Update to 9.11.8

Contains: 5244. [security] Fixed a race condition in dns_dispatch_getnext() that could cause an assertion failure if a significant number of incoming packets were rejected. (CVE-2019-6471) [GL #942] 5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs. [GL #225] 5237. [bug] Recurse to find the root server list with 'dig +trace'. [GL #1028]
2019-07-02 11:10:03 +02:00 · 2019-07-02 11:10:03 +02:00 · 16ecf0736f
commit 16ecf0736f
parent 564c143a1b
6 changed files with 39 additions and 35 deletions
--- a/.gitignore
+++ b/.gitignore
@ -93,3 +93,4 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.6.tar.gz
 /bind-9.11.6-P1.tar.gz
 /bind-9.11.7.tar.gz
+/bind-9.11.8.tar.gz
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@ -300,10 +300,10 @@ index a058c91..d4b689a 100644
 DEPLIBS =	${ISCDEPLIBS}
 
 diff --git a/configure.ac b/configure.ac
-index 5e4e839..0ef2c8f 100644
+index d48fd51..79c96f8 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1081,12 +1081,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1089,12 +1089,14 @@ AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
 AC_SUBST(DNS_GSSAPI_LIBS)
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -318,7 +318,7 @@ index 5e4e839..0ef2c8f 100644
 
 #
 # was --with-randomdev specified?
-@@ -1471,11 +1473,11 @@ fi
+@@ -1479,11 +1481,11 @@ fi
 AC_MSG_CHECKING(for OpenSSL library)
 OPENSSL_WARNING=
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@ -335,7 +335,7 @@ index 5e4e839..0ef2c8f 100644
 
 if test "auto" = "$use_openssl"
 then
-@@ -1488,6 +1490,7 @@ then
+@@ -1496,6 +1498,7 @@ then
 		fi
 	done
 fi
@ -343,7 +343,7 @@ index 5e4e839..0ef2c8f 100644
 OPENSSL_ECDSA=""
 OPENSSL_GOST=""
 OPENSSL_ED25519=""
-@@ -1509,11 +1512,10 @@ case "$with_gost" in
+@@ -1517,11 +1520,10 @@ case "$with_gost" in
 		;;
 esac
 
@ -358,7 +358,7 @@ index 5e4e839..0ef2c8f 100644
 		CRYPTOLIB="pkcs11"
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
-@@ -1523,7 +1525,9 @@ case "$use_openssl" in
+@@ -1531,7 +1533,9 @@ case "$use_openssl" in
 		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
@ -369,7 +369,7 @@ index 5e4e839..0ef2c8f 100644
 	no)
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
-@@ -1555,7 +1559,7 @@ case "$use_openssl" in
+@@ -1563,7 +1567,7 @@ case "$use_openssl" in
 If you do not want OpenSSL, use --without-openssl])
 		;;
 	*)
@ -378,7 +378,7 @@ index 5e4e839..0ef2c8f 100644
 		then
 			AC_MSG_RESULT()
 			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -1983,6 +1987,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -1991,6 +1995,7 @@ AC_SUBST(OPENSSL_ED25519)
 AC_SUBST(OPENSSL_GOST)
 
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -386,7 +386,7 @@ index 5e4e839..0ef2c8f 100644
 
 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
 if test "yes" = "$with_aes"
-@@ -2306,6 +2311,7 @@ esac
+@@ -2314,6 +2319,7 @@ esac
 AC_SUBST(PKCS11LINKOBJS)
 AC_SUBST(PKCS11LINKSRCS)
 AC_SUBST(CRYPTO)
@ -394,7 +394,7 @@ index 5e4e839..0ef2c8f 100644
 AC_SUBST(PKCS11_ECDSA)
 AC_SUBST(PKCS11_GOST)
 AC_SUBST(PKCS11_ED25519)
-@@ -5428,8 +5434,11 @@ AC_CONFIG_FILES([
+@@ -5441,8 +5447,11 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
@ -406,7 +406,7 @@ index 5e4e839..0ef2c8f 100644
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
-@@ -5502,6 +5511,10 @@ AC_CONFIG_FILES([
+@@ -5515,6 +5524,10 @@ AC_CONFIG_FILES([
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
 	lib/dns/tests/Makefile
@ -417,7 +417,7 @@ index 5e4e839..0ef2c8f 100644
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
-@@ -5526,6 +5539,24 @@ AC_CONFIG_FILES([
+@@ -5539,6 +5552,24 @@ AC_CONFIG_FILES([
 	lib/isc/unix/include/Makefile
 	lib/isc/unix/include/isc/Makefile
 	lib/isc/unix/include/pkcs11/Makefile
@ -456,7 +456,7 @@ index 81270a0..bcb5312 100644
 
 @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 56dd259..f9aa782 100644
+index f6868d1..ea6fd36 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
@ -501,9 +501,9 @@ index 56dd259..f9aa782 100644
 
 include: gen
 	${MAKE} include/dns/enumtype.h
-@@ -183,22 +183,22 @@ gen: gen.c
- 	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
- 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+@@ -185,22 +185,22 @@ gen: gen.c
+ 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
+ 	${BUILD_LIBS} ${LFS_LIBS}
 
