From 6e3b160e3724afd2d118c7343684ce6c0f2925f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 16 Apr 2020 10:53:28 +0200 Subject: [PATCH] Update to BIND 9.11.18 From Upstream Release notes: Security Fixes DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] Known Issues We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685] --- .gitignore | 2 ++ bind-9.11-kyua-pkcs11.patch | 34 +++++++++++++++++----------------- bind-9.11-tests-variants.patch | 20 ++++++++++---------- bind.spec | 5 ++++- sources | 4 ++-- 5 files changed, 35 insertions(+), 30 deletions(-) diff --git a/.gitignore b/.gitignore index 621325c..c48ee55 100644 --- a/.gitignore +++ b/.gitignore @@ -104,3 +104,5 @@ bind-9.7.2b1.tar.gz /bind-9.11.14.tar.gz.asc /bind-9.11.17.tar.gz /bind-9.11.17.tar.gz.asc +/bind-9.11.18.tar.gz +/bind-9.11.18.tar.gz.asc diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch index ac15d22..9cfa618 100644 --- a/bind-9.11-kyua-pkcs11.patch +++ b/bind-9.11-kyua-pkcs11.patch @@ -1,4 +1,4 @@ -From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001 +From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 2 Jan 2018 18:13:07 +0100 Subject: [PATCH] Fix pkcs11 variants atf tests @@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode 6 files changed, 38 insertions(+), 16 deletions(-) diff --git a/configure.ac b/configure.ac -index 0532feb..a83ddd5 100644 +index 62ecf56..0940a7d 100644 --- a/configure.ac +++ b/configure.ac -@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([ +@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([ lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile @@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644 include('isccfg/Kyuafile') include('lwres/Kyuafile') diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 7671e1d..e237d5c 100644 +index 22a06a8..5df5b15 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in @@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ - @DST_OPENSSL_INC@ + @DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS} -CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" +CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" @@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@ diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 4dbfd82..a383b8e 100644 +index a5bf46c..9ff2b76 100644 --- a/lib/dns-pkcs11/tests/dh_test.c +++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -86,7 +86,8 @@ dh_computesecret(void **state) { +@@ -88,7 +88,8 @@ dh_computesecret(void **state) { result = dst_key_computesecret(key, key, &buf); assert_int_equal(result, DST_R_NOTPRIVATEKEY); result = key->func->computesecret(key, key, &buf); @@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644 dst_key_free(&key); } diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in -index 2fdee0b..a263b35 100644 +index 36d2207..00dfbc9 100644 --- a/lib/isc-pkcs11/tests/Makefile.in +++ b/lib/isc-pkcs11/tests/Makefile.in @@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@ @@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@ diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c -index 9c4d299..d9deba2 100644 +index 4fafc38..5eb2be2 100644 --- a/lib/isc-pkcs11/tests/hash_test.c +++ b/lib/isc-pkcs11/tests/hash_test.c -@@ -85,7 +85,7 @@ typedef struct hash_testcase { +@@ -84,7 +84,7 @@ typedef struct hash_testcase { typedef struct hash_test_key { const char *key; @@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644 } hash_test_key_t; /* non-hmac tests */ -@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) { +@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha1_update(&hmacsha1, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) { +@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha224_update(&hmacsha224, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) { +@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha256_update(&hmacsha256, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) { +@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha384_update(&hmacsha384, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) { +@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644 isc_hmacsha512_update(&hmacsha512, (const uint8_t *) testcase->input, testcase->input_len); -@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) { +@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) { hash_test_key_t *test_key = test_keys; while (testcase->input != NULL && testcase->result != NULL) { @@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644 (const uint8_t *) testcase->input, testcase->input_len); -- -2.20.1 +2.21.1 diff --git a/bind-9.11-tests-variants.patch b/bind-9.11-tests-variants.patch index d983671..7f28397 100644 --- a/bind-9.11-tests-variants.patch +++ b/bind-9.11-tests-variants.patch @@ -1,4 +1,4 @@ -From 06a22ff20ac3d68fa1f995c91068b43392425e43 Mon Sep 17 00:00:00 2001 +From 9576e960ad3719aa9c1707734ad7ba0eccf16e5f Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 1 Mar 2019 15:48:20 +0100 Subject: [PATCH] Make alternative named builds testable in system tests @@ -13,14 +13,14 @@ export NAMED_VARIANT=-sdb DNSSEC_VARIANT= For pkcs variant use: export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11 --- - bin/tests/system/conf.sh.in | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) + bin/tests/system/conf.sh.in | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in -index 4b0fe39..f135af6 100644 +index 6f2dbcd..05605ae 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in -@@ -34,7 +34,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384 +@@ -37,7 +37,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384 DISABLED_ALGORITHM_NUMBER=14 DISABLED_BITS=384 @@ -29,7 +29,7 @@ index 4b0fe39..f135af6 100644 # We must use "named -l" instead of "lwresd" because argv[0] is lost # if the program is libtoolized. LWRESD="$TOP/bin/named/named -l" -@@ -45,13 +45,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate +@@ -48,14 +48,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen @@ -39,19 +39,19 @@ index 4b0fe39..f135af6 100644 -REVOKE=$TOP/bin/dnssec/dnssec-revoke -SETTIME=$TOP/bin/dnssec/dnssec-settime -DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey --IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey +KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT} +KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT} +SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT} +REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT} +SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT} +DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT} + HOST=$TOP/bin/dig/host +-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey +IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT} -+CHECKDS=$TOP/bin/python/dnssec-checkds CHECKDS=$TOP/bin/python/dnssec-checkds COVERAGE=$TOP/bin/python/dnssec-coverage KEYMGR=$TOP/bin/python/dnssec-keymgr -@@ -71,7 +72,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read +@@ -75,7 +75,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read MDIG=$TOP/bin/tools/mdig NZD2NZF=$TOP/bin/tools/named-nzd2nzf FSTRM_CAPTURE=@FSTRM_CAPTURE@ @@ -61,5 +61,5 @@ index 4b0fe39..f135af6 100644 RANDFILE=$TOP/bin/tests/system/random.data -- -2.20.1 +2.21.1 diff --git a/bind.spec b/bind.spec index a0e9182..5f411ed 100644 --- a/bind.spec +++ b/bind.spec @@ -63,7 +63,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.11.17 +Version: 9.11.18 Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ @@ -1600,6 +1600,9 @@ fi; %changelog +* Thu Apr 16 2020 Petr Menšík - 32:9.11.18-1 +- Update to 9.11.18 + * Tue Mar 31 2020 Petr Menšík - 32:9.11.17-1 - Update to 9.11.17 diff --git a/sources b/sources index d31ad61..d0ed2a0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.11.17.tar.gz) = 0c5aebd9763fdf61709d347abc79c898f62bcc6bc19bcae0e355804cfee3fd24d7054ebb574dce1987138e4a755c4bc963afb92f920ac15223c1a738d831b652 -SHA512 (bind-9.11.17.tar.gz.asc) = fb5c03facaf8530bf4168be6a106bc75517bb4b45e164fbadd20ce9968098e43badff854ca735b14cddbeb76f8cc10cfaf7cad760b7b630639a1c9243dd7c422 +SHA512 (bind-9.11.18.tar.gz) = 947a7f9f58ac40744c541b2c23ef3eb9d8b6ecc8e3bb4f4b102ba5aafcc20c58ad5e8bacdd338821369c1f7de9d1073c264208e45f054ff7e3a9391894b424ab +SHA512 (bind-9.11.18.tar.gz.asc) = aeeef8b211199a5d2715b63da9d648322241726e60b8cffae883bcec0e6335fd6c5ee431755a0bcb5b2a39ce540986edb0c9f51c6365aa226cff83ba358bac1a