Bump BIND to 9.11.1 and coverity fixes
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
This commit is contained in:
parent
99268f00fb
commit
a709bf2f4f
116
0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch
Normal file
116
0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch
Normal file
@ -0,0 +1,116 @@
|
||||
From e5c29893a318c0f1571c9918ab2c7c23dca3c952 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Krizek <tkrizek@redhat.com>
|
||||
Date: Mon, 27 Mar 2017 19:41:05 +0200
|
||||
Subject: [PATCH] Coverity: fix REVERSE_INULL for pevent->inst
|
||||
|
||||
With the DynDB API changes, the ldap instance is acquired
|
||||
differently. Previously, obtaining the instance could fail when
|
||||
LDAP was disconnecting, thus the NULL check was necessary in the
|
||||
cleanup part.
|
||||
|
||||
Now, inst is obtained directly from the API. I'm not sure what is
|
||||
the exact behaviour in edge cases such as LDAP disconnecting, so
|
||||
I perform the NULL check a bit earlier, just to be safe.
|
||||
---
|
||||
src/ldap_helper.c | 42 +++++++++++++++++++++---------------------
|
||||
1 file changed, 21 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
|
||||
index 1fa0ec9adfa2b9ca589587244da03cc6f0584919..e0c4b76f0bd350eda2d81588e6efb67b5221d630 100644
|
||||
--- a/src/ldap_helper.c
|
||||
+++ b/src/ldap_helper.c
|
||||
@@ -3714,6 +3714,7 @@ update_zone(isc_task_t *task, isc_event_t *event)
|
||||
mctx = pevent->mctx;
|
||||
dns_name_init(&prevname, NULL);
|
||||
|
||||
+ REQUIRE(inst != NULL);
|
||||
INSIST(task == inst->task); /* For task-exclusive mode */
|
||||
|
||||
if (SYNCREPL_DEL(pevent->chgtype)) {
|
||||
@@ -3730,12 +3731,11 @@ update_zone(isc_task_t *task, isc_event_t *event)
|
||||
}
|
||||
|
||||
cleanup:
|
||||
- if (inst != NULL) {
|
||||
- sync_concurr_limit_signal(inst->sctx);
|
||||
- sync_event_signal(inst->sctx, pevent);
|
||||
- if (dns_name_dynamic(&prevname))
|
||||
- dns_name_free(&prevname, inst->mctx);
|
||||
- }
|
||||
+ sync_concurr_limit_signal(inst->sctx);
|
||||
+ sync_event_signal(inst->sctx, pevent);
|
||||
+ if (dns_name_dynamic(&prevname))
|
||||
+ dns_name_free(&prevname, inst->mctx);
|
||||
+
|
||||
if (result != ISC_R_SUCCESS)
|
||||
log_error_r("update_zone (syncrepl) failed for %s. "
|
||||
"Zones can be outdated, run `rndc reload`",
|
||||
@@ -3760,14 +3760,14 @@ update_config(isc_task_t * task, isc_event_t *event)
|
||||
|
||||
mctx = pevent->mctx;
|
||||
|
||||
+ REQUIRE(inst != NULL);
|
||||
INSIST(task == inst->task); /* For task-exclusive mode */
|
||||
CHECK(ldap_parse_configentry(entry, inst));
|
||||
|
||||
cleanup:
|
||||
- if (inst != NULL) {
|
||||
- sync_concurr_limit_signal(inst->sctx);
|
||||
- sync_event_signal(inst->sctx, pevent);
|
||||
- }
|
||||
+ sync_concurr_limit_signal(inst->sctx);
|
||||
+ sync_event_signal(inst->sctx, pevent);
|
||||
+
|
||||
if (result != ISC_R_SUCCESS)
|
||||
log_error_r("update_config (syncrepl) failed for %s. "
|
||||
"Configuration can be outdated, run `rndc reload`",
|
||||
@@ -3790,14 +3790,14 @@ update_serverconfig(isc_task_t * task, isc_event_t *event)
|
||||
|
||||
mctx = pevent->mctx;
|
||||
|
||||
+ REQUIRE(inst != NULL);
|
||||
INSIST(task == inst->task); /* For task-exclusive mode */
|
||||
CHECK(ldap_parse_serverconfigentry(entry, inst));
|
||||
|
||||
cleanup:
|
||||
- if (inst != NULL) {
|
||||
- sync_concurr_limit_signal(inst->sctx);
|
||||
- sync_event_signal(inst->sctx, pevent);
|
||||
- }
|
||||
+ sync_concurr_limit_signal(inst->sctx);
|
||||
+ sync_event_signal(inst->sctx, pevent);
|
||||
+
|
||||
if (result != ISC_R_SUCCESS)
|
||||
log_error_r("update_serverconfig (syncrepl) failed for %s. "
|
||||
"Configuration can be outdated, run `rndc reload`",
|
||||
@@ -3860,6 +3860,7 @@ update_record(isc_task_t *task, isc_event_t *event)
|
