rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import UBI bind-9.16.23-40.el9_8.1

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 19:55:51 -04:00
parent 18d374bb85
commit d71ca201e0
6 changed files with 140 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
SOURCES/bind-9.16-properly-process-extra-nameserver-lines.patch Normal file
View File

@ -0,0 +1,38 @@
diff --git a/CHANGES b/CHANGES
index 2b12128544..42c13c9dbd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6173. [bug] Properly process extra "nameserver" lines in
+ resolv.conf otherwise the next line is not properly
+ processed. [GL #4066]
+
--- 9.16.23 released ---
5752. [bug] Fix an assertion failure caused by missing member zones
diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
index da6066db7b..775f4e86a4 100644
--- a/lib/irs/resconf.c
+++ b/lib/irs/resconf.c
@@ -286,10 +286,6 @@ resconf_parsenameserver(irs_resconf_t *conf, FILE *fp) {
int cp;
isc_result_t result;
- if (conf->numns == RESCONFMAXNAMESERVERS) {
- return (ISC_R_SUCCESS);
- }
-
cp = getword(fp, word, sizeof(word));
if (strlen(word) == 0U) {
return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
@@ -301,6 +297,10 @@ resconf_parsenameserver(irs_resconf_t *conf, FILE *fp) {
return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
}
+ if (conf->numns == RESCONFMAXNAMESERVERS) {
+ return (ISC_R_SUCCESS);
+ }
+
result = add_server(conf->mctx, word, &conf->nameservers);
if (result != ISC_R_SUCCESS) {
return (result);

38
SOURCES/bind-chroot.tmpfiles.d Normal file
View File

@ -0,0 +1,38 @@
# vim: ft=conf:
# TODO: these definitions are in different form in rpm spec %files chroot section
# find a way to have it defined only once
#defattr(0664,root,named,-)
c /var/named/chroot/dev/null 0664 root named - 1:3
c /var/named/chroot/dev/random 0664 root named - 1:8
c /var/named/chroot/dev/urandom 0664 root named - 1:9
c /var/named/chroot/dev/zero 0664 root named - 1:5
#defattr(0640,root,named,0750)
d /var/named/chroot 0750 root named -
d /var/named/chroot/dev 0750 root named -
d /var/named/chroot/etc 0750 root named -
d /var/named/chroot/etc/named 0750 root named -
d /var/named/chroot/etc/pki 0750 root named -
d /var/named/chroot/etc/pki/dnssec-keys 0750 root named -
d /var/named/chroot/etc/crypto-policies 0750 root named -
d /var/named/chroot/etc/crypto-policies/back-ends 0750 root named -
d /var/named/chroot/var 0750 root named -
d /var/named/chroot/run 0750 root named -
#defattr(-,root,root,-)
d /var/named/chroot/usr - root root -
d /var/named/chroot/usr/lib64 - root root -
d /var/named/chroot/usr/lib64/bind - root root -
d /var/named/chroot/usr/lib64/named - root root -
d /var/named/chroot/usr/share/GeoIP - root root -
d /var/named/chroot/usr/share/named - root root -
d /var/named/chroot/proc - root root -
d /var/named/chroot/proc/sys - root root -
d /var/named/chroot/proc/sys/net - root root -
d /var/named/chroot/proc/sys/net/ipv4 - root root -
#defattr(0660,root,named,01770)
d /var/named/chroot/var/named 01770 root named -
#defattr(0660,named,named,0770)
d /var/named/chroot/var/tmp 0770 named named -
d /var/named/chroot/var/log 0770 named named -
#defattr(-,named,named,-)
d /var/named/chroot/run/named - named named -
L /var/named/chroot/var/run - named named - ../run

9
SOURCES/bind.tmpfiles.d
View File

@ -1 +1,10 @@
# vim: ft=conf:
d /run/named 0755 named named -
d /var/named 01770 root named -
d /var/named/slaves 0770 named named -
d /var/named/data 0770 named named -
d /var/named/dynamic 0770 named named -
L /var/named/named.ca 0640 named named - ../../../usr/share/named/named.ca
L /var/named/named.localhost 0640 named named - ../../../usr/share/named/named.localhost
L /var/named/named.loopback 0640 named named - ../../../usr/share/named/named.loopback
L /var/named/named.empty 0640 named named - ../../../usr/share/named/named.empty

2
SOURCES/named-chroot.files
View File

@ -3,6 +3,7 @@
# if they are missing or empty in target directory.
/etc/localtime
/etc/named.root.key
/etc/named.ca
/etc/named.conf
/etc/named.rfc1912.zones
/etc/rndc.conf
@ -19,6 +20,7 @@
/usr/lib64/named
/usr/lib/named
/usr/share/GeoIP
/usr/share/named
/run/named
/proc/sys/net/ipv4/ip_local_port_range
# Warning: the order is important

3
SOURCES/named.sysusers Normal file
View File

@ -0,0 +1,3 @@
#Type Name ID GECOS Home directory Shell
u named 25 "Named" /var/named /sbin/nologin
g named 25

