[bind/f19] update to 9.9.3-P2 (fix for CVE-2013-4854)
Tomas Hozza
thozza at fedoraproject.org
Sun Jul 28 18:26:11 UTC 2013
commit 8d916c392676382eda55094a60362a759f3f4b9b
Author: Tomas Hozza <thozza at redhat.com>
Date: Sun Jul 28 20:08:02 2013 +0200
update to 9.9.3-P2 (fix for CVE-2013-4854)
- update RRL patch to 9.9.3-P2-rl.13207.22
Signed-off-by: Tomas Hozza <thozza at redhat.com>
.gitignore | 1 +
bind.spec | 10 +++++++---
rl-9.9.3-P1.patch => rl-9.9.3-P2.patch | 11 +++++++----
sources | 2 +-
4 files changed, 16 insertions(+), 8 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index a137e07..6417023 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@ bind-9.7.2b1.tar.gz
/bind-9.9.3rc2.tar.gz
/bind-9.9.3.tar.gz
/bind-9.9.3-P1.tar.gz
+/bind-9.9.3-P2.tar.gz
diff --git a/bind.spec b/bind.spec
index 06868e0..1753b62 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,7 +2,7 @@
# Red Hat BIND package .spec file
#
-%global PATCHVER P1
+%global PATCHVER P2
#%%global PREVER rc2
#%%global VERSION %{version}%{PREVER}
#%%global VERSION %{version}
@@ -26,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.3
-Release: 4.%{?PATCHVER}%{?dist}
+Release: 5.%{?PATCHVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -79,7 +79,7 @@ Patch131:bind-9.9.1-P2-multlib-conflict.patch
Patch132:bind99-stat.patch
Patch133:bind99-rh640538.patch
Patch134:bind97-rh669163.patch
-Patch136:rl-9.9.3-P1.patch
+Patch136:rl-9.9.3-P2.patch
Patch137:bind99-rrl.patch
# Install dns/update.h header for bind-dyndb-ldap plugin
Patch138:bind-9.9.3-include-update-h.patch
@@ -779,6 +779,10 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Sun Jul 28 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-5.P2
+- update to 9.9.3-P2 (fix for CVE-2013-4854)
+- update RRL patch to 9.9.3-P2-rl.13207.22
+
* Thu Jul 18 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-4.P1
- Fix script for setting up chroot so it unmounts everything successfully
diff --git a/rl-9.9.3-P1.patch b/rl-9.9.3-P2.patch
similarity index 99%
rename from rl-9.9.3-P1.patch
rename to rl-9.9.3-P2.patch
index 493c4da..0b4388b 100644
--- a/rl-9.9.3-P1.patch
+++ b/rl-9.9.3-P2.patch
@@ -120,7 +120,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
* answer counter, preventing double-counting.
*/
if (counter == dns_nsstatscounter_authans) {
-@@ -5865,6 +5865,128 @@
+@@ -5865,6 +5865,131 @@
resume:
CTRACE("query_find: resume");
@@ -131,12 +131,15 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
+ * Delay handling delegations for which we are certain to recurse and
+ * return here (DNS_R_DELEGATION, not a child of one of our
+ * own zones, and recursion enabled)
++ * Don't mess with responses rewritten by RPZ
+ * Count each response at most once.
+ */
+ if (client->view->rrl != NULL &&
+ ((fname != NULL && dns_name_isabsolute(fname)) ||
+ (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
+ !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
++ (client->query.rpz_st == NULL ||
++ (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&&
+ (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {
+ dns_rdataset_t nc_rdataset;
+ isc_boolean_t wouldlog;
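Review bot: The added clause `(client->query.rpz_st == NULL || (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)` exempts every RPZ-rewritten response from the response-rate-limit check in this `if`. The only explanation is the new comment line `Don't mess with responses rewritten by RPZ`, which does not give the reason or the consequence. Judging by the condition alone, such responses are never counted against a client's rate, so the comment should say so, for example `* Skip responses rewritten by RPZ: they are not counted or limited by RRL.`, with the upstream rationale added if it is known. As a style point, `== 0)&&` is missing the space before `&&` that the neighbouring lines have. The body of this `if` continues past the end of the hunk, so how `wouldlog` and the later counting behave cannot be checked from here.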
@@ -249,7 +252,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c
if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
(RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
-@@ -7318,12 +7440,14 @@
+@@ -7318,12 +7443,14 @@
}
if (eresult != ISC_R_SUCCESS &&
@@ -3325,6 +3328,6 @@ diff -r -u version-orig version
MAJORVER=9
MINORVER=9
-PATCHVER=3
-+PATCHVER=3-rl.156.01
++PATCHVER=3-rl.13207.22
RELEASETYPE=-P
- RELEASEVER=1
+ RELEASEVER=2
diff --git a/sources b/sources
index 22e98e8..4b03009 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-cf9cd9238d7bc15f1b4a5a5fff90f0d4 bind-9.9.3-P1.tar.gz
+943f6de6bfdfd821aa444242c02c1322 bind-9.9.3-P2.tar.gz
d64062a182bf71dbcae7b2e2fe2cd55b config-11.tar.bz2