Drop original user creation in favor of sysusers file definition.
(cherry picked from commit 071ec07d27989a8d548834292fa46ca2312b4862)
(cherry picked from commit efb20ad8e7)
Resolves: RHEL-135629
Image mode might have a separate /var partition not properly initialized by
package installation. Add creation of compat files into the tmpfiles.d
definition.
Make copies of those files from /var/named to /usr/share/named, so we
even have some place to symlink them from. Originally it had only a copy
in sample documentation, which may not be installed.
These source files should be read-only from named and not modified
anyway. Move them to /usr/share/named as read-only, always present
sources. Make symlinks in /var/named to point to them only when files
are missing.
To maximize backward compatibility, make copies and avoid replacing
those files with symlinks.
Resolves: RHEL-122168
IDNA tests always redirect output into the file. That means its
behaviour has changed and it is now processing IDN input by default and
just disables IDN output by default.
New behaviour when redirected is the same as +idnin +noidnout, but does
not fail hard on input errors.
Resolves: RHEL-66172
Many variants are never built anymore. Clean up actions to just those still
shipped. But do not trigger a named reload when the named.run file is empty.
That is common on freeipa installations, where the configuration changes
logging to put it elsewhere. named reload is disruptive because of how
bind-dyndb-ldap behaves during reloads. Avoid unnecessary reloads with
visible service disruption.
Keep named-pkcs11 reload variant.
Resolves: RHEL-113942
Use the same name in dig or host utilities when stdout is not a
terminal. Until now it disabled IDN processing when stdout was not a
terminal. Disable just IDN output in that case and try to decode the input
name with IDN. Keep failing in interactive sessions, but send even the
undecoded name query when output is redirected.
That should limit new surprises and keep most of the behaviour without
changes. But do not break when the input name fails to decode and
it was not trying to decode it before.
Resolves: RHEL-66172
The NAMED_MAXADDITIONAL environment variable can change the default limit of 13.
The format is just the number of accepted NS records which will be processed
for additional records.
Resolves: RHEL-84006
When too many NS records are fetched from an authoritative zone, limit the
number of fetched additional records. Instead of not producing any
additional record when there are more than 13 NS servers, limit the number of
records for which those records would be fetched.
Resolves: RHEL-84006
resume_qmin did not handle the special case of a recursing query hitting an
unexpected DNS_R_CNAME result. Change the result to SERVFAIL in case
of a zone loaded after the recursion started. That prevents crashing
later in query_setorder, where an uninitialized foundname is compared
with absolute order names.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
Resolves: RHEL-30407
Intended to be run like:
centpkg mockbuild --with SYSTEMTEST -N --enable-network
Do fail when it does not pass. But allow running tests as root.
Related: RHEL-76884
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
Vulnerability: CVE-2024-11187
Resolves: RHEL-76884
RPM tools keep complaining about old-style patches applied with
%patchX. Avoid that by using autopatch from now on, applying all changes
sorted by patch number.
Related: RHEL-76884
Fix local rebuilds on Fedora. BIND 9.16 does not work well with fortify
source level 3. Also fix DEFAULT_HMAC not being properly set in tests, failing
the reclimit test. That was an issue only of the backport.
Resolves: RHEL-49900
This aligns the fix for a large number of RRs in an RRSet with 9.18 and up
by backporting the `max-records-per-type` configuration option to
BIND 9.16.
Merge branch 'ondrej/max-types-per-rr-backport-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9178
Resolves: RHEL-49900
This aligns the fix for a large number of RRs in an RRSet with 9.18 and up
by backporting the `max-records-per-type` configuration option to
BIND 9.16.
Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9177
Also remove the custom environment feature, which is not necessary with
proper config options backported.
Increase rightmost version to become higher than _4 suffix.
Resolves: RHEL-49900
Do not introduce new options into the configuration file. But if limits are
hit in an unexpected way, allow tuning them by the environment variables
DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept the maximum
number of records or types. Both default to 100.
These replace max-records-per-type and max-types-per-name in later
versions. But they can be configured only by environment and only
globally, not in each view or zone.
Related: RHEL-49900
6403. [security] qctx-zversion was not being cleared when it should have
been leading to an assertion failure if it needed to be
reused. (CVE-2024-4076) [GL #4507]
Resolves: RHEL-49940
6400. [security] Excessively large rdatasets can slow down database
query processing, so a limit has been placed on the
number of records that can be stored per rdataset
in a cache or zone database. This is configured
with the new "max-records-per-type" option, and
defaults to 100. (CVE-2024-1737)
[GL #497] [GL #3405]
6401. [security] An excessively large number of rrtypes per owner can
slow down database query processing, so a limit has been
placed on the number of rrtypes that can be stored per
owner (node) in a cache or zone database. This is
configured with the new "max-rrtypes-per-name" option,
and defaults to 100. (CVE-2024-1737)
[GL #3403] [GL #4548]
Does not change db methods like the 9.18 fix. It makes the limits fixed
numbers set at build time, but does not need adjusting the db interface to set
new limits.
Resolves: RHEL-49900
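The limits described in the entries above (max-records-per-type and max-rrtypes-per-name in 9.18, DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES in the 9.16 backport) apply to zone databases as well as the cache, so an operator upgrading to a fixed build will want to know in advance which owner names in their zones would hit them. The following scanner is an added example, not code from BIND or the RHEL package: it counts records per (owner, rrtype) and rrtypes per owner in a simplified zone file and reports anything over the limits. The zone-file parser is an assumption kept deliberately small (one record per line, optional owner/TTL/class, $ORIGIN and $TTL only, no $INCLUDE, no multi-line parenthesised records, no `;` inside TXT strings), and the sample zone is constructed for the demonstration.

```python
"""Report owner names in a (simplified) zone file that would exceed the
per-rdataset and per-name limits introduced for CVE-2024-1737.

Added example, not BIND's own code. Assumes the documented defaults:
at most 100 records in one rdataset (owner + rrtype) and at most 100
rrtypes per owner name. The parser is a minimal assumption: one record
per line, optional leading owner name, optional TTL and class, $ORIGIN
and $TTL directives only, no $INCLUDE, no multi-line records and no
';' inside TXT strings (everything after ';' is treated as a comment).
"""
from collections import defaultdict

DEFAULT_MAX_RECORDS_PER_TYPE = 100   # DNS_RDATASET_MAX_RECORDS / max-records-per-type
DEFAULT_MAX_RRTYPES_PER_NAME = 100   # DNS_RBTDB_MAX_RTYPES / max-rrtypes-per-name

CLASSES = {"IN", "CH", "HS"}


def _absolute(name, origin):
    """Make an owner name absolute using $ORIGIN semantics."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def count_zone(text, origin):
    """Return {owner_name: {rrtype: record_count}} for the zone text."""
    counts = defaultdict(lambda: defaultdict(int))
    origin = origin if origin.endswith(".") else origin + "."
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                origin += "."
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        # Leading whitespace means "same owner as the previous record".
        if line[0].isspace():
            owner = last_owner
        else:
            owner = _absolute(fields.pop(0), origin)
            last_owner = owner
        # Skip the optional TTL and class to reach the rrtype.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if not fields:
            raise ValueError(f"no rrtype in line: {raw!r}")
        counts[owner][fields[0].upper()] += 1
    return {owner: dict(types) for owner, types in counts.items()}


def find_violations(counts, max_records=DEFAULT_MAX_RECORDS_PER_TYPE,
                    max_rrtypes=DEFAULT_MAX_RRTYPES_PER_NAME):
    """Return sorted (owner, reason) pairs for names that would hit a limit."""
    problems = []
    for owner, types in sorted(counts.items()):
        if len(types) > max_rrtypes:
            problems.append((owner, f"{len(types)} rrtypes > {max_rrtypes}"))
        for rrtype, n in sorted(types.items()):
            if n > max_records:
                problems.append((owner, f"{n} {rrtype} records > {max_records}"))
    return problems


# Constructed sample zone: "big" carries 120 TXT records, "ns1" three rrtypes.
SAMPLE_ZONE = (
    "$ORIGIN example.test.\n"
    "$TTL 300\n"
    "@ IN SOA ns1 hostmaster 1 3600 900 604800 300\n"
    "  IN NS ns1\n"
    "ns1 IN A 192.0.2.1\n"
    "ns1 IN AAAA 2001:db8::1\n"
    'ns1 IN TXT "v=spf1 -all"\n'
    + "".join(f'big IN TXT "record {i}"\n' for i in range(120))
)

if __name__ == "__main__":
    for owner, why in find_violations(count_zone(SAMPLE_ZONE, "example.test")):
        print(f"{owner}: {why}")
```

Run against a real zone, `count_zone` is given the file contents and the zone's origin; lowering `max_records` or `max_rrtypes` in `find_violations` shows how much headroom a zone has before a tightened limit would make named refuse to load it.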
Extends even more the downstream-specific changes related to KeyTrap,
which added safety guards into hazard pointers, because it seems they
are still not enough. Add a fixed base to accommodate common threads like the
main app thread and ldap worker threads. Multiply once more, just to be
sure. We do not want to hit the maximal limit again.
Resolves: RHEL-39131
Builds were made, but did not hit public repositories. Errata for RHEL
were done before these could be published, but we need another errata
just for CentOS Stream.
Resolves: RHEL-25130 RHEL-25132 RHEL-25162 RHEL-25166 RHEL-25169 RHEL-25173
The fix for CVE-2023-6516 changed the format of the map file and masterformat
started crashing. Adjust test values to pass cleanly.
Related: RHEL-25375
; Related: CVE-2023-6516
The fix for CVE-2023-50387 introduced a new additional thread. But because
isc_hp functions were removed from later bind 9.16 releases, their
changes did not contain an increase of the hazard pointers max thread limit.
To prevent obscure memory corruption, increase the thread max size.
In addition, place at least a few INSISTs to check this is caught before
random memory overwrites begin. It would be quite difficult to track
without any check.
Resolves: RHEL-25386
; Resolves: CVE-2023-50387
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
Related: RHEL-25386
; Related: CVE-2023-50387
Patch171 introduces undefined variables, which may fail some tests.
Define them to empty values. python3-dns is also required with the SYSTEMTEST
feature enabled.
Related: RHEL-25342
; Related: CVE-2023-4408
The more recent python3 module ply does not accept statements used in
isc/policy.py, which generates parsetab.py. Allow skipping that target on
local-only Fedora builds.
Related: RHEL-25342
; Related: CVE-2023-4408
KeyTrap - Extreme CPU consumption in DNSSEC validator. Preparing an
NSEC3 closest encloser proof can exhaust CPU resources.
6322. [security] Specific DNS answers could cause a denial-of-service
condition due to DNS validation taking a long time.
(CVE-2023-50387) [GL #4424]
Resolves: RHEL-25397 RHEL-25386
; Resolves: CVE-2023-50387 CVE-2023-50868
6319. [security] Query patterns that continuously triggered cache
database maintenance could exhaust all available memory
on the host running named. (CVE-2023-6516) [GL #4383]
Resolves: RHEL-25375
; Resolves: CVE-2023-6516
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: RHEL-25364
; Resolves: CVE-2023-5679
RFC 1918 reverse zones
6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
Resolves: RHEL-25353
; Resolves: CVE-2023-5517
6315. [security] Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234]
6321. [security] Change 6315 inadvertently introduced regressions that
could cause named to crash. [GL #4234]
6343. [bug] Fix case insensitive setting for isc_ht hashtable.
Resolves: RHEL-25342
; Resolves: CVE-2023-4408
6192. [security] A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache.
If the fetch is aborted for exceeding the recursion
quota, it was possible for 'named' to enter an infinite
callback loop and crash due to stack overflow. This has
been fixed. (CVE-2023-2911) [GL #4089]
Resolves: CVE-2023-2911
6190. [security] Improve the overmem cleaning process to prevent the
cache going over the configured limit. (CVE-2023-2828)
[GL #4055]
Resolves: CVE-2023-2828
Verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
disallowed by update-forwarding.
Verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.
Related: CVE-2022-3094
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
Resolves: CVE-2022-3094