[bind/f18] update to 9.9.3-P2 (fix for CVE-2013-4854)
Tomas Hozza
thozza at fedoraproject.org
Sun Jul 28 18:25:02 UTC 2013
commit c029d10f87c6d472616c371534f940ea6cc36335
Author: Tomas Hozza <thozza at redhat.com>
Date: Sun Jul 28 20:08:02 2013 +0200
update to 9.9.3-P2 (fix for CVE-2013-4854)
- update RRL patch to 9.9.3-P2-rl.13207.22
Signed-off-by: Tomas Hozza <thozza at redhat.com>
.gitignore | 1 +
bind.spec | 44 +++++++++++++++++--------------
rl-9.9.3-P1.patch => rl-9.9.3-P2.patch | 11 +++++---
sources | 2 +-
4 files changed, 33 insertions(+), 25 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 9267fab..d3e3564 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ bind-9.7.2b1.tar.gz
/bind-9.9.2-P2.tar.gz
/bind-9.9.3.tar.gz
/bind-9.9.3-P1.tar.gz
+/bind-9.9.3-P2.tar.gz
diff --git a/bind.spec b/bind.spec
index b54c1e5..4db4f9b 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-%global PATCHVER P1
+%global PATCHVER P2
#%%global PREVER rc2
#%%global VERSION %{version}%{PREVER}
#%%global VERSION %{version}
@@ -26,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.3
-Release: 3.%{?PATCHVER}%{?dist}
+Release: 4.%{?PATCHVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -79,7 +79,7 @@ Patch131:bind-9.9.1-P2-multlib-conflict.patch
Patch132:bind99-stat.patch
Patch133:bind99-rh640538.patch
Patch134:bind97-rh669163.patch
-Patch136:rl-9.9.3-P1.patch
+Patch136:rl-9.9.3-P2.patch
Patch137:bind99-rrl.patch
# SDB patches
@@ -775,6 +775,10 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Sun Jul 28 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-4.P2
+- update to 9.9.3-P2 (fix for CVE-2013-4854)
+- update RRL patch to 9.9.3-P2-rl.13207.22
+
* Wed Jun 05 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-3.P1
- update to 9.9.3-P1 (fix for CVE-2013-3919)
- update RRL patch to 9.9.3-P1-rl.156.01
@@ -1161,7 +1165,7 @@ rm -rf ${RPM_BUILD_ROOT}
* Fri Nov 06 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.7.b2
- update to 9.7.0b2
-* Mon Nov 03 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.6.b1
+* Tue Nov 03 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.6.b1
- update to 9.7.0b1
- add bind-pkcs11 subpackage to support PKCS11 compatible keystores for DNSSEC
keys
@@ -1393,7 +1397,7 @@ rm -rf ${RPM_BUILD_ROOT}
- removed dns-keygen utility in favour of rndc-confgen -a (#449287)
- some minor sample fixes (#449274)
-* Wed May 29 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36
+* Thu May 29 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36
- updated to 9.5.0 final
- use getifaddrs to find available interfaces
@@ -1401,7 +1405,7 @@ rm -rf ${RPM_BUILD_ROOT}
- make /var/run/named writable by named (#448277)
- fixed one non-utf8 file
-* Wed May 22 2008 Adam Tkac <atkac redhat com> 32:9.5.0-34.rc1
+* Thu May 22 2008 Adam Tkac <atkac redhat com> 32:9.5.0-34.rc1
- fixes needed to pass package review (#225614)
* Wed May 21 2008 Adam Tkac <atkac redhat com> 32:9.5.0-33.1.rc1
@@ -1550,13 +1554,13 @@ rm -rf ${RPM_BUILD_ROOT}
* Fri Oct 26 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.2.a6
- minor cleanup in bind-chroot-admin
-* Wed Oct 25 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.1.a6
+* Thu Oct 25 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.1.a6
- fixed typo in initscript
* Tue Oct 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.a6
- disabled DBUS (dhcdbd doesn't exist & #339191)
-* Wed Oct 18 2007 Adam Tkac <atkac redhat com> 32:9.5.0-15.1.a6
+* Thu Oct 18 2007 Adam Tkac <atkac redhat com> 32:9.5.0-15.1.a6
- fixed missing va_end () functions (#336601)
- fixed memory leak when dbus initialization fails
@@ -1662,7 +1666,7 @@ rm -rf ${RPM_BUILD_ROOT}
* Mon Jul 16 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2.2
- moved chroot configfiles into chroot subpackage (#248306)
-* Thu Jul 02 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2
+* Mon Jul 02 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2
- minor changes in default configuration
- fix h_errno assigment during resolver initialization (unbounded recursion, #245857)
- removed wrong patch to #150288
@@ -1670,7 +1674,7 @@ rm -rf ${RPM_BUILD_ROOT}
* Tue Jun 19 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-1
- updated to latest upstream
-* Mon Jun 13 2007 Adam Tkac <atkac redhat com> 31:9.4.1-7
+* Wed Jun 13 2007 Adam Tkac <atkac redhat com> 31:9.4.1-7
- marked caching-nameserver as obsolete (#244604)
- fixed typo in initscript (causes that named doesn't detect NetworkManager
correctly)
@@ -1683,14 +1687,14 @@ rm -rf ${RPM_BUILD_ROOT}
package to main bind package as default configuration and major
configuration cleanup
-* Tue Jun 04 2007 Adam Tkac <atkac redhat com> 31:9.4.1-5
+* Mon Jun 04 2007 Adam Tkac <atkac redhat com> 31:9.4.1-5
- very minor compatibility change in bind-chroot-admin (line 215)
- enabled IDN support by default and don't distribute IDN libraries
- specfile cleanup
- add dynamic directory to /var/named. This directory will be primarily used for
dynamic DNS zones. ENABLE_ZONE_WRITE and SELinux's named_write_master_zones no longer exist
-* Wed May 24 2007 Adam Tkac <atkac redhat com> 31:9.4.1-4
+* Thu May 24 2007 Adam Tkac <atkac redhat com> 31:9.4.1-4
- removed ldap-api patch and start using deprecated API
- fixed minor problem in bind-chroot-admin script (#241103)
@@ -1766,7 +1770,7 @@ rm -rf ${RPM_BUILD_ROOT}
* Mon Jan 29 2007 Adam Tkac <atkac at redhat.com> 31:9.3.4-2.fc7
- redirected output from bind-chroot prep and %%preun stages to /dev/null
-* Wed Jan 25 2007 Adam Tkac <atkac at redhat.com> 31:9.3.4-1.fc7
+* Thu Jan 25 2007 Adam Tkac <atkac at redhat.com> 31:9.3.4-1.fc7
- updated to version 9.3.4 which contains security bugfixes
* Tue Jan 23 2007 Adam Tkac <atkac at redhat.com> 31:9.3.3-5.fc7
@@ -1834,7 +1838,7 @@ rm -rf ${RPM_BUILD_ROOT}
- suppressed messages from bind-chroot-admin
- cleared notes about bind-config
-* Mon Aug 22 2006 Martin Stransky <stransky at redhat.com> - 30:9.3.2-39
+* Tue Aug 22 2006 Martin Stransky <stransky at redhat.com> - 30:9.3.2-39
- added fix for #203522 - "bind-chroot-admin -e" command fails
* Mon Aug 21 2006 Martin Stransky <stransky at redhat.com> - 30:9.3.2-38
@@ -2204,10 +2208,10 @@ rm -rf ${RPM_BUILD_ROOT}
- 'service named stop' and 'service named reload'
- as per bug 127775
-* Thu Jun 23 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-19
+* Wed Jun 23 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-19
- Bump for rhel 3.0 U3
-* Thu Jun 23 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-18
+* Wed Jun 23 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-18
- remove disable-linux-caps
* Wed Jun 16 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-17
@@ -2216,7 +2220,7 @@ rm -rf ${RPM_BUILD_ROOT}
* Tue Jun 15 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt
-* Wed Jun 8 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-15
+* Tue Jun 8 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-15
- Remove device files from chroot, Named uses the system one
* Fri Mar 26 2004 Daniel Walsh <dwalsh at redhat.com> 9.2.3-14
@@ -2366,7 +2370,7 @@ rm -rf ${RPM_BUILD_ROOT}
* Tue Mar 4 2003 Daniel Walsh <dwalsh at redhat.com> 9.2.2-1
- update to 9.2.2
-* Tue Jan 24 2003 Daniel Walsh <dwalsh at redhat.com> 9.2.1-16
+* Fri Jan 24 2003 Daniel Walsh <dwalsh at redhat.com> 9.2.1-16
- Put a sleep in restart to make sure stop completes
* Wed Jan 22 2003 Tim Powers <timp at redhat.com>
@@ -2708,10 +2712,10 @@ versions).
- fix typo in spec (it's %%post, without a leading blank) introduced in -6
- change SYSTYPE to linux
-* Sat Feb 11 2000 Bill Nottingham <notting at redhat.com>
+* Fri Feb 11 2000 Bill Nottingham <notting at redhat.com>
- pick a standard < 100 uid/gid for named
-* Thu Feb 04 2000 Elliot Lee <sopwith at redhat.com>
+* Fri Feb 04 2000 Elliot Lee <sopwith at redhat.com>
- Pass named a '-u named' parameter by default, and add/remove user.
* Thu Feb 3 2000 Bernhard Rosenkraenzer <bero at redhat.com>
diff --git a/rl-9.9.3-P1.patch b/rl-9.9.3-P2.patch
similarity index 99%
rename from rl-9.9.3-P1.patch
rename to rl-9.9.3-P2.patch
index 493c4da..0b4388b 100644
--- a/rl-9.9.3-P1.patch
+++ b/rl-9.9.3-P2.patch
@@ -120,7 +120,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
* answer counter, preventing double-counting.
*/
if (counter == dns_nsstatscounter_authans) {
-@@ -5865,6 +5865,128 @@
+@@ -5865,6 +5865,131 @@
resume:
CTRACE("query_find: resume");
@@ -131,12 +131,15 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
+ * Delay handling delegations for which we are certain to recurse and
+ * return here (DNS_R_DELEGATION, not a child of one of our
+ * own zones, and recursion enabled)
++ * Don't mess with responses rewritten by RPZ
+ * Count each response at most once.
+ */
+ if (client->view->rrl != NULL &&
+ ((fname != NULL && dns_name_isabsolute(fname)) ||
+ (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
+ !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
++ (client->query.rpz_st == NULL ||
++ (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&&
+ (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {
+ dns_rdataset_t nc_rdataset;
+ isc_boolean_t wouldlog;
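Review bot: The added clause `(client->query.rpz_st == NULL || (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)` takes every RPZ-rewritten response out of the rate-limit check, and the only explanation is the one-line comment `Don't mess with responses rewritten by RPZ`. Please extend that comment to say why the exemption is wanted and that such responses are neither limited nor counted, for example `* Responses rewritten by RPZ bypass RRL entirely (not limited, not counted): <reason>.`, so an operator who relies on RRL to blunt spoofed-source floods knows that queries for policy-zone names fall outside it. The new line also lacks a space before the operator in `== 0)&&`, unlike the neighbouring conditions. The body of this `if` continues past the end of the hunk, so whether the skipped path leaves `NS_QUERYATTR_RRL_CHECKED` unset on later passes through `resume:` cannot be confirmed from here.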
@@ -249,7 +252,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
(RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
-@@ -7318,12 +7440,14 @@
+@@ -7318,12 +7443,14 @@
}
if (eresult != ISC_R_SUCCESS &&
@@ -3325,6 +3328,6 @@ diff -r -u version-orig version
MAJORVER=9
MINORVER=9
-PATCHVER=3
-+PATCHVER=3-rl.156.01
++PATCHVER=3-rl.13207.22
RELEASETYPE=-P
- RELEASEVER=1
+ RELEASEVER=2
diff --git a/sources b/sources
index f52696b..a64bec4 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-cf9cd9238d7bc15f1b4a5a5fff90f0d4 bind-9.9.3-P1.tar.gz
+943f6de6bfdfd821aa444242c02c1322 bind-9.9.3-P2.tar.gz
6f22bed78f41bc27fa6d885b648da63e config-9.tar.bz2