import CS bind-dyndb-ldap-11.11-2.el9

eabdullin 2025-03-11 07:01:50 +00:00
parent 21586ca87a
commit 4b898d641c
9 changed files with 79 additions and 205 deletions


@ -1 +1 @@
2ddce96217240ef58962105e7677e70a52550eec SOURCES/bind-dyndb-ldap-11.9.tar.bz2
73251b2d57a1be41317bea9da4eb3204c1d808c0 SOURCES/bind-dyndb-ldap-11.11.tar.bz2

.gitignore vendored

@ -1 +1 @@
SOURCES/bind-dyndb-ldap-11.9.tar.bz2
SOURCES/bind-dyndb-ldap-11.11.tar.bz2


@ -1,35 +0,0 @@
From 7b4c1e28b3e64f7cd075599472e349510f8d33da Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik@redhat.com>
Date: Sep 14 2022 15:23:20 +0000
Subject: Modify empty zone conflicts under exclusive mode
Does not accept new request when exclusive mode is active. Zone table
can be modified even after main fwd entries have been added. Ensure
empty zones handling keeps exclusive mode active.
Exclusive mode were mentioned as the only protection it had by bind
maintainer:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6637#note_308928
---
diff --git a/src/fwd.c b/src/fwd.c
index 24f6e53..0a3c673 100644
--- a/src/fwd.c
+++ b/src/fwd.c
@@ -595,10 +595,12 @@ fwd_configure_zone(const settings_set_t *set, ldap_instance_t *inst,
dns_result_totext(result));
/* Handle collisions with automatic empty zones. */
- if (isconfigured == true)
+ if (isconfigured == true) {
+ run_exclusive_enter(inst, &lock_state);
CHECK(empty_zone_handle_conflicts(name,
view->zonetable,
(fwdpolicy == dns_fwdpolicy_first)));
+ }
cleanup:
run_exclusive_exit(inst, lock_state);


@ -1,76 +0,0 @@
From c7801fabb1597c4d4b18b21fcfcf6ab064040ba5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 7 Aug 2024 16:19:46 +0200
Subject: [PATCH] Detect presence of dns_zone_setmaxrrperset
Because it were backported into bind-9.16 branch by upstream and testing
of simpler variant fails in some cases. This assumes these call do not
appear only after 9.18.28, but may be backported into previous versions.
Tests just call presence and assumes dns_db_setmaxtypepername will be
present also.
---
configure.ac | 4 ++++
src/ldap_driver.c | 25 +++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/configure.ac b/configure.ac
index faac214..b897c2b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -137,6 +137,10 @@ AC_CHECK_LIB([dns], [dns_db_setservestalettl],
[AC_DEFINE([HAVE_DNS_SERVESTALE], 1, [Define if dns library provides dns_db_setservestalettl])]
)
+AC_CHECK_LIB([dns], [dns_db_setmaxrrperset],
+ [AC_DEFINE([HAVE_DNS_DB_SETMAXRRPERSET], 1, [Define if dns library provides dns_db_setmaxrrperset])]
+)
+
dnl Older autoconf (2.59, for example) doesn't define docdir
[[ ! -n "$docdir" ]] && docdir='${datadir}/doc/${PACKAGE_TARNAME}'
AC_SUBST([docdir])
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index 5f9e00a..29896d4 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -909,6 +909,27 @@ adjusthashsize(dns_db_t *db, size_t size) {
}
#endif
+#if HAVE_DNS_DB_SETMAXRRPERSET
+/* Calls added to fix CVE-2024-1737 in 9.18.28 */
+static void
+setmaxrrperset(dns_db_t *db, uint32_t value) {
+ ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+ REQUIRE(VALID_LDAPDB(ldapdb));
+
+ return dns_db_setmaxrrperset(ldapdb->rbtdb, value);
+}
+
+static void
+setmaxtypepername(dns_db_t *db, uint32_t value) {
+ ldapdb_t *ldapdb = (ldapdb_t *) db;
+
+ REQUIRE(VALID_LDAPDB(ldapdb));
+
+ return dns_db_setmaxtypepername(ldapdb->rbtdb, value);
+}
+#endif
+
static dns_dbmethods_t ldapdb_methods = {
attach,
detach,
@@ -969,6 +990,10 @@ static dns_dbmethods_t ldapdb_methods = {
#if LIBDNS_VERSION_MAJOR >= 1606
adjusthashsize, /* adjusthashsize */
#endif
+#if HAVE_DNS_DB_SETMAXRRPERSET
+ setmaxrrperset, /* setmaxrrperset */
+ setmaxtypepername, /* setmaxtypepername */
+#endif
};
isc_result_t ATTR_NONNULLS
--
2.45.2


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJMBAABCgA2FiEEhD/TWKTBHgTUwD3S5vWnKGOylwYFAmeQyXAYHHJlbGVhc2Vz
QG1nLmZyZWVpcGEub3JnAAoJEOb1pyhjspcGQTIQAKzF8EmPBIQQbMZlSdsH312r
M7tkjr7+mdcOEKaiGtbpAT8h8KmDWZjDqCuCzYMIVFLL5S7aRpFjowbPQo612a3j
MYEchw5O0vkBaqRxqwZqBxgRkgFiyw7LfziZospLS23UbKYxtZA32/GUhhnaXpoC
EeH3afXE4zMSy8OhLDYIcAa0Vpb0eQcouGbN3/bmoMXwafdt/mlKMgNupgrnnXFT
RYSkvMnfD5vakFeXbPhu9b4fkV+hUAh8vxJbBDa2Gkkrmu/DMwR/Y0QcMec5RF/z
MMpma3YaqetIC8jIsHAcCV6Tq8gjCoIXzIbueWxspBZU6tzHFRfMlKl4ZQjxz3Jq
SvFFTw5vvEwewgPChL+ReVgqx56FAr7RrYHCM1eADBCoVvrTLYZeZObip+z1xLEt
i6yYvnb93Hyr9r5rKdd1S9IbKQiqArYXT+9GF2a6w/ti44E/Iav9PI8uOGmIWPLc
25INbGGAZoHCmESWX1zXgm0DGLGQ7fbY2Iyl1tTo2ugtyDvhkNjjSmZ2z1zu7N+2
O5hTtSovrmsl8fqpL/52NiUsEcHllZuXEDUMP+w8Lk8IM5ZWtBtypzhh6Ej2AHQZ
/WrBmhanA/fcOEdUpG5LIJ0ce+mif/K+pUgIwuRJ4m4NpV0c7UxC4IZXx4vOfmyn
p8OUsetDMyZQRuZn6TtN
=UB7t
-----END PGP SIGNATURE-----


@ -1,35 +0,0 @@
From d7d3032de7f5d3dd3cffea6064549b63a9ad7d59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 17 Jun 2021 17:57:52 +0200
Subject: [PATCH] Skip isc_bind9 check on BIND 9.16.17+
Reference variable refvar from dns_dyndbctx_t were removed. Removed was
also flag requesting different namespace. Skip that check on last stable
version, it should eval to false on all versions anyway.
---
src/ldap_driver.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
index e9f1005ee..5f9e00af1 100644
--- a/src/ldap_driver.c
+++ b/src/ldap_driver.c
@@ -1156,6 +1156,7 @@ dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
RUNTIME_CHECK(isc_once_do(&library_init_once, library_init)
== ISC_R_SUCCESS);
+#if LIBDNS_VERSION_MAJOR < 1617
/*
* Depending on how dlopen() was called, we may not have
* access to named's global namespace, in which case we need
@@ -1168,6 +1169,7 @@ dyndb_init(isc_mem_t *mctx, const char *name, const char *parameters,
isc_hash_set_initializer(dctx->hashinit);
log_debug(5, "registering library from dynamic ldap driver, %p != %p.", dctx->refvar, &isc_bind9);
}
+#endif
log_debug(2, "registering dynamic ldap driver for %s.", name);
--
2.31.1


@ -1,24 +0,0 @@
diff --git a/src/mldap.c b/src/mldap.c
index 92a330c..79efddb 100644
--- a/src/mldap.c
+++ b/src/mldap.c
@@ -50,18 +50,7 @@
static unsigned char uuid_rootname_ndata[]
= { 4, 'u', 'u', 'i', 'd', 4, 'l', 'd', 'a', 'p', 0 };
static unsigned char uuid_rootname_offsets[] = { 0, 5, 10 };
-static dns_name_t uuid_rootname =
-{
- DNS_NAME_MAGIC,
- uuid_rootname_ndata,
- sizeof(uuid_rootname_ndata),
- sizeof(uuid_rootname_offsets),
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- uuid_rootname_offsets,
- NULL,
- { (void *)-1, (void *)-1 },
- { NULL, NULL }
-};
+static dns_name_t uuid_rootname = DNS_NAME_INITABSOLUTE(uuid_rootname_ndata, uuid_rootname_offsets);
struct mldapdb {
isc_mem_t *mctx;


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=OlUq
-----END PGP SIGNATURE-----


@ -1,18 +1,26 @@
%define VERSION %{version}
%define bind_version 32:9.16.23-19
%define bind_name bind9.18
%define bind_version 32:9.18.29-2
%if 0%{?fedora} >= 31 || 0%{?rhel} > 8
%if 0%{?fedora} >= 40 || 0%{?rhel} >= 10
%global openssl_pkcs11_version 0.3
%global openssl_pkcs11_name pkcs11-provider
%global softhsm_version 2.6.1
%else
%global openssl_pkcs11_version 0.4.10-6
%global openssl_pkcs11_name openssl-pkcs11
%global softhsm_version 2.5.0-4
%endif
%else
%global with_bind_pkcs11 1
%endif
Name: bind-dyndb-ldap
Version: 11.9
Release: 10%{?dist}
Version: 11.11
Release: 2%{?dist}
Summary: LDAP back-end plug-in for BIND
License: GPLv2+
@ -20,30 +28,54 @@ URL: https://releases.pagure.org/bind-dyndb-ldap
Source0: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
Source1: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
Patch1: bind-dyndb-ldap-11.9-bind-9.16.17.patch
Patch2: 0001-Modify-empty-zone-conflicts-under-exclusive-mode_rhbz#2129844.patch
# https://pagure.io/bind-dyndb-ldap/pull-request/229
Patch3: https://pagure.io/bind-dyndb-ldap/raw/dbbcc2f07ea6955c6b0b5a719f8058c54b1d750c#/bind-dyndb-ldap-11.9-bind-CVE-2023-50387.patch
# https://pagure.io/bind-dyndb-ldap/pull-request/235
Patch4: bind-dyndb-ldap-11.10-bind-CVE-2024-1737.patch
%if "%{bind_name}" != "bind" && 0%{?rhel} == 9
Obsoletes: bind < 32:9.18
Obsoletes: bind-chroot <= 32:9.18
Obsoletes: bind-devel <= 32:9.18
Obsoletes: bind-dlz-filesystem <= 32:9.18
Obsoletes: bind-dlz-ldap <= 32:9.18
Obsoletes: bind-dlz-mysql <= 32:9.18
Obsoletes: bind-dlz-sqlite3 <= 32:9.18
Obsoletes: bind-dnssec-doc <= 32:9.18
Obsoletes: bind-dnssec-utils <= 32:9.18
Obsoletes: bind-doc <= 32:9.18
Obsoletes: bind-license <= 32:9.18
Obsoletes: bind-libs <= 32:9.18
Obsoletes: bind-utils <= 32:9.18
Obsoletes: python3-bind <= 32:9.18
%endif
%if "%{bind_name}" != "bind9.18" && 0%{?rhel} > 9
Obsoletes: bind9.18 <= 32:9.18
Obsoletes: bind9.18-chroot <= 32:9.18
Obsoletes: bind9.18-devel <= 32:9.18
Obsoletes: bind9.18-dnssec-doc <= 32:9.18
Obsoletes: bind9.18-dnssec-utils <= 32:9.18
Obsoletes: bind9.18-doc <= 32:9.18
Obsoletes: bind9.18-libs <= 32:9.18
Obsoletes: bind9.18-utils <= 32:9.18
%endif
BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}
BuildRequires: %{bind_name}-devel >= %{bind_version}, %{bind_name}-lite-devel >= %{bind_version}
BuildRequires: krb5-devel
BuildRequires: openldap-devel
BuildRequires: libuuid-devel
BuildRequires: automake, autoconf, libtool
BuildRequires: autoconf-archive
# https://bugzilla.redhat.com/show_bug.cgi?id=2165256
Conflicts: bind9-next
%if %{with bind_pkcs11}
BuildRequires: bind-pkcs11-devel >= %{bind_version}
BuildRequires: %{bind_name}-pkcs11-devel >= %{bind_version}
BuildRequires: make
Requires(pre): bind-pkcs11 >= %{bind_version}
Requires: bind-pkcs11 >= %{bind_version}
Requires: bind-pkcs11-utils >= %{bind_version}
Requires(pre): %{bind_name}-pkcs11 >= %{bind_version}
Requires: %{bind_name}-pkcs11 >= %{bind_version}
Requires: %{bind_name}-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
Requires(pre): bind >= %{bind_version}
Requires: bind >= %{bind_version}
Requires: %{openssl_pkcs11_name} >= %{openssl_pkcs11_version}
Requires(pre): %{bind_name} >= %{bind_version}
Requires: %{bind_name} >= %{bind_version}
%endif
%description
@ -121,6 +153,17 @@ sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
%changelog
* Wed Feb 12 2025 Thomas Woerner <twoerner@redhat.com> - 11.11-2
- Release bump, fixed date for previous changelog entry
Resolves: RHEL-78927
* Tue Feb 11 2025 Thomas Woerner <twoerner@redhat.com> - 11.11-1
- Release 11.11, Support BIND 9.18
Resolves: RHEL-78927
* Fri Sep 06 2024 Petr Menšík <pemensik@redhat.com> - 11.9-11
- Bump version above RHEL 9.5
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 11.9-10
- Rebuilt for BIND CVE-2024-1737 fixes (CVE-2024-1737)
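Review bot: The Patch3 and Patch4 lines for CVE-2023-50387 and CVE-2024-1737 are dropped together with their patch files, but neither 11.11 changelog entry shown records that the 11.11 tarball carries those fixes upstream, so anyone auditing this package's CVE coverage has to re-derive it from the upstream source; a changelog line such as `- Drop CVE-2023-50387 and CVE-2024-1737 backports, included upstream in 11.11` would close that gap. As far as the shown lines go, `BuildRequires: make` sits inside the `%if %{with bind_pkcs11}` branch, which means the default RHEL 9 path (where with_bind_pkcs11 is never set) does not declare make and relies on it arriving transitively; if that is the real layout, move the line above the `%if`. The bound `Obsoletes: bind < 32:9.18` also differs from the `<= 32:9.18` used for every other bind subpackage in the same block, so it is worth confirming that asymmetry is intended. The %prep logic that would check Source1 (the detached signature) is outside this hunk.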