Update to 9.16.15
Resolves CVE-2021-25215 and CVE-2021-25214. Removes disable-isc-spnego flag, because custom isc spnego code were removed with also this flag. It is default (and the only) option now.
This commit is contained in:
parent
2e4a03677c
commit
f8cb93d57c
2
.gitignore
vendored
2
.gitignore
vendored
@ -144,3 +144,5 @@ bind-9.7.2b1.tar.gz
|
||||
/bind-9.16.11.tar.xz.asc
|
||||
/bind-9.16.13.tar.xz
|
||||
/bind-9.16.13.tar.xz.asc
|
||||
/bind-9.16.15.tar.xz
|
||||
/bind-9.16.15.tar.xz.asc
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 17c6e65cde059c98d48ae3b948aa157865d1c99c Mon Sep 17 00:00:00 2001
|
||||
From 8f232dac49cbb143a30a5c807f9085f3ef251f0e Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 10:46:20 +0100
|
||||
Subject: [PATCH] Enable custom pkcs11 native build
|
||||
@ -247,7 +247,7 @@ index 98125dd..518a75f 100644
|
||||
@DLZ_DRIVER_RULES@
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 08a7d8a..4d762c9 100644
|
||||
index da99e85..55680ea 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
|
||||
@ -265,7 +265,7 @@ index 08a7d8a..4d762c9 100644
|
||||
|
||||
#
|
||||
# was --with-lmdb specified?
|
||||
@@ -2352,6 +2354,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
|
||||
@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
|
||||
AC_SUBST(BIND9_NS_BUILDINCLUDE)
|
||||
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
|
||||
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
|
||||
@ -274,7 +274,7 @@ index 08a7d8a..4d762c9 100644
|
||||
if test "X$srcdir" != "X"; then
|
||||
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
|
||||
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
|
||||
@@ -2360,6 +2364,8 @@ if test "X$srcdir" != "X"; then
|
||||
@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
|
||||
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
|
||||
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
|
||||
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
|
||||
@ -283,7 +283,7 @@ index 08a7d8a..4d762c9 100644
|
||||
else
|
||||
BIND9_ISC_BUILDINCLUDE=""
|
||||
BIND9_ISCCC_BUILDINCLUDE=""
|
||||
@@ -2368,6 +2374,8 @@ else
|
||||
@@ -2343,6 +2349,8 @@ else
|
||||
BIND9_NS_BUILDINCLUDE=""
|
||||
BIND9_BIND9_BUILDINCLUDE=""
|
||||
BIND9_IRS_BUILDINCLUDE=""
|
||||
@ -292,7 +292,7 @@ index 08a7d8a..4d762c9 100644
|
||||
fi
|
||||
|
||||
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
|
||||
@@ -2823,8 +2831,11 @@ AC_CONFIG_FILES([
|
||||
@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
|
||||
bin/delv/Makefile
|
||||
bin/dig/Makefile
|
||||
bin/dnssec/Makefile
|
||||
@ -304,7 +304,7 @@ index 08a7d8a..4d762c9 100644
|
||||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/plugins/Makefile
|
||||
@@ -2886,6 +2897,10 @@ AC_CONFIG_FILES([
|
||||
@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
|
||||
lib/dns/include/dns/Makefile
|
||||
lib/dns/include/dst/Makefile
|
||||
lib/dns/tests/Makefile
|
||||
@ -315,7 +315,7 @@ index 08a7d8a..4d762c9 100644
|
||||
lib/irs/Makefile
|
||||
lib/irs/include/Makefile
|
||||
lib/irs/include/irs/Makefile
|
||||
@@ -2918,6 +2933,10 @@ AC_CONFIG_FILES([
|
||||
@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
|
||||
lib/ns/include/Makefile
|
||||
lib/ns/include/ns/Makefile
|
||||
lib/ns/tests/Makefile
|
||||
@ -340,28 +340,28 @@ index ffa2d5a..6fbc192 100644
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
||||
index 283b7f2..a234dc5 100644
|
||||
index 58bda3c..d6a45df 100644
|
||||
--- a/lib/dns-pkcs11/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/Makefile.in
|
||||
@@ -24,7 +24,7 @@ VERSION=@BIND9_VERSION@
|
||||
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
|
||||
${ISC_INCLUDES} \
|
||||
${FSTRM_CFLAGS} \
|
||||
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
|
||||
@@ -34,7 +34,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||
${LMDB_CFLAGS} \
|
||||
${MAXMINDDB_CFLAGS}
|
||||
|
||||
-CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO}
|
||||
+CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@
|
||||
-CDEFINES = @USE_GSSAPI@
|
||||
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
@@ -137,15 +137,15 @@ version.@O@: version.c
|
||||
@@ -135,15 +135,15 @@ version.@O@: version.c
|
||||
-DMAPAPI=\"${MAPAPI}\" \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
@ -381,7 +381,7 @@ index 283b7f2..a234dc5 100644
|
||||
|
||||
include: gen
|
||||
${MAKE} include/dns/enumtype.h
|
||||
@@ -176,22 +176,22 @@ gen: gen.c
|
||||
@@ -174,22 +174,22 @@ gen: gen.c
|
||||
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
|
||||
${BUILD_LIBS} ${LFS_LIBS}
|
||||
|
||||
@ -434,12 +434,12 @@ index 3bb5e01..c96fe7d 100644
|
||||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
|
||||
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
|
||||
index f126f1f..21b20e4 100644
|
||||
index bc683ce..7a9d2f2 100644
|
||||
--- a/lib/ns-pkcs11/Makefile.in
|
||||
+++ b/lib/ns-pkcs11/Makefile.in
|
||||
@@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@
|
||||
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
|
||||
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
@ -453,7 +453,7 @@ index f126f1f..21b20e4 100644
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
@@ -31,9 +31,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
|
||||
@ -465,7 +465,7 @@ index f126f1f..21b20e4 100644
|
||||
|
||||
LIBS = @LIBS@
|
||||
|
||||
@@ -62,28 +62,28 @@ version.@O@: version.c
|
||||
@@ -60,28 +60,28 @@ version.@O@: version.c
|
||||
-DMAJOR=\"${MAJOR}\" \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
@ -546,5 +546,5 @@ index b8317d3..b73b0c4 100644
|
||||
+ -I${top_srcdir}/lib/ns-pkcs11/include
|
||||
+
|
||||
--
|
||||
2.26.2
|
||||
2.26.3
|
||||
|
||||
|
@ -1,53 +0,0 @@
|
||||
From 48df32cadb5071f5b186b00da3f4406a13320b44 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 26 Mar 2021 11:01:59 +0100
|
||||
Subject: [PATCH] Do not require config.h to use isc/util.h
|
||||
|
||||
util.h requires ISC_CONSTRUCTOR definition, which depends on config.h
|
||||
inclusion. It does not include it from isc/util.h (or any other header).
