From 549b8143a6087eeb1ce29bf5c4db0ec818593ace Mon Sep 17 00:00:00 2001 From: Petr Menšík Date: Apr 30 2021 09:23:49 +0000 Subject: Update to 9.11.31 Resolves CVE-2021-25215 and CVE-2021-25214. Removes disable-isc-spnego flag, because custom isc spnego code were removed with also this flag. It is default (and the only) option now. https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.31.html --- diff --git a/.gitignore b/.gitignore index 1f9e205..69b95dc 100644 --- a/.gitignore +++ b/.gitignore @@ -126,3 +126,5 @@ bind-9.7.2b1.tar.gz /bind-9.11.27.tar.gz.asc /bind-9.11.28.tar.gz /bind-9.11.28.tar.gz.asc +/bind-9.11.31.tar.gz +/bind-9.11.31.tar.gz.asc diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index 52909c0..eb0a72c 100644 --- a/bind-9.10-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch @@ -302,7 +302,7 @@ index 2c19e7e..8223d5e 100644 DEPLIBS = ${ISCDEPLIBS} diff --git a/configure.ac b/configure.ac -index c6715b4..8144268 100644 +index ab92837..be23d99 100644 --- a/configure.ac +++ b/configure.ac @@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI) @@ -382,7 +382,7 @@ index c6715b4..8144268 100644 then AC_MSG_RESULT() AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519) +@@ -2075,6 +2079,7 @@ AC_SUBST(OPENSSL_ED25519) AC_SUBST(OPENSSL_GOST) DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" @@ -390,7 +390,7 @@ index c6715b4..8144268 100644 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" if test "yes" = "$with_aes" -@@ -2353,6 +2358,7 @@ esac +@@ -2361,6 +2366,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -398,7 +398,7 @@ index c6715b4..8144268 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_ED25519) -@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([ +@@ -5489,8 +5495,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -410,7 +410,7 @@ index c6715b4..8144268 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile -@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([ +@@ -5563,6 +5572,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -421,7 +421,7 @@ index c6715b4..8144268 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([ +@@ -5587,6 +5600,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile @@ -460,21 +460,20 @@ index f089bea..3ed939b 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 8fc4e94..5eefb14 100644 +index 1d0f5df..0ec7eeb 100644 --- a/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in -@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@ +@@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@ - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \ -- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ -+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \ + @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ --CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} -+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} +-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ++CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ CWARNINGS = @@ -486,7 +485,7 @@ index 8fc4e94..5eefb14 100644 LIBS = ${MAXMINDDB_LIBS} @LIBS@ -@@ -150,15 +149,15 @@ version.@O@: version.c +@@ -148,15 +148,15 @@ version.@O@: version.c -DLIBAGE=${LIBAGE} \ -c ${srcdir}/version.c @@ -506,7 +505,7 @@ index 8fc4e94..5eefb14 100644 include: gen ${MAKE} include/dns/enumtype.h -@@ -189,22 +188,22 @@ gen: gen.c +@@ -187,22 +187,22 @@ gen: gen.c ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_LIBS} ${LFS_LIBS} diff --git a/bind-9.11-rt31459.patch b/bind-9.11-rt31459.patch index 822839c..723d7a8 100644 --- a/bind-9.11-rt31459.patch +++ b/bind-9.11-rt31459.patch @@ -1,4 +1,4 @@ -From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001 +From 08003079bbb017325bf7a52c2f902308a22dd0d7 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 12 Sep 2017 19:05:46 -0700 Subject: [PATCH] rebased rt31459c @@ -324,7 +324,7 @@ index 30d38be..b2ae57c 100644 } diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 5a2c660..7f15cbc 100644 +index c20c6e3..db47b3b 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -688,7 +688,7 @@ index 26fa609..fb34aa0 100644 parse_args(false, argc, argv); if (server == NULL) diff --git a/configure b/configure -index 0faca65..d5ffc87 100755 +index 97e184f..36a6330 100755 --- a/configure +++ b/configure @@ -640,6 +640,7 @@ ac_includes_default="\ @@ -699,7 +699,7 @@ index 0faca65..d5ffc87 100755 BUILD_LIBS BUILD_LDFLAGS BUILD_CPPFLAGS -@@ -823,6 +824,7 @@ LIBXML2_CFLAGS +@@ -822,6 +823,7 @@ LIBXML2_CFLAGS NZDTARGETS NZDSRCS NZD_TOOLS @@ -707,7 +707,7 @@ index 0faca65..d5ffc87 100755 PKCS11_TEST PKCS11_ED25519 PKCS11_GOST -@@ -1047,6 +1049,7 @@ with_eddsa +@@ -1046,6 +1048,7 @@ with_eddsa with_aes enable_openssl_hash with_cc_alg @@ -715,7 +715,7 @@ index 0faca65..d5ffc87 100755 with_lmdb with_libxml2 with_libjson -@@ -1749,6 +1752,7 @@ Optional Features: +@@ -1747,6 +1750,7 @@ Optional Features: --enable-threads enable multithreading --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no] @@ -723,7 +723,7 @@ index 0faca65..d5ffc87 100755 --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace -@@ -17205,6 +17209,7 @@ case "$use_openssl" in +@@ -17202,6 +17206,7 @@ case "$use_openssl" in $as_echo "disabled because of native PKCS11" >&6; } DST_OPENSSL_INC="" CRYPTO="-DPKCS11CRYPTO" @@ -731,7 +731,7 @@ index 0faca65..d5ffc87 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; } +@@ -17216,6 +17221,7 @@ $as_echo "disabled because of native PKCS11" >&6; } $as_echo "no" >&6; } DST_OPENSSL_INC="" CRYPTO="" @@ -739,7 +739,7 @@ index 0faca65..d5ffc87 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; } +@@ -17228,6 +17234,7 @@ $as_echo "no" >&6; } auto) DST_OPENSSL_INC="" CRYPTO="" @@ -747,7 +747,7 @@ index 0faca65..d5ffc87 100755 OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKSRCS="" OPENSSLEDDSALINKOBJS="" -@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; } +@@ -17237,7 +17244,7 @@ $as_echo "no" >&6; } OPENSSLLINKOBJS="" OPENSSLLINKSRCS="" as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path @@ -756,7 +756,7 @@ index 0faca65..d5ffc87 100755 ;; *) if test "yes" = "$want_native_pkcs11" -@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; } +@@ -17268,6 +17275,7 @@ $as_echo "not found" >&6; } as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 fi CRYPTO='-DOPENSSL' @@ -764,7 +764,7 @@ index 0faca65..d5ffc87 100755 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -17897,8 +17905,6 @@ fi +@@ -17902,8 +17910,6 @@ fi # Use OpenSSL for hash functions # @@ -773,7 +773,7 @@ index 0faca65..d5ffc87 100755 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then +@@ -18278,6 +18284,86 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -860,7 +860,7 @@ index 0faca65..d5ffc87 100755 # # was --with-lmdb specified? # -@@ -20549,9 +20635,12 @@ _ACEOF +@@ -20554,9 +20640,12 @@ _ACEOF if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 $as_echo "size_t for buflen; int for flags" >&6; } @@ -875,7 +875,7 @@ index 0faca65..d5ffc87 100755 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h -@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -21854,12 +21943,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -889,7 +889,7 @@ index 0faca65..d5ffc87 100755 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF +@@ -21892,6 +21976,11 @@ cat >>confdefs.h <<_ACEOF _ACEOF @@ -901,7 +901,7 @@ index 0faca65..d5ffc87 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21923,39 +22012,6 @@ _ACEOF +@@ -21900,39 +21989,6 @@ _ACEOF fi ;; x86_64-*|amd64-*) @@ -941,7 +941,7 @@ index 0faca65..d5ffc87 100755 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } +@@ -21963,6 +22019,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } $as_echo "$arch" >&6; } fi @@ -952,7 +952,7 @@ index 0faca65..d5ffc87 100755 if test "yes" = "$have_atomic"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 $as_echo_n "checking compiler support for inline assembly code... " >&6; } -@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" +@@ -24545,6 +24605,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" # dlzdir='${DLZ_DRIVER_DIR}' @@ -983,7 +983,7 @@ index 0faca65..d5ffc87 100755 # # Private autoconf macro to simplify configuring drivers: # -@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; } +@@ -24875,11 +24959,11 @@ $as_echo "no" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } ;; *) @@ -998,7 +998,7 @@ index 0faca65..d5ffc87 100755 fi CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" -@@ -24986,7 +25070,7 @@ $as_echo "" >&6; } +@@ -24964,7 +25048,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). @@ -1007,7 +1007,7 @@ index 0faca65..d5ffc87 100755 # include