MTU on UDPv6 and TCPv6 sockets and + limit TCP maximum segment size (TCP_MAXSEG) to (1220) + for both TCPv4 and TCPv6 sockets. + + Needed to define two macros in contrib code: + FALLTHOUGH is a copy of how it is defined in <isc/util.h> + + UNREACHABLE follows the model used in MacOS /usr/include/c++/v1/cstdlib + to determine if __builtin_ureachable is available + [bind-9.18.2.tar.xz, bind-9.18.2.tar.xz.sha512.asc, + bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch] + +------------------------------------------------------------------- +Thu Mar 17 07:28:25 UTC 2022 - Josef M??llers <[email protected]> + +- * When using forwarders, bogus NS records supplied by, or via, those + forwarders may be cached and used by named if it needs to recurse + for any reason, causing it to obtain and pass on potentially + incorrect answers. [CVE-2021-25220] + * TCP connection slots may be consumed for an indefinite time frame + via a specifically crafted TCP stream sent from a client. + This issue can only be triggered on BIND servers which have + keep-response-order enabled, which is not the default configuration. 
+ The keep-response-order option is an ACL block, and as such, any + hosts specified within it will be able to trigger this issue on + affected versions. [CVE-2022-0396] + * The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature + (synth-from-dnssec) had been refactored and the default has been + changed so that is now automatically enabled for dnssec-validating + resolvers. Subsequently it was found that repeated patterns of + specific queries to servers with this feature enabled could cause + an INSIST failure in query.c:query_dname which causes named to + terminate unexpectedly. + The vulnerability affects BIND resolvers running 9.18.0 that have + both dnssec-validation and synth-from-dnssec enabled. (Note that + dnssec-validation auto; is the default setting unless configured + otherwise in named.conf and that enabling dnssec-validation + automatically enables synth-from-dnssec unless explicitly disabled) + [CVE-2022-0635] + * The refactoring of the recursive client code introduced a + "backstop lifetime timer." + While BIND is processing a request for a DS record that needs to be + forwarded, it waits until this processing is complete or until the + backstop lifetime timer has timed out. When the resume_dslookup() function + is called as a result of such a timeout, the function does not test + whether the fetch has previously been shut down. This introduces the + possibility of triggering an assertion failure, which could cause the BIND + process to terminate. [CVE-2022-0667] + * Reset client TCP connection when data received cannot + be parsed as a valid DNS request. + For a complete list of changes, see + * Bind Release Notes + https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html + * The CHANGES file in the source RPM + This obsoletes bind-define-missing-threads.patch + Also, removed bind-python3 from the spec file as it is not build + any longer. 
+ [bind.spec, bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc, + bind-define-missing-threads.patch] + +------------------------------------------------------------------- +Mon Jan 31 13:49:51 UTC 2022 - Josef M??llers <[email protected]> + +- Update to new MAJOR VERSION 9.18.0. + This has many enhnancements, bug fixes and changes. + The spec file also has mechanisms to run the integrated test suite. + + MAJOR CHANGES: + * Support for securing DNS traffic using Transport Layer Security (TLS). + TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). + * Support for zone transfers over TLS (XFR-over-TLS, XoT) for both + incoming and outgoing zone transfers. + * The dig tool is now able to send DoT queries (+tls option). + * Support for OpenSSL 3.0 APIs was added. + + A number of utilities have been removed: dnssec-checkds, + dnssec-coverage, dnssec-keymgr, which have been deprecated in + favor of dnssec-policy feature, as well as python support + (package python3-bind). + A number of utilities have been moved from (/usr)/sbin to (/usr)/bin + The DLZ modules have been put into seperate sub-packages + to keep unwanted dependencies out of the main package: + * bind-modules-perl: dlz_perl_driver.so + * bind-modules-mysql: dlz_mysql_dynamic.so, dlz_mysqldyn_mod.so + * bind-modules-ldap: dlz_ldap_dynamic.so + * bind-modules-bdbhpt: dlz_bdbhpt_dynamic.so + * bind-modules-sqlite3: dlz_sqlite3_dynamic.so + * bind-modules-generic: dlz_filesystem_dynamic.so, dlz_wildcard_dynamic.so + For a complete list of changes, see + * Bind Release Notes + https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/notes.html + * The CHANGES file in the source RPM + [bind.spec, bind-9.18.0.tar.xz, bind-9.18.0.tar.xz.sha512.asc, + bind-avoid-fallthrough-warning-error.patch, + bind-contrib-pthread.patch, named-bootconf.diff, bind-define-missing-threads.patch] + +------------------------------------------------------------------- +Mon Jan 24 13:18:35 UTC 2022 - Josef M??llers <[email 
protected]> + +- Old-style DLZ drivers have been deprecated in favor of + DLZ modules. The DLZ drivers configuration option will + be removed from the next major BIND 9 release. + + The option to use the DLZ modules is already available + in BIND 9; please see the ARM section on DLZ modules. + + The dynamically lodable driver modules are stored in + /usr/lib64/bind-plugins + Example configurations for ldap and mysql are provided in + named.conf. + [bind.spec, vendor-files/config/named.conf] + +------------------------------------------------------------------- Old: ---- bind-9.16.25.tar.xz bind-9.16.25.tar.xz.sha512.asc bind-avoid-fallthrough-warning-error.patch named-bootconf.diff New: ---- bind-9.18.2.tar.xz bind-9.18.2.tar.xz.sha512.asc bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch bind-prevent-buffer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.2igKDx/_old 2022-05-17 17:23:46.583135160 +0200 +++ /var/tmp/diff_new_pack.2igKDx/_new 2022-05-17 17:23:46.587135163 +0200 @@ -17,6 +17,16 @@ %define _buildshell /bin/bash +%bcond_with check + +# DLZ modules +%bcond_without modules_bdbhpt +%bcond_without modules_ldap +%bcond_without modules_mysql +%bcond_without modules_sqlite3 +%bcond_without modules_perl +%bcond_without modules_generic +# end DLZ modules %define VENDOR SUSE %if 0%{?suse_version} >= 1500 @@ -46,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.25 +Version: 9.18.2 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 
@@ -64,24 +74,24 @@ Source70: bind.conf # configuation file for systemd-sysusers Source72: named.conf -Patch52: named-bootconf.diff Patch56: bind-ldapdump-use-valid-host.patch -Patch57: bind-avoid-fallthrough-warning-error.patch +Patch57: bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch +Patch58: bind-prevent-buffer-overflow.patch BuildRequires: libcap-devel -BuildRequires: libmysqlclient-devel BuildRequires: libopenssl-devel BuildRequires: libtool -BuildRequires: openldap2-devel BuildRequires: openssl BuildRequires: pkgconfig BuildRequires: python3 BuildRequires: python3-Sphinx BuildRequires: python3-ply BuildRequires: update-desktop-files +BuildRequires: pkgconfig(jemalloc) BuildRequires: pkgconfig(json) BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libmaxminddb) +BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libxml-2.0) Requires: %{name}-utils @@ -125,7 +135,6 @@ Summary: Libraries for "bind" and utilities to query and test DNS # Needed for dnssec parts Group: Productivity/Networking/DNS/Utilities -Requires: python3-bind = %{version} Provides: bind9-utils Provides: bindutil Provides: dns_utils 
@@ -140,15 +149,81 @@ for the base "bind" package. The Berkeley Internet Name Domain (BIND) DNS server is found in the package named bind. -%package -n python3-bind -Summary: A module allowing rndc commands to be sent from Python programs -Group: Development/Languages/Python -Requires: python3 -Requires: python3-ply -BuildArch: noarch +%if %{with_modules_perl} +%package modules-perl +Summary: A dynamically loadable zone (DLZ) plugin embedding a Perl interpreter in BIND +Group: Productivity/Networking/DNS/Servers +BuildRequires: perl -%description -n python3-bind -This package provides a module which allows commands to be sent to rndc directly from Python programs. +%description modules-perl +This package includes a dynamically loadable zone (DLZ) plugin +embedding a Perl interpreter in BIND, allowing Perl scripts +to be written to integrate with BIND and serve DNS data. +%endif + +%if %{with_modules_mysql} +%package modules-mysql +Summary: DLZ modules which store zone data in a MySQL database +Group: Productivity/Networking/DNS/Servers +BuildRequires: libmysqlclient-devel + +%description modules-mysql +This package includes dynamically loadable zone (DLZ) plugins +which store zone data in a MySQL database +The dlz_mysql_dynamic.so plugin does not support dynamic updates +the dlz_mysqldyn_mod.so plugin is a dynamically loadable zone (DLZ) +plugin that uses a fixed-schema MySQL database for back-end storage. +It allows zone data to be updated via dynamic DNS updates, and +sends DNS NOTIFY packets to other name servers when appropriate. 
+%endif + +%if %{with_modules_ldap} +%package modules-ldap +Summary: A DLZ module which stores zone data in an LDAP directory +Group: Productivity/Networking/DNS/Servers +BuildRequires: openldap2-devel + +%description modules-ldap +This package provides the externally loadable ldap DLZ module, without +update support +%endif + +%if %{with_modules_bdbhpt} +%package modules-bdbhpt +Summary: A DLZ module which stores zone data in a BerkeleyDB +Group: Productivity/Networking/DNS/Servers +BuildRequires: libdb-4_8-devel + +%description modules-bdbhpt +This package provides the externally loadable bdbhpt DLZ driver, without +update support +%endif + +%if %{with_modules_sqlite3} +%package modules-sqlite3 +Summary: A DLZ module which stores zone data in an sqlite3 db +Group: Productivity/Networking/DNS/Servers +BuildRequires: sqlite3-devel + +%description modules-sqlite3 +This package provides the externally loadable SQLitee DLZ module, without +update support. +%endif + +%if %{with_modules_generic} +%package modules-generic +Summary: DLZ module which store zone data in plain files +Group: Productivity/Networking/DNS/Servers + +%description modules-generic +This package provides the externally loadable filesystem DLZ module, without +update support and the externally loadable wildcard DLZ module. +The "wildcard" DLZ module provides a "template" zone for domains matching +a wildcard name. +For any zone name matching the wildcard, it would return the data from +the template. "$zone$" is replaced with zone name: i.e., the shortest +possible string of labels in the query name that matches the wildcard. +%endif %prep %autosetup -p1 -a2 
@@ -192,17 +267,16 @@ --enable-threads \ --with-libtool \ --with-libxml2 \ - --with-libjson \ + --with-dlz_filesystem \ + --with-json-c \ --with-libidn2 \ - --with-dlz-mysql \ - --with-dlz-ldap \ --with-randomdev=/dev/urandom \ --enable-ipv6 \ --with-pic \ --disable-openssl-version-check \ --with-tuning=large \ --with-maxminddb \ - --with-dlopen \ + --with-dlopen=auto \ --with-gssapi=yes \ --disable-isc-spnego \ --enable-fixed-rrset \ @@ -210,6 +284,9 @@ %if %{with_systemd} --with-systemd \ %endif +%if %{with check} + --enable-querytrace \ +%endif --enable-full-report # disable rpath sed -i ' @@ -224,6 +301,10 @@ %if %{with_systemd} %sysusers_generate_pre %{SOURCE72} named named.conf %endif +# special build for the plugins +for d in contrib/dlz/modules/*; do + [ -e $d/Makefile ] && make -C $d +done %install mkdir -p \ 
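Review bot: the plugin build loop added in the %build hunk (`for d in contrib/dlz/modules/*; do [ -e $d/Makefile ] && make -C $d; done`) swallows build failures: a failing `make -C $d` just falls through to the next directory, and the loop's own exit status is only that of its last command, so a broken DLZ module does not fail the build and the later `install -m 0644 contrib/dlz/modules/.../*.so` lines would then fail on an unmatched glob, or install a stale object left from an earlier run. Suggest `[ -e "$d/Makefile" ] || continue` followed by `make -C "$d" || exit 1` so the error surfaces where it happens.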
@@ -245,12 +326,32 @@ mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %endif %make_install -install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind # remove useless .h files rm -rf %{buildroot}%{_includedir} +# Install the plugins +mkdir -p %{buildroot}/%{_libdir}/bind-plugins +%if %{with_modules_perl} + install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_mysql} + install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins + install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_ldap} + install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_bdbhpt} + install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_sqlite3} + install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif +%if %{with_modules_generic} + install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins +%endif # remove useless .la files -rm -f %{buildroot}/%{_libdir}/lib*.{la,a} +rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir} mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d 
@@ -286,21 +387,24 @@ %if %{with_sfw2} install -m 644 vendor-files/sysconfig/SuSEFirewall.named %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind %endif +%if ! %{with check} # Cleanup doc rm doc/misc/Makefile* find doc/arm -type f ! -name '*.html' -delete +%endif # Create doc as we want it in bind and not bind-doc for file in vendor-files/docu/README*; do basename=$( basename ${file}) cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR} done -mkdir -p vendor-files/config/ISC-examples -cp -a bin/tests/*.conf* vendor-files/config/ISC-examples +# mkdir -p vendor-files/config/ISC-examples +# cp -a bin/tests/*.conf* vendor-files/config/ISC-examples for d in arm; do cp -a doc/${d}/_build %{buildroot}/%{_defaultdocdir}/bind/${d} echo "%doc %{_defaultdocdir}/bind/${d}" >>filelist-bind-doc done -for file in CHANGES COPYRIGHT README version contrib doc/misc vendor-files/config; do +for file in CHANGES COPYRIGHT README* version contrib/README* doc/misc vendor-files/config; do + [ -r ${file} ] || continue basename=$( basename ${file}) cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename} echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc @@ -313,11 +417,14 @@ mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/ %endif +find %{buildroot}/usr/share/doc/packages/bind -name cfg_test* -exec rm {} \; +rm -rf %{buildroot}/usr/share/doc/packages/bind/misc/.libs %if %{with_systemd} %pre -f named.pre %service_add_pre named.service %else + %pre %{GROUPADD_NAMED} %{USERADD_NAMED} @@ -325,6 +432,12 @@ %{USERMOD_NAMED} %endif +%if %{with check} +%check +sudo bin/tests/system/ifconfig.sh up +make test +%endif + %preun %if %{with_systemd} %service_del_preun named.service 
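Review bot: the new `%check` hunk runs `sudo bin/tests/system/ifconfig.sh up` before `make test`; this needs root on the build host to configure loopback aliases and `sudo` is normally not available in the OBS build sandbox, so the section can only work in a local build. It is gated behind `%bcond_with check` (disabled by default), which keeps Factory builds unaffected, but a one-line comment stating that `%check` is for local use only and requires sudo would save the next maintainer from enabling it in OBS and getting an opaque failure; consider also guarding with `command -v sudo >/dev/null` so the failure mode is explicit.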
@@ -365,7 +478,7 @@ %dir %{_sysconfdir}/slp.reg.d %attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg %if %{with_systemd} -%config %{_unitdir}/named.service +%{_unitdir}/named.service %{_prefix}/lib/tmpfiles.d/bind.conf %{_sysusersdir}/named.conf %{_datadir}/factory @@ -378,17 +491,21 @@ %{_bindir}/named-rrchecker %{_sbindir}/rcnamed %{_sbindir}/named -%{_sbindir}/named-checkconf -%{_sbindir}/named-checkzone -%{_sbindir}/named-compilezone -%dir %{_libdir}/named -%{_libdir}/named/filter-aaaa.so +%{_bindir}/named-checkconf +%{_bindir}/named-checkzone +%{_bindir}/named-compilezone +%{_bindir}/named-journalprint +%{_bindir}/nsec3hash +%dir %{_libdir}/bind +%{_libdir}/bind/filter-aaaa.so +%{_libdir}/bind/filter-a.so %{_mandir}/man1/named-rrchecker.1%{ext_man} %{_mandir}/man5/named.conf.5%{ext_man} -%{_mandir}/man8/named-checkconf.8%{ext_man} -%{_mandir}/man8/named-checkzone.8%{ext_man} +%{_mandir}/man1/named-checkconf.1%{ext_man} +%{_mandir}/man1/named-checkzone.1%{ext_man} %{_mandir}/man8/named.8%{ext_man} %{_mandir}/man8/filter-aaaa.8%{ext_man} +%{_mandir}/man8/filter-a.8%{ext_man} %dir %{_datadir}/bind %{_datadir}/bind/ldapdump %ghost %{_rundir}/named 
@@ -403,6 +520,34 @@ %config %{_var}/lib/named/named.root.key %dir %{_libexecdir}/bind %{_libexecdir}/bind/named.prep +%dir %{_libdir}/bind-plugins + +%if %{with_modules_perl} +%files modules-perl +%{_libdir}/bind-plugins/dlz_perl_driver.so +%endif +%if %{with_modules_mysql} +%files modules-mysql +%{_libdir}/bind-plugins/dlz_mysql_dynamic.so +%{_libdir}/bind-plugins/dlz_mysqldyn_mod.so +%endif +%if %{with_modules_ldap} +%files modules-ldap +%{_libdir}/bind-plugins/dlz_ldap_dynamic.so +%endif +%if %{with_modules_bdbhpt} +%files modules-bdbhpt +%{_libdir}/bind-plugins/dlz_bdbhpt_dynamic.so +%endif +%if %{with_modules_sqlite3} +%files modules-sqlite3 +%{_libdir}/bind-plugins/dlz_sqlite3_dynamic.so +%endif +%if %{with_modules_generic} +%files modules-generic +%{_libdir}/bind-plugins/dlz_filesystem_dynamic.so +%{_libdir}/bind-plugins/dlz_wildcard_dynamic.so +%endif %files doc -f filelist-bind-doc %dir %doc %{_defaultdocdir}/bind @@ -424,27 +569,19 @@ %{_bindir}/nsupdate %{_bindir}/genDDNSkey %{_bindir}/arpaname +%{_bindir}/dnssec-dsfromkey +%{_bindir}/dnssec-importkey +%{_bindir}/dnssec-keyfromlabel +%{_bindir}/dnssec-keygen +%{_bindir}/dnssec-revoke +%{_bindir}/dnssec-settime +%{_bindir}/dnssec-signzone +%{_bindir}/dnssec-verify +%{_bindir}/dnssec-cds %{_sbindir}/ddns-confgen -%{_sbindir}/dnssec-dsfromkey -%{_sbindir}/dnssec-importkey -%{_sbindir}/dnssec-keyfromlabel -%{_sbindir}/dnssec-keygen -%{_sbindir}/dnssec-revoke -%{_sbindir}/dnssec-settime -%{_sbindir}/dnssec-signzone -%{_sbindir}/dnssec-verify -%{_sbindir}/dnssec-checkds -%{_sbindir}/dnssec-coverage -%{_sbindir}/dnssec-keymgr -%{_sbindir}/dnssec-cds -# %%{_sbindir}/genrandom -# %%{_sbindir}/isc-hmac-fixup -%{_sbindir}/named-journalprint -%{_sbindir}/nsec3hash %{_sbindir}/rndc %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen -# Library files, formerly in their own, separate packages: %{_libdir}/libbind9-%{version}.so %{_libdir}/libdns-%{version}.so %{_libdir}/libirs-%{version}.so 
@@ -461,7 +598,6 @@ %{_libdir}/libns.so %dir %doc %{_defaultdocdir}/bind %{_defaultdocdir}/bind/README*.%{VENDOR} -%{_defaultdocdir}/bind/.clang-format.headers %{_mandir}/man1/arpaname.1%{ext_man} %{_mandir}/man1/delv.1%{ext_man} %{_mandir}/man1/dig.1%{ext_man} 
@@ -469,33 +605,22 @@ %{_mandir}/man1/mdig.1%{ext_man} %{_mandir}/man1/nslookup.1%{ext_man} %{_mandir}/man1/nsupdate.1%{ext_man} -# %%{_mandir}/man1/dnstap-read.1%%{ext_man} +%{_mandir}/man1/dnssec-dsfromkey.1%{ext_man} +%{_mandir}/man1/dnssec-importkey.1%{ext_man} +%{_mandir}/man1/dnssec-keyfromlabel.1%{ext_man} +%{_mandir}/man1/dnssec-keygen.1%{ext_man} +%{_mandir}/man1/dnssec-revoke.1%{ext_man} +%{_mandir}/man1/dnssec-settime.1%{ext_man} +%{_mandir}/man1/dnssec-signzone.1%{ext_man} +%{_mandir}/man1/dnssec-verify.1%{ext_man} +%{_mandir}/man1/dnssec-cds.1%{ext_man} +%{_mandir}/man1/named-compilezone.1%{ext_man} +%{_mandir}/man1/named-journalprint.1%{ext_man} +%{_mandir}/man1/nsec3hash.1%{ext_man} %{_mandir}/man5/rndc.conf.5%{ext_man} %{_mandir}/man8/ddns-confgen.8%{ext_man} -%{_mandir}/man8/dnssec-dsfromkey.8%{ext_man} -%{_mandir}/man8/dnssec-importkey.8%{ext_man} -%{_mandir}/man8/dnssec-keyfromlabel.8%{ext_man} -%{_mandir}/man8/dnssec-keygen.8%{ext_man} -%{_mandir}/man8/dnssec-revoke.8%{ext_man} -%{_mandir}/man8/dnssec-settime.8%{ext_man} -%{_mandir}/man8/dnssec-signzone.8%{ext_man} -%{_mandir}/man8/dnssec-verify.8%{ext_man} -%{_mandir}/man8/dnssec-checkds.8%{ext_man} -%{_mandir}/man8/dnssec-coverage.8%{ext_man} -%{_mandir}/man8/dnssec-keymgr.8%{ext_man} -%{_mandir}/man8/dnssec-cds.8%{ext_man} -# %%{_mandir}/man8/named-nzd2nzf.8%%{ext_man} -# %%{_mandir}/man8/genrandom.8%%{ext_man} -# %%{_mandir}/man8/isc-hmac-fixup.8%%{ext_man} -%{_mandir}/man8/named-journalprint.8%{ext_man} -%{_mandir}/man8/nsec3hash.8%{ext_man} %{_mandir}/man8/rndc.8%{ext_man} %{_mandir}/man8/rndc-confgen.8%{ext_man} -%{_mandir}/man8/named-compilezone.8%{ext_man} %{_mandir}/man8/tsig-keygen.8%{ext_man} -%files -n python3-bind -%{python3_sitelib}/isc -%{python3_sitelib}/isc-*.egg-info - %changelog ++++++ bind-9.16.25.tar.xz -> bind-9.18.2.tar.xz ++++++ ++++ 447762 lines of diff (skipped) ++++++ bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch ++++++ Index: 
bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h =================================================================== --- bind-9.18.2.orig/contrib/dlz/modules/include/dlz_minimal.h +++ bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h @@ -27,6 +27,7 @@ #include <inttypes.h> #include <stdbool.h> +#include <stdlib.h> #include <arpa/inet.h> #include <net/if.h> @@ -85,6 +86,25 @@ typedef uint32_t dns_ttl_t; var = _u.v; \ } while (0) + +#if !defined(__has_attribute) +#define __has_attribute(x) 0 +#endif /* if !defined(__has_attribute) */ + +#if __GNUC__ >= 7 || __has_attribute(fallthrough) +#define FALLTHROUGH __attribute__((fallthrough)) +#else +/* clang-format off */ +#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */ +/* clang-format on */ +#endif + +#ifdef __GNUC__ +#define UNREACHABLE() __builtin_unreachable() +#else +#define UNREACHABLE() abort() +#endif + /* opaque structures */ typedef void *dns_sdlzlookup_t; typedef void *dns_sdlzallnodes_t; ++++++ bind-prevent-buffer-overflow.patch ++++++ >From 921043b54161c7a3e6dc4036b038ca4dbc5fe472 Mon Sep 17 00:00:00 2001 From: Evan Hunt <[email protected]> Date: Fri, 13 May 2022 19:59:58 -0700 Subject: [PATCH] prevent a possible buffer overflow in configuration check corrected code that could have allowed a buffer overfow while parsing named.conf. --- lib/bind9/check.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 658daec76d..baacd29a84 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -3009,8 +3009,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, } else if (dns_name_isula(zname)) { ula = true; } - tmp += strlen(tmp); len -= strlen(tmp); + tmp += strlen(tmp); (void)snprintf(tmp, len, "%u/%s", zclass, (ztype == CFG_ZONE_INVIEW) ? target : (viewname != NULL) ? viewname 
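Review bot: the reordering in both check_zoneconf hunks (the one above at line 3009 and the identical one at 3719) is the whole fix and the ordering is subtle enough to deserve a comment. In the removed lines `tmp += strlen(tmp)` advances `tmp` to the terminating NUL first, so the following `len -= strlen(tmp)` subtracts zero and `len` stays at the full buffer size while `tmp` already points partway into the buffer; `snprintf(tmp, len, ...)` could therefore write past the end. Subtracting `strlen(tmp)` before advancing keeps `len` equal to the remaining space. Since the same two-line pattern appears twice, suggest a short comment above each pair (or a tiny helper that returns the remaining length) so a future refactor does not swap them back.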
@@ -3719,8 +3719,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, char *tmp = keydirbuf; size_t len = sizeof(keydirbuf); dns_name_format(zname, keydirbuf, sizeof(keydirbuf)); - tmp += strlen(tmp); len -= strlen(tmp); + tmp += strlen(tmp); (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir); tresult = keydirexist(zconfig, (const char *)keydirbuf, kaspname, keydirs, logctx, mctx); -- GitLab ++++++ vendor-files.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/config/named.conf new/vendor-files/config/named.conf --- old/vendor-files/config/named.conf 2021-10-18 11:53:03.427850129 +0200 +++ new/vendor-files/config/named.conf 2022-01-26 08:38:15.055451213 +0100 
@@ -168,3 +168,37 @@ # You can insert further zone records for your own domains below # See /usr/share/doc/packages/__BIND_PACKAGE_NAME__/README.__VENDOR__ for more details. + +# Old-style DLZ drivers have been deprecated in favor of DLZ modules. +# The DLZ drivers configuration option will be removed from the next +# major BIND 9 release +# The option to use the DLZ modules is already available in BIND 9; +# please see the ARM section on DLZ modules. +# The following two sections give you a hint as to the configuration +#dlz "test" { +# database "dlopen /usr/lib64/bind-plugins/dlz_ldap_dynamic.so" +# v3 simple {cn=Manager,o=bind-dlz} {secret} {127.0.0.1} +# ldap:///dlzZoneName=$zone$,ou=dns,o=bind-dlz???objectclass=dlzZone +# +# ldap:///dlzHostName=$record$,dlzZoneName=$zone$,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzPreference,dlzData,dlzIPAddr?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa))) +# +# ldap:///dlzHostName=@,dlzZoneName=$zone$,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzData,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(dlzType=soa)) +# +# ldap:///dlzZoneName=$zone$,ou=dns,o=bind-dlz?dlzTTL,dlzType,dlzHostName,dlzPreference,dlzData,dlzIPAddr,dlzPrimaryNS,dlzAdminEmail,dlzSerial,dlzRefresh,dlzRetry,dlzExpire,dlzMinimum?sub?(&(objectclass=dlzAbstractRecord)(!(dlzType=soa))) +# +# ldap:///dlzZoneName=$zone$,ou=dns,o=bind-dlz??sub?(&(objectclass=dlzXFR)(dlzIPAddr=$client$))"; +#}; +# +# +#dlz "test" { +# database "dlopen /usr/lib64/bind-plugins/dlz_mysql_dynamic.so +# { +# host=127.0.0.1 port=3306 socket=/tmp/mysql.sock +# dbname=BindDB user=USER pass=PASSWORD threads=2 +# } +# {SELECT zone FROM records WHERE zone = '$zone$'} +# {SELECT ttl, type, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data FROM records WHERE zone = '$zone$' AND host = '$record$' AND type <> 'SOA' AND type <> 'NS'} +# {SELECT ttl, type, data, primary_ns, resp_contact, serial, refresh, retry, expire, 
minimum FROM records WHERE zone = '$zone$' AND (type = 'SOA' OR type='NS')} +# {SELECT ttl, type, host, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data, resp_contact, serial, refresh, retry, expire, minimum FROM records WHERE zone = '$zone$' AND type <> 'SOA' AND type <> 'NS'} +# {SELECT zone FROM xfr where zone='$zone$' AND client = '$client$'}"; +#}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/init/named new/vendor-files/init/named --- old/vendor-files/init/named 2021-03-31 16:46:55.963679204 +0200 +++ new/vendor-files/init/named 2022-05-12 16:24:23.080905169 +0200 @@ -86,7 +86,7 @@ done fi -NAMED_CHECKCONF_BIN="/usr/sbin/named-checkconf" +NAMED_CHECKCONF_BIN="/usr/bin/named-checkconf" NAMED_PID="/var/run/named/named.pid" RNDC_BIN="/usr/sbin/rndc" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/named.prep new/vendor-files/system/named.prep --- old/vendor-files/system/named.prep 2021-05-21 09:22:32.915895196 +0200 +++ new/vendor-files/system/named.prep 2022-05-13 14:03:37.239514135 +0200 @@ -18,7 +18,7 @@ done . $SYSCONFIG_FILE -: ${NAMED_CHECKCONF_BIN:=/usr/sbin/named-checkconf} +: ${NAMED_CHECKCONF_BIN:=/usr/bin/named-checkconf} : ${NAMED_CHECKCONF_ARGS:=""} : ${ETC_RNDC_KEY:=/etc/rndc.key} : ${NEW_RNDC_KEY:=/var/lib/named/rndc.key} @@ -29,9 +29,12 @@ # Run all scripts defined in NAMED_INITIALIZE_SCRIPTS (/etc/sysconfig/named) for script in ${NAMED_INITIALIZE_SCRIPTS}; do test "${script:0:1}" = "/" || script="/usr/share/bind/${script}" - [ -x "$script" ] || warnMessage "\"$script\" does not exist or is not executable" - ${script} - test $? -ne 0 && rc=$? + if [ -x "$script" ]; then + ${script} + tmp=$?; [ $tmp = 0 ] || rc=$tmp + else + warnMessage "\"$script\" does not exist or is not executable. Check /etc/sysconfig/named" + fi done # If /etc/rndc.key is not a symbolic link,
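Review bot: the named.prep hunk fixes a real bug in the removed lines: `test $? -ne 0 && rc=$?` assigned the exit status of `test` itself (which is 0 whenever the `&&` branch is taken), so a failing initialize script never changed `rc`; the new `tmp=$?; [ $tmp = 0 ] || rc=$tmp` captures the script's status before anything overwrites it. Two small follow-ups: `rc` is overwritten by each later failure, so only the last non-zero status survives (fine if any failure is what matters, but worth a comment), and `${script}` is still invoked unquoted while the `-x` test quotes it; use `"${script}"` in both places for consistency.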
