When MD5 is disabled in library, it behaved like RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such algorithm were unknown. Fix disabled algorithm
to return disabled result code. Accept such algorithm only when
disabling it.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Contains:
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
followed by make test in build directory.
Note: PKCS11 tests are still skipped, it requires SLOT variable
exported. Fails in some cases.
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.
Fixes commit fa1631eef7
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
Dig could be used to receive zone via AXFR. If IDN data are inside and
are decoded, it cannot be used as named zone file. Disable +idnout if
stdin is not a tty.
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
Resolves: #1663318
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)