From 9f34324bc0cfe2cdd85e71d1a43645404da6bed0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 25 Mar 2021 22:17:54 +0100 Subject: [PATCH] Update to 9.16.13 Reworked custom redhat version. Complete version is now part of library names. Libraries are not recommended for any third party application. They are still required for bind-dyndb-ldap only. Version of named changed, only suffix -RH is appended to upstream version. Therefore dig would not contain version 9.6.11-RedHat-9.6.11-1.fc34, but only 9.6.13-RH. Version of fedora build have to be obtained from rpm -q bind. Version is now part of library names, bind-libs-lite was merged to bind-libs. bind-dyndb-ldap needs whole bind, no point to offer smaller library set just for its dependencies. Updated also named(8) manual page to match current state of SELinux. (cherry picked from commit 76074cd59a69a940a8d4d165d5ed1c77d397cd10) Resolves: rhbz#1956777 --- .gitignore | 2 + bind-9.10-dist-native-pkcs11.patch | 67 +++++++++++----------- bind-9.11-fips-tests.patch | 86 +++++++++++++++++----------- bind-9.14-config-pkcs11.patch | 12 ++-- bind-9.16-CVE-2020-8625.patch | 45 --------------- bind-9.16-redhat_doc.patch | 44 +++++--------- bind-9.16-unit-tests-multicore.patch | 84 --------------------------- bind.spec | 71 +++++++++-------------- bind99-rh640538.patch | 8 +-- sources | 4 +- 10 files changed, 142 insertions(+), 281 deletions(-) delete mode 100644 bind-9.16-CVE-2020-8625.patch delete mode 100644 bind-9.16-unit-tests-multicore.patch diff --git a/.gitignore b/.gitignore index 27084be..afa828e 100644 --- a/.gitignore +++ b/.gitignore @@ -142,3 +142,5 @@ bind-9.7.2b1.tar.gz /bind-9.16.10.tar.xz.asc /bind-9.16.11.tar.xz /bind-9.16.11.tar.xz.asc +/bind-9.16.13.tar.xz +/bind-9.16.13.tar.xz.asc diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index 119884e..2003f1b 100644 --- a/bind-9.10-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch 
@@ -1,4 +1,4 @@ -From 9091161562587fe7ab017fc4042143987514a643 Mon Sep 17 00:00:00 2001 +From 17c6e65cde059c98d48ae3b948aa157865d1c99c Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Thu, 21 Jan 2021 10:46:20 +0100 Subject: [PATCH] Enable custom pkcs11 native build @@ -151,7 +151,7 @@ index ace0e5a..e0f6a00 100644 dnssec-importkey.@O@ ${OBJS} ${LIBS} diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index 525f505..d517ec6 100644 +index 98125dd..518a75f 100644 --- a/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in @@ -37,13 +37,14 @@ DBDRIVER_LIBS = @@ -174,7 +174,7 @@ index 525f505..d517ec6 100644 ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ ${DBDRIVER_INCLUDES} \ -@@ -55,24 +56,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ +@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ ${LIBXML2_CFLAGS} \ ${MAXMINDDB_CFLAGS} @@ -204,7 +204,7 @@ index 525f505..d517ec6 100644 DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} -@@ -92,7 +93,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ +@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ SUBDIRS = unix @@ -213,7 +213,7 @@ index 525f505..d517ec6 100644 GEOIP2LINKOBJS = geoip.@O@ -@@ -150,7 +151,7 @@ server.@O@: server.c +@@ -151,7 +152,7 @@ server.@O@: server.c -DPRODUCT=\"${PRODUCT}\" \ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c @@ -222,7 +222,7 @@ index 525f505..d517ec6 100644 export MAKE_SYMTABLE="yes"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \ ${FINALBUILDCMD} -@@ -160,7 +161,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c +@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -c ${top_srcdir}/bin/tests/system/feature-test.c 
@@ -231,7 +231,7 @@ index 525f505..d517ec6 100644 ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} -@@ -179,11 +180,11 @@ statschannel.@O@: bind9.xsl.h +@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} @@ -247,10 +247,10 @@ index 525f505..d517ec6 100644 @DLZ_DRIVER_RULES@ diff --git a/configure.ac b/configure.ac -index 02e36a7..f1f50fe 100644 +index 08a7d8a..4d762c9 100644 --- a/configure.ac +++ b/configure.ac -@@ -1245,12 +1245,14 @@ AC_SUBST(USE_GSSAPI) +@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" @@ -265,7 +265,7 @@ index 02e36a7..f1f50fe 100644 # # was --with-lmdb specified? -@@ -2344,6 +2346,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) +@@ -2352,6 +2354,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) AC_SUBST(BIND9_NS_BUILDINCLUDE) AC_SUBST(BIND9_BIND9_BUILDINCLUDE) AC_SUBST(BIND9_IRS_BUILDINCLUDE) @@ -274,7 +274,7 @@ index 02e36a7..f1f50fe 100644 if test "X$srcdir" != "X"; then BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2352,6 +2356,8 @@ if test "X$srcdir" != "X"; then +@@ -2360,6 +2364,8 @@ if test "X$srcdir" != "X"; then BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" @@ -283,7 +283,7 @@ index 02e36a7..f1f50fe 100644 else BIND9_ISC_BUILDINCLUDE="" BIND9_ISCCC_BUILDINCLUDE="" -@@ -2360,6 +2366,8 @@ else +@@ -2368,6 +2374,8 @@ else BIND9_NS_BUILDINCLUDE="" BIND9_BIND9_BUILDINCLUDE="" BIND9_IRS_BUILDINCLUDE="" 
@@ -292,7 +292,7 @@ index 02e36a7..f1f50fe 100644 fi AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2830,8 +2838,11 @@ AC_CONFIG_FILES([ +@@ -2823,8 +2831,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -304,7 +304,7 @@ index 02e36a7..f1f50fe 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/plugins/Makefile -@@ -2893,6 +2904,10 @@ AC_CONFIG_FILES([ +@@ -2886,6 +2897,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -315,7 +315,7 @@ index 02e36a7..f1f50fe 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -2925,6 +2940,10 @@ AC_CONFIG_FILES([ +@@ -2918,6 +2933,10 @@ AC_CONFIG_FILES([ lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile @@ -340,10 +340,10 @@ index ffa2d5a..6fbc192 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 8de85bf..d5c3c2b 100644 +index 283b7f2..a234dc5 100644 --- a/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in -@@ -26,7 +26,7 @@ VERSION=@BIND9_VERSION@ +@@ -24,7 +24,7 @@ VERSION=@BIND9_VERSION@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ @@ -352,7 +352,7 @@ index 8de85bf..d5c3c2b 100644 ${ISC_INCLUDES} \ ${FSTRM_CFLAGS} \ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ -@@ -36,7 +36,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +@@ -34,7 +34,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ ${LMDB_CFLAGS} \ ${MAXMINDDB_CFLAGS} @@ -361,8 +361,8 @@ index 8de85bf..d5c3c2b 100644 CWARNINGS = -@@ -142,15 +142,15 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ +@@ -137,15 +137,15 @@ version.@O@: version.c + -DMAPAPI=\"${MAPAPI}\" \ -c ${srcdir}/version.c -libdns.@SA@: ${OBJS} 
@@ -375,13 +375,13 @@ index 8de85bf..d5c3c2b 100644 ${LIBTOOL_MODE_LINK} \ - ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + -release "${VERSION}" \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} include: gen ${MAKE} include/dns/enumtype.h -@@ -181,22 +181,22 @@ gen: gen.c +@@ -176,22 +176,22 @@ gen: gen.c ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_LIBS} ${LFS_LIBS} @@ -410,16 +410,17 @@ index 8de85bf..d5c3c2b 100644 rm -f include/dns/rdatastruct.h rm -f dnstap.pb-c.c dnstap.pb-c.h diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index a56c7d3..768ead8 100644 +index 3bb5e01..c96fe7d 100644 --- a/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -15,14 +15,14 @@ VERSION=@BIND9_VERSION@ +@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ +CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ + ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ + ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ -CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" +CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" @@ -433,10 +434,10 @@ index a56c7d3..768ead8 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index d00ddaf..b867afe 100644 +index f126f1f..21b20e4 100644 --- a/lib/ns-pkcs11/Makefile.in +++ b/lib/ns-pkcs11/Makefile.in -@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ +@@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ 
@@ -452,7 +453,7 @@ index d00ddaf..b867afe 100644 CWARNINGS = -@@ -33,9 +33,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ +@@ -31,9 +31,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ @@ -464,8 +465,8 @@ index d00ddaf..b867afe 100644 LIBS = @LIBS@ -@@ -67,28 +67,28 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ +@@ -62,28 +62,28 @@ version.@O@: version.c + -DMAJOR=\"${MAJOR}\" \ -c ${srcdir}/version.c -libns.@SA@: ${OBJS} @@ -478,7 +479,7 @@ index d00ddaf..b867afe 100644 ${LIBTOOL_MODE_LINK} \ - ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + -release "${VERSION}" \ - ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} @@ -530,10 +531,10 @@ index 4c3e694..c1b6d99 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ diff --git a/make/includes.in b/make/includes.in -index 5373a7e..f1901ee 100644 +index b8317d3..b73b0c4 100644 --- a/make/includes.in +++ b/make/includes.in -@@ -41,3 +41,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ +@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ TEST_INCLUDES = \ -I${top_srcdir}/lib/tests/include diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 03d7ad1..51927a4 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From cb648b203af5bf9085ad78d021f47c3baeb9b6e0 Mon Sep 17 00:00:00 2001 +From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes 
@@ -82,7 +82,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 11 +++- + bin/tests/system/nsupdate/tests.sh | 15 +++-- bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/tests.sh | 23 ++++--- bin/tests/system/tsig/ns1/named.conf.in | 10 +-- @@ -91,11 +91,11 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 33 files changed, 160 insertions(+), 106 deletions(-) + 33 files changed, 162 insertions(+), 108 deletions(-) create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 0ea6502..026db3f 100644 +index 60f22e1..249f672 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in @@ -33,12 +33,12 @@ options { @@ -114,7 +114,7 @@ index 0ea6502..026db3f 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index b877880..d8f50be 100644 +index ada97bc..f82d858 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in @@ -33,12 +33,12 @@ options { @@ -133,7 +133,7 @@ index b877880..d8f50be 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 0a95062..aa54088 100644 +index 97684e4..de6a2e9 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in @@ -33,17 +33,17 @@ options { @@ -158,7 +158,7 @@ index 0a95062..aa54088 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 7cdcb6e..606a345 100644 +index 462b3fa..994b35c 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in 
+++ b/bin/tests/system/acl/ns2/named4.conf.in @@ -33,12 +33,12 @@ options { @@ -177,7 +177,7 @@ index 7cdcb6e..606a345 100644 }; diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 7e20bac..9753a9d 100644 +index 728da58..8f00d09 100644 --- a/bin/tests/system/acl/ns2/named5.conf.in +++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -35,12 +35,12 @@ options { @@ -196,7 +196,7 @@ index 7e20bac..9753a9d 100644 }; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index b4d3045..ebbc798 100644 +index be59d64..13d5bdc 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh @@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -322,7 +322,7 @@ index b4d3045..ebbc798 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index c5f38c9..00db0da 100644 +index 7d43e36..f7b25f9 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in @@ -10,7 +10,7 @@ @@ -335,7 +335,7 @@ index c5f38c9..00db0da 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 56e5cc4..2c32b71 100644 +index 2952518..121557e 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in @@ -10,12 +10,12 @@ @@ -354,7 +354,7 @@ index 56e5cc4..2c32b71 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 8381950..21a6366 100644 +index 0c01071..ceabbb5 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in @@ -10,7 +10,7 @@ @@ -367,7 +367,7 @@ index 8381950..21a6366 100644 }; 
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index 0e5ff55..a90ed6a 100644 +index 4c17292..9cd9d1f 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in @@ -10,7 +10,7 @@ @@ -380,7 +380,7 @@ index 0e5ff55..a90ed6a 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index faadb3f..b99f337 100644 +index a2690a4..f488730 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in @@ -10,12 +10,12 @@ @@ -399,7 +399,7 @@ index faadb3f..b99f337 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index 9e78dd0..ea7a413 100644 +index a0708c8..51fa457 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in @@ -10,7 +10,7 @@ @@ -412,7 +412,7 @@ index 9e78dd0..ea7a413 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index f4bc399..e01f312 100644 +index 687768e..d24d6d2 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in @@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; @@ -431,7 +431,7 @@ index f4bc399..e01f312 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index 4cb2709..c0884cf 100644 +index fe40635..543c663 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh @@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 @@ -516,7 +516,7 @@ index 4cb2709..c0884cf 100644 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi 
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 74b7d37..c353766 100644 +index 1218669..e62715e 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,5 +61,5 @@ zone "catalog4.example" { @@ -527,7 +527,7 @@ index 74b7d37..c353766 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index ee83efb..35ced08 100644 +index 30333e6..4005152 100644 --- a/bin/tests/system/catz/ns2/named.conf.in +++ b/bin/tests/system/catz/ns2/named.conf.in @@ -70,5 +70,5 @@ zone "catalog4.example" { @@ -551,10 +551,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 0dabe54..d55c51b 100644 +index e09b9e8..2e824b3 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -204,6 +204,6 @@ dyndb "name" "library.so" { +@@ -210,6 +210,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -563,7 +563,7 @@ index 0dabe54..d55c51b 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 4a90332..2f85b44 100644 +index 877504f..577660a 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -14,6 +14,7 @@ @@ -574,7 +574,7 @@ index 4a90332..2f85b44 100644 #include #include #include -@@ -177,6 +178,19 @@ main(int argc, char **argv) { +@@ -186,6 +187,19 @@ main(int argc, char **argv) { #endif /* ifdef DLZ_FILESYSTEM */ } @@ -595,7 +595,7 @@ index 4a90332..2f85b44 100644 #ifdef HAVE_LIBIDN2 return (0); diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 2976bfc..256d846 100644 +index 1ee8df4..2b75d9a 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in @@ -10,17 +10,17 @@ 
@@ -644,10 +644,10 @@ index 3d7e0b7..ec4d9a7 100644 grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index 346b647..c018fb4 100644 +index b51e700..436c97d 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -33,7 +33,7 @@ controls { +@@ -37,7 +37,7 @@ controls { }; key altkey { @@ -657,7 +657,7 @@ index 346b647..c018fb4 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index b703843..8bfe2b0 100644 +index da6b3b4..c547e47 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in @@ -32,7 +32,7 @@ controls { @@ -687,13 +687,13 @@ index c055da3..4e1242b 100644 $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index b15fa2d..cb7979b 100755 +index b35d797..41c128e 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -797,7 +797,14 @@ fi n=`expr $n + 1` ret=0 - echo_i "check TSIG key algorithms ($n)" + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +if $FEATURETEST --md5 +then 
@@ -715,6 +715,24 @@ index b15fa2d..cb7979b 100755 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then +@@ -816,7 +823,7 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -y) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 + server 10.53.0.1 ${PORT} +@@ -825,7 +832,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh index b59e7a7..04d5f5a 100644 --- a/bin/tests/system/rndc/setup.sh @@ -729,7 +747,7 @@ index b59e7a7..04d5f5a 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 78508f3..a2a201e 100644 +index 9fd84ed..d0b188f 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -763,7 +781,7 @@ index 78508f3..a2a201e 100644 n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 4ee703f..635434e 100644 +index 3470c4f..cf539cd 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in @@ -21,10 +21,7 @@ options { @@ -911,7 +929,7 @@ index 38d842a..668aa6f 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index ea42b4d..08676da 100644 +index 3873c7c..b359a5a 100644 
--- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in @@ -10,7 +10,7 @@ @@ -924,10 +942,10 @@ index ea42b4d..08676da 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index ecd91a6..be9993a 100644 +index a50c896..8062d68 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh -@@ -66,7 +66,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "updating zone (signed) ($n)" ret=0 diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch index 58b492b..0d62df6 100644 --- a/bind-9.14-config-pkcs11.patch +++ b/bind-9.14-config-pkcs11.patch @@ -1,4 +1,4 @@ -From c42c0ff6f6e0e920356d99b9ed26ed52544621c2 Mon Sep 17 00:00:00 2001 +From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 18 Oct 2019 21:30:52 +0200 Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h @@ -26,10 +26,10 @@ index 1b7512d..c126bf3 100644 ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ diff --git a/configure.ac b/configure.ac -index eaa6b12..2ff68a5 100644 +index f5483fe..08a7d8a 100644 --- a/configure.ac +++ b/configure.ac -@@ -900,10 +900,14 @@ AC_SUBST([PKCS11_TEST]) +@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST]) AC_SUBST([PKCS11_TOOLS]) AC_SUBST([PKCS11_MANS]) @@ -47,7 +47,7 @@ index eaa6b12..2ff68a5 100644 # preparation for automake # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 116e2d2..99bdf5b 100644 +index 2c3b4a3..55e9dc4 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -38,6 +38,13 @@ 
@@ -64,9 +64,9 @@ index 116e2d2..99bdf5b 100644 #if USE_PKCS11 #include #include -@@ -98,11 +105,10 @@ struct dst_key { +@@ -116,11 +123,10 @@ struct dst_key { void *generic; - gss_ctx_id_t gssctx; + dns_gss_ctx_id_t gssctx; DH *dh; -#if USE_OPENSSL - EVP_PKEY *pkey; diff --git a/bind-9.16-CVE-2020-8625.patch b/bind-9.16-CVE-2020-8625.patch deleted file mode 100644 index ce92a48..0000000 --- a/bind-9.16-CVE-2020-8625.patch +++ /dev/null 
@@ -1,45 +0,0 @@
-From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
-Date: Thu, 7 Jan 2021 10:44:46 +0100
-Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation
-
-The ISC SPNEGO implementation is based on mod_auth_kerb code. When
-CVE-2006-5989 was disclosed, the relevant fix was not applied to the
-BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
-when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
-named.conf.
-
-The original description of CVE-2006-5989 was:
-
- Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
- allows remote attackers to cause a denial of service (crash) via a
- crafted Kerberos message that triggers a heap-based buffer overflow
- in the component array.
-
-Later research revealed that this flaw also theoretically enables remote
-code execution, though achieving the latter in real-world conditions is
-currently deemed very difficult.
-
-This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
-TKEY Query Heap-based Buffer Overflow Remote Code Execution
-Vulnerability") by Trend Micro Zero Day Initiative.
----
- lib/dns/spnego.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
-index e61d1c600f..753dc8049f 100644
---- a/lib/dns/spnego.c
-+++ b/lib/dns/spnego.c
-@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
- return (ASN1_OVERRUN);
- }
-
-- data->components = malloc(len * sizeof(*data->components));
-+ data->components = malloc((len + 1) * sizeof(*data->components));
- if (data->components == NULL) {
- return (ENOMEM);
- }
---
-2.26.2
-
diff --git a/bind-9.16-redhat_doc.patch b/bind-9.16-redhat_doc.patch
index 15c8a41..ef76e16 100644
--- a/bind-9.16-redhat_doc.patch
+++ b/bind-9.16-redhat_doc.patch
@@ -1,4 +1,4 @@ -From 86fd25f3f0c5189fa93e10c6afa1a1cffe639ade Mon Sep 17 00:00:00 2001 +From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Wed, 17 Jun 2020 23:17:13 +0200 Subject: [PATCH] Update man named with Red Hat specifics @@ -6,14 +6,14 @@ Subject: [PATCH] Update man named with Red Hat specifics This is almost unmodified text and requires revalidation. Some of those statements are no longer correct. --- - bin/named/named.rst | 49 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 49 insertions(+) + bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) diff --git a/bin/named/named.rst b/bin/named/named.rst -index 3c54a67..c44b6d7 100644 +index 6fd8f87..3cd6350 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst -@@ -228,6 +228,55 @@ Files +@@ -228,6 +228,41 @@ Files ``/var/run/named/named.pid`` The default process-id file. @@ -24,7 +24,7 @@ index 3c54a67..c44b6d7 100644 + +By default, Red Hat ships BIND with the most secure SELinux policy +that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities . See the selinux(8) man page ++of all known BIND security vulnerabilities. See the selinux(8) man page +for information about SElinux. + +It is not necessary to run named in a chroot environment if the Red Hat 
@@ -34,37 +34,23 @@ index 3c54a67..c44b6d7 100644 + +*With this extra security comes some restrictions:* + -+By default, the SELinux policy does not allow named to write any master -+zone database files. Only the root user may create files in the $ROOTDIR/var/named -+zone database file directory (the options { "directory" } option), where -+$ROOTDIR is set in /etc/sysconfig/named. ++By default, the SELinux policy does not allow named to write outside directory ++/var/named. That directory used to be read-only for named, but write access is ++enabled by default now. + +The "named" group must be granted read privelege to +these files in order for named to be enabled to read them. ++Any file updated by named must be writeable by named user or named group. + +Any file created in the zone database file directory is automatically assigned +the SELinux file context *named_zone_t* . + -+By default, SELinux prevents any role from modifying *named_zone_t* files; this -+means that files in the zone database directory cannot be modified by dynamic -+DNS (DDNS) updates or zone transfers. -+ +The Red Hat BIND distribution and SELinux policy creates three directories where -+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* -+*/var/named/data*. By placing files you want named to modify, such as -+slave or DDNS updateable zone files and database / statistics dump files in -+these directories, named will work normally and no further operator action is -+required. Files in these directories are automatically assigned the '*named_cache_t*' -+file context, which SELinux allows named to write. -+ -+**Red Hat BIND SDB support:** -+ -+Red Hat ships named with compiled in Simplified Database Backend modules that ISC -+provides in the "contrib/sdb" directory. Install **bind-sdb** package if you want use them -+ -+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into *named-sdb*. 
-+ -+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . ++named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* ++*/var/named/data*. The service is able to write and file under */var/named* with appropriate ++permissions. They are used for better organisation of zones and backward compatibility. ++Files in these directories are automatically assigned the '*named_cache_t*' ++file context, which SELinux always allows named to write. + See Also ~~~~~~~~ diff --git a/bind-9.16-unit-tests-multicore.patch b/bind-9.16-unit-tests-multicore.patch deleted file mode 100644 index 8ca0448..0000000 --- a/bind-9.16-unit-tests-multicore.patch +++ /dev/null 
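Review bot: The rewritten SELinux paragraph in the `@@ -34,37 +34,23 @@` hunk now tells administrators that named can write anywhere under `/var/named`, but it never says what that means for zone files named should not be able to alter; a sentence such as `Zone files that named must never modify should not be writable by the named user or group.` would make the consequence explicit. Two wording slips in the added text change its meaning: `able to write and file under` presumably means `able to write any file under`, and `named were allowed` should read `named was allowed`. The sentence touched in the earlier `@@ -24,7 +24,7 @@` hunk still promises that the policy will `prevent exploitation of all known BIND security vulnerabilities`, which overstates what SELinux confinement does; `limit the impact of` would be accurate. The inner patch's own description already says the text requires revalidation, so this rebase is a reasonable place to do it.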
@@ -1,84 +0,0 @@
-From 0175b942efc2fb6a05a2c76d62a9fb9157141757 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Wed, 20 Jan 2021 01:01:52 +0100
-Subject: [PATCH] Workaround errors in unit test on 56 CPU machine
-
-hp.c should be just implementation detail, but unit tests use it
-repeatedly without resetting tid_v_base. Reset the base counter, when
-number of processors is configured. Configure it when creating network
-manager.
-
-Use id of current thread as a base. Should be usually 0, but must not be
-below id of the main thread.
----
- bin/named/main.c | 7 -------
- lib/isc/hp.c | 1 +
- lib/isc/netmgr/netmgr.c | 8 ++++++++
- 3 files changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/bin/named/main.c b/bin/named/main.c
-index 9836de9d7f..d1be43a632 100644
---- a/bin/named/main.c
-+++ b/bin/named/main.c
-@@ -24,7 +24,6 @@
- #include
- #include
- #include
--#include
- #include
- #include
- #include
-@@ -909,12 +908,6 @@ create_managers(void) {
- "using %u UDP listener%s per interface", named_g_udpdisp,
- named_g_udpdisp == 1 ? "" : "s");
-
-- /*
-- * We have ncpus network threads, ncpus worker threads, ncpus
-- * old network threads - make it 4x just to be safe. The memory
-- * impact is negligible.
-- */
-- isc_hp_init(4 * named_g_cpus);
- named_g_nm = isc_nm_start(named_g_mctx, named_g_cpus);
- if (named_g_nm == NULL) {
- UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_nm_start() failed");
-diff --git a/lib/isc/hp.c b/lib/isc/hp.c
-index 3ea13bbe24..e4a98afc82 100644
---- a/lib/isc/hp.c
-+++ b/lib/isc/hp.c
-@@ -95,6 +95,7 @@ void
- isc_hp_init(int max_threads) {
- isc__hp_max_threads = max_threads;
- isc__hp_max_retired = max_threads * HP_MAX_HPS;
-+ atomic_store_release(&tid_v_base, tid());
- }
-
- isc_hp_t *
-diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
-index 46f0758620..e3469f4c3a 100644
---- a/lib/isc/netmgr/netmgr.c
-+++ b/lib/isc/netmgr/netmgr.c
-@@ -17,6 +17,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -238,6 +239,13 @@ isc_nm_start(isc_mem_t *mctx, uint32_t workers) {
- atomic_init(&mgr->keepalive, 30000);
- atomic_init(&mgr->advertised, 30000);
-
-+ /*
-+ * We have ncpus network threads, ncpus worker threads, ncpus
-+ * old network threads - make it 4x just to be safe. The memory
-+ * impact is negligible.
-+ */
-+ isc_hp_init(4 * workers);
-+
- isc_mutex_init(&mgr->reqlock);
- isc_mempool_create(mgr->mctx, sizeof(isc__nm_uvreq_t), &mgr->reqpool);
- isc_mempool_setname(mgr->reqpool, "nm_reqpool");
---
-2.26.2
-
diff --git a/bind.spec b/bind.spec
index 7747134..b17e8dc 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,20 +54,15 @@ # # significant changes: # no more isc-config.sh and bind9-config - -# lib*.so.X versions of selected libraries -%global sover_dns 1611 -%global sover_isc 1609 -%global sover_irs 1601 -%global sover_isccfg 1603 -%global sover_ns 1607 +# lib*.so.X versions of selected libraries no longer provided, +# lib*-%%{version}-RH.so is provided as an internal implementation detail Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.16.11 -Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Version: 9.16.13 +Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -119,10 +114,6 @@ Patch157:bind-9.11-fips-tests.patch Patch164:bind-9.11-rh1666814.patch Patch170:bind-9.11-feature-test-named.patch Patch171:bind-9.11-tests-variants.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4582 -Patch172:bind-9.16-unit-tests-multicore.patch -# https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5 -Patch173:bind-9.16-CVE-2020-8625.patch Requires(post): systemd Requires(preun): systemd @@ -208,7 +199,6 @@ Summary: Bind with native PKCS#11 functionality for crypto Requires: systemd Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: softhsm 
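Review bot: Dropping `Patch173:bind-9.16-CVE-2020-8625.patch` in the `@@ -119,10 +114,6 @@` hunk, together with its `%patch173` line in the later `%prep` hunk, leaves no record in the spec that the fix is still present after the rebase. Presumably upstream 9.16.13 already contains the referenced commit, but anyone auditing the package history for this CVE has only the silent removal to go on. I would add a line to the new `%changelog` entry, for example `- Removed bind-9.16-CVE-2020-8625.patch, fix is included in the upstream release`, and a matching line for the dropped unit-tests-multicore patch.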
@@ -247,18 +237,11 @@ This a set of development files for BIND libraries (dns, isc) compiled with native PKCS#11 functionality. %endif -%package libs-lite -Summary: Libraries for working with the DNS protocol -Requires: bind-license = %{epoch}:%{version}-%{release} - -%description libs-lite -Contains lite version of BIND suite libraries which are used by various -programs to work with DNS protocol. - %package libs Summary: Libraries used by the BIND DNS packages Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Provides: bind-libs-lite = %{epoch}:%{version}-%{release} +Obsoletes: bind-libs-lite < 32:9.16.13 %description libs Contains heavyweight version of BIND suite libraries used by both named DNS @@ -273,7 +256,6 @@ Contains license of the BIND DNS suite. %package utils Summary: Utilities for querying DNS name servers -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} # For compatibility with Debian package Provides: dnsutils = %{epoch}:%{version}-%{release} @@ -290,7 +272,7 @@ servers. %package dnssec-utils Summary: DNSSEC keys and zones management utilities -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: bind-utils Requires: python3-bind = %{epoch}:%{version}-%{release} Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release} 
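Review bot: The new `Provides: bind-libs-lite = %{epoch}:%{version}-%{release}` in the `libs` package is not arch-qualified, while every dependency this commit removes was written as `bind-libs-lite%{?_isa}`. A package outside this spec that still carries such an arch-specific requirement would presumably stop resolving once `Obsoletes: bind-libs-lite < 32:9.16.13` takes effect. Adding `Provides: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}` next to the existing line keeps both forms satisfiable.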
@@ -310,14 +292,13 @@ BuildArch:noarch %description dnssec-doc Bind-dnssec-doc contains manual pages for bind-dnssec-utils. + %package devel -Summary: Header files and libraries needed for BIND DNS development +Summary: Header files and libraries needed for bind-dyndb-ldap Provides: bind-lite-devel = %{epoch}:%{version}-%{release} Obsoletes: bind-lite-devel < 32:9.16.6-3 -Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} -# Not required by headers, but "isc-config.sh --libs isc" requires it Requires: libcap-devel%{?_isa} %if %{with GSSTSIG} Requires: krb5-devel%{?_isa} @@ -336,7 +317,8 @@ Requires: libmaxminddb-devel%{?_isa} %description devel The bind-devel package contains full version of the header files and libraries -required for development with ISC BIND 9 +required for building bind-dyndb-ldap. Upstream no longer supports nor recommends +bind libraries for third party applications. %endif %package chroot @@ -436,8 +418,6 @@ in HTML and PDF format. %patch164 -p1 -b .rh1666814 %patch170 -p1 -b .featuretest-named %patch171 -p1 -b .test-variant -%patch172 -p1 -b .multicore -%patch173 -p1 -b .CVE-2020-8625 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -487,7 +467,7 @@ export STD_CDEFINES="$CPPFLAGS" sed -i -e \ -'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \ +'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \ version libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f @@ -904,7 +884,6 @@ fi /bin/systemctl try-restart named.service >/dev/null 2>&1 || : %ldconfig_scriptlets libs -%ldconfig_scriptlets libs-lite %if %{with PKCS11} %ldconfig_scriptlets pkcs11-libs 
@@ -990,15 +969,13 @@ fi; %dir /run/named %files libs -%{_libdir}/libbind9.so.1600* -%{_libdir}/libisccc.so.1600* -%{_libdir}/libns.so.%{sover_ns}* - -%files libs-lite -%{_libdir}/libdns.so.%{sover_dns}* -%{_libdir}/libirs.so.%{sover_irs}* -%{_libdir}/libisc.so.%{sover_isc}* -%{_libdir}/libisccfg.so.%{sover_isccfg}* +%{_libdir}/libbind9-%{version}*.so +%{_libdir}/libisccc-%{version}*.so +%{_libdir}/libns-%{version}*.so +%{_libdir}/libdns-%{version}*.so +%{_libdir}/libirs-%{version}*.so +%{_libdir}/libisc-%{version}*.so +%{_libdir}/libisccfg-%{version}*.so %files license %{!?_licensedir:%global license %%doc} @@ -1123,8 +1100,8 @@ fi; %{_mandir}/man8/dnssec*-pkcs11.8* %files pkcs11-libs -%{_libdir}/libdns-pkcs11.so.%{sover_dns}* -%{_libdir}/libns-pkcs11.so.%{sover_ns}* +%{_libdir}/libdns-pkcs11-%{version}*.so +%{_libdir}/libns-pkcs11-%{version}*.so %files pkcs11-devel %{_includedir}/bind9/pk11/*.h @@ -1168,6 +1145,12 @@ fi; %endif %changelog +* Thu Apr 15 2021 Petr Menšík - 32:9.16.13-1 +- Update to 9.16.13 +- Changed displayed version just to include -RH suffix, not release +- Version is now part of library names, soname versions are no longer provided +- Removed bind-libs-lite subpackage + * Thu Apr 15 2021 Mohan Boddu - 32:9.16.11-6 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 diff --git a/bind99-rh640538.patch b/bind99-rh640538.patch index 30e0a03..833c476 100644 --- a/bind99-rh640538.patch +++ b/bind99-rh640538.patch @@ -1,4 +1,4 @@ -From 8b0a284d551d24ec2323713a5641b783b6e1baaa Mon Sep 17 00:00:00 2001 +From d3c58d860737f0f70eff05edad77e0b2a90d4cb9 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Fri, 19 Jun 2020 18:48:23 +0200 Subject: [PATCH] .rh640538 @@ -8,11 +8,11 @@ Subject: [PATCH] .rh640538 1 file changed, 20 insertions(+) diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst -index 3c899ce..46c9885 100644 +index bef52ba..9f16607 100644 --- a/bin/dig/dig.rst 
+++ b/bin/dig/dig.rst -@@ -616,6 +616,26 @@ like to turn off the IDN support for some reason, use parameters - ``+noidnin`` and ``+noidnout`` or define the IDN_DISABLE environment +@@ -615,6 +615,26 @@ To turn off IDN support, use the parameters + ``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment variable. +Return Codes diff --git a/sources b/sources index e157acd..cc951ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.16.11.tar.xz) = 5ed632df7c74f5e6693db9b378450ea3073b8002e9924df1d0465f8b8edb933df3a853d3965a290a0477a67ca2bfa79f679d7e344db08a65462860c58d04dc1b -SHA512 (bind-9.16.11.tar.xz.asc) = 90f548c13f617b4f0db2bfe0af9e357cd67ebcfff861114c2d45a3b33867070023cac2112f30ba965d2260d43c46d5e739c05143e44fa78ee1df1e0c8478ecdf +SHA512 (bind-9.16.13.tar.xz) = 1f3c8f54dd2c9e18cd9b67cfebb645d0a8e8f566add07fc4690cb8820bf81640c33b2b0685cb8be095e0f9ac84b2cf78176aea841a30c27d547b569b8353b07b +SHA512 (bind-9.16.13.tar.xz.asc) = 636c5101f31092b1a0251c923676583afed69eb1e7ff625d3d7b2088c66014090e9676a61e332e553e4283872c5e641db1c09fbf76871e52938715163d61dd2e