From edbcc0c8da2d3cb7adab33d85c5be6f64c1a79a6 Mon Sep 17 00:00:00 2001 From: Petr Menšík Date: Jun 17 2020 20:57:19 +0000 Subject: Update to 9.11.20 Fixes CVE-2020-8619 and few more issues --- diff --git a/.gitignore b/.gitignore index 1e054e5..27a7197 100644 --- a/.gitignore +++ b/.gitignore @@ -108,3 +108,5 @@ bind-9.7.2b1.tar.gz /bind-9.11.18.tar.gz.asc /bind-9.11.19.tar.gz /bind-9.11.19.tar.gz.asc +/bind-9.11.20.tar.gz +/bind-9.11.20.tar.gz.asc diff --git a/bind-9.11-rh1624100.patch b/bind-9.11-rh1624100.patch index 5764ed7..0775820 100644 --- a/bind-9.11-rh1624100.patch +++ b/bind-9.11-rh1624100.patch @@ -1,4 +1,4 @@ -From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001 +From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 25 Apr 2018 14:04:31 +0200 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts @@ -24,10 +24,10 @@ Fix the isc_safe_memwipe() usage with (NULL, >0) delete mode 100644 lib/isc/safe.c diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c -index 6ddaebe..d921870 100644 +index 6dded0c..a9c5557 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c -@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, +@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, static int hashlist_comp(const void *a, const void *b) { @@ -81,7 +81,7 @@ index ad77f24..670982a 100644 /* accept_sec_context.c */ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in -index 0fd0837..8ad54bb 100644 +index 149552a..8529a86 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ 
@@ -91,7 +91,7 @@ index 0fd0837..8ad54bb 100644 - safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ + serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ - tm.@O@ timer.@O@ version.@O@ \ + tm.@O@ timer.@O@ utf8.@O@ version.@O@ \ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} @@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ netaddr.c netscope.c pool.c ondestroy.c \ @@ -100,7 +100,7 @@ index 0fd0837..8ad54bb 100644 - safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ + serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \ strtoul.c symtab.c task.c taskpool.c timer.c \ - tm.c version.c + tm.c utf8.c version.c @@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@ @@ -284,5 +284,5 @@ index 266ac75..60e9181 100644 return (cmocka_run_group_tests(tests, NULL, NULL)); -- -2.20.1 +2.26.2 diff --git a/bind.spec b/bind.spec index fb3fea0..b5c0195 100644 --- a/bind.spec +++ b/bind.spec @@ -65,7 +65,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.11.19 +Version: 9.11.20 Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ @@ -1604,6 +1604,9 @@ fi; %changelog +* Wed Jun 17 2020 Petr Menšík - 32:9.11.20-1 +- Update to 9.11.20 + * Fri May 15 2020 Petr Menšík - 32:9.11.19-1 - Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617) - Make initscripts just optional dependency diff --git a/bind97-rh645544.patch b/bind97-rh645544.patch index d1d8429..c15eeb5 100644 --- a/bind97-rh645544.patch +++ b/bind97-rh645544.patch 
@@ -1,7 +1,8 @@ -diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c ---- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200 -+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200 -@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) { +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index ecb3ddb..f7f73cd 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) { */ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, @@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve "success resolving '%s' (in '%s'?) after %s", fctx->info, domainbuf, fctx->reason); -@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin +@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) { dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, @@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve "lame server resolving '%s' (in '%s'?): %s", namebuf, domainbuf, addrbuf); } -@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char - } +@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) { + isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, - DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), - "DNS format error from %s resolving %s%s%s: %s", - nsbuf, fctx->info, clmsg, clbuf, msgbuf); + "DNS format error from %s resolving %s for %s: %s", + nsbuf, fctx->info, fctx->clientstr, msgbuf); } diff --git a/sources b/sources index 1c102a3..3cbd20a 100644 --- a/sources +++ b/sources 
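Review bot: The refreshed bind97-rh645544.patch still lowers the `DNS format error from %s resolving %s for %s: %s` message in log_formerr() from `ISC_LOG_NOTICE` to `ISC_LOG_DEBUG(1)`, and the regenerated file now opens directly with `diff --git a/lib/dns/resolver.c` with no description of why. At debug level 1 the message is not written under a default logging configuration, so anyone watching resolver logs for malformed upstream responses loses that signal unless debug logging is raised. The log_edns() and log_lame() hunks presumably make the same kind of change, but their modified lines fall outside the context visible here. I would add a short plain-text header above the `diff --git` line, for example `rh645544: log EDNS-disabled, lame-server and format-error resolver messages at debug level 1`, together with the rationale, so the trade-off stays documented across future rebases.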
@@ -1,2 +1,2 @@
-SHA512 (bind-9.11.19.tar.gz) = 4378afcd8c72a3f1b597e180a21674e1bbfc44b8378831ab3256395bdc46dce74da31aaa855fbae29d4c93e360dad233e3c8e3e69326779ddfecddbc96511ea2
-SHA512 (bind-9.11.19.tar.gz.asc) = 0cdbbe94a1b3a250dcdeb9934b6225cfda35d8646a2e0fada5485ef7b79f3c9bb831b3d19059f93aed9e01ae9ee80708c1d696eca82f01f8e6ae5523c8d3cf2e
+SHA512 (bind-9.11.20.tar.gz) = 249710a35dfd340abf8d07c526fb9dd05ab3ed186641f33b697f9a59a866965f43d77e6d0c77b3690698eb6d451a15506cedc5da18aff666c9d95a864268dd25
+SHA512 (bind-9.11.20.tar.gz.asc) = f8dba8b72639eefc4b3e5e5e27f28506aa3333101bb903ea7add92716ec95718a0506023a6d812c6d03b93dc634100c0463b667ce7a889e01d087a97eda903f3