diff --git a/SOURCES/bind99-CVE-2015-1349.patch b/SOURCES/bind99-CVE-2015-1349.patch new file mode 100644 index 0000000..e484587 --- /dev/null +++ b/SOURCES/bind99-CVE-2015-1349.patch @@ -0,0 +1,25 @@ +diff -up bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 bind-9.9.4/lib/dns/zone.c +--- bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 2015-03-02 11:18:36.138872044 +0100 ++++ bind-9.9.4/lib/dns/zone.c 2015-03-02 11:20:15.941032102 +0100 +@@ -8456,6 +8456,12 @@ keyfetch_done(isc_task_t *task, isc_even + namebuf, tag); + trustkey = ISC_TRUE; + } ++ } else { ++ /* ++ * No previously known key, and the key is not ++ * secure, so skip it. ++ */ ++ continue; + } + + /* Delete old version */ +@@ -8504,7 +8510,7 @@ keyfetch_done(isc_task_t *task, isc_even + trust_key(zone, keyname, &dnskey, mctx); + } + +- if (!deletekey) ++ if (secure && !deletekey) + set_refreshkeytimer(zone, &keydata, now); + } + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index 1f0f345..62c42f0 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -29,7 +29,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 18%{?PATCHVER}%{?PREVER}%{?dist} +Release: 18%{?PATCHVER}%{?PREVER}%{?dist}.1 Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -97,6 +97,7 @@ Patch144:bind99-rh1067424.patch Patch145:bind99-rh1072379.patch Patch146:bind99-rh1098959.patch Patch147:bind99-CVE-2014-8500.patch +Patch148:bind99-CVE-2015-1349.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -323,6 +324,7 @@ popd %patch145 -p1 -b .rh1072379 %patch146 -p1 -b .rh1098959 %patch147 -p1 -b .CVE-2014-8500 +%patch148 -p1 -b .CVE-2015-1349 %if %{SDB} %patch101 -p1 -b .old-api @@ -942,6 +944,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Mon Mar 02 2015 Tomas Hozza - 32:9.9.4-18.1 +- Fix CVE-2015-1349 + * Wed Dec 10 2014 Tomas Hozza - 32:9.9.4-18 - Fix CVE-2014-8500 (#1171976)