68
SPECS/bind.spec
View File

@ -25,14 +25,12 @@
%bcond_with DOCPDF
%bcond_with TSAN
%{?!bind_uid: %global bind_uid 25}
%{?!bind_gid: %global bind_gid 25}
%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
%global bind_dir /var/named
%global chroot_prefix %{bind_dir}/chroot
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
%{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
%{_libdir}/bind %{_libdir}/named %{_datadir}/{GeoIP,named} /proc/sys/net/ipv4
%global selinuxbooleans named_write_master_zones=1
@ -56,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 34%{?dist}.2
Release: 40%{?dist}.1
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -87,6 +85,8 @@ Source46: named-setup-rndc.service
Source47: named-pkcs11.service
Source48: setup-named-softhsm.sh
Source49: named-chroot.files
Source50: named.sysusers
Source51: bind-chroot.tmpfiles.d
# Common patches
Patch10: bind-9.5-PIE.patch
@ -199,12 +199,15 @@ Patch224: bind-9.16-CVE-2025-40780.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/50479358efdf432d690415131b74b5df158a9d69
# https://gitlab.isc.org/isc-projects/bind9/commit/33a7db1fe964e55b76b4ac003ecc56cc67028bd9
Patch225: bind-9.16-CVE-2025-40778.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7942
Patch226: bind-9.16-properly-process-extra-nameserver-lines.patch
# https://gitlab.isc.org/isc-projects/bind9/-/commit/a5e8d2354385d4f42a58113b16960d85ec306b09
Patch226: bind-9.16-CVE-2026-1519.patch
Patch227: bind-9.16-CVE-2026-1519.patch
%{?systemd_ordering}
# https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
%{?sysusers_requires_compat}
Requires: coreutils
Requires(pre): shadow-utils
Requires(post): shadow-utils
Requires(post): glibc-common
Requires(post): grep
@ -767,6 +770,9 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
mkdir -p ${RPM_BUILD_ROOT}%{_sysusersdir}
install -m 644 %{SOURCE50} ${RPM_BUILD_ROOT}%{_sysusersdir}/named.conf
%if %{with PKCS11}
install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
%else
@ -871,21 +877,28 @@ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/named
install -p -m 644 %{SOURCE17} ${RPM_BUILD_ROOT}%{_datadir}/named/named.ca
install -p -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}%{_datadir}/named/named.localhost
install -p -m 644 %{SOURCE19} ${RPM_BUILD_ROOT}%{_datadir}/named/named.loopback
install -p -m 644 %{SOURCE20} ${RPM_BUILD_ROOT}%{_datadir}/named/named.empty
# data files:
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
# Create duplicate copies for maximal backward compatibility
install -p -m 644 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
install -p -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
install -p -m 644 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
install -p -m 644 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
install -p -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
# sample bind configuration files for %%doc:
mkdir -p sample/etc sample/var/named/{data,slaves}
install -m 644 %{SOURCE25} sample/etc/named.conf
# Copy default configuration to %%doc to make it usable from system-config-bind
# Copy default configuration to %%doc
install -m 644 %{SOURCE16} named.conf.default
install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
# Extra copies in documentation too.
install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named
install -m 644 %{SOURCE17} sample/var/named/named.ca
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
@ -895,15 +908,15 @@ done
:;
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
install -p -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
install -p -m 644 %{SOURCE51} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}-chroot.conf
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
install -p -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
%pre
if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
%sysusers_create_compat %{SOURCE50}
fi;
:;
@ -1022,6 +1035,7 @@ fi;
%{_unitdir}/named.service
%{_unitdir}/named-setup-rndc.service
%{_sbindir}/named-journalprint
%{_sysusersdir}/named.conf
%{_sbindir}/named-checkconf
%{_bindir}/named-rrchecker
%{_bindir}/mdig
@ -1054,6 +1068,7 @@ fi;
%dir %{_localstatedir}/named/dynamic
%ghost %{_localstatedir}/log/named.log
%defattr(0640,root,named,0750)
%{_datadir}/named/
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
@ -1149,6 +1164,7 @@ fi;
%{_unitdir}/named-chroot.service
%{_unitdir}/named-chroot-setup.service
%{_libexecdir}/setup-named-chroot.sh
%{_tmpfilesdir}/%{name}-chroot.conf
%defattr(0664,root,named,-)
%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
@ -1172,6 +1188,7 @@ fi;
%dir %{chroot_prefix}/%{_libdir}/bind
%dir %{chroot_prefix}/%{_libdir}/named
%dir %{chroot_prefix}/%{_datadir}/GeoIP
%dir %{chroot_prefix}/%{_datadir}/named
%{chroot_prefix}/proc
%defattr(0660,root,named,01770)
%dir %{chroot_prefix}%{_localstatedir}/named
@ -1245,11 +1262,26 @@ fi;
%endif
%changelog
* Fri Mar 27 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-34.2
* Fri Mar 27 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-40.1
- Prevent Denial of Service via maliciously crafted DNSSEC-validated zone
(CVE-2026-1519)
* Wed Oct 29 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-34.1
* Wed Jan 28 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-40
- Add forgotten _libdir/named into bind-chroot tmpfiles (RHEL-135629)
* Thu Jan 22 2026 Fedor Vorobev <fvorobev@redhat.com> - 32:9.16.23-39
- Backport fix for nameserver line processing. (RHEL-79714)
* Fri Dec 12 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-38
- Add sysusers named user creation (RHEL-132053)
* Fri Dec 12 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-37
- Create /var/named directories for bind-chroot (RHEL-132053)
* Wed Oct 29 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-36
- Copy named.* files from /var/named into /usr/share/named
* Wed Oct 29 2025 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-35
- Prevent cache poisoning due to weak PRNG (CVE-2025-40780)
- Replace downstream fixes with upstream changes
- Address various spoofing attacks (CVE-2025-40778)