[bind/f17] update to 9.9.3-P2 (fix for CVE-2013-4854)
Tomas Hozza
thozza at fedoraproject.org
Sun Jul 28 18:23:02 UTC 2013
commit 612f0bc1355f7b8fce8ab98e44565b1abd1e2786
Author: Tomas Hozza <thozza at redhat.com>
Date: Sun Jul 28 20:08:02 2013 +0200
update to 9.9.3-P2 (fix for CVE-2013-4854)
- update RRL patch to 9.9.3-P2-rl.13207.22
Signed-off-by: Tomas Hozza <thozza at redhat.com>
.gitignore | 1 +
bind.spec | 10 +++++++---
rl-9.9.3-P1.patch => rl-9.9.3-P2.patch | 11 +++++++----
sources | 2 +-
4 files changed, 16 insertions(+), 8 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 9267fab..d3e3564 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ bind-9.7.2b1.tar.gz
/bind-9.9.2-P2.tar.gz
/bind-9.9.3.tar.gz
/bind-9.9.3-P1.tar.gz
+/bind-9.9.3-P2.tar.gz
diff --git a/bind.spec b/bind.spec
index dbede32..e214b7f 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-%define PATCHVER P1
+%define PATCHVER P2
#%%define PREVER rc2
#%%define VERSION %{version}%{PREVER}
%define VERSION %{version}-%{PATCHVER}
@@ -22,7 +22,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.3
-Release: 3.%{?PATCHVER}%{?dist}
+Release: 4.%{?PATCHVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -71,7 +71,7 @@ Patch125:bind99-buildfix.patch
Patch127:bind99-forward.patch
Patch130:bind-9.9.1-P2-multlib-conflict.patch
Patch132:bind99-stat.patch
-Patch133:rl-9.9.3-P1.patch
+Patch133:rl-9.9.3-P2.patch
Patch134:bind99-rrl.patch
# SDB patches
@@ -769,6 +769,10 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Sun Jul 28 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-4.P2
+- update to 9.9.3-P2 (fix for CVE-2013-4854)
+- update RRL patch to 9.9.3-P2-rl.13207.22
+
* Wed Jun 05 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-3.P1
- update to 9.9.3-P1 (fix for CVE-2013-3919)
- update RRL patch to 9.9.3-P1-rl.156.01
diff --git a/rl-9.9.3-P1.patch b/rl-9.9.3-P2.patch
similarity index 99%
rename from rl-9.9.3-P1.patch
rename to rl-9.9.3-P2.patch
index 493c4da..0b4388b 100644
--- a/rl-9.9.3-P1.patch
+++ b/rl-9.9.3-P2.patch
@@ -120,7 +120,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
* answer counter, preventing double-counting.
*/
if (counter == dns_nsstatscounter_authans) {
-@@ -5865,6 +5865,128 @@
+@@ -5865,6 +5865,131 @@
resume:
CTRACE("query_find: resume");
@@ -131,12 +131,15 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
+ * Delay handling delegations for which we are certain to recurse and
+ * return here (DNS_R_DELEGATION, not a child of one of our
+ * own zones, and recursion enabled)
++ * Don't mess with responses rewritten by RPZ
+ * Count each response at most once.
+ */
+ if (client->view->rrl != NULL &&
+ ((fname != NULL && dns_name_isabsolute(fname)) ||
+ (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
+ !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
++ (client->query.rpz_st == NULL ||
++ (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&&
+ (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {
+ dns_rdataset_t nc_rdataset;
+ isc_boolean_t wouldlog;
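Review bot: The new RPZ exemption in the query_find rate-limit condition is documented only as `Don't mess with responses rewritten by RPZ`, which does not say why rewritten answers skip RRL or what that means for accounting. Because the added clause `(client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0` gates the whole block, such responses are presumably neither counted nor throttled. I would state that in the comment, e.g. `* Responses rewritten by RPZ are policy answers; they are neither counted nor rate limited here.`, and confirm that leaving them unthrottled is intended. The added line also lacks a space before its trailing `&&` (`== 0)&&`), unlike the neighbouring clauses. The body of this `if` continues past the end of the hunk, so whether NS_QUERYATTR_RRL_CHECKED is still set for the skipped case cannot be checked from here.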
@@ -249,7 +252,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
(RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
-@@ -7318,12 +7440,14 @@
+@@ -7318,12 +7443,14 @@
}
if (eresult != ISC_R_SUCCESS &&
@@ -3325,6 +3328,6 @@ diff -r -u version-orig version
MAJORVER=9
MINORVER=9
-PATCHVER=3
-+PATCHVER=3-rl.156.01
++PATCHVER=3-rl.13207.22
RELEASETYPE=-P
- RELEASEVER=1
+ RELEASEVER=2
diff --git a/sources b/sources
index f52696b..a64bec4 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-cf9cd9238d7bc15f1b4a5a5fff90f0d4 bind-9.9.3-P1.tar.gz
+943f6de6bfdfd821aa444242c02c1322 bind-9.9.3-P2.tar.gz
6f22bed78f41bc27fa6d885b648da63e config-9.tar.bz2