||||
dns_name_init(&prevname, NULL);
|
||||
dns_name_init(&prevorigin, NULL);
|
||||
|
||||
+ REQUIRE(inst != NULL);
|
||||
CHECK(zr_get_zone_ptr(inst->zone_register, &entry->zone_name, &raw, &secure));
|
||||
zone_found = ISC_TRUE;
|
||||
|
||||
@@ -4020,13 +4021,12 @@ cleanup:
|
||||
ldap_entry_logname(entry), pevent->chgtype);
|
||||
}
|
||||
|
||||
- if (inst != NULL) {
|
||||
- sync_concurr_limit_signal(inst->sctx);
|
||||
- if (dns_name_dynamic(&prevname))
|
||||
- dns_name_free(&prevname, inst->mctx);
|
||||
- if (dns_name_dynamic(&prevorigin))
|
||||
- dns_name_free(&prevorigin, inst->mctx);
|
||||
- }
|
||||
+ sync_concurr_limit_signal(inst->sctx);
|
||||
+ if (dns_name_dynamic(&prevname))
|
||||
+ dns_name_free(&prevname, inst->mctx);
|
||||
+ if (dns_name_dynamic(&prevorigin))
|
||||
+ dns_name_free(&prevorigin, inst->mctx);
|
||||
+
|
||||
if (raw != NULL)
|
||||
dns_zone_detach(&raw);
|
||||
if (secure != NULL)
|
||||
--
|
||||
2.9.3
|
||||
|
30
0002-Add-empty-callback-for-getsize.patch
Normal file
30
0002-Add-empty-callback-for-getsize.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 107c5ed7247788a04a23d6c65fca50f96c944345 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Krizek <tkrizek@redhat.com>
|
||||
Date: Tue, 27 Jun 2017 10:41:03 +0200
|
||||
Subject: [PATCH] Add empty callback for getsize
|
||||
|
||||
BIND introduced getsize method in db.h. This is related to
|
||||
CVE-2016-6170 and allows to set restriction of zone size limit.
|
||||
|
||||
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
|
||||
---
|
||||
src/ldap_driver.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ldap_driver.c b/src/ldap_driver.c
|
||||
index 53ce1a9..38673b0 100644
|
||||
--- a/src/ldap_driver.c
|
||||
+++ b/src/ldap_driver.c
|
||||
@@ -867,7 +867,8 @@ static dns_dbmethods_t ldapdb_methods = {
|
||||
findext,
|
||||
setcachestats,
|
||||
hashsize,
|
||||
- nodefullname
|
||||
+ nodefullname,
|
||||
+ NULL, // getsize method not implemented (related BZ1353563)
|
||||
};
|
||||
|
||||
isc_result_t ATTR_NONNULLS
|
||||
--
|
||||
2.9.4
|
||||
|
@ -1,8 +1,10 @@
|
||||
%define VERSION %{version}
|
||||
|
||||
%define bind_version 32:9.11.1-1.P1
|
||||
|
||||
Name: bind-dyndb-ldap
|
||||
Version: 11.1
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: LDAP back-end plug-in for BIND
|
||||
|
||||
Group: System Environment/Libraries
|
||||
@ -11,14 +13,16 @@ URL: https://releases.pagure.org/bind-dyndb-ldap
|
||||
Source0: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
|
||||
Source1: https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Patch1: 0001-Coverity-fix-REVERSE_INULL-for-pevent-inst.patch
|
||||
Patch2: 0002-Add-empty-callback-for-getsize.patch
|
||||
|
||||
BuildRequires: bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2, bind-pkcs11-devel >= 32:9.11.0-6.P2
|
||||
BuildRequires: bind-devel >= %{bind_version}, bind-lite-devel >= %{bind_version}, bind-pkcs11-devel >= %{bind_version}
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: automake, autoconf, libtool
|
||||
|
||||
Requires: bind-pkcs11 >= 32:9.11.0-6.P2, bind-pkcs11-utils >= 32:9.11.0-6.P2
|
||||
Requires: bind-pkcs11 >= %{bind_version}, bind-pkcs11-utils >= %{bind_version}
|
||||
|
||||
|
||||
%description
|
||||
@ -29,6 +33,8 @@ off of your LDAP server.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{VERSION}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fiv
|
||||
@ -116,6 +122,10 @@ rm -rf %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 27 2017 Tomas Krizek <tkrizek@redhat.com> - 11.1-4
|
||||
- Bump BIND version and fix library dependecies
|
||||
- Coverity fixes
|
||||
|
||||
* Mon Jun 26 2017 Petr Menšík <pemensik@redhat.com> - 11.1-3
|
||||
- Build with updated libraries
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user