Update to 9.16.15

Resolves CVE-2021-25215 and CVE-2021-25214. Removes disable-isc-spnego flag, because custom isc spnego code were removed with also this flag. It is default (and the only) option now. (cherry picked from commit f8cb93d57c5be83e9cfbb515d2e8fc1abef24e29) Resolves: rhbz#1956777
2021-04-29 18:12:16 +02:00 · 2021-04-29 18:12:16 +02:00 · a4d7a01bbb
parent 348d01cc21
commit a4d7a01bbb
5 changed files with 30 additions and 82 deletions
--- a/.gitignore
+++ b/.gitignore
@ -144,3 +144,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.16.11.tar.xz.asc
 /bind-9.16.13.tar.xz
 /bind-9.16.13.tar.xz.asc
+/bind-9.16.15.tar.xz
+/bind-9.16.15.tar.xz.asc
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@ -1,4 +1,4 @@
-From 17c6e65cde059c98d48ae3b948aa157865d1c99c Mon Sep 17 00:00:00 2001
+From 8f232dac49cbb143a30a5c807f9085f3ef251f0e Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 21 Jan 2021 10:46:20 +0100
 Subject: [PATCH] Enable custom pkcs11 native build
@ -247,7 +247,7 @@ index 98125dd..518a75f 100644
 @DLZ_DRIVER_RULES@
 
 diff --git a/configure.ac b/configure.ac
-index 08a7d8a..4d762c9 100644
+index da99e85..55680ea 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
@ -265,7 +265,7 @@ index 08a7d8a..4d762c9 100644
 
 #
 # was --with-lmdb specified?
-@@ -2352,6 +2354,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
+@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
 AC_SUBST(BIND9_NS_BUILDINCLUDE)
 AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
 AC_SUBST(BIND9_IRS_BUILDINCLUDE)
@ -274,7 +274,7 @@ index 08a7d8a..4d762c9 100644
 if test "X$srcdir" != "X"; then
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
-@@ -2360,6 +2364,8 @@ if test "X$srcdir" != "X"; then
+@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
 	BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
 	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
 	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
@ -283,7 +283,7 @@ index 08a7d8a..4d762c9 100644
 else
 	BIND9_ISC_BUILDINCLUDE=""
 	BIND9_ISCCC_BUILDINCLUDE=""
-@@ -2368,6 +2374,8 @@ else
+@@ -2343,6 +2349,8 @@ else
 	BIND9_NS_BUILDINCLUDE=""
 	BIND9_BIND9_BUILDINCLUDE=""
 	BIND9_IRS_BUILDINCLUDE=""
@ -292,7 +292,7 @@ index 08a7d8a..4d762c9 100644
 fi
 
 AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
-@@ -2823,8 +2831,11 @@ AC_CONFIG_FILES([
+@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
@ -304,7 +304,7 @@ index 08a7d8a..4d762c9 100644
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/plugins/Makefile
-@@ -2886,6 +2897,10 @@ AC_CONFIG_FILES([
+@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
 	lib/dns/tests/Makefile
@ -315,7 +315,7 @@ index 08a7d8a..4d762c9 100644
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
-@@ -2918,6 +2933,10 @@ AC_CONFIG_FILES([
+@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
 	lib/ns/include/Makefile
 	lib/ns/include/ns/Makefile
 	lib/ns/tests/Makefile
@ -340,28 +340,28 @@ index ffa2d5a..6fbc192 100644
 
 @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 283b7f2..a234dc5 100644
+index 58bda3c..d6a45df 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
-@@ -24,7 +24,7 @@ VERSION=@BIND9_VERSION@
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
 
- USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+ @BIND9_MAKE_INCLUDES@
 
 -CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 +CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
 		${ISC_INCLUDES} \
 		${FSTRM_CFLAGS} \
 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
-@@ -34,7 +34,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+@@ -32,7 +32,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 		${LMDB_CFLAGS} \
 		${MAXMINDDB_CFLAGS}
 
-CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO}
-+CDEFINES =	@USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@
+-CDEFINES =	@USE_GSSAPI@
+CDEFINES =	@USE_GSSAPI@ @USE_PKCS11@
 
 CWARNINGS =
 
-@@ -137,15 +137,15 @@ version.@O@: version.c
+@@ -135,15 +135,15 @@ version.@O@: version.c
 		-DMAPAPI=\"${MAPAPI}\" \
 		-c ${srcdir}/version.c
 
@ -381,7 +381,7 @@ index 283b7f2..a234dc5 100644
 
 include: gen
 	${MAKE} include/dns/enumtype.h
-@@ -176,22 +176,22 @@ gen: gen.c
+@@ -174,22 +174,22 @@ gen: gen.c
 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
 	${BUILD_LIBS} ${LFS_LIBS}
 
@ -434,12 +434,12 @@ index 3bb5e01..c96fe7d 100644
 LIBS =		@LIBS@ @CMOCKA_LIBS@
 
 diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
-index f126f1f..21b20e4 100644
+index bc683ce..7a9d2f2 100644
 --- a/lib/ns-pkcs11/Makefile.in
 +++ b/lib/ns-pkcs11/Makefile.in
-@@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@
+@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
 
- USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+ @BIND9_MAKE_INCLUDES@
 
 -CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
 -		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
@ -453,7 +453,7 @@ index f126f1f..21b20e4 100644
 
 CWARNINGS =
 
-@@ -31,9 +31,9 @@ ISCLIBS =	../../lib/isc/libisc.@A@
+@@ -29,9 +29,9 @@ ISCLIBS =	../../lib/isc/libisc.@A@
 
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 
@ -465,7 +465,7 @@ index f126f1f..21b20e4 100644
 
 LIBS =		@LIBS@
 
-@@ -62,28 +62,28 @@ version.@O@: version.c
+@@ -60,28 +60,28 @@ version.@O@: version.c
 		-DMAJOR=\"${MAJOR}\" \
 		-c ${srcdir}/version.c
 
@ -546,5 +546,5 @@ index b8317d3..b73b0c4 100644
 +	-I${top_srcdir}/lib/ns-pkcs11/include
 +
 -- 
-2.26.2
+2.26.3

--- a/bind-9.16-isc-constructor.h
+++ b/bind-9.16-isc-constructor.h
@ -1,53 +0,0 @@
-From 48df32cadb5071f5b186b00da3f4406a13320b44 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Fri, 26 Mar 2021 11:01:59 +0100
-Subject: [PATCH] Do not require config.h to use isc/util.h
-
-util.h requires ISC_CONSTRUCTOR definition, which depends on config.h
-inclusion. It does not include it from isc/util.h (or any other header).
-Using isc/util.h fails hard when isc/util.h is used without including
-bind's config.h.
-
-Move the check to c file, where ISC_CONSTRUCTOR is used. Ensure config.h
-is included there.
---
- lib/isc/include/isc/util.h | 2 --
- lib/isc/lib.c              | 5 +++++
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
-index 3c8c40b..3144557 100644
--- a/lib/isc/include/isc/util.h
-+++ b/lib/isc/include/isc/util.h
-@@ -54,8 +54,6 @@
- #elif WIN32
- #define ISC_CONSTRUCTOR(priority)
- #define ISC_DESTRUCTOR(priority)
-#else
-#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
- #endif
- 
- /*%
-diff --git a/lib/isc/lib.c b/lib/isc/lib.c
-index 27d7be1..08a1b91 100644
--- a/lib/isc/lib.c
-+++ b/lib/isc/lib.c
-@@ -17,10 +17,15 @@
- #include <isc/tls.h>
- #include <isc/util.h>
- 
-+#include "config.h"
- #include "mem_p.h"
- #include "tls_p.h"
- #include "trampoline_p.h"
- 
-+#ifndef ISC_CONSTRUCTOR
-+#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
-+#endif
-+
- /***
-  *** Functions
-  ***/
-- 
-2.26.2
-
--- a/bind.spec
+++ b/bind.spec
@ -61,7 +61,7 @@
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.16.13
+Version:  9.16.15
 Release:  1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
@ -114,8 +114,6 @@ Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch
 Patch170:bind-9.11-feature-test-named.patch
 Patch171:bind-9.11-tests-variants.patch
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4840
-Patch172:bind-9.16-isc-constructor.h

 Requires(post):   systemd
 Requires(preun):  systemd
@ -420,7 +418,6 @@ in HTML and PDF format.
 %patch164 -p1 -b .rh1666814
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
-%patch172 -p1 -b .isc-constructor

 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@ -505,7 +502,6 @@ export LIBDIR_SUFFIX
  --with-dlopen=yes \
 %if %{with GSSTSIG}
  --with-gssapi=yes \
-  --disable-isc-spnego \
 %endif
 %if %{with LMDB}
  --with-lmdb=yes \
@ -1142,6 +1138,9 @@ fi;
 %endif

 %changelog
+* Thu Apr 29 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-1
+- Update to 9.16.15
+
 * Thu Apr 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.13-1
 - Update to 9.16.13
 - Changed displayed version just to include -RH suffix, not release
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.16.13.tar.xz) = 1f3c8f54dd2c9e18cd9b67cfebb645d0a8e8f566add07fc4690cb8820bf81640c33b2b0685cb8be095e0f9ac84b2cf78176aea841a30c27d547b569b8353b07b
-SHA512 (bind-9.16.13.tar.xz.asc) = 636c5101f31092b1a0251c923676583afed69eb1e7ff625d3d7b2088c66014090e9676a61e332e553e4283872c5e641db1c09fbf76871e52938715163d61dd2e
+SHA512 (bind-9.16.15.tar.xz) = 30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033
+SHA512 (bind-9.16.15.tar.xz.asc) = b845f0527235a5b24c617e4e0975988df3966b05db3eec33c798c242b00560dbfdb3258da991743629eb24017759d7deccbaf58277d215ff4616f6c255a8c0d4