a blank element first for d in "" $bdb_incdirs do -@@ -25011,57 +25095,9 @@ $as_echo "" >&6; } +@@ -24989,57 +25073,9 @@ $as_echo "" >&6; } bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" for d in $bdb_libnames do @@ -1067,7 +1067,7 @@ index 0faca65..d5ffc87 100755 break fi done -@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; } +@@ -25198,10 +25234,10 @@ $as_echo "no" >&6; } DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" fi @@ -1081,7 +1081,7 @@ index 0faca65..d5ffc87 100755 fi -@@ -25309,11 +25345,11 @@ fi +@@ -25287,11 +25323,11 @@ fi odbcdirs="/usr /usr/local /usr/pkg" for d in $odbcdirs do @@ -1095,7 +1095,7 @@ index 0faca65..d5ffc87 100755 break fi done -@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" +@@ -25566,6 +25602,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -1104,7 +1104,7 @@ index 0faca65..d5ffc87 100755 # # Commands to run at the end of config.status. # Don't just put these into configure, it won't work right if somebody -@@ -27966,6 +28004,8 @@ report() { +@@ -27944,6 +27982,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1113,7 +1113,7 @@ index 0faca65..d5ffc87 100755 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -28006,6 +28046,8 @@ report() { +@@ -27984,6 +28024,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1122,7 +1122,7 @@ index 0faca65..d5ffc87 100755 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -28053,6 +28095,8 @@ report() { +@@ -28031,6 +28073,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -1132,7 +1132,7 @@ index 0faca65..d5ffc87 100755 test "yes" = "$enable_seccomp" || \ echo " Use libseccomp system call filtering (--enable-seccomp)" diff --git a/configure.ac b/configure.ac -index 78535bd..faef2e8 100644 +index 6ddbd7b..c312a9a 100644 --- a/configure.ac +++ b/configure.ac @@ -1598,6 +1598,7 @@ case "$use_openssl" in @@ -1176,7 +1176,7 @@ index 78535bd..faef2e8 100644 if test "/usr" = "$use_openssl" then DST_OPENSSL_INC="" -@@ -2099,7 +2103,6 @@ fi +@@ -2107,7 +2111,6 @@ fi # Use OpenSSL for hash functions # @@ -1184,7 +1184,7 @@ index 78535bd..faef2e8 100644 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" case $want_openssl_hash in yes) -@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then +@@ -2379,6 +2382,67 @@ if test "rt" = "$have_clock_gt"; then LIBS="-lrt $LIBS" fi @@ -1252,7 +1252,7 @@ index 78535bd..faef2e8 100644 # # was --with-lmdb specified? # -@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" +@@ -4172,12 +4236,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" if test "yes" = "$use_atomic"; then @@ -1266,7 +1266,7 @@ index 78535bd..faef2e8 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then +@@ -4186,7 +4250,6 @@ if test "yes" = "$use_atomic"; then fi ;; x86_64-*|amd64-*) @@ -1274,7 +1274,7 @@ index 78535bd..faef2e8 100644 if test $ac_cv_sizeof_void_p = 8; then arch=x86_64 have_xaddq=yes -@@ -5635,6 +5698,8 @@ report() { +@@ -5620,6 +5683,8 @@ report() { echo " IPv6 support (--enable-ipv6)" test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" @@ -1283,7 +1283,7 @@ index 78535bd..faef2e8 100644 test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" -@@ -5675,6 +5740,8 @@ report() { +@@ -5660,6 +5725,8 @@ report() { echo " Very verbose query trace logging (--enable-querytrace)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" @@ -1292,7 +1292,7 @@ index 78535bd..faef2e8 100644 echo " Dynamically loadable zone (DLZ) drivers:" test "no" = "$use_dlz_bdb" || \ echo " Berkeley DB (--with-dlz-bdb)" -@@ -5722,6 +5789,8 @@ report() { +@@ -5707,6 +5774,8 @@ report() { echo " ECDSA algorithm support (--with-ecdsa)" test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ echo " EDDSA algorithm support (--with-eddsa)" @@ -2015,7 +2015,7 @@ index 1f785e0..f9051c3 100644 * Define if the hash functions must be provided by OpenSSL. */ diff --git a/win32utils/Configure b/win32utils/Configure -index 5f66a82..ff39910 100644 +index 7ac30fb..55b6c23 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", @@ -2026,7 +2026,7 @@ index 5f66a82..ff39910 100644 "ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVECMPXCHG", -@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); +@@ -516,7 +517,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); # enable-xxx/disable-xxx @@ -2035,16 +2035,16 @@ index 5f66a82..ff39910 