diff --git a/0001-CVE-2023-3341.patch b/0001-CVE-2023-3341.patch
deleted file mode 100644
index a5d4f44bb31d143eabd6151a1951330e95bb4e73..0000000000000000000000000000000000000000
--- a/0001-CVE-2023-3341.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
-index 14146986f0..a43772e941 100644
---- a/lib/isc/include/isc/result.h
-+++ b/lib/isc/include/isc/result.h
-@@ -270,8 +270,9 @@
- ISCCC_R_EXPIRED,
- ISCCC_R_CLOCKSKEW,
- ISCCC_R_DUPLICATE,
-+ ISCCC_R_MAXDEPTH,
-
-- ISC_R_NRESULTS = ISCCC_R_DUPLICATE + 1, /*% The number of results. */
-+ ISC_R_NRESULTS = ISCCC_R_MAXDEPTH + 1, /*% The number of results. */
- ISC_R_MAKE_ENUM_32BIT = INT32_MAX,
- } isc_result_t;
-
-diff --git a/lib/isc/result.c b/lib/isc/result.c
-index b8a0c0da43..edbc8fd518 100644
---- a/lib/isc/result.c
-+++ b/lib/isc/result.c
-@@ -268,6 +268,7 @@ static const char *description[ISC_R_NRESULTS] = {
- [ISCCC_R_EXPIRED] = "expired",
- [ISCCC_R_CLOCKSKEW] = "clock skew",
- [ISCCC_R_DUPLICATE] = "duplicate",
-+ [ISCCC_R_MAXDEPTH] = "max depth",
- };
-
- static const char *identifier[ISC_R_NRESULTS] = {
-@@ -517,6 +518,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
- [ISCCC_R_EXPIRED] = "ISCCC_R_EXPIRED",
- [ISCCC_R_CLOCKSKEW] = "ISCCC_R_CLOCKSKEW",
- [ISCCC_R_DUPLICATE] = "ISCCC_R_DUPLICATE",
-+ [ISCCC_R_MAXDEPTH] = "ISCCC_R_MAXDEPTH",
- };
-
- STATIC_ASSERT((DNS_R_SERVFAIL - DNS_R_NOERROR == 2),
-diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
-index 52914ed5ae..cbd9badd3a 100644
---- a/lib/isccc/cc.c
-+++ b/lib/isccc/cc.c
-@@ -52,6 +52,10 @@
-
- #define MAX_TAGS 256
- #define DUP_LIFETIME 900
-+#ifndef ISCCC_MAXDEPTH
-+#define ISCCC_MAXDEPTH \
-+ 10 /* Big enough for rndc which just sends a string each way. */
-+#endif
-
- typedef isccc_sexpr_t *sexpr_ptr;
-
-@@ -484,19 +488,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
-
- static isc_result_t
- table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-- uint32_t algorithm, isccc_sexpr_t **alistp);
-+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
-
- static isc_result_t
--list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
-+list_fromwire(isccc_region_t *source, unsigned int depth,
-+ isccc_sexpr_t **listp);
-
- static isc_result_t
--value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
-+value_fromwire(isccc_region_t *source, unsigned int depth,
-+ isccc_sexpr_t **valuep) {
- unsigned int msgtype;
- uint32_t len;
- isccc_sexpr_t *value;
- isccc_region_t active;
- isc_result_t result;
-
-+ if (depth > ISCCC_MAXDEPTH) {
-+ return (ISCCC_R_MAXDEPTH);
-+ }
-+
- if (REGION_SIZE(*source) < 1 + 4) {
- return (ISC_R_UNEXPECTEDEND);
- }
-@@ -517,9 +527,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
- result = ISC_R_NOMEMORY;
- }
- } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) {
-- result = table_fromwire(&active, NULL, 0, valuep);
-+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
- } else if (msgtype == ISCCC_CCMSGTYPE_LIST) {
-- result = list_fromwire(&active, valuep);
-+ result = list_fromwire(&active, depth + 1, valuep);
- } else {
- result = ISCCC_R_SYNTAX;
- }
-@@ -529,7 +539,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
-
- static isc_result_t
- table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-- uint32_t algorithm, isccc_sexpr_t **alistp) {
-+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) {
- char key[256];
- uint32_t len;
- isc_result_t result;
-@@ -539,6 +549,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-
- REQUIRE(alistp != NULL && *alistp == NULL);
-
-+ if (depth > ISCCC_MAXDEPTH) {
-+ return (ISCCC_R_MAXDEPTH);
-+ }
-+
- checksum_rstart = NULL;
- first_tag = true;
- alist = isccc_alist_create();
-@@ -555,7 +569,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- GET_MEM(key, len, source->rstart);
- key[len] = '\0'; /* Ensure NUL termination. */
- value = NULL;
-- result = value_fromwire(source, &value);
-+ result = value_fromwire(source, depth + 1, &value);
- if (result != ISC_R_SUCCESS) {
- goto bad;
- }
-@@ -593,14 +607,19 @@ bad:
- }
-
- static isc_result_t
--list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
-+list_fromwire(isccc_region_t *source, unsigned int depth,
-+ isccc_sexpr_t **listp) {
- isccc_sexpr_t *list, *value;
- isc_result_t result;
-
-+ if (depth > ISCCC_MAXDEPTH) {
-+ return (ISCCC_R_MAXDEPTH);
-+ }
-+
- list = NULL;
- while (!REGION_EMPTY(*source)) {
- value = NULL;
-- result = value_fromwire(source, &value);
-+ result = value_fromwire(source, depth + 1, &value);
- if (result != ISC_R_SUCCESS) {
- isccc_sexpr_free(&list);
- return (result);
-@@ -632,7 +651,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
- return (ISCCC_R_UNKNOWNVERSION);
- }
-
-- return (table_fromwire(source, secret, algorithm, alistp));
-+ return (table_fromwire(source, secret, algorithm, 0, alistp));
- }
-
- static isc_result_t
diff --git a/0002-CVE-2023-4236.patch b/0002-CVE-2023-4236.patch
deleted file mode 100644
index 55e7dd85e63b51c49757c005faae141356d317b1..0000000000000000000000000000000000000000
--- a/0002-CVE-2023-4236.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c
-index 52c72e0fca..4af4289be3 100644
---- a/lib/isc/netmgr/tlsdns.c
-+++ b/lib/isc/netmgr/tlsdns.c
-@@ -1866,9 +1866,11 @@ tlsdns_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
- }
-
- result = tls_cycle(sock);
-+ if (result != ISC_R_SUCCESS) {
-+ return (result);
-+ }
-
- requeue:
--
- tlsdns_send_enqueue(sock, req);
-
- return (result);
diff --git a/Bv9ARM.pdf b/Bv9ARM.pdf
index 290158e11f9cddffd7b456d839a2af2b7a538ffb..0be8d640776f05616933fbd942a71729442583a2 100644
Binary files a/Bv9ARM.pdf and b/Bv9ARM.pdf differ
diff --git a/bind-9.18.16.tar.xz b/bind-9.18.24.tar.xz
similarity index 42%
rename from bind-9.18.16.tar.xz
rename to bind-9.18.24.tar.xz
index 3cc21725a459df30f48dc5c9487a0ebd83dd5c26..5e78380accce3dcc94b5968dbbb617b00159663e 100644
Binary files a/bind-9.18.16.tar.xz and b/bind-9.18.24.tar.xz differ
diff --git a/bind.spec b/bind.spec
index 9593edcd79d2775598b4aad4a51dad3082f68bfe..e3147bdb75b424b400f71cefa23132b48cd44051 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 1
 # bcond_without is built by default, unless --without X is passed
 # bcond_with is built only when --with X is passed to build
 %bcond_with SYSTEMTEST
@@ -30,7 +30,7 @@ Name: bind
 License: MPLv2.0
-Version: 9.18.16
+Version: 9.18.24
 Release: %{anolis_release}%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
@@ -62,21 +62,19 @@ Source46: named-setup-rndc.service
 Source48: setup-named-softhsm.sh
 Source49: named-chroot.files
-Patch0: 0001-CVE-2023-3341.patch
-Patch1: 0002-CVE-2023-4236.patch
-
 %{?systemd_ordering}
 Requires: coreutils
 Requires(pre): shadow-utils
 Requires(post): shadow-utils
 Requires(post): glibc-common
 Requires(post): grep
-Requires: bind-libs = %{epoch}:%{version}-%{release}
+Requires: bind-libs = %{EVR}
 # This wild require should satisfy %%selinux_set_boolean macro only
 # in case it needs to be used
 Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
 Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
 Recommends: bind-utils bind-dnssec-utils
+Obsoletes: bind9.16 < %{EVR}
 BuildRequires: git, gcc, make
 BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 BuildRequires: libidn2-devel, libxml2-devel
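Review bot: Dropping `Patch0: 0001-CVE-2023-3341.patch` and `Patch1: 0002-CVE-2023-4236.patch` in the `@@ -62,21 +62,19 @@` hunk is only correct if the 9.18.24 tarball already contains both fixes, and nothing in the spec records that this was verified; the changelog entry in the last hunk only says `New version 9.18.24`. As far as I recall both fixes landed in the upstream 9.18 branch before 9.18.24, so the drop is likely right, but an auditor checking this package's CVE coverage should not have to diff the spec to find out: add a changelog line such as `- Drop CVE-2023-3341 and CVE-2023-4236 backports, both included upstream in 9.18.24`. Separately, `Obsoletes: bind9.16 < %{EVR}` has no matching `Provides: bind9.16 = %{EVR}`, so anything that still depends on `bind9.16` by name becomes unresolvable after the upgrade; either add the Provides or leave a comment saying the omission is deliberate. The same Obsoletes-without-Provides pattern repeats for the `bind9.16-*` subpackage lines added in the following three hunks.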
@@ -139,9 +137,10 @@ tools for verifying that the DNS server is operating properly.
 %package libs
 Summary: Libraries used by the BIND DNS packages
-Requires: bind-license = %{epoch}:%{version}-%{release}
-Provides: bind-libs-lite = %{epoch}:%{version}-%{release}
+Requires: bind-license = %{EVR}
+Provides: bind-libs-lite = %{EVR}
 Obsoletes: bind-libs-lite < 32:9.16.13
+Obsoletes: bind9.16-libs < %{EVR}
 %description libs
 Contains heavyweight version of BIND suite libraries used by both named DNS
@@ -150,15 +149,17 @@ server and utilities in bind-utils package.
 %package license
 Summary: License of the BIND DNS suite
 BuildArch:noarch
+Obsoletes: bind9.16-license < %{EVR}
 %description license
 Contains license of the BIND DNS suite.
 %package utils
 Summary: Utilities for querying DNS name servers
-Requires: bind-libs = %{epoch}:%{version}-%{release}
+Requires: bind-libs = %{EVR}
 # For compatibility with Debian package
-Provides: dnsutils = %{epoch}:%{version}-%{release}
+Provides: dnsutils = %{EVR}
+Obsoletes: bind9.16-utils < %{EVR}
 %description utils
 Bind-utils contains a collection of utilities for querying DNS (Domain
@@ -172,9 +173,10 @@ servers.
 %package dnssec-utils
 Summary: DNSSEC keys and zones management utilities
-Requires: bind-libs = %{epoch}:%{version}-%{release}
+Requires: bind-libs = %{EVR}
 Recommends: bind-utils
-Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+Requires: bind-dnssec-doc = %{EVR}
+Obsoletes: bind9.16-dnssec-utils < %{EVR}
 %description dnssec-utils
 Bind-dnssec-utils contains a collection of utilities for editing
@@ -186,19 +188,21 @@ or maintain keys for it.
 %package dnssec-doc
 Summary: Manual pages of DNSSEC utilities
-Requires: bind-license = %{epoch}:%{version}-%{release}
-BuildArch:noarch
+Requires: bind-license = %{EVR}
+BuildArch: noarch
+Obsoletes: bind9.16-dnssec-doc < %{EVR}
 %description dnssec-doc
 Bind-dnssec-doc contains manual pages for bind-dnssec-utils.
 %package devel
 Summary: Header files and libraries needed for bind-dyndb-ldap
-Provides: bind-lite-devel = %{epoch}:%{version}-%{release}
+Provides: bind-lite-devel = %{EVR}
 Obsoletes: bind-lite-devel < 32:9.16.6-3
-Requires: bind-libs = %{epoch}:%{version}-%{release}
+Requires: bind-libs = %{EVR}
 Requires: openssl-devel libxml2-devel
 Requires: libcap-devel
+Obsoletes: bind9.16-devel < %{EVR}
 %if %{with GSSTSIG}
 Requires: krb5-devel
 %endif
@@ -225,7 +229,8 @@ Summary: A chroot runtime environment for the ISC BIND DNS server, named(
 Prefix: %{chroot_prefix}
 # grep is required due to setup-named-chroot.sh script
 Requires: grep
-Requires: bind = %{epoch}:%{version}-%{release}
+Requires: bind = %{EVR}
+Obsoletes: bind9.16-chroot < %{EVR}
 %description chroot
 This package contains a tree of files which can be used as a
@@ -236,22 +241,22 @@ Based on the code from Jan "Yenya" Kasprzak
 %if %{with DLZ}
 %package dlz-filesystem
 Summary: BIND server filesystem DLZ module
-Requires: bind = %{epoch}:%{version}-%{release}
+Requires: bind = %{EVR}
 %description dlz-filesystem
 Dynamic Loadable Zones filesystem module for BIND server.
 %package dlz-ldap
 Summary: BIND server ldap DLZ module
-Requires: bind = %{epoch}:%{version}-%{release}
+Requires: bind = %{EVR}
 %description dlz-ldap
 Dynamic Loadable Zones LDAP module for BIND server.
 %package dlz-mysql
 Summary: BIND server mysql and mysqldyn DLZ modules
-Requires: bind = %{epoch}:%{version}-%{release}
-Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
+Requires: bind = %{EVR}
+Provides: %{name}-dlz-mysqldyn = %{EVR}
 Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
 %description dlz-mysql
@@ -264,8 +269,9 @@ Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
 %if %{with DOC}
 %package doc
 Summary: BIND 9 Administrator Reference Manual
-Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: bind-license = %{EVR}
 Requires: python3-sphinx_rtd_theme
+Obsoletes: bind9.16-doc < %{EVR}
 BuildArch: noarch
 %description doc
@@ -315,7 +321,6 @@ LIBDIR_SUFFIX=
 export LIBDIR_SUFFIX
 %configure \
 --enable-largefile \
- --enable-epoll \
 --localstatedir=%{_var} \
 --with-pic \
 --with-json-c=yes \
@@ -570,7 +575,6 @@ fi; :;
 %post
-%?ldconfig
 if [ -e "%{_sysconfdir}/selinux/config" ]; then
 %selinux_set_booleans -s targeted %{selinuxbooleans}
 %selinux_set_booleans -s mls %{selinuxbooleans}
@@ -605,7 +609,6 @@ fi
 %systemd_preun named.service
 %postun
-%?ldconfig
 # Package upgrade, not uninstall
 %systemd_postun_with_restart named.service
 if [ -e "%{_sysconfdir}/selinux/config" ]; then
@@ -629,8 +632,6 @@ fi
 /sbin/chkconfig --del named >/dev/null 2>&1 || :
 /bin/systemctl try-restart named.service >/dev/null 2>&1 || :
-%ldconfig_scriptlets libs
-
 %post chroot
 %systemd_post named-chroot.service
 %chroot_fix_devices %{chroot_prefix}
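Review bot: The dlz-filesystem, dlz-ldap and dlz-mysql subpackages in the `@@ -236,22 +241,22 @@` hunk get the `%{EVR}` rewrite but no `Obsoletes: bind9.16-dlz-* < %{EVR}` line, unlike every other subpackage this commit touches; if the bind9.16 package in anolis 8 shipped DLZ modules, those old modules have no upgrade path and would remain installed beside the new `named`. I cannot see the bind9.16 spec from here, so this may be deliberate, but then a one-line comment under `%if %{with DLZ}` saying so would stop the next reader from re-checking it. The removal of `%?ldconfig` in `%post`/`%postun` and of `%ldconfig_scriptlets libs` in the later hunks relies on the distribution's glibc file triggers running ldconfig, which holds on anolis 8 as far as I know but is an unstated assumption worth a short comment at the first of those sites.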
@@ -846,6 +847,10 @@ fi;
 %doc %{_pkgdocdir}/Bv9ARM.pdf
 %changelog
+* Tue Feb 13 2024 Funda Wang - 32:9.18.24-1
+- New version 9.18.24
+- Add upgrade path from bind9.16 in anolis 8
+
 * Wed Dec 27 2023 Caspar Zhang - 32:9.18.16-2
 - Fix CVE-2023-3341 and CVE-2023-4236