From 76074cd59a69a940a8d4d165d5ed1c77d397cd10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Thu, 25 Mar 2021 22:17:54 +0100
Subject: [PATCH] Update to 9.16.13
Reworked custom redhat version. Complete version is now part of library names. Libraries are not recommended for any third party application. They are still required for bind-dyndb-ldap only. Version of named changed, only suffix -RH is appended to upstream version. Therefore dig would not contain version 9.6.11-RedHat-9.6.11-1.fc34, but only 9.6.13-RH. Version of fedora build have to be obtained from rpm -q bind. Version is now part of library names, bind-libs-lite was merged to bind-libs. bind-dyndb-ldap needs whole bind, no point to offer smaller library set just for its dependencies. Updated also named(8) manual page to match current state of SELinux.
---
 .gitignore | 2 +
 bind-9.10-dist-native-pkcs11.patch | 67 +++++++++++-----------
 bind-9.11-fips-tests.patch | 86 +++++++++++++++++-----------
 bind-9.14-config-pkcs11.patch | 12 ++--
 bind-9.16-CVE-2020-8625.patch | 45 ---------------
 bind-9.16-redhat_doc.patch | 44 +++++---------
 bind-9.16-unit-tests-multicore.patch | 84 ---------------------------
 bind.spec | 71 +++++++++--------------
 bind99-rh640538.patch | 8 +--
 sources | 4 +-
 10 files changed, 142 insertions(+), 281 deletions(-)
 delete mode 100644 bind-9.16-CVE-2020-8625.patch
 delete mode 100644 bind-9.16-unit-tests-multicore.patch
diff --git a/.gitignore b/.gitignore
index 27084be..afa828e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -142,3 +142,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.16.10.tar.xz.asc
 /bind-9.16.11.tar.xz
 /bind-9.16.11.tar.xz.asc
+/bind-9.16.13.tar.xz
+/bind-9.16.13.tar.xz.asc
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
index 119884e..2003f1b 100644
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -1,4 +1,4 @@ -From 9091161562587fe7ab017fc4042143987514a643 Mon Sep 17 00:00:00 2001 +From 17c6e65cde059c98d48ae3b948aa157865d1c99c Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Thu, 21 Jan 2021 10:46:20 +0100 Subject: [PATCH] Enable custom pkcs11 native build @@ -151,7 +151,7 @@ index ace0e5a..e0f6a00 100644 dnssec-importkey.@O@ ${OBJS} ${LIBS} diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index 525f505..d517ec6 100644 +index 98125dd..518a75f 100644 --- a/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in @@ -37,13 +37,14 @@ DBDRIVER_LIBS = @@ -174,7 +174,7 @@ index 525f505..d517ec6 100644 ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ ${DBDRIVER_INCLUDES} \ -@@ -55,24 +56,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ +@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ ${LIBXML2_CFLAGS} \ ${MAXMINDDB_CFLAGS} @@ -204,7 +204,7 @@ index 525f505..d517ec6 100644 DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} -@@ -92,7 +93,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ +@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ SUBDIRS = unix @@ -213,7 +213,7 @@ index 525f505..d517ec6 100644 GEOIP2LINKOBJS = geoip.@O@ -@@ -150,7 +151,7 @@ server.@O@: server.c +@@ -151,7 +152,7 @@ server.@O@: server.c -DPRODUCT=\"${PRODUCT}\" \ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c @@ -222,7 +222,7 @@ index 525f505..d517ec6 100644 export MAKE_SYMTABLE="yes"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \ ${FINALBUILDCMD} -@@ -160,7 +161,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c +@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -c ${top_srcdir}/bin/tests/system/feature-test.c 
@@ -231,7 +231,7 @@ index 525f505..d517ec6 100644 ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} -@@ -179,11 +180,11 @@ statschannel.@O@: bind9.xsl.h +@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} @@ -247,10 +247,10 @@ index 525f505..d517ec6 100644 @DLZ_DRIVER_RULES@ diff --git a/configure.ac b/configure.ac -index 02e36a7..f1f50fe 100644 +index 08a7d8a..4d762c9 100644 --- a/configure.ac +++ b/configure.ac -@@ -1245,12 +1245,14 @@ AC_SUBST(USE_GSSAPI) +@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" @@ -265,7 +265,7 @@ index 02e36a7..f1f50fe 100644 # # was --with-lmdb specified? -@@ -2344,6 +2346,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) +@@ -2352,6 +2354,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) AC_SUBST(BIND9_NS_BUILDINCLUDE) AC_SUBST(BIND9_BIND9_BUILDINCLUDE) AC_SUBST(BIND9_IRS_BUILDINCLUDE) @@ -274,7 +274,7 @@ index 02e36a7..f1f50fe 100644 if test "X$srcdir" != "X"; then BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2352,6 +2356,8 @@ if test "X$srcdir" != "X"; then +@@ -2360,6 +2364,8 @@ if test "X$srcdir" != "X"; then BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" @@ -283,7 +283,7 @@ index 02e36a7..f1f50fe 100644 else BIND9_ISC_BUILDINCLUDE="" BIND9_ISCCC_BUILDINCLUDE="" -@@ -2360,6 +2366,8 @@ else +@@ -2368,6 +2374,8 @@ else BIND9_NS_BUILDINCLUDE="" BIND9_BIND9_BUILDINCLUDE="" BIND9_IRS_BUILDINCLUDE="" 
@@ -292,7 +292,7 @@ index 02e36a7..f1f50fe 100644 fi AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2830,8 +2838,11 @@ AC_CONFIG_FILES([ +@@ -2823,8 +2831,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -304,7 +304,7 @@ index 02e36a7..f1f50fe 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/plugins/Makefile -@@ -2893,6 +2904,10 @@ AC_CONFIG_FILES([ +@@ -2886,6 +2897,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -315,7 +315,7 @@ index 02e36a7..f1f50fe 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -2925,6 +2940,10 @@ AC_CONFIG_FILES([ +@@ -2918,6 +2933,10 @@ AC_CONFIG_FILES([ lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile @@ -340,10 +340,10 @@ index ffa2d5a..6fbc192 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 8de85bf..d5c3c2b 100644 +index 283b7f2..a234dc5 100644 --- a/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in -@@ -26,7 +26,7 @@ VERSION=@BIND9_VERSION@ +@@ -24,7 +24,7 @@ VERSION=@BIND9_VERSION@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ @@ -352,7 +352,7 @@ index 8de85bf..d5c3c2b 100644 ${ISC_INCLUDES} \ ${FSTRM_CFLAGS} \ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ -@@ -36,7 +36,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +@@ -34,7 +34,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ ${LMDB_CFLAGS} \ ${MAXMINDDB_CFLAGS} @@ -361,8 +361,8 @@ index 8de85bf..d5c3c2b 100644 CWARNINGS = -@@ -142,15 +142,15 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ +@@ -137,15 +137,15 @@ version.@O@: version.c + -DMAPAPI=\"${MAPAPI}\" \ -c ${srcdir}/version.c -libdns.@SA@: ${OBJS} 
@@ -375,13 +375,13 @@ index 8de85bf..d5c3c2b 100644 ${LIBTOOL_MODE_LINK} \ - ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + -release "${VERSION}" \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} include: gen ${MAKE} include/dns/enumtype.h -@@ -181,22 +181,22 @@ gen: gen.c +@@ -176,22 +176,22 @@ gen: gen.c ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_LIBS} ${LFS_LIBS} @@ -410,16 +410,17 @@ index 8de85bf..d5c3c2b 100644 rm -f include/dns/rdatastruct.h rm -f dnstap.pb-c.c dnstap.pb-c.h diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index a56c7d3..768ead8 100644 +index 3bb5e01..c96fe7d 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -15,14 +15,14 @@ VERSION=@BIND9_VERSION@ +@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ +CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ + ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ + ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ -CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" +CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" @@ -433,10 +434,10 @@ index a56c7d3..768ead8 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index d00ddaf..b867afe 100644 +index f126f1f..21b20e4 100644 --- a/lib/ns-pkcs11/Makefile.in +++ b/lib/ns-pkcs11/Makefile.in -@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ +@@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ 
@@ -452,7 +453,7 @@ index d00ddaf..b867afe 100644 CWARNINGS = -@@ -33,9 +33,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ +@@ -31,9 +31,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ @@ -464,8 +465,8 @@ index d00ddaf..b867afe 100644 LIBS = @LIBS@ -@@ -67,28 +67,28 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ +@@ -62,28 +62,28 @@ version.@O@: version.c + -DMAJOR=\"${MAJOR}\" \ -c ${srcdir}/version.c -libns.@SA@: ${OBJS} @@ -478,7 +479,7 @@ index d00ddaf..b867afe 100644 ${LIBTOOL_MODE_LINK} \ - ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + -release "${VERSION}" \ - ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} @@ -530,10 +531,10 @@ index 4c3e694..c1b6d99 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ diff --git a/make/includes.in b/make/includes.in -index 5373a7e..f1901ee 100644 +index b8317d3..b73b0c4 100644 --- a/make/includes.in +++ b/make/includes.in -@@ -41,3 +41,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ +@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ TEST_INCLUDES = \ -I${top_srcdir}/lib/tests/include diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 03d7ad1..51927a4 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From cb648b203af5bf9085ad78d021f47c3baeb9b6e0 Mon Sep 17 00:00:00 2001 +From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes 
@@ -82,7 +82,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 11 +++- + bin/tests/system/nsupdate/tests.sh | 15 +++-- bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/tests.sh | 23 ++++--- bin/tests/system/tsig/ns1/named.conf.in | 10 +-- @@ -91,11 +91,11 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 33 files changed, 160 insertions(+), 106 deletions(-) + 33 files changed, 162 insertions(+), 108 deletions(-) create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 0ea6502..026db3f 100644 +index 60f22e1..249f672 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -33,12 +33,12 @@ options { @@ -114,7 +114,7 @@ index 0ea6502..026db3f 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index b877880..d8f50be 100644 +index ada97bc..f82d858 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -33,12 +33,12 @@ options { @@ -133,7 +133,7 @@ index b877880..d8f50be 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 0a95062..aa54088 100644 +index 97684e4..de6a2e9 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -33,17 +33,17 @@ options { @@ -158,7 +158,7 @@ index 0a95062..aa54088 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 7cdcb6e..606a345 100644 +index 462b3fa..994b35c 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in 
+++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -33,12 +33,12 @@ options { @@ -177,7 +177,7 @@ index 7cdcb6e..606a345 100644 }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 7e20bac..9753a9d 100644 +index 728da58..8f00d09 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -35,12 +35,12 @@ options { @@ -196,7 +196,7 @@ index 7e20bac..9753a9d 100644 }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index b4d3045..ebbc798 100644 +index be59d64..13d5bdc 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -322,7 +322,7 @@ index b4d3045..ebbc798 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index c5f38c9..00db0da 100644 +index 7d43e36..f7b25f9 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -10,7 +10,7 @@ @@ -335,7 +335,7 @@ index c5f38c9..00db0da 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 56e5cc4..2c32b71 100644 +index 2952518..121557e 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -10,12 +10,12 @@ @@ -354,7 +354,7 @@ index 56e5cc4..2c32b71 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 8381950..21a6366 100644 +index 0c01071..ceabbb5 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -10,7 +10,7 @@ @@ -367,7 +367,7 @@ index 8381950..21a6366 100644 }; 
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index 0e5ff55..a90ed6a 100644 +index 4c17292..9cd9d1f 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -10,7 +10,7 @@ @@ -380,7 +380,7 @@ index 0e5ff55..a90ed6a 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index faadb3f..b99f337 100644 +index a2690a4..f488730 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -10,12 +10,12 @@ @@ -399,7 +399,7 @@ index faadb3f..b99f337 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index 9e78dd0..ea7a413 100644 +index a0708c8..51fa457 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -10,7 +10,7 @@ @@ -412,7 +412,7 @@ index 9e78dd0..ea7a413 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index f4bc399..e01f312 100644 +index 687768e..d24d6d2 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; @@ -431,7 +431,7 @@ index f4bc399..e01f312 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index 4cb2709..c0884cf 100644 +index fe40635..543c663 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 @@ -516,7 +516,7 @@ index 4cb2709..c0884cf 100644 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d37..c353766 100644 +index 1218669..e62715e 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,5 +61,5 @@ zone "catalog4.example" { @@ -527,7 +527,7 @@ index 74b7d37..c353766 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efb..35ced08 100644 +index 30333e6..4005152 100644 --- a/bin/tests/system/catz/ns2/named.conf.in +++ b/bin/tests/system/catz/ns2/named.conf.in @@ -70,5 +70,5 @@ zone "catalog4.example" { @@ -551,10 +551,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 0dabe54..d55c51b 100644 +index e09b9e8..2e824b3 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -204,6 +204,6 @@ dyndb "name" "library.so" { +@@ -210,6 +210,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -563,7 +563,7 @@ index 0dabe54..d55c51b 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 4a90332..2f85b44 100644 +index 877504f..577660a 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -14,6 +14,7 @@ @@ -574,7 +574,7 @@ index 4a90332..2f85b44 100644 #include #include #include -@@ -177,6 +178,19 @@ main(int argc, char **argv) { +@@ -186,6 +187,19 @@ main(int argc, char **argv) { #endif /* ifdef DLZ_FILESYSTEM */ } @@ -595,7 +595,7 @@ index 4a90332..2f85b44 100644 #ifdef HAVE_LIBIDN2 return (0); diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 2976bfc..256d846 100644 +index 1ee8df4..2b75d9a 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ 
@@ -644,10 +644,10 @@ index 3d7e0b7..ec4d9a7 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 346b647..c018fb4 100644 +index b51e700..436c97d 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -33,7 +33,7 @@ controls { +@@ -37,7 +37,7 @@ controls { }; key altkey { @@ -657,7 +657,7 @@ index 346b647..c018fb4 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index b703843..8bfe2b0 100644 +index da6b3b4..c547e47 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -32,7 +32,7 @@ controls { @@ -687,13 +687,13 @@ index c055da3..4e1242b 100644 $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index b15fa2d..cb7979b 100755 +index b35d797..41c128e 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -797,7 +797,14 @@ fi n=`expr $n + 1` ret=0 - echo_i "check TSIG key algorithms ($n)" + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +if $FEATURETEST --md5 +then 
@@ -715,6 +715,24 @@ index b15fa2d..cb7979b 100755 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then +@@ -816,7 +823,7 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -y) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 + server 10.53.0.1 ${PORT} +@@ -825,7 +832,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index b59e7a7..04d5f5a 100644 --- a/bin/tests/system/rndc/setup.sh @@ -729,7 +747,7 @@ index b59e7a7..04d5f5a 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 78508f3..a2a201e 100644 +index 9fd84ed..d0b188f 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -763,7 +781,7 @@ index 78508f3..a2a201e 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 4ee703f..635434e 100644 +index 3470c4f..cf539cd 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -21,10 +21,7 @@ options { @@ -911,7 +929,7 @@ index 38d842a..668aa6f 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index ea42b4d..08676da 100644 +index 3873c7c..b359a5a 100644 
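Review bot: The two `for alg in $ALGS; do` loops added for the "nsupdate -y" check rely on `ALGS` having been assigned by the earlier "nsupdate -k" block, and that assignment is outside the lines shown here. If the variable is ever empty (for example after the earlier block is reordered or skipped), both loops run zero times, `ret` stays 0, and the check reports success without exercising any TSIG algorithm. A guard ahead of the first loop, such as `[ -n "$ALGS" ] || ret=1`, would make that case fail visibly instead of passing vacuously. A short comment at the `-y` block noting that `ALGS` is inherited from the previous test would also help the next person who edits either block.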
--- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ @@ -924,10 +942,10 @@ index ea42b4d..08676da 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index ecd91a6..be9993a 100644 +index a50c896..8062d68 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh -@@ -66,7 +66,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "updating zone (signed) ($n)" ret=0 diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch index 58b492b..0d62df6 100644 --- a/bind-9.14-config-pkcs11.patch +++ b/bind-9.14-config-pkcs11.patch @@ -1,4 +1,4 @@ -From c42c0ff6f6e0e920356d99b9ed26ed52544621c2 Mon Sep 17 00:00:00 2001 +From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 18 Oct 2019 21:30:52 +0200 Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h @@ -26,10 +26,10 @@ index 1b7512d..c126bf3 100644 ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ diff --git a/configure.ac b/configure.ac -index eaa6b12..2ff68a5 100644 +index f5483fe..08a7d8a 100644 --- a/configure.ac +++ b/configure.ac -@@ -900,10 +900,14 @@ AC_SUBST([PKCS11_TEST]) +@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST]) AC_SUBST([PKCS11_TOOLS]) AC_SUBST([PKCS11_MANS]) @@ -47,7 +47,7 @@ index eaa6b12..2ff68a5 100644 # preparation for automake # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 116e2d2..99bdf5b 100644 +index 2c3b4a3..55e9dc4 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -38,6 +38,13 @@ 
@@ -64,9 +64,9 @@ index 116e2d2..99bdf5b 100644 #if USE_PKCS11 #include #include -@@ -98,11 +105,10 @@ struct dst_key { +@@ -116,11 +123,10 @@ struct dst_key { void *generic; - gss_ctx_id_t gssctx; + dns_gss_ctx_id_t gssctx; DH *dh; -#if USE_OPENSSL - EVP_PKEY *pkey; diff --git a/bind-9.16-CVE-2020-8625.patch b/bind-9.16-CVE-2020-8625.patch deleted file mode 100644 index ce92a48..0000000 --- a/bind-9.16-CVE-2020-8625.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Thu, 7 Jan 2021 10:44:46 +0100 -Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation - -The ISC SPNEGO implementation is based on mod_auth_kerb code. When -CVE-2006-5989 was disclosed, the relevant fix was not applied to the -BIND 9 codebase, making the latter vulnerable to the aforementioned flaw -when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in -named.conf. - -The original description of CVE-2006-5989 was: - - Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 - allows remote attackers to cause a denial of service (crash) via a - crafted Kerberos message that triggers a heap-based buffer overflow - in the component array. - -Later research revealed that this flaw also theoretically enables remote -code execution, though achieving the latter in real-world conditions is -currently deemed very difficult. - -This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND -TKEY Query Heap-based Buffer Overflow Remote Code Execution -Vulnerability") by Trend Micro Zero Day Initiative. ---- - lib/dns/spnego.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c -index e61d1c600f..753dc8049f 100644 ---- a/lib/dns/spnego.c -+++ b/lib/dns/spnego.c -@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) { - return (ASN1_OVERRUN); - } - -- data->components = malloc(len * sizeof(*data->components)); -+ data->components = malloc((len + 1) * sizeof(*data->components)); - if (data->components == NULL) { - return (ENOMEM); - } --- -2.26.2 - diff --git a/bind-9.16-redhat_doc.patch b/bind-9.16-redhat_doc.patch index 15c8a41..ef76e16 100644 --- a/bind-9.16-redhat_doc.patch +++ b/bind-9.16-redhat_doc.patch 
@@ -1,4 +1,4 @@ -From 86fd25f3f0c5189fa93e10c6afa1a1cffe639ade Mon Sep 17 00:00:00 2001 +From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Wed, 17 Jun 2020 23:17:13 +0200 Subject: [PATCH] Update man named with Red Hat specifics @@ -6,14 +6,14 @@ Subject: [PATCH] Update man named with Red Hat specifics This is almost unmodified text and requires revalidation. Some of those statements are no longer correct. --- - bin/named/named.rst | 49 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 49 insertions(+) + bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) diff --git a/bin/named/named.rst b/bin/named/named.rst -index 3c54a67..c44b6d7 100644 +index 6fd8f87..3cd6350 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst -@@ -228,6 +228,55 @@ Files +@@ -228,6 +228,41 @@ Files ``/var/run/named/named.pid`` The default process-id file. @@ -24,7 +24,7 @@ index 3c54a67..c44b6d7 100644 + +By default, Red Hat ships BIND with the most secure SELinux policy +that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities . See the selinux(8) man page ++of all known BIND security vulnerabilities. See the selinux(8) man page +for information about SElinux. + +It is not necessary to run named in a chroot environment if the Red Hat 
@@ -34,37 +34,23 @@ index 3c54a67..c44b6d7 100644 + +*With this extra security comes some restrictions:* + -+By default, the SELinux policy does not allow named to write any master -+zone database files. Only the root user may create files in the $ROOTDIR/var/named -+zone database file directory (the options { "directory" } option), where -+$ROOTDIR is set in /etc/sysconfig/named. ++By default, the SELinux policy does not allow named to write outside directory ++/var/named. That directory used to be read-only for named, but write access is ++enabled by default now. + +The "named" group must be granted read privelege to +these files in order for named to be enabled to read them. ++Any file updated by named must be writeable by named user or named group. + +Any file created in the zone database file directory is automatically assigned +the SELinux file context *named_zone_t* . + -+By default, SELinux prevents any role from modifying *named_zone_t* files; this -+means that files in the zone database directory cannot be modified by dynamic -+DNS (DDNS) updates or zone transfers. -+ +The Red Hat BIND distribution and SELinux policy creates three directories where -+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* -+*/var/named/data*. By placing files you want named to modify, such as -+slave or DDNS updateable zone files and database / statistics dump files in -+these directories, named will work normally and no further operator action is -+required. Files in these directories are automatically assigned the '*named_cache_t*' -+file context, which SELinux allows named to write. -+ -+**Red Hat BIND SDB support:** -+ -+Red Hat ships named with compiled in Simplified Database Backend modules that ISC -+provides in the "contrib/sdb" directory. Install **bind-sdb** package if you want use them -+ -+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into *named-sdb*. 
-+ -+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . ++named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* ++*/var/named/data*. The service is able to write and file under */var/named* with appropriate ++permissions. They are used for better organisation of zones and backward compatibility. ++Files in these directories are automatically assigned the '*named_cache_t*' ++file context, which SELinux always allows named to write. + See Also ~~~~~~~~ diff --git a/bind-9.16-unit-tests-multicore.patch b/bind-9.16-unit-tests-multicore.patch deleted file mode 100644 index 8ca0448..0000000 --- a/bind-9.16-unit-tests-multicore.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 0175b942efc2fb6a05a2c76d62a9fb9157141757 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 20 Jan 2021 01:01:52 +0100 -Subject: [PATCH] Workaround errors in unit test on 56 CPU machine - -hp.c should be just implementation detail, but unit tests use it -repeatedly without resetting tid_v_base. Reset the base counter, when -number of processors is configured. Configure it when creating network -manager. - -Use id of current thread as a base. Should be usually 0, but must not be -below id of the main thread. ---- - bin/named/main.c | 7 ------- - lib/isc/hp.c | 1 + - lib/isc/netmgr/netmgr.c | 8 ++++++++ - 3 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/bin/named/main.c b/bin/named/main.c -index 9836de9d7f..d1be43a632 100644 ---- a/bin/named/main.c -+++ b/bin/named/main.c -@@ -24,7 +24,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -909,12 +908,6 @@ create_managers(void) { - "using %u UDP listener%s per interface", named_g_udpdisp, - named_g_udpdisp == 1 ? "" : "s"); - -- /* -- * We have ncpus network threads, ncpus worker threads, ncpus -- * old network threads - make it 4x just to be safe. The memory -- * impact is negligible. 
-- */ -- isc_hp_init(4 * named_g_cpus); - named_g_nm = isc_nm_start(named_g_mctx, named_g_cpus); - if (named_g_nm == NULL) { - UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_nm_start() failed"); -diff --git a/lib/isc/hp.c b/lib/isc/hp.c -index 3ea13bbe24..e4a98afc82 100644 ---- a/lib/isc/hp.c -+++ b/lib/isc/hp.c -@@ -95,6 +95,7 @@ void - isc_hp_init(int max_threads) { - isc__hp_max_threads = max_threads; - isc__hp_max_retired = max_threads * HP_MAX_HPS; -+ atomic_store_release(&tid_v_base, tid()); - } - - isc_hp_t * -diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c -index 46f0758620..e3469f4c3a 100644 ---- a/lib/isc/netmgr/netmgr.c -+++ b/lib/isc/netmgr/netmgr.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -238,6 +239,13 @@ isc_nm_start(isc_mem_t *mctx, uint32_t workers) { - atomic_init(&mgr->keepalive, 30000); - atomic_init(&mgr->advertised, 30000); - -+ /* -+ * We have ncpus network threads, ncpus worker threads, ncpus -+ * old network threads - make it 4x just to be safe. The memory -+ * impact is negligible. -+ */ -+ isc_hp_init(4 * workers); -+ - isc_mutex_init(&mgr->reqlock); - isc_mempool_create(mgr->mctx, sizeof(isc__nm_uvreq_t), &mgr->reqpool); - isc_mempool_setname(mgr->reqpool, "nm_reqpool"); --- -2.26.2 - diff --git a/bind.spec b/bind.spec index 70a7b73..234dbcb 100644 --- a/bind.spec +++ b/bind.spec 
@@ -54,20 +54,15 @@ # # significant changes: # no more isc-config.sh and bind9-config - -# lib*.so.X versions of selected libraries -%global sover_dns 1611 -%global sover_isc 1609 -%global sover_irs 1601 -%global sover_isccfg 1603 -%global sover_ns 1607 +# lib*.so.X versions of selected libraries no longer provided, +# lib*-%%{version}-RH.so is provided as an internal implementation detail Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.16.11 -Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Version: 9.16.13 +Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -119,10 +114,6 @@ Patch157:bind-9.11-fips-tests.patch Patch164:bind-9.11-rh1666814.patch Patch170:bind-9.11-feature-test-named.patch Patch171:bind-9.11-tests-variants.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4582 -Patch172:bind-9.16-unit-tests-multicore.patch -# https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5 -Patch173:bind-9.16-CVE-2020-8625.patch Requires(post): systemd Requires(preun): systemd @@ -208,7 +199,6 @@ Summary: Bind with native PKCS#11 functionality for crypto Requires: systemd Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: softhsm 
@@ -247,18 +237,11 @@ This a set of development files for BIND libraries (dns, isc) compiled with native PKCS#11 functionality. %endif -%package libs-lite -Summary: Libraries for working with the DNS protocol -Requires: bind-license = %{epoch}:%{version}-%{release} - -%description libs-lite -Contains lite version of BIND suite libraries which are used by various -programs to work with DNS protocol. - %package libs Summary: Libraries used by the BIND DNS packages Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Provides: bind-libs-lite = %{epoch}:%{version}-%{release} +Obsoletes: bind-libs-lite < 32:9.16.13 %description libs Contains heavyweight version of BIND suite libraries used by both named DNS @@ -273,7 +256,6 @@ Contains license of the BIND DNS suite. %package utils Summary: Utilities for querying DNS name servers -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} # For compatibility with Debian package Provides: dnsutils = %{epoch}:%{version}-%{release} @@ -290,7 +272,7 @@ servers. %package dnssec-utils Summary: DNSSEC keys and zones management utilities -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: bind-utils Requires: python3-bind = %{epoch}:%{version}-%{release} Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release} 
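Review bot: The compatibility `Provides: bind-libs-lite = %{epoch}:%{version}-%{release}` added to `%package libs` has no arch-qualified counterpart, although every dependency this diff removes was spelled `bind-libs-lite%{?_isa}`. A package outside this spec that still requires the `%{?_isa}` form would no longer resolve after the merge, which can hold a host back on an older bind build. Adding `Provides: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}` next to the existing line keeps both spellings satisfiable. A one-line comment above `Obsoletes: bind-libs-lite < 32:9.16.13`, saying that the bound is the release where the subpackage was merged and must not be bumped with later updates, would also help.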
@@ -310,14 +292,13 @@ BuildArch:noarch %description dnssec-doc Bind-dnssec-doc contains manual pages for bind-dnssec-utils. + %package devel -Summary: Header files and libraries needed for BIND DNS development +Summary: Header files and libraries needed for bind-dyndb-ldap Provides: bind-lite-devel = %{epoch}:%{version}-%{release} Obsoletes: bind-lite-devel < 32:9.16.6-3 -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} -# Not required by headers, but "isc-config.sh --libs isc" requires it Requires: libcap-devel%{?_isa} %if %{with GSSTSIG} Requires: krb5-devel%{?_isa} @@ -336,7 +317,8 @@ Requires: libmaxminddb-devel%{?_isa} %description devel The bind-devel package contains full version of the header files and libraries -required for development with ISC BIND 9 +required for building bind-dyndb-ldap. Upstream no longer supports nor recommends +bind libraries for third party applications. %endif %package chroot @@ -436,8 +418,6 @@ in HTML and PDF format. %patch164 -p1 -b .rh1666814 %patch170 -p1 -b .featuretest-named %patch171 -p1 -b .test-variant -%patch172 -p1 -b .multicore -%patch173 -p1 -b .CVE-2020-8625 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -487,7 +467,7 @@ export STD_CDEFINES="$CPPFLAGS" sed -i -e \ -'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \ +'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \ version libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f @@ -904,7 +884,6 @@ fi /bin/systemctl try-restart named.service >/dev/null 2>&1 || : %ldconfig_scriptlets libs -%ldconfig_scriptlets libs-lite %if %{with PKCS11} %ldconfig_scriptlets pkcs11-libs 
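Review bot: The rewritten `sed` expression `'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/'` in the `@@ -487,7 +467,7 @@` hunk has no comment explaining its two consequences. The reported version no longer carries `%{release}`, so the version string alone cannot show which downstream security backports a build contains. The same suffix also appears to end up in the library file names listed under `%files libs`. A comment above the `sed` would cover both, for example `# Suffix only: the banner no longer shows the package release; use "rpm -q bind" to identify the build` and `# The -RH suffix is also part of the lib*-%%{version}-RH.so names`. The pattern is also unanchored, so `s/^RELEASEVER=\(.*\)$/RELEASEVER=\1-RH/` would limit the edit to the assignment line. The surrounding `%build` section starts and ends outside this hunk.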
@@ -990,15 +969,13 @@ fi; %dir /run/named %files libs -%{_libdir}/libbind9.so.1600* -%{_libdir}/libisccc.so.1600* -%{_libdir}/libns.so.%{sover_ns}* - -%files libs-lite -%{_libdir}/libdns.so.%{sover_dns}* -%{_libdir}/libirs.so.%{sover_irs}* -%{_libdir}/libisc.so.%{sover_isc}* -%{_libdir}/libisccfg.so.%{sover_isccfg}* +%{_libdir}/libbind9-%{version}*.so +%{_libdir}/libisccc-%{version}*.so +%{_libdir}/libns-%{version}*.so +%{_libdir}/libdns-%{version}*.so +%{_libdir}/libirs-%{version}*.so +%{_libdir}/libisc-%{version}*.so +%{_libdir}/libisccfg-%{version}*.so %files license %{!?_licensedir:%global license %%doc} @@ -1123,8 +1100,8 @@ fi; %{_mandir}/man8/dnssec*-pkcs11.8* %files pkcs11-libs -%{_libdir}/libdns-pkcs11.so.%{sover_dns}* -%{_libdir}/libns-pkcs11.so.%{sover_ns}* +%{_libdir}/libdns-pkcs11-%{version}*.so +%{_libdir}/libns-pkcs11-%{version}*.so %files pkcs11-devel %{_includedir}/bind9/pk11/*.h @@ -1168,6 +1145,12 @@ fi; %endif %changelog +* Thu Mar 25 2021 Petr Menšík - 32:9.16.13-1 +- Update to 9.16.13 +- Changed displayed version just to include -RH suffix, not release +- Version is now part of library names, soname versions are no longer provided +- Removed bind-libs-lite subpackage + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 32:9.16.11-6 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. diff --git a/bind99-rh640538.patch b/bind99-rh640538.patch index 30e0a03..833c476 100644 --- a/bind99-rh640538.patch +++ b/bind99-rh640538.patch @@ -1,4 +1,4 @@ -From 8b0a284d551d24ec2323713a5641b783b6e1baaa Mon Sep 17 00:00:00 2001 +From d3c58d860737f0f70eff05edad77e0b2a90d4cb9 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 19 Jun 2020 18:48:23 +0200 Subject: [PATCH] .rh640538 @@ -8,11 +8,11 @@ Subject: [PATCH] .rh640538 1 file changed, 20 insertions(+) diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst -index 3c899ce..46c9885 100644 +index bef52ba..9f16607 100644 --- a/bin/dig/dig.rst 
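Review bot: The new `%files libs` entries use an open glob, e.g. `%{_libdir}/libdns-%{version}*.so`, while the comment added at the top of the spec names the files exactly as `lib*-%%{version}-RH.so`. If the names are as that comment states, writing `%{_libdir}/libdns-%{version}-RH.so` (and likewise for the other six libraries) makes packaging fail loudly when the suffix changes, instead of silently picking up an unexpected file. The same applies to the two `%files pkcs11-libs` lines in the `@@ -1123,8 +1100,8 @@` hunk, e.g. `%{_libdir}/libdns-pkcs11-%{version}-RH.so`.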
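Review bot: The changelog entry added in the `@@ -1168,6 +1145,12 @@` hunk does not record that two downstream patches were dropped, one of them a security fix. `Patch173:bind-9.16-CVE-2020-8625.patch` and `Patch172:bind-9.16-unit-tests-multicore.patch` are removed earlier in this file, together with their `%patch` lines. Presumably both are contained in the new upstream tarball, but nothing in the spec says so, and anyone auditing the package for that CVE has to rediscover it. A line such as `- Dropped CVE-2020-8625 and unit-tests-multicore patches, included in upstream release` would close the gap, once the inclusion has been confirmed against the upstream release notes.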
+++ b/bin/dig/dig.rst -@@ -616,6 +616,26 @@ like to turn off the IDN support for some reason, use parameters - ``+noidnin`` and ``+noidnout`` or define the IDN_DISABLE environment +@@ -615,6 +615,26 @@ To turn off IDN support, use the parameters + ``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment variable. +Return Codes diff --git a/sources b/sources index e157acd..cc951ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.16.11.tar.xz) = 5ed632df7c74f5e6693db9b378450ea3073b8002e9924df1d0465f8b8edb933df3a853d3965a290a0477a67ca2bfa79f679d7e344db08a65462860c58d04dc1b -SHA512 (bind-9.16.11.tar.xz.asc) = 90f548c13f617b4f0db2bfe0af9e357cd67ebcfff861114c2d45a3b33867070023cac2112f30ba965d2260d43c46d5e739c05143e44fa78ee1df1e0c8478ecdf +SHA512 (bind-9.16.13.tar.xz) = 1f3c8f54dd2c9e18cd9b67cfebb645d0a8e8f566add07fc4690cb8820bf81640c33b2b0685cb8be095e0f9ac84b2cf78176aea841a30c27d547b569b8353b07b +SHA512 (bind-9.16.13.tar.xz.asc) = 636c5101f31092b1a0251c923676583afed69eb1e7ff625d3d7b2088c66014090e9676a61e332e553e4283872c5e641db1c09fbf76871e52938715163d61dd2e