100644 + "developer", "fixed-rrset", "intrinsics", - "isc-spnego", -@@ -580,6 +582,7 @@ my @help = ( + "native-pkcs11", +@@ -578,6 +580,7 @@ my @help = ( "\nOptional Features:\n", " enable-intrinsics enable intrinsic/atomic functions [default=yes]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", +" enable-crypto-rand use crypto provider for random [default=yes]\n", " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", - " enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", -@@ -628,7 +631,9 @@ my $want_clean = "no"; + " enable-fixed-rrset enable fixed rrset ordering [default=no]\n", +@@ -625,7 +628,9 @@ my $want_clean = "no"; my $want_unknown = "no"; my $unknown_value; my $enable_intrinsics = "yes"; @@ -2053,8 +2053,8 @@ index 5f66a82..ff39910 100644 +my $enable_crypto_rand = "yes"; my $enable_openssl_hash = "auto"; my $enable_filter_aaaa = "yes"; - my $enable_isc_spnego = "yes"; -@@ -848,6 +853,10 @@ sub myenable { + my $enable_fixed_rrset = "no"; +@@ -844,6 +849,10 @@ sub myenable { if ($val =~ /^yes$/i) { $enable_native_pkcs11 = "yes"; } @@ -2065,7 +2065,7 @@ index 5f66a82..ff39910 100644 } elsif ($key =~ /^openssl-hash$/i) { if ($val =~ /^yes$/i) { $enable_openssl_hash = "yes"; -@@ -1154,6 +1163,11 @@ if ($verbose) { +@@ -1146,6 +1155,11 @@ if ($verbose) { } else { print "native-pkcs11: disabled\n"; } @@ -2077,7 +2077,7 @@ index 5f66a82..ff39910 100644 if ($enable_openssl_hash eq "yes") { print "openssl-hash: enabled\n"; } else { -@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") { +@@ -1498,6 +1512,7 @@ if ($enable_intrinsics eq "yes") { # enable-native-pkcs11 if ($enable_native_pkcs11 eq "yes") { @@ -2085,15 +2085,15 @@ index 5f66a82..ff39910 100644 if ($use_openssl eq "auto") { $use_openssl = "no"; } -@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") { +@@ -1707,6 +1722,7 @@ if ($use_openssl eq "yes") { $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); - } + } + $cryptolib = "openssl"; $configcond{"OPENSSL"} = 1; $configdefd{"CRYPTO"} = "OPENSSL"; $configvar{"OPENSSL_PATH"} = "$openssl_path"; -@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") { +@@ -2278,6 +2294,15 @@ if ($use_aes eq "yes") { } @@ -2109,7 +2109,7 @@ index 5f66a82..ff39910 100644 # enable-openssl-hash if ($enable_openssl_hash eq "yes") { if ($use_openssl eq "no") { -@@ -3673,6 +3698,7 @@ exit 0; +@@ -3650,6 +3675,7 @@ exit 0; # --enable-developer partially supported # --enable-newstats (9.9/9.9sub only) # --enable-native-pkcs11 supported @@ -2118,5 +2118,5 @@ index 5f66a82..ff39910 100644 # --enable-openssl-hash supported # --enable-threads included without a way to disable it -- -2.26.2 +2.26.3 diff --git a/bind.spec b/bind.spec index 502a20b..10f53ec 100644 --- a/bind.spec +++ b/bind.spec @@ -57,7 +57,7 @@ # # lib*.so.X versions of selected libraries -%global sover_dns 1113 +%global sover_dns 1114 %global sover_isc 1107 %global sover_irs 161 %global sover_isccfg 163 @@ -65,7 +65,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.11.28 +Version: 9.11.31 Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ @@ -712,7 +712,6 @@ export LIBDIR_SUFFIX %endif %if %{with GSSTSIG} --with-gssapi=yes \ - --disable-isc-spnego \ %endif %if %{with LMDB} --with-lmdb=yes \ @@ -811,7 +810,6 @@ export LIBDIR_SUFFIX --enable-openssl-hash \ %if %{with GSSTSIG} --with-gssapi=yes \ - --disable-isc-spnego \ %endif %if %{with UNITTEST} --with-cmocka \ @@ -1629,6 +1627,9 @@ fi; %changelog +* Thu Apr 29 2021 Petr Menšík - 32:9.11.31-1 +- Update to 9.11.31 + * Fri Feb 19 2021 Petr Menšík - 32:9.11.28-1 - Update to 9.11.28 diff --git a/sources b/sources index b9e689c..5cbd3bb 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.11.28.tar.gz) = 4189051b4503ee33827049d8fd27ca850e00131f67ab19edfdbfd3b201224b56859a08fa198f6134a6d34736b34099a6bb4f7bb39be1d5e9e382219281515701 -SHA512 (bind-9.11.28.tar.gz.asc) = 21d33c8e60d0b5f60f9366b30736f26bd29731bd9e56fe61a279d2d7ceea0cded8fdaa6358322f6ca46f36ddec9bf5ffc821b6a04b3ba99c8e518f2dd8a70dda +SHA512 (bind-9.11.31.tar.gz) = 791adcb382b0cc6767dedccd0cbdbc48b5d32507c569f672397c9f2de59241433c39027cc3099957fea0885e1bc8db882cf83ae27fe0127d543cec8fc2e89f04 +SHA512 (bind-9.11.31.tar.gz.asc) = 9425d70ac0e083ea2274b3a12d126c49ebe36251a51cb1e90b6569963c2f0f8e235b14e451634852c200857f2ec9737d8042ceb5dd3d452f9a3f90573803f896