diff --git a/10028-fix-CVE-2023-7008.patch b/10028-fix-CVE-2023-7008.patch
new file mode 100644
index 0000000000000000000000000000000000000000..84343fb42abe020f13bda10dbd53c9f36f9df607
--- /dev/null
+++ b/10028-fix-CVE-2023-7008.patch
@@ -0,0 +1,34 @@
+From 224b448151075a4400531c6b813273733f0c3563 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Thu, 11 Jul 2024 19:43:48 +0800
+Subject: [PATCH] fix CVE-2023-7008
+
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index c975215..6f614d7 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2520,7 +2520,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return t->answer_authenticated;
++ return dt->answer_authenticated;
+ }
+
+ return true;
+@@ -2550,7 +2550,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ * RR for us. This means we are not at a zone cut. In
+ * this case, we require authentication if the SOA
+ * lookup was authenticated too. */
+- return t->answer_authenticated;
++ return dt->answer_authenticated;
+ }
+
+ return true;
+--
+2.43.5
+
diff --git a/systemd.spec b/systemd.spec
index cb2f21b1badabefd1e04d3f29c6930c187d0a43a..6d40be3eb2580b61d2956a56537718b35bd1b091 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.6
+%define anolis_release .0.7
 #global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f
 %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
 
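Review bot: The new file 10028-fix-CVE-2023-7008.patch has no description or upstream reference. Its header is only `From: rpm-build` and `Subject: [PATCH] fix CVE-2023-7008`, so a later auditor cannot tell which upstream change it backports or why both `return t->answer_authenticated;` lines in `dns_transaction_requires_rrsig()` become `return dt->answer_authenticated;`. I would add a body along the lines of `Whether an RRSIG is required must follow the authenticated state of the auxiliary lookup (dt), not of the transaction being validated (t); backport of upstream commit <upstream-commit-id>.` The declaration of `dt` and the loops that set it lie outside both inner hunks, so confirm against the 239 tree that `dt` is in scope and is the matching auxiliary transaction at each site. No regression test ships with the patch; a resolved test that pins the return value when the auxiliary lookup is unauthenticated would keep the fix from silently regressing in a later rebase.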
@@ -1060,6 +1060,7 @@ Patch10024: 10024-fileio-teach-read_full_file_full-to-read-from-offse.patch Patch10025: 10025-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch Patch10026: 10026-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch Patch10027: 10027-fix-compilation-without-utmp.patch +Patch10028: 10028-fix-CVE-2023-7008.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch # Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch @@ -1795,6 +1796,9 @@ fi %files tests -f .file-list-tests %changelog +* Thu Jul 11 2024 Wenlong Zhang - 239-78.0.7 +- fix CVE-2023-7008 + * Thu Apr 18 2024 Weisson - 239-78.0.6 - add seccomp support for sw_64. - add test-seccomp support for sw_64.