bind/bind-9.5-PIE.patch

From 13348a5fc64387bf53ef450688e181100d0ceddb Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 12 Dec 2024 15:56:13 +0100
Subject: [PATCH] Harden named service build flags

---
 bin/named/Makefile.am | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
index 57a023b..b832e9c 100644
--- a/bin/named/Makefile.am
+++ b/bin/named/Makefile.am
@@ -33,7 +33,10 @@ endif HAVE_LIBXML2
 
 AM_CPPFLAGS +=						\
 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
-	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"		\
+	-fpie
+
+AM_LDFLAGS  += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
 
 sbin_PROGRAMS = named
 
-- 
2.47.1
Update to 9.18.32 (rhbz#2331675) - Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798 2024-12-12 18:54:03 +00:00			`From 13348a5fc64387bf53ef450688e181100d0ceddb Mon Sep 17 00:00:00 2001`
			`From: Petr Mensik <pemensik@redhat.com>`
			`Date: Thu, 12 Dec 2024 15:56:13 +0100`
			`Subject: [PATCH] Harden named service build flags`

			`---`
			`bin/named/Makefile.am \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

Import version from branch v9_18 Uses git checkout 38726e67340b2b60715fa2f342dc800273d3772f -- . Remove unused patches from distgit. 2022-07-12 13:40:10 +00:00			`diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am`
Update to 9.18.32 (rhbz#2331675) - Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798 2024-12-12 18:54:03 +00:00			`index 57a023b..b832e9c 100644`
Import version from branch v9_18 Uses git checkout 38726e67340b2b60715fa2f342dc800273d3772f -- . Remove unused patches from distgit. 2022-07-12 13:40:10 +00:00			`--- a/bin/named/Makefile.am`
			`+++ b/bin/named/Makefile.am`
Update to 9.18.32 (rhbz#2331675) - Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798 2024-12-12 18:54:03 +00:00			`@@ -33,7 +33,10 @@ endif HAVE_LIBXML2`
- build with -D_GNU_SOURCE (#431734) - improved fix for #253537, posttrans script is now used - improved fix for #400461 - 9.5.0b2 - bind-9.3.2b1-PIE.patch replaced by bind-9.5-PIE.patch - only named, named-sdb and lwresd are PIE - bind-9.5-sdb.patch has been updated - bind-9.5-libidn.patch has been updated - bind-9.4.0-sdb-sqlite-bld.patch replaced by bind-9.5-sdb-sqlite-bld.patch - removed bind-9.5-gssapi-header.patch (upstream) - removed bind-9.5-CVE-2008-0122.patch (upstream) - removed bind-9.2.2-nsl.patch 2008-02-11 17:11:26 +00:00
Import version from branch v9_18 Uses git checkout 38726e67340b2b60715fa2f342dc800273d3772f -- . Remove unused patches from distgit. 2022-07-12 13:40:10 +00:00			`AM_CPPFLAGS += \`
			`-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \`
Update to 9.18.32 (rhbz#2331675) - Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798 2024-12-12 18:54:03 +00:00			`- -DNAMED_SYSCONFDIR=\"${sysconfdir}\"`
			`+ -DNAMED_SYSCONFDIR=\"${sysconfdir}\" \`
			`+ -fpie`
- build with -D_GNU_SOURCE (#431734) - improved fix for #253537, posttrans script is now used - improved fix for #400461 - 9.5.0b2 - bind-9.3.2b1-PIE.patch replaced by bind-9.5-PIE.patch - only named, named-sdb and lwresd are PIE - bind-9.5-sdb.patch has been updated - bind-9.5-libidn.patch has been updated - bind-9.4.0-sdb-sqlite-bld.patch replaced by bind-9.5-sdb-sqlite-bld.patch - removed bind-9.5-gssapi-header.patch (upstream) - removed bind-9.5-CVE-2008-0122.patch (upstream) - removed bind-9.2.2-nsl.patch 2008-02-11 17:11:26 +00:00			`+`
Update to 9.18.32 (rhbz#2331675) - Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798 2024-12-12 18:54:03 +00:00			`+AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack`

Update to 9.18.5 (#2109170) https://downloads.isc.org/isc/bind9/9.18.5/doc/arm/html/notes.html#notes-for-bind-9-18-5 Changes NSEC3 default count to zero. 2022-08-03 18:17:30 +00:00			`sbin_PROGRAMS = named`

Update to 9.18.32 (rhbz#2331675) - Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798 2024-12-12 18:54:03 +00:00			`--`
			`2.47.1`