Update to 9.18.32 (rhbz#2331675)

- Remove CHANGES file from package Removed Features: - Disable DLZ plugins, they are not shipped with bind anymore New Features: - new 2024 KSK root key Feature Changes: - max-records-per-type and max-types-per-name improved logging when reached over their value And NSEC3 and two dig bug fixes. https://downloads.isc.org/isc/bind9/9.18.32/doc/arm/html/notes.html#notes-for-bind-9-18-32 Resolves: RHEL-48798
2024-12-12 19:54:03 +01:00 · 2024-12-12 19:54:03 +01:00 · 491ec650e2
commit 491ec650e2
parent d0eb0f5c06
5 changed files with 33 additions and 63 deletions
--- a/.gitignore
+++ b/.gitignore
@ -226,3 +226,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.18.28.tar.xz.asc
 /bind-9.18.29.tar.xz
 /bind-9.18.29.tar.xz.asc
+/bind-9.18.32.tar.xz
+/bind-9.18.32.tar.xz.asc
--- a/bind-9.20-openssl-no-engine.patch
+++ b/bind-9.20-openssl-no-engine.patch
@ -1,47 +0,0 @@
-From b487bd340ae1b635ce5cffe76f748ddc97f301f7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Sat, 3 Aug 2024 01:28:36 +0200
-Subject: [PATCH] Remove unused <openssl/{hmac,engine}.h> headers from OpenSSL
- shims
-
-The <openssl/{hmac,engine}.h> headers were unused and including the
-<openssl/engine.h> header might cause build failure when OpenSSL
-doesn't have Engines support enabled.
-
-See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
---
- lib/isc/openssl_shim.c | 2 --
- lib/isc/openssl_shim.h | 2 --
- 2 files changed, 4 deletions(-)
-
-diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
-index c39ba8c6827..02d0105eb9e 100644
--- a/lib/isc/openssl_shim.c
-+++ b/lib/isc/openssl_shim.c
-@@ -16,9 +16,7 @@
- #include <string.h>
- 
- #include <openssl/crypto.h>
-#include <openssl/engine.h>
- #include <openssl/evp.h>
-#include <openssl/hmac.h>
- #include <openssl/opensslv.h>
- #include <openssl/ssl.h>
- 
-diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
-index b2916e20a90..95b2f08e231 100644
--- a/lib/isc/openssl_shim.h
-+++ b/lib/isc/openssl_shim.h
-@@ -14,9 +14,7 @@
- #pragma once
- 
- #include <openssl/crypto.h>
-#include <openssl/engine.h>
- #include <openssl/evp.h>
-#include <openssl/hmac.h>
- #include <openssl/opensslv.h>
- #include <openssl/ssl.h>
- 
-- 
-2.46.2
-
--- a/bind-9.5-PIE.patch
+++ b/bind-9.5-PIE.patch
@ -1,17 +1,28 @@
+From 13348a5fc64387bf53ef450688e181100d0ceddb Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 12 Dec 2024 15:56:13 +0100
+Subject: [PATCH] Harden named service build flags
+
+---
+ bin/named/Makefile.am | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
 diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
-index 57a023b..085f2f7 100644
+index 57a023b..b832e9c 100644
 --- a/bin/named/Makefile.am
 +++ b/bin/named/Makefile.am
-@@ -32,9 +32,12 @@ AM_CPPFLAGS +=				\
- endif HAVE_LIBXML2
+@@ -33,7 +33,10 @@ endif HAVE_LIBXML2
 
 AM_CPPFLAGS +=						\
-+	-fpie                                           \
 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
- 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
- 
-+AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+-	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"		\
+	-fpie
 +
+AM_LDFLAGS  += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+ 
 sbin_PROGRAMS = named
 
- nodist_named_SOURCES = xsl.c
+-- 
+2.47.1
+
--- a/bind.spec
+++ b/bind.spec
@ -9,7 +9,7 @@
 %bcond_without GSSTSIG
 %bcond_without JSON
 # FIXME: Not ready. Should it be worked on?
-%bcond_without DLZ
+%bcond_with    DLZ
 # New MaxMind GeoLite support
 %bcond_without GEOIP2
 # Disabled temporarily until kyua is fixed on rawhide, bug #1926779
@ -80,7 +80,10 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/string.c BSD-3-clause and/or MPL-2.0
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
-Version:  9.18.29
+#
+# Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it.
+# Updating just bind will cause freeipa-dns-server package to be uninstallable.
+Version:  9.18.32
 Release:  1%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
@ -118,9 +121,6 @@ Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
 Patch26: bind-9.18-unittest-netmgr-unstable.patch
-# Correct support for building without openssl/engine.h header
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9593
-Patch27: bind-9.20-openssl-no-engine.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -811,7 +811,7 @@ fi;
 %{_mandir}/man8/rndc-confgen.8*
 %{_mandir}/man1/named-journalprint.1*
 %{_mandir}/man8/filter-*.8.gz
-%doc CHANGES README.md named.conf.default
+%doc README.md named.conf.default
 %doc sample/

 # Hide configuration
@ -977,6 +977,10 @@ fi;
 %endif

 %changelog
+* Thu Dec 12 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.32-1
+- Update to 9.18.32 (RHEL-48798)
+- Remove CHANGES file from package
+
 * Tue Oct 29 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-1
 - Update to 9.18.29 (RHEL-48798)

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.18.29.tar.xz) = 6c2676e2e2cb90f3bd73afb367813c54d1c961e12df1e12e41b9d0ee5a1d5cdf368d81410469753eaef37e43358b56796f078f3b2f20c3b247c4bef91d56c716
-SHA512 (bind-9.18.29.tar.xz.asc) = 6612c7151c4c1736e0237b8219cefbafbc1dcd4b04ad9b12b99cba703e6debde90d2f9838dd1465a47b9a002a598d9b8f3221dfe1a3bdc41436a92e6d06db472
+SHA512 (bind-9.18.32.tar.xz) = fa01978ca44cb5d559d8675dda4272b1327aebc0dca68b2e7b948e8c1bbd82da74f6258d40896ddccf86711d554b7ed4c0df93143e78b663724466738ac1320d
+SHA512 (bind-9.18.32.tar.xz.asc) = b1b15734a90ec2df2da4a9f881fd9f9ea217a12e521b01d2cb06ff0f3305c80c933309d2bddf926e0ab647f4b925b4950c25c5d464ed276727dfbf6824387830