Update to 9.16.15

Resolves CVE-2021-25215 and CVE-2021-25214.
Removes disable-isc-spnego flag, because custom isc spnego code were
removed with also this flag. It is default (and the only) option now.
This commit is contained in:
Petr Menšík 2021-04-29 18:12:16 +02:00
parent 2e4a03677c
commit f8cb93d57c
5 changed files with 30 additions and 82 deletions

2
.gitignore vendored
View File

@ -144,3 +144,5 @@ bind-9.7.2b1.tar.gz
/bind-9.16.11.tar.xz.asc /bind-9.16.11.tar.xz.asc
/bind-9.16.13.tar.xz /bind-9.16.13.tar.xz
/bind-9.16.13.tar.xz.asc /bind-9.16.13.tar.xz.asc
/bind-9.16.15.tar.xz
/bind-9.16.15.tar.xz.asc

View File

@ -1,4 +1,4 @@
From 17c6e65cde059c98d48ae3b948aa157865d1c99c Mon Sep 17 00:00:00 2001 From 8f232dac49cbb143a30a5c807f9085f3ef251f0e Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com> From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Jan 2021 10:46:20 +0100 Date: Thu, 21 Jan 2021 10:46:20 +0100
Subject: [PATCH] Enable custom pkcs11 native build Subject: [PATCH] Enable custom pkcs11 native build
@ -247,7 +247,7 @@ index 98125dd..518a75f 100644
@DLZ_DRIVER_RULES@ @DLZ_DRIVER_RULES@
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 08a7d8a..4d762c9 100644 index da99e85..55680ea 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) @@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
@ -265,7 +265,7 @@ index 08a7d8a..4d762c9 100644
# #
# was --with-lmdb specified? # was --with-lmdb specified?
@@ -2352,6 +2354,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) @@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
AC_SUBST(BIND9_NS_BUILDINCLUDE) AC_SUBST(BIND9_NS_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE) AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
AC_SUBST(BIND9_IRS_BUILDINCLUDE) AC_SUBST(BIND9_IRS_BUILDINCLUDE)
@ -274,7 +274,7 @@ index 08a7d8a..4d762c9 100644
if test "X$srcdir" != "X"; then if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -2360,6 +2364,8 @@ if test "X$srcdir" != "X"; then @@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
@ -283,7 +283,7 @@ index 08a7d8a..4d762c9 100644
else else
BIND9_ISC_BUILDINCLUDE="" BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE="" BIND9_ISCCC_BUILDINCLUDE=""
@@ -2368,6 +2374,8 @@ else @@ -2343,6 +2349,8 @@ else
BIND9_NS_BUILDINCLUDE="" BIND9_NS_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE="" BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE="" BIND9_IRS_BUILDINCLUDE=""
@ -292,7 +292,7 @@ index 08a7d8a..4d762c9 100644
fi fi
AC_SUBST_FILE(BIND9_MAKE_INCLUDES) AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -2823,8 +2831,11 @@ AC_CONFIG_FILES([ @@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile bin/delv/Makefile
bin/dig/Makefile bin/dig/Makefile
bin/dnssec/Makefile bin/dnssec/Makefile
@ -304,7 +304,7 @@ index 08a7d8a..4d762c9 100644
bin/nsupdate/Makefile bin/nsupdate/Makefile
bin/pkcs11/Makefile bin/pkcs11/Makefile
bin/plugins/Makefile bin/plugins/Makefile
@@ -2886,6 +2897,10 @@ AC_CONFIG_FILES([ @@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile lib/dns/include/dst/Makefile
lib/dns/tests/Makefile lib/dns/tests/Makefile
@ -315,7 +315,7 @@ index 08a7d8a..4d762c9 100644
lib/irs/Makefile lib/irs/Makefile
lib/irs/include/Makefile lib/irs/include/Makefile
lib/irs/include/irs/Makefile lib/irs/include/irs/Makefile
@@ -2918,6 +2933,10 @@ AC_CONFIG_FILES([ @@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
lib/ns/include/Makefile lib/ns/include/Makefile
lib/ns/include/ns/Makefile lib/ns/include/ns/Makefile
lib/ns/tests/Makefile lib/ns/tests/Makefile
@ -340,28 +340,28 @@ index ffa2d5a..6fbc192 100644
@BIND9_MAKE_RULES@ @BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 283b7f2..a234dc5 100644 index 58bda3c..d6a45df 100644
--- a/lib/dns-pkcs11/Makefile.in --- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in
@@ -24,7 +24,7 @@ VERSION=@BIND9_VERSION@ @@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ @BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
${ISC_INCLUDES} \ ${ISC_INCLUDES} \
${FSTRM_CFLAGS} \ ${FSTRM_CFLAGS} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
@@ -34,7 +34,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ @@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
${LMDB_CFLAGS} \ ${LMDB_CFLAGS} \
${MAXMINDDB_CFLAGS} ${MAXMINDDB_CFLAGS}
-CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} -CDEFINES = @USE_GSSAPI@
+CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@ +CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
CWARNINGS = CWARNINGS =
@@ -137,15 +137,15 @@ version.@O@: version.c @@ -135,15 +135,15 @@ version.@O@: version.c
-DMAPAPI=\"${MAPAPI}\" \ -DMAPAPI=\"${MAPAPI}\" \
-c ${srcdir}/version.c -c ${srcdir}/version.c
@ -381,7 +381,7 @@ index 283b7f2..a234dc5 100644
include: gen include: gen
${MAKE} include/dns/enumtype.h ${MAKE} include/dns/enumtype.h
@@ -176,22 +176,22 @@ gen: gen.c @@ -174,22 +174,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS} ${BUILD_LIBS} ${LFS_LIBS}
@ -434,12 +434,12 @@ index 3bb5e01..c96fe7d 100644
LIBS = @LIBS@ @CMOCKA_LIBS@ LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
index f126f1f..21b20e4 100644 index bc683ce..7a9d2f2 100644
--- a/lib/ns-pkcs11/Makefile.in --- a/lib/ns-pkcs11/Makefile.in
+++ b/lib/ns-pkcs11/Makefile.in +++ b/lib/ns-pkcs11/Makefile.in
@@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@ @@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ @BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ -CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ - ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
@ -453,7 +453,7 @@ index f126f1f..21b20e4 100644
CWARNINGS = CWARNINGS =
@@ -31,9 +31,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ @@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@
@ -465,7 +465,7 @@ index f126f1f..21b20e4 100644
LIBS = @LIBS@ LIBS = @LIBS@
@@ -62,28 +62,28 @@ version.@O@: version.c @@ -60,28 +60,28 @@ version.@O@: version.c
-DMAJOR=\"${MAJOR}\" \ -DMAJOR=\"${MAJOR}\" \
-c ${srcdir}/version.c -c ${srcdir}/version.c
@ -546,5 +546,5 @@ index b8317d3..b73b0c4 100644
+ -I${top_srcdir}/lib/ns-pkcs11/include + -I${top_srcdir}/lib/ns-pkcs11/include
+ +
-- --
2.26.2 2.26.3

