Hello community, here is the log from the commit of package bind for openSUSE:Factory checked in at 2020-09-24 16:13:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bind (Old) and /work/SRC/openSUSE:Factory/.bind.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind" Thu Sep 24 16:13:23 2020 rev:157 rq:835837 version:9.16.6 Changes: --------
--- /work/SRC/openSUSE:Factory/bind/bind.changes 2020-08-31 17:14:55.717043468 +0200
+++ /work/SRC/openSUSE:Factory/.bind.new.4249/bind.changes 2020-09-24 16:13:59.980883955 +0200
@@ -1,0 +2,26 @@
+Fri Sep 18 13:20:34 UTC 2020 - Josef Möllers <[email protected]>
+
+- Removed "-r /dev/urandom" from all invocations of rndc-confgen
+ (init/named system/lwresd.init system/named.init in vendor-files)
+ as this option is deprecated and causes rndc-confgen to fail.
+ [bsc#1173311, bsc#1176674, bsc#1170713, vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Tue Sep 15 13:54:05 UTC 2020 - Josef Möllers <[email protected]>
+
+- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
+ of /usr/sbin/dnssec-keygen as BIND now uses the random number
+ functions provided by the crypto library (i.e., OpenSSL or a
+ PKCS#11 provider) as a source of randomness rather than /dev/random.
+ Therefore the -r command line option no longer has any effect on
+ dnssec-keygen. Leaving the option in genDDNSkey as to not break
+ compatibility. Patch provided by Stefan Eisenwiener.
+ [bsc#1171313, vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Fri Sep 4 14:40:27 UTC 2020 - Reinhard Max <[email protected]>
+
+- Put libns into a separate subpackage to avoid file conflicts
+ in the libisc subpackage due to different sonums (bsc#1176092).
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.HQeiBu/_old 2020-09-24 16:14:00.960884934 +0200
+++ /var/tmp/diff_new_pack.HQeiBu/_new 2020-09-24 16:14:00.964884939 +0200
@@ -31,6 +31,7 @@ %define isccfg_sonum 1600 %define libisccfg libisccfg%{isccfg_sonum} %define libns_sonum 1604 +%define libns libns%{libns_sonum} %define VENDOR SUSE %if 0%{?suse_version} >= 1500 @@ -190,6 +191,14 @@ programs, heap-based priority queues, memory handling, and program logging. +%package -n %{libns} +Summary: NS shared library used by BIND +Group: System/Libraries + +%description -n %{libns} +This library contains miscellaneous utility function used by the BIND +server and utilities. + %package -n %{libisccc} Summary: Command Channel Library used by BIND Group: System/Libraries @@ -225,6 +234,7 @@ Requires: %{libisccc} = %{version} Requires: %{libisccfg} = %{version} Requires: %{libisc} = %{version} +Requires: %{libns} = %{version} Provides: bind8-devel Provides: bind9-devel Obsoletes: bind8-devel < %{version} @@ -478,6 +488,8 @@ %postun -n %{libirs} -p /sbin/ldconfig %post -n %{libisc} -p /sbin/ldconfig %postun -n %{libisc} -p /sbin/ldconfig +%post -n %{libns} -p /sbin/ldconfig +%postun -n %{libns} -p /sbin/ldconfig %post -n %{libisccc} -p /sbin/ldconfig %postun -n %{libisccc} -p /sbin/ldconfig %post -n %{libisccfg} -p /sbin/ldconfig @@ -550,6 +562,8 @@ %files -n %{libisc} %{_libdir}/libisc.so.%{isc_sonum}* + +%files -n %{libns} %{_libdir}/libns.so.%{libns_sonum}* %files -n %{libisccc} ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.HQeiBu/_old 2020-09-24 16:14:01.012884986 +0200 +++ /var/tmp/diff_new_pack.HQeiBu/_new 2020-09-24 16:14:01.016884991 +0200 
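Review bot: The `%description -n %{libns}` text added in the second bind.spec hunk ("miscellaneous utility function used by the BIND server and utilities") reads like a generic utility-library description and does not say what libns contains, so the new subpackage cannot be told apart from its siblings in a package listing. If libns is the name-server code split out of named, as the name suggests, a description along the lines of `This library provides the name server functionality used by the BIND server.` would be more accurate. The Summary `NS shared library used by BIND` could spell out "name server" for the same reason.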
@@ -6,6 +6,7 @@ provides "bind-libs-<targettype> = <version>" libisccc1600 libisccfg1600 +libns1604 bind-devel requires -bind-<targettype> requires "libbind9-1600-<targettype> = <version>" ++++++ vendor-files.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/init/named new/vendor-files/init/named --- old/vendor-files/init/named 2017-05-20 14:06:10.382900608 +0200 +++ new/vendor-files/init/named 2020-09-18 15:23:03.198833016 +0200 @@ -157,7 +157,7 @@ # check for /etc/rndc.key if [ ! -f /etc/rndc.key ]; then warnMessage "File /etc/rndc.key not found. Creating it." - /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom + /usr/sbin/rndc-confgen -a -b 512 chmod 0640 /etc/rndc.key chown root:named /etc/rndc.key fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/lwresd.init new/vendor-files/system/lwresd.init --- old/vendor-files/system/lwresd.init 2018-05-16 12:21:47.306362749 +0200 +++ new/vendor-files/system/lwresd.init 2020-09-18 15:23:07.678833158 +0200 @@ -55,7 +55,7 @@ # check for /etc/rndc.key if [ ! -f /etc/rndc.key ]; then warnMessage "File /etc/rndc.key not found. Creating it." - /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom + /usr/sbin/rndc-confgen -a -b 512 chmod 0640 /etc/rndc.key chown root:named /etc/rndc.key fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/named.init new/vendor-files/system/named.init --- old/vendor-files/system/named.init 2018-02-06 18:18:30.691915048 +0100 +++ new/vendor-files/system/named.init 2020-09-18 15:23:14.838833386 +0200 
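Review bot: The exit status of `/usr/sbin/rndc-confgen -a -b 512` is still not checked in the init/named hunk, so if key generation fails (the failure this commit is fixing) the script goes on to `chmod` and `chown` a file that does not exist and gives no clear message about the missing control key. Something like `/usr/sbin/rndc-confgen -a -b 512 || warnMessage "rndc-confgen failed; /etc/rndc.key was not created."` would surface the problem where it occurs, with the `chmod`/`chown` pair skipped in that case. The same applies to the identical hunks in system/lwresd.init and system/named.init. The enclosing function starts and ends outside the hunk.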
@@ -120,7 +120,7 @@ # check for /etc/rndc.key if [ ! -f /etc/rndc.key ]; then warnMessage "File /etc/rndc.key not found. Creating it." - /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom + /usr/sbin/rndc-confgen -a -b 512 chmod 0640 /etc/rndc.key chown root:named /etc/rndc.key fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/tools/bind.genDDNSkey new/vendor-files/tools/bind.genDDNSkey --- old/vendor-files/tools/bind.genDDNSkey 2009-01-28 11:02:54.000000000 +0100 +++ new/vendor-files/tools/bind.genDDNSkey 2020-09-18 15:28:26.898843316 +0200 @@ -23,7 +23,7 @@ -n|--key-name <NAME> name of the key (default: $keyname_default) -d|--key-dir <NAME> public / private key directory (default is key-file directory) - -r|--random random device to use (default: $random_dev_default) + -r|--random random device to use (default: $random_dev_default, obsolete) --force overwrite an existing key file --help print usage info @@ -53,7 +53,7 @@ -r|--random) shift - RANDOM_DEV=${1:?option requires an argument} ;; + echo 'the -r option is obsolete and is ignored' >&2 ;; --force) force=true ;; @@ -68,7 +68,6 @@ : ${KEYFILE:=$keyfile_default} : ${KEYNAME:=$keyname_default} : ${KEY_DIR:=$(dirname "$KEYFILE")} -: ${RANDOM_DEV:=$random_dev_default} if ! $force; then if [ -e "$ROOT/$KEYFILE" ]; then @@ -86,6 +85,10 @@ # determine the BIND version if [ -f /usr/sbin/rndc ]; then bind9=true + bind9_hmac_md5=false + if [ -n "$(/usr/sbin/dnssec-keygen -h 2>&1 | grep -l 'HMAC-MD5')" ]; then + bind9_hmac_md5=true + fi elif [ -f /usr/sbin/ndc ]; then bind9=false else 
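Review bot: The capability probe `[ -n "$(/usr/sbin/dnssec-keygen -h 2>&1 | grep -l 'HMAC-MD5')" ]` in the last bind.genDDNSkey hunk on this line depends on `grep -l` printing a placeholder name for standard input and then tests that string for non-emptiness; `if /usr/sbin/dnssec-keygen -h 2>&1 | grep -q 'HMAC-MD5'; then` makes the same decision directly from the exit status. Matching on help text is also brittle, because a wording change in a later dnssec-keygen would silently move the script onto the other key-generation path. A comment above the test such as `# newer dnssec-keygen no longer generates HMAC keys; probe the help output` would tell the next maintainer why the probe exists. The `if`/`elif` chain continues outside the hunk.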
@@ -96,8 +99,12 @@ umask 600 # generate a 512 bit HMAC-MD5 Zone (DNS validation) key -if $bind9; then - keyfile=$(/usr/sbin/dnssec-keygen -a hmac-md5 -b 512 -r ${RANDOM_DEV} -n user "${KEYNAME}") +if $bind9; then + if $bind9_hmac_md5; then + keyfile=$(/usr/sbin/dnssec-keygen -a hmac-md5 -b 512 -n user "${KEYNAME}") + else + keyfile=$(/usr/sbin/dnssec-keygen -a RSASHA512 -b 4096 "${KEYNAME}") + fi else keyfile=$(/usr/sbin/dnskeygen -H 512 -z -c -n "${KEYNAME}") # dhskeygen has (had) a weekness, it puts one key into a world readable file @@ -119,7 +126,7 @@ # read the secret while read line; do case $line in - Key:*) secret=${line#* } + Key:*|Modulus:*) secret=${line#* } esac done < $keyfile.private @@ -129,8 +136,12 @@ # generated by $(basename $0) on $(date) key ${KEYNAME} { - $(if $bind9; then - echo "algorithm hmac-md5;" + $(if $bind9; then + if $bind9_hmac_md5; then + echo "algorithm hmac-md5;" + else + echo "algorithm rsasha512;" + fi else echo "algorithm HMAC-MD5.SIG-ALG.REG.INT;" fi)
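Review bot: The new `else` branch runs `dnssec-keygen -a RSASHA512 -b 4096`, which produces an asymmetric DNSSEC signing key where a TSIG shared secret is needed. The two later hunks (`Key:*|Modulus:*` and `echo "algorithm rsasha512;"`) then write the RSA modulus into the key clause as the `secret`, but the modulus is the public half of the key and is also published in the generated `.key` file. `rsasha512` is not a TSIG algorithm, so named would be expected to reject the clause, and anything that did accept it would be authenticating dynamic updates with public data. When dnssec-keygen no longer offers HMAC, the fallback should generate an HMAC key instead, for example `tsig-keygen -a hmac-sha512 "${KEYNAME}"`, whose output is already a complete `key` clause. Separately, the context line `umask 600` masks the owner's bits rather than group and other; `umask 077` looks like the intent, though the rest of the script is outside the hunk.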
