Hello community,

here is the log from the commit of package bind.4614 for openSUSE:13.1:Update checked in at 2016-03-19 09:02:07

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/bind.4614 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.bind.4614.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind.4614"

Changes:
--------
New Changes file:

--- /dev/null	2016-01-27 19:41:03.648095915 +0100
+++ /work/SRC/openSUSE:13.1:Update/.bind.4614.new/bind.changes	2016-03-19 09:02:09.000000000 +0100
@@ -0,0 +1,1805 @@ +------------------------------------------------------------------- +Fri Mar 11 18:41:44 UTC 2016 - mkube...@suse.cz + +- bind-CVE-2016-1285-1286.patch: + * remote DoS via malformed data over control channel + (CVE-2016-1285 bsc#970072) + * remote DoS via malformed DNAME record + (CVE-2016-1286 bsc#970073) + +------------------------------------------------------------------- +Sat Feb 20 14:04:41 UTC 2016 - astie...@suse.com + +- re-release binaries to resolve incident number sequencing issue + affecing subsequent tree builds (boo#967403) + +------------------------------------------------------------------- +Wed Jan 20 10:12:42 UTC 2016 - m...@suse.com + +- Fix Specific APL data could trigger an INSIST + (CVE-2015-8704, bsc#962189). + +------------------------------------------------------------------- +Wed Dec 16 11:06:01 UTC 2015 - m...@suse.com + +- Fix remote denial of service by misparsing incoming responses + (CVE-2015-8000, bsc#958861). + +------------------------------------------------------------------- +Mon Sep 14 12:07:37 UTC 2015 - m...@suse.com + +- Fix DoS against servers performing validation on DNSSEC-signed + records (CVE-2015-5722, bsc#944066). + +------------------------------------------------------------------- +Mon Jul 27 16:16:46 UTC 2015 - m...@suse.com + +- Fix DoS against authoritative and recursive servers. + bnc#939567, CVE-2015-5477 + +------------------------------------------------------------------- +Wed Jul 8 15:40:03 UTC 2015 - m...@suse.com + +- A problem with trust anchor management can cause named to crash + (CVE-2015-1349, bsc#918330) +- Fix resolver crash when validating (CVE-2015-4620, bsc#936476). +- Make sure %version and %pkg_vers are in sync (bnc#937028). + +------------------------------------------------------------------- +Tue Feb 11 13:39:10 UTC 2014 - m...@suse.com + +- Fix generation of /etc/named.conf.include + (bnc#828678, bnc#848777, bnc#814978). 
+ +------------------------------------------------------------------- +Tue Jan 21 17:02:30 UTC 2014 - m...@suse.com + +- Update to version 9.9.4P2 + * Fixes named crash when handling malformed NSEC3-signed zones + (CVE-2014-0591, bnc#858639) + * Obsoletes workaround-compile-problem.diff +- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now + supported upstream (--enable-rrl). + +------------------------------------------------------------------- +Wed Aug 7 15:19:10 UTC 2013 - m...@suse.com + +- Systemd doesn't set $TERM, and hence breaks tput (bnc#823175). + +------------------------------------------------------------------- +Tue Aug 6 10:09:22 UTC 2013 - m...@suse.com + +- Improve pie_compile.diff (bnc#828874). +- dnssec-checkds and dnssec-coverage need python-base. +- disable rpath in libtool. + +------------------------------------------------------------------- +Mon Aug 5 14:50:20 UTC 2013 - m...@suse.com + +- Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899. + * Incorrect bounds checking on private type 'keydata' can lead + to a remotely triggerable REQUIRE failure. + +------------------------------------------------------------------- +Wed Jul 24 15:37:09 UTC 2013 - m...@suse.com + +- Remove non-working apparmor profiles (bnc#740327). + +------------------------------------------------------------------- +Wed Jul 17 14:09:02 CEST 2013 - m...@suse.de + +- the README file is not a directory, drop the dir attribute + +------------------------------------------------------------------- +Mon Jun 24 13:17:11 UTC 2013 - meiss...@suse.com + +- Updated to 9.9.3-P1 + Various bugfixes and some feature fixes. 
(see CHANGES files) + Security and maintenance issues: + + - [security] Caching data from an incompletely signed zone could + trigger an assertion failure in resolver.c [RT #33690] + - [security] Support NAPTR regular expression validation on + all platforms without using libregex, which + can be vulnerable to memory exhaustion attack + (CVE-2013-2266). [RT #32688] + - [security] RPZ rules to generate A records (but not AAAA records) + could trigger an assertion failure when used in + conjunction with DNS64 (CVE-2012-5689). [RT #32141] + - [bug] Fixed several Coverity warnings. + Note: This change includes a fix for a bug that + was subsequently determined to be an exploitable + security vulnerability, CVE-2012-5688: named could + die on specific queries with dns64 enabled. + [RT #30996] + + - [maint] Added AAAA for D.ROOT-SERVERS.NET. + - [maint] D.ROOT-SERVERS.NET is now 199.7.91.13. +- Updated to current rate limiting + rpz patch from + http://ss.vix.su/~vjs/rrlrpz.html +- moved dnssec-* helpers to bind-utils package. bnc#813911 + +------------------------------------------------------------------- +Wed May 8 08:21:52 UTC 2013 - sch...@suse.de + +- Use updated config.guess/sub in the embedded idnkit sources + +------------------------------------------------------------------- +Wed Mar 27 12:33:34 UTC 2013 - meiss...@suse.com + +- Updated to 9.9.2-P2 (bnc#811876) + Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266 + + * Security Fixes + Removed the check for regex.h in configure in order to disable regex + syntax checking, as it exposes BIND to a critical flaw in libregex + on some platforms. [RT #32688] + +- added gpg key source verification + +------------------------------------------------------------------- +Thu Dec 6 08:00:31 UTC 2012 - meiss...@suse.com + +- Updated to 9.9.2-P1 (bnc#792926) + https://kb.isc.org/article/AA-00828 + * Security Fixes + + Prevents named from aborting with a require assertion failure on + servers with DNS64 enabled. 
These crashes might occur as a result of + specific queries that are received. (Note that this fix is a subset + of a series of updates that will be included in full in BIND 9.8.5 + and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792] + + A deliberately constructed combination of records could cause + named to hang while populating the additional section of a + response. [CVE-2012-5166] [RT #31090] + + Prevents a named assert (crash) when queried for a record whose + RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416] + + Prevents a named assert (crash) when validating caused by using + "Bad cache" data before it has been initialized. [CVE-2012-3817] + [RT #30025] + + A condition has been corrected where improper handling of zero-length + RDATA could cause undesirable behavior, including termination of + the named process. [CVE-2012-1667] [RT #29644] + + ISC_QUEUE handling for recursive clients was updated to address a race + condition that could cause a memory leak. This rarely occurred with + UDP clients, but could be a significant problem for a server handling + a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233] + +New Features + + Elliptic Curve Digital Signature Algorithm keys and signatures in + DNSSEC are now supported per RFC 6605. [RT #21918] + + Introduces a new tool "dnssec-checkds" command that checks a zone to + determine which DS records should be published in the parent zone, + or which DLV records should be published in a DLV zone, and queries + the DNS to ensure that it exists. (Note: This tool depends on python; + it will not be built or installed on systems that do not have a + python interpreter.) [RT #28099] + + Introduces a new tool "dnssec-verify" that validates a signed zone, + checking for the correctness of signatures and NSEC/NSEC3 chains. 
+ [RT #23673] + + Adds configuration option "max-rsa-exponent-size <value>;" that + can be used to specify the maximum rsa exponent size that will be + accepted when validating [RT #29228] + +Feature Changes + + Improves OpenSSL error logging [RT #29932] + nslookup now returns a nonzero exit code when it is unable to get + an answer. [RT #29492] ++++ 1608 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.bind.4614.new/bind.changes New: ---- Makefile.in.diff baselibs.conf bind-9.9.4-P2.tar.gz bind-9.9.4-P2.tar.gz.asc bind-CVE-2015-1349.patch bind-CVE-2015-4620.patch bind-CVE-2015-5477.patch bind-CVE-2015-5722.patch bind-CVE-2015-8000.patch bind-CVE-2015-8704.patch bind-CVE-2016-1285-1286.patch bind.changes bind.keyring bind.spec configure.in.diff configure.in.diff2 dlz-schema.txt dnszone-schema.txt named-bootconf.diff named.root perl-path.diff pid-path.diff pie_compile.diff rpz2-9.9.4.patch vendor-files.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ ++++ 748 lines (skipped) ++++++ Makefile.in.diff ++++++ Index: bind-9.9.3-P1/bin/named/Makefile.in =================================================================== --- bind-9.9.3-P1.orig/bin/named/Makefile.in +++ bind-9.9.3-P1/bin/named/Makefile.in 
@@ -175,9 +175,7 @@ installdirs: install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) - ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 + for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done @DLZ_DRIVER_RULES@ ++++++ baselibs.conf ++++++ bind-libs obsoletes "bind-utils-<targettype>" provides "bind-utils-<targettype>" arch ppc package bind-devel requires -bind-<targettype> requires "bind-libs-<targettype> = <version>" arch sparcv9 package bind-devel requires -bind-<targettype> requires "bind-libs-<targettype> = <version>" ++++++ bind-CVE-2015-1349.patch ++++++ Index: bind-9.9.4-P2/lib/dns/zone.c =================================================================== --- bind-9.9.4-P2.orig/lib/dns/zone.c 2015-07-08 15:58:17.098535220 +0200 +++ bind-9.9.4-P2/lib/dns/zone.c 2015-07-08 17:37:50.868674830 +0200 @@ -8456,6 +8456,12 @@ namebuf, tag); trustkey = ISC_TRUE; } + } else { + /* + * No previously known key, and the key is not + * secure, so skip it. + */ + continue; } /* Delete old version */ @@ -8504,7 +8510,7 @@ trust_key(zone, keyname, &dnskey, mctx); } - if (!deletekey) + if (secure && !deletekey) set_refreshkeytimer(zone, &keydata, now); } ++++++ bind-CVE-2015-4620.patch ++++++ --- a/lib/dns/validator.c +++ a/lib/dns/validator.c @@ -1422,7 +1422,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) { */ static isc_boolean_t isselfsigned(dns_validator_t *val) { - dns_fixedname_t fixed; dns_rdataset_t *rdataset, *sigrdataset; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t sigrdata = DNS_RDATA_INIT; 
@@ -1478,8 +1477,7 @@ isselfsigned(dns_validator_t *val) { result = dns_dnssec_verify3(name, rdataset, dstkey, ISC_TRUE, val->view->maxbits, - mctx, &sigrdata, - dns_fixedname_name(&fixed)); + mctx, &sigrdata, NULL); dst_key_free(&dstkey); if (result != ISC_R_SUCCESS) continue; ++++++ bind-CVE-2015-5477.patch ++++++ Index: lib/dns/tkey.c =================================================================== --- lib/dns/tkey.c.orig 2015-07-28 15:06:08.763863486 +0200 +++ lib/dns/tkey.c 2015-07-28 15:07:01.031540449 +0200 @@ -650,6 +650,7 @@ * Try the answer section, since that's where Win2000 * puts it. */ + name = NULL; if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname, dns_rdatatype_tkey, 0, &name, &tkeyset) != ISC_R_SUCCESS) { ++++++ bind-CVE-2015-5722.patch ++++++ --- a/lib/dns/hmac_link.c +++ a/lib/dns/hmac_link.c @@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) { hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); if (hmacmd5ctx == NULL) return (ISC_R_NOMEMORY); - isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); + isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; return (ISC_R_SUCCESS); } @@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) { else if (hkey1 == NULL || hkey2 == NULL) return (ISC_FALSE); - if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) + if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) return (ISC_TRUE); else return (ISC_FALSE); 
@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_t b; isc_result_t ret; unsigned int bytes; - unsigned char data[ISC_SHA1_BLOCK_LENGTH]; + unsigned char data[ISC_MD5_BLOCK_LENGTH]; UNUSED(callback); bytes = (key->key_size + 7) / 8; - if (bytes > ISC_SHA1_BLOCK_LENGTH) { - bytes = ISC_SHA1_BLOCK_LENGTH; - key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; + if (bytes > ISC_MD5_BLOCK_LENGTH) { + bytes = ISC_MD5_BLOCK_LENGTH; + key->key_size = ISC_MD5_BLOCK_LENGTH * 8; } - memset(data, 0, ISC_SHA1_BLOCK_LENGTH); + memset(data, 0, ISC_MD5_BLOCK_LENGTH); ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); if (ret != ISC_R_SUCCESS) @@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { isc_buffer_init(&b, data, bytes); isc_buffer_add(&b, bytes); ret = hmacmd5_fromdns(key, &b); - memset(data, 0, ISC_SHA1_BLOCK_LENGTH); + memset(data, 0, ISC_MD5_BLOCK_LENGTH); return (ret); } @@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) { memset(hkey->key, 0, sizeof(hkey->key)); - if (r.length > ISC_SHA1_BLOCK_LENGTH) { + if (r.length > ISC_MD5_BLOCK_LENGTH) { isc_md5_init(&md5ctx); isc_md5_update(&md5ctx, r.base, r.length); isc_md5_final(&md5ctx, hkey->key); @@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) { key->key_size = keylen * 8; key->keydata.hmacmd5 = hkey; + isc_buffer_forward(data, r.length); + return (ISC_R_SUCCESS); } @@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) { key->key_size = keylen * 8; key->keydata.hmacsha1 = hkey; + isc_buffer_forward(data, r.length); + return (ISC_R_SUCCESS); } @@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) { key->key_size = keylen * 8; key->keydata.hmacsha224 = hkey; + isc_buffer_forward(data, r.length); + return (ISC_R_SUCCESS); } 
@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) { key->key_size = keylen * 8; key->keydata.hmacsha256 = hkey; + isc_buffer_forward(data, r.length); + return (ISC_R_SUCCESS); } @@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) { key->key_size = keylen * 8; key->keydata.hmacsha384 = hkey; + isc_buffer_forward(data, r.length); + return (ISC_R_SUCCESS); } @@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) { key->key_size = keylen * 8; key->keydata.hmacsha512 = hkey; + isc_buffer_forward(data, r.length); + return (ISC_R_SUCCESS); } --- a/lib/dns/include/dst/dst.h +++ a/lib/dns/include/dst/dst.h @@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t; #define DST_ALG_HMACSHA256 163 /* XXXMPA */ #define DST_ALG_HMACSHA384 164 /* XXXMPA */ #define DST_ALG_HMACSHA512 165 /* XXXMPA */ +#define DST_ALG_INDIRECT 252 #define DST_ALG_PRIVATE 254 #define DST_ALG_EXPAND 255 #define DST_MAX_ALGS 255 --- a/lib/dns/ncache.c +++ a/lib/dns/ncache.c @@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name, dns_name_fromregion(&tname, &remaining); INSIST(remaining.length >= tname.length); isc_buffer_forward(&source, tname.length); - remaining.length -= tname.length; - remaining.base += tname.length; + isc_region_consume(&remaining, tname.length); INSIST(remaining.length >= 2); type = isc_buffer_getuint16(&source); - remaining.length -= 2; - remaining.base += 2; + isc_region_consume(&remaining, 2); if (type != dns_rdatatype_rrsig || !dns_name_equal(&tname, name)) { @@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name, INSIST(remaining.length >= 1); trust = isc_buffer_getuint8(&source); INSIST(trust <= dns_trust_ultimate); - remaining.length -= 1; - remaining.base += 1; + isc_region_consume(&remaining, 1); raw = remaining.base; count = raw[0] * 256 + raw[1]; --- a/lib/dns/openssldh_link.c +++ a/lib/dns/openssldh_link.c 
@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) { static void uint16_toregion(isc_uint16_t val, isc_region_t *region) { - *region->base++ = (val & 0xff00) >> 8; - *region->base++ = (val & 0x00ff); + *region->base = (val & 0xff00) >> 8; + isc_region_consume(region, 1); + *region->base = (val & 0x00ff); + isc_region_consume(region, 1); } static isc_uint16_t @@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) { val = ((unsigned int)(cp[0])) << 8; val |= ((unsigned int)(cp[1])); - region->base += 2; + isc_region_consume(region, 2); + return (val); } @@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { } else BN_bn2bin(dh->p, r.base); - r.base += plen; + isc_region_consume(&r, plen); uint16_toregion(glen, &r); if (glen > 0) BN_bn2bin(dh->g, r.base); - r.base += glen; + isc_region_consume(&r, glen); uint16_toregion(publen, &r); BN_bn2bin(dh->pub_key, r.base); - r.base += publen; + isc_region_consume(&r, publen); isc_buffer_add(data, dnslen); @@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { return (DST_R_INVALIDPUBLICKEY); } if (plen == 1 || plen == 2) { - if (plen == 1) - special = *r.base++; - else + if (plen == 1) { + special = *r.base; + isc_region_consume(&r, 1); + } else { special = uint16_fromregion(&r); + } switch (special) { case 1: dh->p = &bn768; @@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { DH_free(dh); return (DST_R_INVALIDPUBLICKEY); } - } - else { + } else { dh->p = BN_bin2bn(r.base, plen, NULL); - r.base += plen; + isc_region_consume(&r, plen); } /* @@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { return (DST_R_INVALIDPUBLICKEY); } } - } - else { + } else { if (glen == 0) { DH_free(dh); return (DST_R_INVALIDPUBLICKEY); } dh->g = BN_bin2bn(r.base, glen, NULL); } - r.base += glen; + isc_region_consume(&r, glen); if (r.length < 2) { DH_free(dh); 
@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { return (DST_R_INVALIDPUBLICKEY); } dh->pub_key = BN_bin2bn(r.base, publen, NULL); - r.base += publen; + isc_region_consume(&r, publen); key->key_size = BN_num_bits(dh->p); --- a/lib/dns/openssldsa_link.c +++ a/lib/dns/openssldsa_link.c @@ -29,8 +29,6 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - #ifdef OPENSSL #ifndef USE_EVP #define USE_EVP 1 @@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { DSA *dsa = key->keydata.dsa; isc_region_t r; DSA_SIG *dsasig; + unsigned int klen; #if USE_EVP EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey; @@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { ISC_R_FAILURE)); } free(sigbuf); + #elif 0 /* Only use EVP for the Digest */ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { @@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { "DSA_do_sign", DST_R_SIGNFAILURE)); #endif - *r.base++ = (key->key_size - 512)/64; + + klen = (key->key_size - 512)/64; + if (klen > 255) + return (ISC_R_FAILURE); + *r.base = klen; + isc_region_consume(&r, 1); + BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); - r.base += ISC_SHA1_DIGESTLENGTH; + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); - r.base += ISC_SHA1_DIGESTLENGTH; + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); DSA_SIG_free(dsasig); isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); 
@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { if (r.length < (unsigned int) dnslen) return (ISC_R_NOSPACE); - *r.base++ = t; + *r.base = t; + isc_region_consume(&r, 1); BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); - r.base += ISC_SHA1_DIGESTLENGTH; + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); - r.base += p_bytes; + isc_region_consume(&r, p_bytes); BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); - r.base += p_bytes; + isc_region_consume(&r, p_bytes); BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); - r.base += p_bytes; + isc_region_consume(&r, p_bytes); isc_buffer_add(data, dnslen); @@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { return (ISC_R_NOMEMORY); dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; - t = (unsigned int) *r.base++; + t = (unsigned int) *r.base; + isc_region_consume(&r, 1); if (t > 8) { DSA_free(dsa); return (DST_R_INVALIDPUBLICKEY); } p_bytes = 64 + 8 * t; - if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { + if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { DSA_free(dsa); return (DST_R_INVALIDPUBLICKEY); } dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); - r.base += ISC_SHA1_DIGESTLENGTH; + isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); dsa->p = BN_bin2bn(r.base, p_bytes, NULL); - r.base += p_bytes; + isc_region_consume(&r, p_bytes); dsa->g = BN_bin2bn(r.base, p_bytes, NULL); - r.base += p_bytes; + isc_region_consume(&r, p_bytes); dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); - r.base += p_bytes; + isc_region_consume(&r, p_bytes); key->key_size = p_bytes * 8; --- a/lib/dns/opensslecdsa_link.c +++ a/lib/dns/opensslecdsa_link.c @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - #include <config.h> #ifdef HAVE_OPENSSL_ECDSA 
@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { "ECDSA_do_sign", DST_R_SIGNFAILURE)); BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); - r.base += siglen / 2; + isc_region_consume(&r, siglen / 2); BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); - r.base += siglen / 2; + isc_region_consume(&r, siglen / 2); ECDSA_SIG_free(ecdsasig); isc_buffer_add(sig, siglen); ret = ISC_R_SUCCESS; --- a/lib/dns/opensslrsa_link.c +++ a/lib/dns/opensslrsa_link.c @@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { RSA *rsa; isc_region_t r; unsigned int e_bytes; + unsigned int length; #if USE_EVP EVP_PKEY *pkey; #endif @@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_remainingregion(data, &r); if (r.length == 0) return (ISC_R_SUCCESS); + length = r.length; rsa = RSA_new(); if (rsa == NULL) @@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { RSA_free(rsa); return (DST_R_INVALIDPUBLICKEY); } - e_bytes = *r.base++; - r.length--; + e_bytes = *r.base; + isc_region_consume(&r, 1); if (e_bytes == 0) { if (r.length < 2) { RSA_free(rsa); return (DST_R_INVALIDPUBLICKEY); } - e_bytes = ((*r.base++) << 8); - e_bytes += *r.base++; - r.length -= 2; + e_bytes = (*r.base) << 8; + isc_region_consume(&r, 1); + e_bytes += *r.base; + isc_region_consume(&r, 1); } if (r.length < e_bytes) { @@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { return (DST_R_INVALIDPUBLICKEY); } rsa->e = BN_bin2bn(r.base, e_bytes, NULL); - r.base += e_bytes; - r.length -= e_bytes; + isc_region_consume(&r, e_bytes); rsa->n = BN_bin2bn(r.base, r.length, NULL); key->key_size = BN_num_bits(rsa->n); - isc_buffer_forward(data, r.length); + isc_buffer_forward(data, length); #if USE_EVP pkey = EVP_PKEY_new(); --- a/lib/dns/resolver.c +++ a/lib/dns/resolver.c 
@@ -9058,6 +9058,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, REQUIRE(VALID_RESOLVER(resolver)); + /* + * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. + */ + if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) + return (ISC_FALSE); + #if USE_ALGLOCK RWLOCK(&resolver->alglock, isc_rwlocktype_read); #endif @@ -9077,6 +9083,7 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, #endif if (found) return (ISC_FALSE); + return (dst_algorithm_supported(alg)); } ++++++ bind-CVE-2015-8000.patch ++++++ @@ -, +, @@ 4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #4098] (cherry picked from commit c8821d124c532e0a65752b378f924d4259499fd3) (cherry picked from commit 9631d0769e09c823acb68ed9795f220bf37800ca) Index: bind-9.9.4-P2/CHANGES =================================================================== --- bind-9.9.4-P2.orig/CHANGES +++ bind-9.9.4-P2/CHANGES @@ -1,3 +1,8 @@ +4260. [security] Insufficient testing when parsing a message allowed + records with an incorrect class to be be accepted, + triggering a REQUIRE failure when those records + were subsequently cached. (CVE-2015-8000) [RT #4098] + --- 9.9.4-P2 released --- 3693. [security] memcpy was incorrectly called with overlapping Index: bind-9.9.4-P2/bin/tests/system/start.pl =================================================================== --- bind-9.9.4-P2.orig/bin/tests/system/start.pl +++ bind-9.9.4-P2/bin/tests/system/start.pl @@ -68,6 +68,7 @@ my $LWRESD = $ENV{'LWRESD'}; my $DIG = $ENV{'DIG'}; my $PERL = $ENV{'PERL'}; +my $PYTHON = $ENV{'PYTHON'}; # Start the server(s) 
@@ -188,7 +189,9 @@ $pid_file = "lwresd.pid"; } elsif ($server =~ /^ans/) { $cleanup_files = "{ans.run}"; - if (-e "$testdir/$server/ans.pl") { + if (-e "$testdir/$server/ans.py") { + $command = "$PYTHON ans.py 10.53.0.$' 5300"; + } elsif (-e "$testdir/$server/ans.pl") { $command = "$PERL ans.pl"; } else { $command = "$PERL $topdir/ans.pl 10.53.0.$'"; Index: bind-9.9.4-P2/lib/dns/include/dns/message.h =================================================================== --- bind-9.9.4-P2.orig/lib/dns/include/dns/message.h +++ bind-9.9.4-P2/lib/dns/include/dns/message.h @@ -15,8 +15,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id$ */ - #ifndef DNS_MESSAGE_H #define DNS_MESSAGE_H 1 @@ -210,6 +208,8 @@ unsigned int verify_attempted : 1; unsigned int free_query : 1; unsigned int free_saved : 1; + unsigned int tkey : 1; + unsigned int rdclass_set : 1; unsigned int opt_reserved; unsigned int sig_reserved; @@ -1374,6 +1374,15 @@ * \li other. */ +void +dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass); +/*%< + * Set the expected class of records in the response. + * + * Requires: + * \li msg be a valid message with parsing intent. + */ + ISC_LANG_ENDDECLS #endif /* DNS_MESSAGE_H */ Index: bind-9.9.4-P2/lib/dns/message.c =================================================================== --- bind-9.9.4-P2.orig/lib/dns/message.c +++ bind-9.9.4-P2/lib/dns/message.c @@ -436,6 +436,8 @@ m->saved.base = NULL; m->saved.length = 0; m->free_saved = 0; + m->tkey = 0; + m->rdclass_set = 0; m->querytsig = NULL; } 
@@ -1086,13 +1088,19 @@ * If this class is different than the one we already read, * this is an error. */ - if (msg->state == DNS_SECTION_ANY) { - msg->state = DNS_SECTION_QUESTION; + if (msg->rdclass_set == 0) { msg->rdclass = rdclass; + msg->rdclass_set = 1; } else if (msg->rdclass != rdclass) DO_FORMERR; /* + * Is this a TKEY query? + */ + if (rdtype == dns_rdatatype_tkey) + msg->tkey = 1; + + /* * Can't ask the same question twice. */ result = dns_message_find(name, rdclass, rdtype, 0, NULL); @@ -1236,12 +1244,12 @@ * If there was no question section, we may not yet have * established a class. Do so now. */ - if (msg->state == DNS_SECTION_ANY && + if (msg->rdclass_set == 0 && rdtype != dns_rdatatype_opt && /* class is UDP SIZE */ rdtype != dns_rdatatype_tsig && /* class is ANY */ rdtype != dns_rdatatype_tkey) { /* class is undefined */ msg->rdclass = rdclass; - msg->state = DNS_SECTION_QUESTION; + msg->rdclass_set = 1; } /* @@ -1251,7 +1259,7 @@ if (msg->opcode != dns_opcode_update && rdtype != dns_rdatatype_tsig && rdtype != dns_rdatatype_opt - && rdtype != dns_rdatatype_dnskey /* in a TKEY query */ + && rdtype != dns_rdatatype_key /* in a TKEY query */ && rdtype != dns_rdatatype_sig /* SIG(0) */ && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */ && msg->rdclass != dns_rdataclass_any @@ -1259,6 +1267,16 @@ DO_FORMERR; /* + * If this is not a TKEY query/response then the KEY + * record's class needs to match. + */ + if (msg->opcode != dns_opcode_update && !msg->tkey && + rdtype == dns_rdatatype_key && + msg->rdclass != dns_rdataclass_any && + msg->rdclass != rdclass) + DO_FORMERR; + + /* * Special type handling for TSIG, OPT, and TKEY. */ if (rdtype == dns_rdatatype_tsig) { @@ -1372,6 +1390,10 @@ skip_name_search = ISC_TRUE; skip_type_search = ISC_TRUE; issigzero = ISC_TRUE; + } else { + if (msg->rdclass != dns_rdataclass_any && + msg->rdclass != rdclass) + DO_FORMERR; } } else covers = 0; 
@@ -1610,6 +1632,7 @@ msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source); msg->header_ok = 1; + msg->state = DNS_SECTION_QUESTION; /* * -1 means no EDNS. @@ -3550,3 +3573,15 @@ dns_message_puttemprdatalist(message, &rdatalist); return (result); } + +void +dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) { + + REQUIRE(DNS_MESSAGE_VALID(msg)); + REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE); + REQUIRE(msg->state == DNS_SECTION_ANY); + REQUIRE(msg->rdclass_set == 0); + + msg->rdclass = rdclass; + msg->rdclass_set = 1; +} Index: bind-9.9.4-P2/lib/dns/resolver.c =================================================================== --- bind-9.9.4-P2.orig/lib/dns/resolver.c +++ bind-9.9.4-P2/lib/dns/resolver.c @@ -6907,6 +6907,8 @@ goto done; } + dns_message_setclass(message, fctx->res->rdclass); + result = dns_message_parse(message, &devent->buffer, 0); if (result != ISC_R_SUCCESS) { switch (result) { @@ -6979,6 +6981,12 @@ */ log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx); + if (message->rdclass != fctx->res->rdclass) { + resend = ISC_TRUE; + FCTXTRACE("bad class"); + goto done; + } + /* * Process receive opt record. */ Index: bind-9.9.4-P2/lib/dns/xfrin.c =================================================================== --- bind-9.9.4-P2.orig/lib/dns/xfrin.c +++ bind-9.9.4-P2/lib/dns/xfrin.c @@ -1241,6 +1241,8 @@ msg->tsigctx = xfr->tsigctx; xfr->tsigctx = NULL; + dns_message_setclass(msg, xfr->rdclass); + if (xfr->nmsg > 0) msg->tcp_continuation = 1; ++++++ bind-CVE-2015-8704.patch ++++++ --- a/lib/dns/rdata/in_1/apl_42.c +++ a/lib/dns/rdata/in_1/apl_42.c @@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) { isc_uint8_t len; isc_boolean_t neg; unsigned char buf[16]; - char txt[sizeof(" !64000")]; + char txt[sizeof(" !64000:")]; const char *sep = ""; int n; 
@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) { isc_region_consume(&sr, 1); INSIST(len <= sr.length); n = snprintf(txt, sizeof(txt), "%s%s%u:", sep, - neg ? "!": "", afi); + neg ? "!" : "", afi); INSIST(n < (int)sizeof(txt)); RETERR(str_totext(txt, target)); switch (afi) { ++++++ bind-CVE-2016-1285-1286.patch ++++++ diff --git a/bin/named/control.c b/bin/named/control.c index fabe442aabc3..06eadcea8360 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { #endif data = isccc_alist_lookup(message, "_data"); - if (data == NULL) { + if (!isccc_alist_alistp(data)) { /* * No data section. */ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index c46a6e15f467..ef3279006221 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -396,7 +396,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Limit exposure to replay attacks. */ _ctrl = isccc_alist_lookup(request, "_ctrl"); - if (_ctrl == NULL) { + if (!isccc_alist_alistp(_ctrl)) { log_invalid(&conn->ccmsg, ISC_R_FAILURE); goto cleanup_request; } diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index ba2c3f6d5598..9a007e2e6801 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -252,8 +252,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); data = isccc_alist_lookup(response, "_data"); - if (data == NULL) - fatal("no data section in response"); + if (!isccc_alist_alistp(data)) + fatal("bad or missing data section in response"); result = isccc_cc_lookupstring(data, "err", &errormsg); if (result == ISC_R_SUCCESS) { failed = ISC_TRUE; 
@@ -316,8 +316,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); _ctrl = isccc_alist_lookup(response, "_ctrl"); - if (_ctrl == NULL) - fatal("_ctrl section missing"); + if (!isccc_alist_alistp(_ctrl)) + fatal("bad or missing ctrl section in response"); nonce = 0; if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) nonce = 0; diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 2c23aa8b8daa..f24ccb139d3b 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -5351,14 +5351,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { } static inline isc_result_t -dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, - dns_name_t *oname, dns_fixedname_t *fixeddname) +dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, + unsigned int nlabels, dns_fixedname_t *fixeddname) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; - unsigned int nlabels; - int order; - dns_namereln_t namereln; dns_rdata_dname_t dname; dns_fixedname_t prefix; @@ -5373,21 +5370,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, if (result != ISC_R_SUCCESS) return (result); - /* - * Get the prefix of qname. - */ - namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); - if (namereln != dns_namereln_subdomain) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_rdata_freestruct(&dname); - dns_name_format(qname, qbuf, sizeof(qbuf)); - dns_name_format(oname, obuf, sizeof(obuf)); - log_formerr(fctx, "unrelated DNAME in answer: " - "%s is not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } dns_fixedname_init(&prefix); dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); dns_fixedname_init(fixeddname); 
@@ -6000,13 +5982,13 @@ static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; dns_message_t *message; - dns_name_t *name, *qname, tname, *ns_name; + dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; dns_rdataset_t *rdataset, *ns_rdataset; isc_boolean_t done, external, chaining, aa, found, want_chaining; isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; unsigned int aflag; dns_rdatatype_t type; - dns_fixedname_t dname, fqname; + dns_fixedname_t fdname, fqname; dns_view_t *view; FCTXTRACE("answer_response"); @@ -6034,10 +6016,15 @@ answer_response(fetchctx_t *fctx) { view = fctx->res->view; result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (!done && result == ISC_R_SUCCESS) { + dns_namereln_t namereln; + int order; + unsigned int nlabels; + name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); - if (dns_name_equal(name, qname)) { + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); + if (namereln == dns_namereln_equal) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; @@ -6162,10 +6149,11 @@ answer_response(fetchctx_t *fctx) { */ INSIST(!external); if (aflag == - DNS_RDATASETATTR_ANSWER) + DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_ANSWER; + name->attributes |= + DNS_NAMEATTR_ANSWER; + } rdataset->attributes |= aflag; if (aa) rdataset->trust = @@ -6220,6 +6208,8 @@ answer_response(fetchctx_t *fctx) { if (wanted_chaining) chaining = ISC_TRUE; } else { + dns_rdataset_t *dnameset = NULL; + /* * Look for a DNAME (or its SIG). Anything else is * ignored. 
@@ -6227,32 +6217,56 @@ answer_response(fetchctx_t *fctx) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) { - isc_boolean_t found_dname = ISC_FALSE; - dns_name_t *dname_name; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + /* + * Only pass DNAME or RRSIG(DNAME). + */ + if (rdataset->type != dns_rdatatype_dname && + (rdataset->type != dns_rdatatype_rrsig || + rdataset->covers != dns_rdatatype_dname)) + continue; + + /* + * If we're not chaining, then the DNAME and + * its signature should not be external. + */ + if (!chaining && external) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(name, qbuf, + sizeof(qbuf)); + dns_name_format(&fctx->domain, obuf, + sizeof(obuf)); + log_formerr(fctx, "external DNAME or " + "RRSIG covering DNAME " + "in answer: %s is " + "not in %s", qbuf, obuf); + return (DNS_R_FORMERR); + } + + if (namereln != dns_namereln_subdomain) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(qname, qbuf, + sizeof(qbuf)); + dns_name_format(name, obuf, + sizeof(obuf)); + log_formerr(fctx, "unrelated DNAME " + "in answer: %s is " + "not in %s", qbuf, obuf); + return (DNS_R_FORMERR); + } - found = ISC_FALSE; aflag = 0; if (rdataset->type == dns_rdatatype_dname) { - /* - * We're looking for something else, - * but we found a DNAME. - * - * If we're not chaining, then the - * DNAME should not be external. - */ - if (!chaining && external) { - log_formerr(fctx, - "external DNAME"); - return (DNS_R_FORMERR); - } - found = ISC_TRUE; want_chaining = ISC_TRUE; POST(want_chaining); aflag = DNS_RDATASETATTR_ANSWER; - result = dname_target(fctx, rdataset, - qname, name, - &dname); + result = dname_target(rdataset, qname, + nlabels, &fdname); if (result == ISC_R_NOSPACE) { /* * We can't construct the 
@@ -6264,90 +6278,73 @@ answer_response(fetchctx_t *fctx) { } else if (result != ISC_R_SUCCESS) return (result); else - found_dname = ISC_TRUE; + dnameset = rdataset; - dname_name = dns_fixedname_name(&dname); + dname = dns_fixedname_name(&fdname); if (!is_answertarget_allowed(view, - qname, - rdataset->type, - dname_name, - &fctx->domain)) { + qname, rdataset->type, + dname, &fctx->domain)) { return (DNS_R_SERVFAIL); } - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_dname) { + } else { /* * We've found a signature that * covers the DNAME. */ - found = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } - if (found) { + /* + * We've found an answer to our + * question. + */ + name->attributes |= DNS_NAMEATTR_CACHE; + rdataset->attributes |= DNS_RDATASETATTR_CACHE; + rdataset->trust = dns_trust_answer; + if (!chaining) { /* - * We've found an answer to our - * question. + * This data is "the" answer to + * our question only if we're + * not chaining. */ - name->attributes |= - DNS_NAMEATTR_CACHE; - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - if (!chaining) { - /* - * This data is "the" answer - * to our question only if - * we're not chaining. - */ - INSIST(!external); - if (aflag == - DNS_RDATASETATTR_ANSWER) - have_answer = ISC_TRUE; + INSIST(!external); + if (aflag == DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; name->attributes |= DNS_NAMEATTR_ANSWER; - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } - - /* - * DNAME chaining. - */ - if (found_dname) { - /* - * Copy the dname into the - * qname fixed name. - * - * Although we check for - * failure of the copy - * operation, in practice it - * should never fail since - * we already know that the - * result fits in a fixedname. 
- */ - dns_fixedname_init(&fqname); - result = dns_name_copy( - dns_fixedname_name(&dname), - dns_fixedname_name(&fqname), - NULL); - if (result != ISC_R_SUCCESS) - return (result); - wanted_chaining = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_CHAINING; - rdataset->attributes |= - DNS_RDATASETATTR_CHAINING; - qname = dns_fixedname_name( - &fqname); } + rdataset->attributes |= aflag; + if (aa) + rdataset->trust = + dns_trust_authanswer; + } else if (external) { + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; } } + + /* + * DNAME chaining. + */ + if (dnameset != NULL) { + /* + * Copy the dname into the qname fixed name. + * + * Although we check for failure of the copy + * operation, in practice it should never fail + * since we already know that the result fits + * in a fixedname. + */ + dns_fixedname_init(&fqname); + qname = dns_fixedname_name(&fqname); + result = dns_name_copy(dname, qname, NULL); + if (result != ISC_R_SUCCESS) + return (result); + wanted_chaining = ISC_TRUE; + name->attributes |= DNS_NAMEATTR_CHAINING; + dnameset->attributes |= + DNS_RDATASETATTR_CHAINING; + } if (wanted_chaining) chaining = ISC_TRUE; } diff --git a/lib/dns/resolver.c.orig b/lib/dns/resolver.c.orig index afc588c63dff..2c23aa8b8daa 100644 --- a/lib/dns/resolver.c.orig +++ b/lib/dns/resolver.c.orig @@ -6907,6 +6907,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { goto done; } + dns_message_setclass(message, fctx->res->rdclass); + result = dns_message_parse(message, &devent->buffer, 0); if (result != ISC_R_SUCCESS) { switch (result) { @@ -6979,6 +6981,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) { */ log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx); + if (message->rdclass != fctx->res->rdclass) { + resend = ISC_TRUE; + FCTXTRACE("bad class"); + goto done; + } + /* * Process receive opt record. */ 
@@ -8878,6 +8886,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, REQUIRE(VALID_RESOLVER(resolver)); + /* + * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. + */ + if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) + return (ISC_FALSE); + #if USE_ALGLOCK RWLOCK(&resolver->alglock, isc_rwlocktype_read); #endif @@ -8897,6 +8911,7 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, #endif if (found) return (ISC_FALSE); + return (dst_algorithm_supported(alg)); } diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index ae5391a5e54b..10e5dc9c9dda 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -286,10 +286,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, * Extract digest. */ _auth = isccc_alist_lookup(alist, "_auth"); - if (_auth == NULL) + if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); hmd5 = isccc_alist_lookup(_auth, "hmd5"); - if (hmd5 == NULL) + if (!isccc_sexpr_binaryp(hmd5)) return (ISC_R_FAILURE); /* * Compute digest. @@ -543,7 +543,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, REQUIRE(ackp != NULL && *ackp == NULL); _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL || + if (!isccc_alist_alistp(_ctrl) || isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -588,7 +588,7 @@ isccc_cc_isack(isccc_sexpr_t *message) isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL) + if (!isccc_alist_alistp(_ctrl)) return (ISC_FALSE); if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) return (ISC_TRUE); @@ -601,7 +601,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL) + if (!isccc_alist_alistp(_ctrl)) return (ISC_FALSE); if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) return (ISC_TRUE); 
@@ -621,7 +621,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, _ctrl = isccc_alist_lookup(message, "_ctrl"); _data = isccc_alist_lookup(message, "_data"); - if (_ctrl == NULL || _data == NULL || + if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -810,7 +810,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL || + if (!isccc_alist_alistp(_ctrl) || isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) return (ISC_R_FAILURE); ++++++ configure.in.diff ++++++ --- bind-9.9.3-P1/configure.in.xx 2013-06-26 14:23:25.536177163 +0200 +++ bind-9.9.3-P1/configure.in 2013-06-26 14:23:26.401175186 +0200 @@ -3099,7 +3099,7 @@ # empty). The variable VARIABLE will be substituted into output files. # -AC_DEFUN(NOM_PATH_FILE, [ +AC_DEFUN([NOM_PATH_FILE], [ $1="" AC_MSG_CHECKING(for $2) for d in $3 ++++++ configure.in.diff2 ++++++ --- a/configure.in +++ a/configure.in 2011/04/21 13:34:11 
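Review bot: in the bin/named/control.c hunk the comment right after the changed condition still says "No data section.", but `!isccc_alist_alistp(data)` now also rejects a `_data` entry that is present with the wrong S-expression type; reword it to "No data section, or not an alist." Because isccc_alist_lookup() returns NULL when the key is absent, this and the other `== NULL` to `!isccc_alist_alistp()` replacements in controlconf.c, rndc.c and lib/isccc/cc.c (and the `!isccc_sexpr_binaryp(hmd5)` check in verify()) only preserve the old NULL handling if those predicates accept a NULL argument and return false for it; please confirm that in the predicate implementations, which this patch does not touch.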
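Review bot: the dname_target() hunk in lib/dns/resolver.c removes the dns_name_fullcompare() check and the "unrelated DNAME" FORMERR from the helper and has the caller pass nlabels instead, so the function now silently assumes that qname is a proper subdomain of the DNAME owner and that nlabels came from comparing exactly those two names; dns_name_split(qname, nlabels, ...) with any other nlabels yields a wrong prefix. Add a REQUIRE() or at least a comment on the new signature stating that precondition. In answer_response() the relation check is correctly redone inside the rdataset loop after the DNAME/RRSIG(DNAME) type filter, so a name that carries only ignored types is still skipped rather than turned into a FORMERR, and the chaining block at the end only runs when dnameset was set, so the ISC_R_NOSPACE path keeps its old non-chaining behaviour.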
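Review bot: the `diff --git a/lib/dns/resolver.c.orig b/lib/dns/resolver.c.orig` section should be dropped from bind-CVE-2016-1285-1286.patch: its target is a backup file left behind by an earlier patch application, not compiled source, and its new-side index (2c23aa8b8daa) is exactly the old-side index of the real lib/dns/resolver.c diff above it. Two of its hunks replay the dns_message_setclass()/"bad class" change that the earlier bind-9.9.4-P2/lib/dns/resolver.c patch already carries, but the dns_resolver_algorithm_supported() hunks that reject DST_ALG_DH and DST_ALG_INDIRECT appear nowhere else in this patch, so if that rejection is intended for this update it has to be applied to lib/dns/resolver.c itself. Its comment should also name DST_ALG_INDIRECT, since the condition rejects both algorithms but the comment only explains DH.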
@@ -280,7 +280,7 @@ AC_C_INLINE AC_C_VOLATILE AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME)) -AC_C_FLEXIBLE_ARRAY_MEMBER +#AC_C_FLEXIBLE_ARRAY_MEMBER # # UnixWare 7.1.1 with the feature supplement to the UDK compiler
++++++ dlz-schema.txt ++++++
#
#
# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
#                         types and object classes that may be needed by end users
#                         to add security, etc.  Attributes and object classes using
#                         this OID MUST NOT be published outside of an organization
#                         except to offer them for consideration to become part of the
#                         standard attributes and object classes published by the DLZ project.

attributetype ( 1.3.6.1.4.1.18420.1.1.10
	NAME 'dlzZoneName'
	DESC 'DNS zone name - domain name not including host name'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.20
	NAME 'dlzHostName'
	DESC 'Host portion of a domain name'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.30
	NAME 'dlzData'
	DESC 'Data for the resource record'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.40
	NAME 'dlzType'
	DESC 'DNS record type - A, SOA, NS, MX, etc...'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.50
	NAME 'dlzSerial'
	DESC 'SOA record serial number'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.60
	NAME 'dlzRefresh'
	DESC 'SOA record refresh time in seconds'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.70
	NAME 'dlzRetry'
	DESC 'SOA retry time in seconds'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.80
	NAME 'dlzExpire'
	DESC 'SOA expire time in seconds'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.90
	NAME 'dlzMinimum'
	DESC 'SOA minimum time in seconds'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.100
	NAME 'dlzAdminEmail'
	DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.110
	NAME 'dlzPrimaryNS'
	DESC 'Primary name server for this zone - should be host name not IP address'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.120
	NAME 'dlzIPAddr'
	DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.130
	NAME 'dlzCName'
	DESC 'DNS cname'
	SUP name
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.140
	NAME 'dlzPreference'
	DESC 'DNS MX record preference. Lower numbers have higher preference'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.150
	NAME 'dlzTTL'
	DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.160
	NAME 'dlzRecordID'
	DESC 'Unique ID for each DLZ resource record'
	SUP name
	SINGLE-VALUE )

#------------------------------------------------------------------------------
# Object class definitions
#------------------------------------------------------------------------------

objectclass ( 1.3.6.1.4.1.18420.1.2.10
	NAME 'dlzZone'
	DESC 'Zone name portion of a domain name'
	SUP top
	STRUCTURAL
	MUST ( objectclass $ dlzZoneName ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.20
	NAME 'dlzHost'
	DESC 'Host name portion of a domain name'
	SUP top
	STRUCTURAL
	MUST ( objectclass $ dlzHostName ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.30
	NAME 'dlzAbstractRecord'
	DESC 'Data common to all DNS record types'
	SUP top
	ABSTRACT
	MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.40
	NAME 'dlzGenericRecord'
	DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
	SUP dlzAbstractRecord
	STRUCTURAL
	MUST ( dlzData ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.50
	NAME 'dlzARecord'
	DESC 'DNS A record'
	SUP dlzAbstractrecord
	STRUCTURAL
	MUST ( dlzIPAddr ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.60
	NAME 'dlzNSRecord'
	DESC 'DNS NS record'
	SUP dlzGenericRecord
	STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.70
	NAME 'dlzMXRecord'
	DESC 'DNS MX record'
	SUP dlzGenericRecord
	STRUCTURAL
	MUST ( dlzPreference ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.80
	NAME 'dlzSOARecord'
	DESC 'DNS SOA record'
	SUP dlzAbstractRecord
	STRUCTURAL
	MUST ( dlzSerial $ dlzRefresh $ dlzRetry $ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )

objectclass ( 1.3.6.1.4.1.18420.1.2.90
	NAME 'dlzTextRecord'
	DESC 'Text data with spaces should be wrapped in double quotes'
	SUP dlzGenericRecord
	STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.100
	NAME 'dlzPTRRecord'
	DESC 'DNS PTR record'
	SUP dlzGenericRecord
	STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.110
	NAME 'dlzCNameRecord'
	DESC 'DNS CName record'
	SUP dlzGenericRecord
	STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.120
	NAME 'dlzXFR'
	DESC 'Host allowed to perform zone transfer'
	SUP top
	STRUCTURAL
	MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )
++++++ dnszone-schema.txt ++++++
# A schema for storing DNS zones in LDAP
#

attributetype ( 1.3.6.1.4.1.2428.20.0.0
	NAME 'dNSTTL'
	DESC 'An integer denoting time to live'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.2428.20.0.1
	NAME 'dNSClass'
	DESC 'The class of a resource record'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.2
	NAME 'zoneName'
	DESC 'The name of a zone, i.e. the name of the highest node in the zone'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.3
	NAME 'relativeDomainName'
	DESC 'The starting labels of a domain name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.12
	NAME 'pTRRecord'
	DESC 'domain name pointer, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.13
	NAME 'hInfoRecord'
	DESC 'host information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.14
	NAME 'mInfoRecord'
	DESC 'mailbox or mail list information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.16
	NAME 'tXTRecord'
	DESC 'text string, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.18
	NAME 'aFSDBRecord'
	DESC 'for AFS Data Base location, RFC 1183'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.24
	NAME 'SigRecord'
	DESC 'Signature, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.25
	NAME 'KeyRecord'
	DESC 'Key, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.28
	NAME 'aAAARecord'
	DESC 'IPv6 address, RFC 1886'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.29
	NAME 'LocRecord'
	DESC 'Location, RFC 1876'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.30
	NAME 'nXTRecord'
	DESC 'non-existant, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.33
	NAME 'sRVRecord'
	DESC 'service location, RFC 2782'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.35
	NAME 'nAPTRRecord'
	DESC 'Naming Authority Pointer, RFC 2915'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.36
	NAME 'kXRecord'
	DESC 'Key Exchange Delegation, RFC 2230'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.37
	NAME 'certRecord'
	DESC 'certificate, RFC 2538'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.38
	NAME 'a6Record'
	DESC 'A6 Record Type, RFC 2874'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.39
	NAME 'dNameRecord'
	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.43
	NAME 'dSRecord'
	DESC 'Delegation Signer, RFC 3658'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.44
	NAME 'sSHFPRecord'
	DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.46
	NAME 'rRSIGRecord'
	DESC 'RRSIG, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.47
	NAME 'nSECRecord'
	DESC 'NSEC, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.2428.20.3
	NAME 'dNSZone'
	SUP top
	STRUCTURAL
	MUST ( zoneName $ relativeDomainName )
	MAY ( DNSTTL $ DNSClass $ ARecord $ MDRecord $ MXRecord $ NSRecord $
	      SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $ MINFORecord $
	      TXTRecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ AAAARecord $
	      LOCRecord $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $
	      CERTRecord $ A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
	      RRSIGRecord $ NSECRecord ) )
++++++ named-bootconf.diff ++++++
Index: contrib/named-bootconf/named-bootconf.sh =================================================================== --- contrib/named-bootconf/named-bootconf.sh.orig +++ 
contrib/named-bootconf/named-bootconf.sh @@ -54,7 +54,8 @@ # POSSIBILITY OF SUCH DAMAGE. if [ ${OPTIONFILE-X} = X ]; then - WORKDIR=/tmp/`date +%s`.$$ + TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1 + WORKDIR=$TMPDIR/`date +%s`.$$ ( umask 077 ; mkdir $WORKDIR ) || { echo "unable to create work directory '$WORKDIR'" >&2 exit 1 
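Review bot: in the first named-bootconf.sh hunk the new variable name TMPDIR shadows the conventional TMPDIR environment variable that mktemp and many other tools honour, so a user's own TMPDIR setting is clobbered by the script; use a private name (for example BOOTCONF_TMPDIR) here and in the `rm -rf $TMPDIR` cleanup at the end of the script, and quote the expansions (`mkdir "$WORKDIR"`, `rm -rf "$BOOTCONF_TMPDIR"`) so the cleanup cannot split on unexpected characters. `mktemp -p /tmp/ -d` is a GNU coreutils spelling; `mktemp -d /tmp/named-bootconf.XXXXXXXXXX` does the same portably, which matters for a contrib script that is not Linux-only. Replacing the predictable /tmp/<timestamp>.<pid> path with a mktemp directory is the right fix for the temp-file race; the nested `( umask 077 ; mkdir $WORKDIR )` is now redundant because mktemp -d already creates the directory mode 0700, but it is harmless, so it could stay to keep the hunk small.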
@@ -308,7 +309,7 @@ if [ $DUMP -eq 1 ]; then cat $ZONEFILE $COMMENTFILE rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE - rmdir $WORKDIR + rm -rf $TMPDIR fi exit 0
++++++ named.root ++++++
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jan 3, 2013
;       related version of root zone:   2013010300
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
++++++ perl-path.diff ++++++
Index: bin/tests/t_api.pl =================================================================== --- bin/tests/t_api.pl.orig +++ bin/tests/t_api.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # # Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1999-2001 Internet Software Consortium. Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl =================================================================== --- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig +++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl @@ -1,4 +1,4 @@ -#! /usr/local/bin/perl -w +#! /usr/bin/perl -w # $Id: generate_nameprep_data.pl,v 1.1 2003/06/04 00:27:54 marka Exp $ # # Copyright (c) 2001 Japan Network Information Center. All rights reserved. Index: contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl =================================================================== --- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig +++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl
@@ -1,4 +1,4 @@ -#! /usr/local/bin/perl -w +#! /usr/bin/perl -w # $Id: generate_normalize_data.pl,v 1.1 2003/06/04 00:27:55 marka Exp $ # # Copyright (c) 2000,2001 Japan Network Information Center. ++++++ pid-path.diff ++++++ Index: bin/named/include/named/globals.h =================================================================== --- bin/named/include/named/globals.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/include/named/globals.h 2013-08-05 14:14:28.152275375 +0200 @@ -139,9 +139,9 @@ "lwresd.pid"); #else EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR - "/run/named.pid"); + "/run/named/named.pid"); EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR - "/run/lwresd.pid"); + "/run/named/lwresd.pid"); #endif EXTERN const char * ns_g_username INIT(NULL); Index: contrib/nanny/nanny.pl =================================================================== --- contrib/nanny/nanny.pl.orig 2013-07-17 00:13:06.000000000 +0200 +++ contrib/nanny/nanny.pl 2013-08-05 14:14:28.153275387 +0200 @@ -19,7 +19,7 @@ # A simple nanny to make sure named stays running. -$pid_file_location = '/var/run/named.pid'; +$pid_file_location = '/var/run/named/named.pid'; $nameserver_location = 'localhost'; $dig_program = 'dig'; $named_program = 'named'; ++++++ pie_compile.diff ++++++ Index: bin/check/Makefile.in =================================================================== --- bin/check/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/check/Makefile.in 2013-08-06 12:08:19.492457714 +0200 
@@ -57,8 +57,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + named-checkconf.@O@: named-checkconf.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ Index: bin/confgen/Makefile.in =================================================================== --- bin/confgen/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/confgen/Makefile.in 2013-08-06 12:08:19.492457714 +0200 @@ -64,8 +64,12 @@ UOBJS = unix/os.@O@ +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + rndc-confgen.@O@: rndc-confgen.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \ Index: bin/confgen/unix/Makefile.in =================================================================== --- bin/confgen/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/confgen/unix/Makefile.in 2013-08-06 12:08:19.492457714 +0200 @@ -32,4 +32,8 @@ TARGETS = ${OBJS} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ + +LDFLAGS += -pie Index: bin/dig/Makefile.in =================================================================== --- bin/dig/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/dig/Makefile.in 2013-08-06 12:08:19.492457714 +0200 @@ -69,8 +69,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \ ${FINALBUILDCMD} Index: bin/dnssec/Makefile.in =================================================================== --- bin/dnssec/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/dnssec/Makefile.in 2013-08-06 12:08:19.493457729 +0200 
@@ -64,8 +64,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ ${FINALBUILDCMD} Index: bin/Makefile.in =================================================================== --- bin/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/Makefile.in 2013-08-06 12:08:19.493457729 +0200 @@ -23,4 +23,8 @@ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ + +LDFLAGS += -pie Index: bin/named/Makefile.in =================================================================== --- bin/named/Makefile.in.orig 2013-08-06 12:08:17.653432490 +0200 +++ bin/named/Makefile.in 2013-08-06 12:08:19.493457729 +0200 @@ -115,8 +115,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + main.@O@: main.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ Index: bin/named/unix/Makefile.in =================================================================== --- bin/named/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/unix/Makefile.in 2013-08-06 12:08:19.493457729 +0200 @@ -34,4 +34,6 @@ TARGETS = ${OBJS} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ Index: bin/nsupdate/Makefile.in =================================================================== --- bin/nsupdate/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/nsupdate/Makefile.in 2013-08-06 12:08:19.493457729 +0200 
@@ -66,8 +66,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + nsupdate.@O@: nsupdate.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \ Index: bin/rndc/Makefile.in =================================================================== --- bin/rndc/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/rndc/Makefile.in 2013-08-06 12:08:19.493457729 +0200 @@ -59,8 +59,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + rndc.@O@: rndc.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -DVERSION=\"${VERSION}\" \ Index: bin/tools/Makefile.in =================================================================== --- bin/tools/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/tools/Makefile.in 2013-08-06 12:08:19.493457729 +0200 @@ -53,8 +53,12 @@ genrandom.html isc-hmac-fixup.html MANOBJS = ${MANPAGES} ${HTMLPAGES} +EXT_CFLAGS = -fPIE -static + @BIND9_MAKE_RULES@ +LDFLAGS += -pie + arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \ ${ISCLIBS} ${LIBS} Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in =================================================================== --- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in 2013-08-06 12:08:19.493457729 +0200 
@@ -68,8 +68,8 @@ INCS = -I$(srcdir) -I$(srcdir)/../../include -I../../include $(ICONVINC) DEFS = -CFLAGS = $(INCS) $(DEFS) @CPPFLAGS@ @CFLAGS@ -LDFLAGS = @LDFLAGS@ +CFLAGS = $(INCS) $(DEFS) @CPPFLAGS@ @CFLAGS@ -fPIE +LDFLAGS = @LDFLAGS@ -pie SRCS = idnconv.c util.c selectiveencode.c OBJS = idnconv.o util.o selectiveencode.o Index: contrib/zkt/Makefile.in =================================================================== --- contrib/zkt/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ contrib/zkt/Makefile.in 2013-08-06 12:08:19.494457743 +0200 @@ -13,11 +13,11 @@ OPTIM = # -O3 -DNDEBUG #CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@ -CFLAGS += -g @DEFS@ -I@top_srcdir@ +CFLAGS += -g @DEFS@ -I@top_srcdir@ -fPIE CFLAGS += -Wall #-DDBG CFLAGS += -Wmissing-prototypes CFLAGS += $(PROFILE) $(OPTIM) -LDFLAGS += $(PROFILE) +LDFLAGS += $(PROFILE) -fPIE -pie LIBS = @LIBS@ PROJECT = @PACKAGE_TARNAME@ ++++++ rpz2-9.9.4.patch ++++++ ++++ 7699 lines (skipped)
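Review bot: `-static` does not belong in `EXT_CFLAGS = -fPIE -static`, which every bin/*/Makefile.in hunk in this patch introduces: it is a link-time option, so at the compile step (`${CC} ${ALL_CFLAGS} ... -c`) it is silently ignored, and if `ALL_CFLAGS` is ever passed to a link line it contradicts the `LDFLAGS += -pie` added in the same hunks, since a fully static executable and a position-independent executable are mutually exclusive with the toolchains these Makefiles target. Suggest `EXT_CFLAGS = -fPIE` and a changelog line stating the intent (PIE hardening), so the next reader does not wonder whether static linking was meant.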
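Review bot: the `LDFLAGS += -pie` in the bin/confgen/unix/Makefile.in and bin/Makefile.in hunks is dead, because those directories only build `${OBJS}` (or `TARGETS =` nothing) and never run a link, while the bin/named/unix/Makefile.in hunk, which has the same `TARGETS = ${OBJS}` shape, correctly adds only `EXT_CFLAGS`. Either drop the two stray `LDFLAGS` lines or apply the same pair to all three object-only directories; mixing the two conventions makes it look as if one was forgotten. Separately, `+=` is not portable make syntax and the bin/ Makefile.in files otherwise avoid it; the idn hunk's form, `LDFLAGS = @LDFLAGS@ -pie`, works with any make the configure script supports.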
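Review bot: in the contrib/zkt/Makefile.in hunk, `LDFLAGS += $(PROFILE) -fPIE -pie` carries a compile-stage flag on the link line; `-fPIE` is already added to `CFLAGS` two lines above and has no effect when linking, so `LDFLAGS += $(PROFILE) -pie` is sufficient and avoids implying that the linker needs both.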
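Review bot: the contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in hunk (and the patch as a whole) hardcodes `-fPIE` and `-pie` after the configure-substituted `@CFLAGS@` / `@LDFLAGS@` with no configure-time check that the compiler and linker accept them, so the build breaks outright on a toolchain or platform without PIE support instead of falling back to a non-PIE binary. Suggest probing for the flags in configure (as is done for the other substituted flags) and substituting empty values when unsupported, or at least documenting in the patch header that the package is only built with a PIE-capable GCC.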
