diff --git a/Fix-CVE-2023-7008.patch b/Fix-CVE-2023-7008.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ffe3aaefb9a218b93ead0d53c886e8eee5f2009b
--- /dev/null
+++ b/Fix-CVE-2023-7008.patch
@@ -0,0 +1,39 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Conflict:code context adaptation
+Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 262f63c..3a3c078 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2459,7 +2459,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return t->answer_authenticated;
++ return dt->answer_authenticated;
+ }
+
+ return true;
+@@ -2489,7 +2489,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ * RR for us. This means we are not at a zone cut. In
+ * this case, we require authentication if the SOA
+ * lookup was authenticated too. */
+- return t->answer_authenticated;
++ return dt->answer_authenticated;
+ }
+
+ return true;
+--
+2.33.0
+
diff --git a/systemd.spec b/systemd.spec
index cb2f21b1badabefd1e04d3f29c6930c187d0a43a..af7e4240cb8aeef0146b95080cf855bd5bc51662 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.6
+%define anolis_release .0.7
 #global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f
 %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
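Review bot: The preamble's `Conflict:code context adaptation` line does not say what was adapted, and for a DNSSEC-validation fix that every later rebase of this 239 branch has to carry forward that is the first thing the next maintainer will need; I would expand it to roughly `Conflict: upstream fixes the same t->dt mix-up on answer_query_flags/SD_RESOLVED_AUTHENTICATED; the 239 tree still has the bool answer_authenticated, so the fix is applied to that field` (that is my recollection of upstream's form — check it against the referenced commit before wording it as fact). In both inner hunks `t` is the transaction passed to `dns_transaction_requires_rrsig` and `dt` is the SOA lookup the surrounding comment refers to, so the old `return t->answer_authenticated` consulted the wrong transaction's flag; a comment above each fixed return, `/* ask the SOA lookup (dt), not the RR's own transaction (t) */`, would keep a future cleanup from quietly reverting it. Upstream's diffstat (2 insertions, 2 deletions) matches what is carried here, but the rest of the function lies outside the hunk, so checking the remaining body of `dns_transaction_requires_rrsig` in the patched 239 tree for any other `t->answer_authenticated` use is cheap insurance that no third site was left behind. Consider also recording in the changelog or preamble how the fix was verified, e.g. that with `DNSSEC=yes` a query for an unsigned name inside a signed zone is now refused rather than answered, which as far as I recall is the failure the referenced issue #25676 describes.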
@@ -1060,6 +1060,8 @@ Patch10024: 10024-fileio-teach-read_full_file_full-to-read-from-offse.patch
 Patch10025: 10025-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch
 Patch10026: 10026-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch
 Patch10027: 10027-fix-compilation-without-utmp.patch
+# Fix-CVE-2023-7008 Upstream fix:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+Patch10028: Fix-CVE-2023-7008.patch
 Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch
 # Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch
@@ -1795,6 +1797,9 @@ fi
 %files tests -f .file-list-tests
 %changelog
+* Fri Jun 07 2024 Kai Song - 239-78.0.7
+- Fix CVE-2023-7008
+
 * Thu Apr 18 2024 Weisson - 239-78.0.6
 - add seccomp support for sw_64.
 - add test-seccomp support for sw_64.
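Review bot: Nothing in this hunk shows the new patch being applied: if this spec's %prep applies patches individually (`%patch10028 -p1` style) rather than through `%autosetup`/`%autopatch`, the `Patch10028:` declaration alone leaves the build unpatched while the changelog claims the CVE is fixed; %prep is outside this diff, so please confirm which form it uses. If it is `%autosetup -p1`, the declaration is all that is needed and this hunk is complete. A cheap end-to-end check either way is `rpmbuild -bp` on the spec followed by `grep -n 'dt->answer_authenticated' src/resolve/resolved-dns-transaction.c` in the prepared tree, which should show both fixed lines.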