|
||||
Using isc/util.h fails hard when isc/util.h is used without including
|
||||
bind's config.h.
|
||||
|
||||
Move the check to c file, where ISC_CONSTRUCTOR is used. Ensure config.h
|
||||
is included there.
|
||||
---
|
||||
lib/isc/include/isc/util.h | 2 --
|
||||
lib/isc/lib.c | 5 +++++
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
|
||||
index 3c8c40b..3144557 100644
|
||||
--- a/lib/isc/include/isc/util.h
|
||||
+++ b/lib/isc/include/isc/util.h
|
||||
@@ -54,8 +54,6 @@
|
||||
#elif WIN32
|
||||
#define ISC_CONSTRUCTOR(priority)
|
||||
#define ISC_DESTRUCTOR(priority)
|
||||
-#else
|
||||
-#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
|
||||
#endif
|
||||
|
||||
/*%
|
||||
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
|
||||
index 27d7be1..08a1b91 100644
|
||||
--- a/lib/isc/lib.c
|
||||
+++ b/lib/isc/lib.c
|
||||
@@ -17,10 +17,15 @@
|
||||
#include <isc/tls.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
+#include "config.h"
|
||||
#include "mem_p.h"
|
||||
#include "tls_p.h"
|
||||
#include "trampoline_p.h"
|
||||
|
||||
+#ifndef ISC_CONSTRUCTOR
|
||||
+#error Either __attribute__((constructor|destructor))__ or DllMain support needed to compile BIND 9.
|
||||
+#endif
|
||||
+
|
||||
/***
|
||||
*** Functions
|
||||
***/
|
||||
--
|
||||
2.26.2
|
||||
|
@ -61,7 +61,7 @@
|
||||
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.13
|
||||
Version: 9.16.15
|
||||
Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
@ -114,8 +114,6 @@ Patch157:bind-9.11-fips-tests.patch
|
||||
Patch164:bind-9.11-rh1666814.patch
|
||||
Patch170:bind-9.11-feature-test-named.patch
|
||||
Patch171:bind-9.11-tests-variants.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4840
|
||||
Patch172:bind-9.16-isc-constructor.h
|
||||
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
@ -420,7 +418,6 @@ in HTML and PDF format.
|
||||
%patch164 -p1 -b .rh1666814
|
||||
%patch170 -p1 -b .featuretest-named
|
||||
%patch171 -p1 -b .test-variant
|
||||
%patch172 -p1 -b .isc-constructor
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -505,7 +502,6 @@ export LIBDIR_SUFFIX
|
||||
--with-dlopen=yes \
|
||||
%if %{with GSSTSIG}
|
||||
--with-gssapi=yes \
|
||||
--disable-isc-spnego \
|
||||
%endif
|
||||
%if %{with LMDB}
|
||||
--with-lmdb=yes \
|
||||
@ -1142,6 +1138,9 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Apr 29 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-1
|
||||
- Update to 9.16.15
|
||||
|
||||
* Thu Mar 25 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.13-1
|
||||
- Update to 9.16.13
|
||||
- Changed displayed version just to include -RH suffix, not release
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (bind-9.16.13.tar.xz) = 1f3c8f54dd2c9e18cd9b67cfebb645d0a8e8f566add07fc4690cb8820bf81640c33b2b0685cb8be095e0f9ac84b2cf78176aea841a30c27d547b569b8353b07b
|
||||
SHA512 (bind-9.16.13.tar.xz.asc) = 636c5101f31092b1a0251c923676583afed69eb1e7ff625d3d7b2088c66014090e9676a61e332e553e4283872c5e641db1c09fbf76871e52938715163d61dd2e
|
||||
SHA512 (bind-9.16.15.tar.xz) = 30dad6e2144b3ac53ef0a2d1ed3c8342120f148fc0eb6409113a6d5ed3444eecb917915fdf39c26fd223396fc1e873410a50da305f0b870864f7fbbdccec8033
|
||||
SHA512 (bind-9.16.15.tar.xz.asc) = b845f0527235a5b24c617e4e0975988df3966b05db3eec33c798c242b00560dbfdb3258da991743629eb24017759d7deccbaf58277d215ff4616f6c255a8c0d4
|
||||
|
Loading…
Reference in New Issue
Block a user