View File

@ -1,53 +0,0 @@
From 48df32cadb5071f5b186b00da3f4406a13320b44 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 26 Mar 2021 11:01:59 +0100
Subject: [PATCH] Do not require config.h to use isc/util.h
util.h requires ISC_CONSTRUCTOR definition, which depends on config.h
inclusion. It does not include it from isc/util.h (or any other header).
Using isc/util.h fails hard when isc/util.h is used without including
bind's config.h.
Move the check to c file, where ISC_CONSTRUCTOR is used. Ensure config.h
is included there.
---
lib/isc/include/isc/util.h | 2 --
lib/isc/lib.c | 5 +++++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 3c8c40b..3144557 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -54,8 +54,6 @@
#elif WIN32
#define ISC_CONSTRUCTOR(priority)
#define ISC_DESTRUCTOR(priority)
-#else
-#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
#endif
/*%
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index 27d7be1..08a1b91 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -17,10 +17,15 @@
#include <isc/tls.h>
#include <isc/util.h>
+#include "config.h"
#include "mem_p.h"
#include "tls_p.h"
#include "trampoline_p.h"
+#ifndef ISC_CONSTRUCTOR
+#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
+#endif
+
/***
*** Functions
***/
--
2.26.2

View File

@ -61,7 +61,7 @@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind Name: bind
License: MPLv2.0 License: MPLv2.0
Version: 9.16.13 Version: 9.16.15
Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32 Epoch: 32
Url: https://www.isc.org/downloads/bind/ Url: https://www.isc.org/downloads/bind/
@ -114,8 +114,6 @@ Patch157:bind-9.11-fips-tests.patch
Patch164:bind-9.11-rh1666814.patch Patch164:bind-9.11-rh1666814.patch
Patch170:bind-9.11-feature-test-named.patch Patch170:bind-9.11-feature-test-named.patch
Patch171:bind-9.11-tests-variants.patch Patch171:bind-9.11-tests-variants.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4840
Patch172:bind-9.16-isc-constructor.h
Requires(post): systemd Requires(post): systemd
Requires(preun): systemd Requires(preun): systemd
@ -420,7 +418,6 @@ in HTML and PDF format.
%patch164 -p1 -b .rh1666814 %patch164 -p1 -b .rh1666814
%patch170 -p1 -b .featuretest-named %patch170 -p1 -b .featuretest-named
%patch171 -p1 -b .test-variant %patch171 -p1 -b .test-variant
%patch172 -p1 -b .isc-constructor
%if %{with PKCS11} %if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11 %patch135 -p1 -b .config-pkcs11
@ -505,7 +502,6 @@ export LIBDIR_SUFFIX
--with-dlopen=yes \ --with-dlopen=yes \
%if %{with GSSTSIG} %if %{with GSSTSIG}
--with-gssapi=yes \ --with-gssapi=yes \
--disable-isc-spnego \
%endif %endif
%if %{with LMDB} %if %{with LMDB}
--with-lmdb=yes \ --with-lmdb=yes \
@ -1142,6 +1138,9 @@ fi;
%endif %endif
%changelog %changelog
* Thu Apr 29 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-1
- Update to 9.16.15
* Thu Mar 25 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.13-1 * Thu Mar 25 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.13-1
- Update to 9.16.13 - Update to 9.16.13
- Changed displayed version just to include -RH suffix, not release - Changed displayed version just to include -RH suffix, not release

View File

@ -1,2 +1,2 @@
SHA512 (bind-9.16.13.tar.xz) = 1f3c8f54dd2c9e18cd9b67cfebb645d0a8e8f566add07fc4690cb8820bf81640c33b2b0685cb8be095e0f9ac84b2cf78176aea841a30c27d547b569b8353b07b SHA512 (bind-9.16.15.tar.xz) = 30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033
SHA512 (bind-9.16.13.tar.xz.asc) = 636c5101f31092b1a0251c923676583afed69eb1e7ff625d3d7b2088c66014090e9676a61e332e553e4283872c5e641db1c09fbf76871e52938715163d61dd2e SHA512 (bind-9.16.15.tar.xz.asc) = b845f0527235a5b24c617e4e0975988df3966b05db3eec33c798c242b00560dbfdb3258da991743629eb24017759d7deccbaf58277d215ff4616f6c255a8c0d4