From 585cc3f41add0d8edf4185f215276218db4103e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Fri, 9 Aug 2024 12:37:35 +0200
Subject: [PATCH] Minor fix of reclimit test backport

Fix local rebuilds on Fedora. BIND 9.16 does not work well with fortify source level 3. Fix also DEFAULT_HMAC not properly set in tests, failing reclimit test. That was issue only of backport.

Resolves: RHEL-49900
---
 bind-9.16-CVE-2024-1737-records-test2.patch | 27 +++++++++++++++++++++
 bind.spec | 11 ++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 bind-9.16-CVE-2024-1737-records-test2.patch

diff --git a/bind-9.16-CVE-2024-1737-records-test2.patch b/bind-9.16-CVE-2024-1737-records-test2.patch
new file mode 100644
index 0000000..3684c7d
--- /dev/null
+++ b/bind-9.16-CVE-2024-1737-records-test2.patch
@@ -0,0 +1,27 @@
+From 7bc5e5abf5a3cd66f11cc649b6ecf4c39c92bd9e Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Fri, 9 Aug 2024 12:32:20 +0200
+Subject: [PATCH] fixup! Add test for not-loading and not-transfering huge
+ RRSets
+
+---
+ bin/tests/system/conf.sh.common | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
+index 9fab00f..e617595 100644
+--- a/bin/tests/system/conf.sh.common
++++ b/bin/tests/system/conf.sh.common
+@@ -301,6 +301,9 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
+ DISABLED_ALGORITHM_NUMBER=14
+ DISABLED_BITS=384
++
++# Default HMAC algorithm.
++export DEFAULT_HMAC=hmac-sha256
++
+ #
+ # Useful functions in test scripts
+ #
+--
+2.45.2
+
diff --git a/bind.spec b/bind.spec
index af12e2d..1901dde 100644
--- a/bind.spec
+++ b/bind.spec
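Review bot: The added `export DEFAULT_HMAC=hmac-sha256` in the conf.sh.common hunk is the only exported setting next to the plain `DISABLED_ALGORITHM*` assignments, and its one-line comment says neither who consumes it nor why it must be exported, so a later reader cannot tell whether the `export` is deliberate (the value has to reach subprocesses spawned by test scripts) or an accident that should match its siblings. The commit message says only the backported reclimit test needs it; if this line mirrors the definition that exists in newer upstream conf.sh.common, the comment should say so, so the fixup can be dropped on the next rebase. A comment along the lines of `# Default HMAC algorithm for TSIG/rndc keys generated by tests (the backported reclimit test needs it); keep in sync with the shared key fixtures under common/` would cover that, with the fixture coupling stated only if those fixtures actually hard-code an algorithm, which is not visible here. The rest of conf.sh.common lies outside the hunk.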
@@ -33,6 +33,9 @@
 %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
 
 %global selinuxbooleans named_write_master_zones=1
+
+# BIND 9.16 does not work with fortify 3 level, make builds work on Fedora
+%global _fortify_level 2
 ## The order of libs is important. See lib/Makefile.in for details
 %define bind_export_libs isc dns isccfg irs
 %{!?_export_dir:%global _export_dir /bind9-export/}
@@ -51,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 23%{?dist}
+Release: 24%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -169,6 +172,8 @@ Patch211: bind-9.16-CVE-2024-1737-records-test.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/3f1826f2f78792e95f56da7af3a35c46b4d6d9af
 Patch212: bind-9.16-CVE-2024-1737-types.patch
 Patch213: bind-9.16-CVE-2024-1737-types-test.patch
+# backport issue fix
+Patch214: bind-9.16-CVE-2024-1737-records-test2.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -513,6 +518,7 @@ in HTML and PDF format.
 %patch211 -p1 -b .CVE-2024-1737-records-test
 %patch212 -p1 -b .CVE-2024-1737-types
 %patch213 -p1 -b .CVE-2024-1737-types-test
+%patch214 -p1 -b .CVE-2024-1737-records-test2
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1241,6 +1247,9 @@ fi;
 %endif
 
 %changelog
+* Fri Aug 09 2024 Petr Menšík - 32:9.16.23-24
+- Minor fix of reclimit test backport (CVE-2024-1737)
+
 * Wed Aug 07 2024 Petr Menšík - 32:9.16.23-23
 - Backport addition of max-records-per-type and max-records-per-type options
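Review bot: `%global _fortify_level 2` in the first hunk lowers `-D_FORTIFY_SOURCE` for every binary the package builds, named included, yet the comment records neither what breaks under level 3 (a compile error versus a runtime `*** buffer overflow detected ***` abort in the test suite, say) nor a tracker reference, so nobody can later judge when the override is safe to drop. Trading away hardening on a network-facing daemon deserves its rationale next to the override, for example `# Build with -D_FORTIFY_SOURCE=2: BIND 9.16 fails under level 3 (the Fedora default on recent releases, as I recall); see RHEL-49900. Weakens hardening for all binaries, drop once fixed upstream`. Since the commit message describes this as a fix for local Fedora rebuilds, guarding it with `%if 0%{?fedora}` would leave the RHEL build untouched, though if the RHEL default is already 2 that guard is only documentary.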
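Review bot: The `# backport issue fix` comment above `Patch214` in the third hunk is the only patch in this list without a pointer to what it contains, while its neighbours cite the upstream commit URL they were taken from; a test-only, non-upstream fixup is exactly the kind of patch that silently survives rebases. Replace it with something a future maintainer can act on, such as `# RHEL-49900: defines DEFAULT_HMAC in conf.sh.common for the backported reclimit test; local fixup, not an upstream commit, drop when rebasing past 9.16`.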