 -timestamp: include libdns.@A@
 +timestamp: include libdns-pkcs11.@A@
--- a/bind-9.11.7.tar.gz.asc
+++ b/bind-9.11.7.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABAgAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlzbSNIACgkQF8xdsfAI
-hAdG9hAAijQlh+4kFBMwjXgHFWxUYXr8/JFWVgz5wqsbUb4iuD7fbJ//h7IB69qr
-rOAtwEEf0X1//+cQP5Zqn/8GMcXrOSlp8LoH2C9ougMcIzIe43mDMMZCiGYwNXsm
-9UGKznZyXBcgGGqzKC2pc6vThrzgWtapgztcl+WWb2k5gSDo9pAeC4xnRLLcrmcn
-EhU6uSbtN8ODcWZhAhboHzHrDZrWOm+7CzZZabf/pnZM70P7mm7OJUWdpKclE4ub
-v/Re0IcnNt9ow3pvB2BGgP0/wEIkqb7toysV3MEqdJ0HDysNzmvr0JZLVD2Dvak1
-oyQjUX2eGzgZ5phu6jjhOAWs/Bw8YtGLCJyBoxvpH6AXQqJII4S8ALqnrL6NEEHz
-0Qurk39Z0LrE73XRIsn/Y1Z9xmxYp+vfl9AWQelGYOXu8s6lw+gFqZAmPasa84XA
-iHSnZalqcZEuiPuVIGdSgBokOA8XXhjBtzRIAI2nns57qLTki+l+NzgRmxIEUiyM
-4JX20GM1R9afP5U97ti3Taqw7xr9OlIJqWT7LRhTOGJAv30pd/wfAI2fuP4OPiXg
-crXRuSd33TNnC6bd28Dx8mKoYxVoLfN2GXpRWy5jmTUQY/NchDFkAejXY4ilTvI/
-hZxf3Fgy20xlAFfk7w1HGPDEM7eqtDm8cAyIz3bD6J0ONFB0t5Y=
-=xIZJ
-----END PGP SIGNATURE-----
--- a/bind-9.11.8.tar.gz.asc
+++ b/bind-9.11.8.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlz45qgACgkQdLtrmky7
+PThZoxAAuqUxL9JV1NsvODkJ049F8hRrrzhN8Vgx19D/w6oLWawaHuOahU67RYWh
+OGa3D72G0mClVFBABTV9YiAwkNnbkq3Nkclh6riWDjAO3RPKMo50yiAhLKSt2Z4N
+i0dMSIzZb8T9nq19T9JI1loyEG3oU+I97uWLyzrLe2WqCpSmdCTNd8PsD/0r+MxV
+QnBt1RFHda4z7r0fYLMw5oALXiNttPg6JdKByssgmYB6DYYw4f9ywMj1e8Jnn307
+6BXMweF0uOpGgy18HzgdfSjMNc3g9WKU86gTyAblAd1HALtdwe/VKgH1ZVJZoflT
+QnxzJDDjNbKE5OP7TOgzN9pLPCGwvQhpHDqGTTn+cTj5h9pQZcfq0vQQJ+MGzFWF
+kj0TUeLYs9FNnJt91Rpk+T96sOUypOrpPM9RdAEKp38qSMmZN8DJ83sga2b1OCqr
+zIcuQOBuXlKu9uD9g2cTquGGSG0vGvVSx0OXogUYEPS635AZbyZ9IqSntlDE+cnS
+mJt7jCQv+DVFVDUiyfLcdmPZk0U88hHdruKTbN3dc+a+OMddukPM4AepLKgdAWkQ
+F9et7SJ5VeiGiHgIwJaeu04VhD4DuQILo6xx7wxJIiPQ8H1sazdrikcn70hxMQwB
+yq1tBfQHTUfHmZBCytMVRR3sEQscv/7MBEhS9DXmNRYfIXrXKIE=
+=j1R3
+-----END PGP SIGNATURE-----
--- a/bind.spec
+++ b/bind.spec
@ -52,8 +52,8 @@
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.11.7
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version:  9.11.8
+Release:  1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -1511,6 +1511,9 @@ fi;


 %changelog
+* Tue Jul 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.8-1
+- Update to 9.11.8
+
 * Mon Jun 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-2
 - Fix OpenSSL random generator initialization

--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (bind-9.11.7.tar.gz) = eecf731c55b04f56385cda013c9444ee69c1ea23621fa77fece4389fda12fe5fc3fa43aec0d6cc5a2947eb90fb16a6c4d366a30dfc80f5d222e11ae1f059e665
+SHA512 (bind-9.11.8.tar.gz) = 0192d6e087cdbdebec171869d908c4326c2575d65ee5367a78ed9da26de357e017b0306349d66a6016a7ec80ad27f5f7f9f2db25002c6d0c78589dc473a015fc
 SHA512 (config-19.tar.bz2) = 36aa38a0c7c33267ae594b31c81681290ac58dde7ca6749bd599da531380b5b1428330813dbe983e01071ccaed83e83f6a9cd92179a53b7d0ccbb6851a0b017c