diff --git a/.bind.metadata b/.bind.metadata
index 330e630..6b7575c 100644
--- a/.bind.metadata
+++ b/.bind.metadata
@@ -1,2 +1,2 @@
+8f72710c243b713ba56930e0348cd0157716574e SOURCES/config-12.tar.bz2
 d7be390e6c2546f37a7280e1975e1cd134565f62 SOURCES/bind-9.9.4.tar.gz
-bece70f7e1d14d4a7ca23b4d111d736e10e5f1e2 SOURCES/config-11.tar.bz2
diff --git a/SOURCES/bind-9.9.1-P2-dlz-libdb.patch b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
new file mode 100644
index 0000000..7c62d87
--- /dev/null
+++ b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
@@ -0,0 +1,27 @@
+diff -up bind-9.9.4/contrib/dlz/config.dlz.in.libdb bind-9.9.4/contrib/dlz/config.dlz.in
+--- bind-9.9.4/contrib/dlz/config.dlz.in.libdb	2014-01-06 13:24:24.669256364 +0100
++++ bind-9.9.4/contrib/dlz/config.dlz.in	2014-01-06 13:26:29.861420493 +0100
+@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in
+ 			# Check other locations for includes.
+ 			# Order is important (sigh).
+ 
+-			bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
++			bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/"
+ 			for d in $bdb_incdirs
+ 			do
+ 				if test -f "$dd/include${d}db.h"
+@@ -283,13 +283,7 @@ case "$use_dlz_bdb" in
+ 			do
+ 				if test -f "$dd/${target_lib}/lib${d}.so"
+ 				then
+-					if test "$dd" != "/usr"
+-					then
+-						dlz_bdb_libs="-L${dd}/${target_lib} "
+-					else
+-						dlz_bdb_libs=""
+-					fi
+-					dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
++					dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
+ 					break
+ 				fi
+ 			done
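Review bot: In the second inner hunk the library probe and the linker path disagree: the test still looks for `$dd/${target_lib}/lib${d}.so`, while the new assignment emits `-L${dd}/${target_lib}/libdb`, a directory the script never checked. The libdb4 patch that this file replaces changed both lines together (probe `.../libdb4/lib${d}.so`, flag `-L.../libdb4`). Either probe the directory that is handed to `-L`, or emit `dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"` so the link line matches where the library was found. As written, the link presumably succeeds only because the default search path already covers the library. The `bdb_libnames` list is outside the hunk, so whether it names the libdb versions in use cannot be confirmed from here.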
diff --git a/SOURCES/bind-9.9.1-P2-dlz-libdb4.patch b/SOURCES/bind-9.9.1-P2-dlz-libdb4.patch
deleted file mode 100644
index 1099fa4..0000000
--- a/SOURCES/bind-9.9.1-P2-dlz-libdb4.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up bind-9.9.1-P2/contrib/dlz/config.dlz.in.libdb4 bind-9.9.1-P2/contrib/dlz/config.dlz.in
---- bind-9.9.1-P2/contrib/dlz/config.dlz.in.libdb4	2012-07-30 16:58:57.566418514 +0200
-+++ bind-9.9.1-P2/contrib/dlz/config.dlz.in	2012-07-30 17:30:10.930074108 +0200
-@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in
- 			# Check other locations for includes.
- 			# Order is important (sigh).
- 
--			bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
-+			bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb4/ /db/"
- 			for d in $bdb_incdirs
- 			do
- 				if test -f "$dd/include${d}db.h"
-@@ -281,15 +281,9 @@ case "$use_dlz_bdb" in
- 			bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
- 			for d in $bdb_libnames
- 			do
--				if test -f "$dd/${target_lib}/lib${d}.so"
-+				if test -f "$dd/${target_lib}/libdb4/lib${d}.so"
- 				then
--					if test "$dd" != "/usr"
--					then
--						dlz_bdb_libs="-L${dd}/${target_lib} "
--					else
--						dlz_bdb_libs=""
--					fi
--					dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
-+					dlz_bdb_libs="-L${dd}/${target_lib}/libdb4 -l${d}"
- 					break
- 				fi
- 			done
diff --git a/SOURCES/bind99-CVE-2014-0591.patch b/SOURCES/bind99-CVE-2014-0591.patch
new file mode 100644
index 0000000..ba225b1
--- /dev/null
+++ b/SOURCES/bind99-CVE-2014-0591.patch
@@ -0,0 +1,53 @@
+diff -pruN bind-9.9.4-P1/bin/named/query.c bind-9.9.4-P2/bin/named/query.c
+--- bind-9.9.4-P1/bin/named/query.c	2013-10-16 01:04:32.000000000 +0200
++++ bind-9.9.4-P2/bin/named/query.c	2013-12-20 01:28:28.000000000 +0100
+@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname
+ 	dns_fixedname_t fixed;
+ 	dns_hash_t hash;
+ 	dns_name_t name;
+-	int order;
+-	unsigned int count;
++	unsigned int skip = 0, labels;
+ 	dns_rdata_nsec3_t nsec3;
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	isc_boolean_t optout;
+@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname
+ 
+ 	dns_name_init(&name, NULL);
+ 	dns_name_clone(qname, &name);
++	labels = dns_name_countlabels(&name);
+ 	dns_clientinfomethods_init(&cm, ns_client_sourceip);
+ 	dns_clientinfo_init(&ci, client);
+ 
+@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname
+ 		dns_rdata_reset(&rdata);
+ 		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+ 		if (found != NULL && optout &&
+-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
+-					 &count) == dns_namereln_subdomain) {
++		    dns_name_issubdomain(&name, dns_db_origin(db)))
++		{
+ 			dns_rdataset_disassociate(rdataset);
+ 			if (dns_rdataset_isassociated(sigrdataset))
+ 				dns_rdataset_disassociate(sigrdataset);
+-			count = dns_name_countlabels(&name) - 1;
+-			dns_name_getlabelsequence(&name, 1, count, &name);
++			skip++;
++			dns_name_getlabelsequence(qname, skip, labels - skip,
++						  &name);
+ 			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ 				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+ 				      "looking for closest provable encloser");
+@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname
+ 		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+ 			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ 			      "expected covering NSEC3, got an exact match");
+-	if (found != NULL)
++	if (found == qname) {
++		if (skip != 0U)
++			dns_name_getlabelsequence(qname, skip, labels - skip,
++						  found);
++	} else if (found != NULL)
+ 		dns_name_copy(&name, found, NULL);
+ 	return;
+ }
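Review bot: The new `found == qname` branch at the end of query_findclosestnsec3 carries no comment, although the aliasing it handles appears to be the reason for the whole patch. `name` is a clone of `qname` (`dns_name_clone(qname, &name)`), so when the caller passes the same object as `found`, `dns_name_copy(&name, found, NULL)` would presumably copy between overlapping storage. A comment above the branch such as `/* found aliases qname, and name shares qname's storage: trim in place instead of copying. */` would keep a later cleanup from folding the branch back into the plain copy. `labels - skip` is unsigned, so the comment on `skip` should also state why it cannot exceed `labels`; the loop that bounds it lies partly outside the hunks.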
diff --git a/SOURCES/bind99-ISC-Bugs-35073.patch b/SOURCES/bind99-ISC-Bugs-35073.patch
new file mode 100644
index 0000000..c8be3ed
--- /dev/null
+++ b/SOURCES/bind99-ISC-Bugs-35073.patch
@@ -0,0 +1,31 @@
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 486c102..dc12a85 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -1566,16 +1566,20 @@ evaluate_realm(char *cmdline) {
+ #ifdef GSSAPI
+ 	char *word;
+ 	char buf[1024];
++	int n;
+ 
+-	word = nsu_strsep(&cmdline, " \t\r\n");
+-	if (word == NULL || *word == 0) {
+-		if (realm != NULL)
+-			isc_mem_free(mctx, realm);
++	if (realm != NULL) {
++		isc_mem_free(mctx, realm);
+ 		realm = NULL;
+-		return (STATUS_MORE);
+ 	}
+ 
+-	snprintf(buf, sizeof(buf), "@%s", word);
++	word = nsu_strsep(&cmdline, " \t\r\n");
++	if (word == NULL || *word == 0)
++		return (STATUS_MORE);
++
++	n = snprintf(buf, sizeof(buf), "@%s", word);
++	if (n < 0 || (size_t)n >= sizeof(buf))
++		fatal("realm is too long");
+ 	realm = isc_mem_strdup(mctx, buf);
+ 	if (realm == NULL)
+ 		fatal("out of memory");
diff --git a/SOURCES/bind99-ISC-Bugs-35080.patch b/SOURCES/bind99-ISC-Bugs-35080.patch
new file mode 100644
index 0000000..14c383f
--- /dev/null
+++ b/SOURCES/bind99-ISC-Bugs-35080.patch
@@ -0,0 +1,42 @@
+commit 3a2ea636103eaf40404fb82f228605d384c36434
+Author: Mark Andrews <marka@isc.org>
+Date:   Tue Dec 17 09:08:59 2013 +1100
+
+    3692.   [bug]           Two calls to dns_db_getoriginnode were fatal if there
+                            was no data at the node. [RT #35080]
+    
+    (cherry picked from commit 161e803a5608956271d8120be37a1b383d14b647)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 2dd4aa0..941b77e 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -1638,8 +1638,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ 
+ 	nodelock = &rbtdb->node_locks[bucket];
+ 
++#define KEEP_NODE(n, r) \
++	((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
++
+ 	/* Handle easy and typical case first. */
+-	if (!node->dirty && (node->data != NULL || node->down != NULL)) {
++	if (!node->dirty && KEEP_NODE(node, rbtdb)) {
+ 		dns_rbtnode_refdecrement(node, &nrefs);
+ 		INSIST((int)nrefs >= 0);
+ 		if (nrefs == 0) {
+@@ -1708,12 +1711,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ 	isc_refcount_decrement(&nodelock->references, &refs);
+ 	INSIST((int)refs >= 0);
+ 
+-	/*
+-	 * XXXDCL should this only be done for cache zones?
+-	 */
+-	if (node->data != NULL || node->down != NULL)
++	if (KEEP_NODE(node, rbtdb))
+ 		goto restore_locks;
+ 
++#undef KEEP_NODE
++
+ 	if (write_locked) {
+ 		/*
+ 		 * We can now delete the node.
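Review bot: `KEEP_NODE` is introduced without a comment, and the removed `XXXDCL` remark was the only explanatory text near this test. The macro adds `(n) == (r)->origin_node` to the keep condition, which, going by the commit message, is what stops an origin node without data from being torn down. A line above the `#define` such as `/* Nodes with data, with children, or serving as the database origin are never deleted here. */` would record that. As a style point, a function-scoped `#define`/`#undef` pair spanning some seventy lines is easy to break when code moves; a `static inline` predicate taking `rbtdb` and `node` is type-checked and needs no `#undef`. decrement_reference starts and ends outside both hunks.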
diff --git a/SOURCES/named-chroot-setup.service b/SOURCES/named-chroot-setup.service
new file mode 100644
index 0000000..9870a88
--- /dev/null
+++ b/SOURCES/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
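Review bot: The teardown moved from `ExecStopPost=` in named-chroot.service to `ExecStop=` in this unit, and systemd runs `ExecStop=` only for a unit that started successfully. If `setup-named-chroot.sh /var/named/chroot on` fails part-way, the `off` step is therefore skipped and any bind mounts already made stay in place under /var/named/chroot. Whether the script can fail part-way is not visible on this page. Using `ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off` keeps the cleanup-on-failure behaviour the old unit had. The same applies to named-sdb-chroot-setup.service with /var/named/chroot_sdb.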
diff --git a/SOURCES/named-chroot.service b/SOURCES/named-chroot.service
index f11533c..39d3700 100644
--- a/SOURCES/named-chroot.service
+++ b/SOURCES/named-chroot.service
@@ -5,8 +5,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Requires=named-chroot-setup.service
 Before=nss-lookup.target
 After=network.target
+After=named-chroot-setup.service
 
 [Service]
 Type=forking
@@ -14,15 +16,12 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/var/named/chroot/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
-ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
 ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
 ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS
 
 ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
 
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
 
 PrivateTmp=false
 
diff --git a/SOURCES/named-sdb-chroot-setup.service b/SOURCES/named-sdb-chroot-setup.service
new file mode 100644
index 0000000..0967a60
--- /dev/null
+++ b/SOURCES/named-sdb-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named-sdb
+BindsTo=named-sdb-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off
diff --git a/SOURCES/named-sdb-chroot.service b/SOURCES/named-sdb-chroot.service
index 23b632b..09b7974 100644
--- a/SOURCES/named-sdb-chroot.service
+++ b/SOURCES/named-sdb-chroot.service
@@ -1,28 +1,27 @@
-# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
 # line to your /etc/rsyslog.conf file. Otherwise your logging becomes
 # broken when rsyslogd daemon is restarted (due update, for example).
 
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Requires=named-sdb-chroot-setup.service
 Before=nss-lookup.target
 After=network.target
+After=named-sdb-chroot-setup.service
 
 [Service]
 Type=forking
 EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
-PIDFile=/var/named/chroot/run/named/named.pid
+PIDFile=/var/named/chroot_sdb/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
-ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
-ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
-ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot $OPTIONS
+ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot_sdb -z /etc/named.conf
+ExecStart=/usr/sbin/named-sdb -u named -t /var/named/chroot_sdb $OPTIONS
 
 ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
 
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
 
 PrivateTmp=false
 
diff --git a/SOURCES/named-sdb.service b/SOURCES/named-sdb.service
index ef3f6ab..e0cd31c 100644
--- a/SOURCES/named-sdb.service
+++ b/SOURCES/named-sdb.service
@@ -1,8 +1,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Wants=named-setup-rndc.service
 Before=nss-lookup.target
 After=network.target
+After=named-setup-rndc.service
 
 [Service]
 Type=forking
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
 ExecStart=/usr/sbin/named-sdb -u named $OPTIONS
 
diff --git a/SOURCES/named-setup-rndc.service b/SOURCES/named-setup-rndc.service
new file mode 100644
index 0000000..ff85e3c
--- /dev/null
+++ b/SOURCES/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh
diff --git a/SOURCES/named.conf.sample b/SOURCES/named.conf.sample
index 038e712..aee040a 100644
--- a/SOURCES/named.conf.sample
+++ b/SOURCES/named.conf.sample
@@ -71,7 +71,10 @@ options
 	/* Enable DLV by default, use built-in ISC DLV key. */
 	dnssec-lookaside auto;
 
+	/* In RHEL-7 we use /run/named instead of default /var/run/named
+	   so we have to configure paths properly. */
 	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
 
 	managed-keys-directory "/var/named/dynamic";
 };
diff --git a/SOURCES/named.rwtab b/SOURCES/named.rwtab
new file mode 100644
index 0000000..2cb3a41
--- /dev/null
+++ b/SOURCES/named.rwtab
@@ -0,0 +1,6 @@
+dirs    /var/named
+
+files	/var/named/named.ca
+files	/var/named/named.empty
+files	/var/named/named.localhost
+files	/var/named/named.loopback
diff --git a/SOURCES/named.service b/SOURCES/named.service
index f04403b..7e48c89 100644
--- a/SOURCES/named.service
+++ b/SOURCES/named.service
@@ -1,8 +1,10 @@
 [Unit]
 Description=Berkeley Internet Name Domain (DNS)
 Wants=nss-lookup.target
+Wants=named-setup-rndc.service
 Before=nss-lookup.target
 After=network.target
+After=named-setup-rndc.service
 
 [Service]
 Type=forking
@@ -10,7 +12,6 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
 
-ExecStartPre=/usr/libexec/generate-rndc-key.sh
 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
 ExecStart=/usr/sbin/named -u named $OPTIONS
 
diff --git a/SOURCES/setup-named-chroot.sh b/SOURCES/setup-named-chroot.sh
index 6071f75..8de494b 100755
--- a/SOURCES/setup-named-chroot.sh
+++ b/SOURCES/setup-named-chroot.sh
@@ -44,7 +44,7 @@ mount_chroot_conf()
         # Mount source is a directory. Mount it only if directory in chroot is
         # empty.
         if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
-          mount --bind "$all" "$ROOTDIR$all"
+          mount --bind --make-private "$all" "$ROOTDIR$all"
         fi
       fi
     done
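Review bot: The exit status of the changed `mount --bind --make-private` line is not checked in the visible lines, and nothing says why the propagation flag is needed. util-linux applies `--make-private` as a separate mount(2) call after the bind succeeds, so the command is not atomic; if the second step fails, the bind mount is left with its inherited propagation. Consider `mount --bind --make-private "$all" "$ROOTDIR$all" || return 1`, assuming the caller of mount_chroot_conf, which is outside the hunk, checks the result. A comment such as `# private: keep chroot bind mounts from propagating to or from other mount points` would record the intent. The unquoted `$ROOTDIR$all` inside the backticks on the `ls` line above is context, but it is worth quoting in the same change.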
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 461cb86..aa4cc64 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -21,12 +21,15 @@
 %{?!DEVEL:     %global DEVEL     1}
 %global        bind_dir          /var/named
 %global        chroot_prefix     %{bind_dir}/chroot
+%if %{SDB}
+%global        chroot_sdb_prefix %{bind_dir}/chroot_sdb
+%endif
 #
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  4%{?PATCHVER}%{?PREVER}%{?dist}
+Release:  14%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -40,7 +43,7 @@ Source7:  bind-9.3.1rc1-sdb_tools-Makefile.in
 Source8:  dnszone.schema
 Source12: README.sdb_pgsql
 Source25: named.conf.sample
-Source28: config-11.tar.bz2
+Source28: config-12.tar.bz2
 Source30: ldap2zone.c
 Source31: ldap2zone.1
 Source32: named-sdb.8
@@ -54,6 +57,10 @@ Source39: named-sdb.service
 Source40: named-sdb-chroot.service
 Source41: setup-named-chroot.sh
 Source42: generate-rndc-key.sh
+Source43: named.rwtab
+Source44: named-chroot-setup.service
+Source45: named-sdb-chroot-setup.service
+Source46: named-setup-rndc.service
 
 # Common patches
 Patch5:  bind-nonexec.patch
@@ -74,7 +81,7 @@ Patch123:bind98-rh735103.patch
 Patch124:nslookup-norec.patch
 Patch125:bind99-buildfix.patch
 Patch127:bind99-forward.patch
-Patch130:bind-9.9.1-P2-dlz-libdb4.patch
+Patch130:bind-9.9.1-P2-dlz-libdb.patch
 Patch131:bind-9.9.1-P2-multlib-conflict.patch
 Patch133:bind99-rh640538.patch
 Patch134:bind97-rh669163.patch
@@ -83,6 +90,9 @@ Patch137:bind99-rrl.patch
 Patch138:bind-9.9.3-include-update-h.patch
 Patch139:bind99-ISC-Bugs-34738.patch
 Patch140:bind99-ISC-Bugs-34870-v3.patch
+Patch141:bind99-ISC-Bugs-35073.patch
+Patch142:bind99-ISC-Bugs-35080.patch
+Patch143:bind99-CVE-2014-0591.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -119,7 +129,7 @@ BuildRequires:  libidn-devel, libxml2-devel
 BuildRequires:  systemd-units
 %if %{SDB}
 BuildRequires:  openldap-devel, postgresql-devel, sqlite-devel, mysql-devel
-BuildRequires:  db4-devel
+BuildRequires:  libdb-devel
 %endif
 %if %{test}
 BuildRequires:  net-tools
@@ -246,6 +256,21 @@ This package contains a tree of files which can be used as a
 chroot(2) jail for the named(8) program from the BIND package.
 Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
 
+%if %{SDB}
+%package sdb-chroot
+Summary:        A chroot runtime environment for the ISC BIND DNS server, named-sdb(8)
+Group:          System Environment/Daemons
+Prefix:         %{chroot_prefix}
+Requires:       bind-sdb
+Requires:       systemd-units
+
+%description sdb-chroot
+This package contains a tree of files which can be used as a
+chroot(2) jail for the named-sdb(8) program from the BIND package.
+Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
+%endif
+
+
 %prep
 %setup -q -n %{name}-%{VERSION}
 
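Review bot: `Prefix: %{chroot_prefix}` in the new sdb-chroot package looks copied from the chroot package; every path this subpackage creates and owns elsewhere in the diff is under `%{chroot_sdb_prefix}`. If the tag is kept it should read `Prefix:         %{chroot_sdb_prefix}`. `Requires: bind-sdb` is also unversioned, so the chroot tree and unit files could be installed alongside a bind-sdb from a different build. `Requires: bind-sdb = %{epoch}:%{version}-%{release}` would tie them together, assuming bind-sdb is built from this spec as the `%if %{SDB}` guard suggests.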
@@ -277,12 +302,15 @@ pushd bin/dig
 popd
 %patch125 -p1 -b .buildfix
 %patch127 -p1 -b .forward
-%patch130 -p1 -b .libdb4
+%patch130 -p1 -b .libdb
 %patch131 -p1 -b .multlib-conflict
 %patch137 -p1 -b .rrl
 %patch138 -p1 -b .update
 %patch139 -p1 -b .journal
 %patch140 -p1 -b .send_buffers
+%patch141 -p1 -b .leak_35073
+%patch142 -p1 -b .rbt_crash
+%patch143 -p1 -b .CVE-2014-059
 
 %if %{SDB}
 %patch101 -p1 -b .old-api
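Review bot: The backup suffix on the new `%patch143` line is `.CVE-2014-059`, one digit short of the CVE-2014-0591 identifier used in the patch file name and the changelog. The suffix only names the `-b` backup files, so the build is unaffected, but anyone searching the prepared tree for the CVE id to confirm the fix was applied will miss it. `%patch143 -p1 -b .CVE-2014-0591` fixes that.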
@@ -344,6 +372,7 @@ libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
   --localstatedir=/var \
   --enable-threads \
   --enable-ipv6 \
+  --enable-filter-aaaa \
   --enable-rrl \
   --with-pic \
   --disable-static \
@@ -416,6 +445,12 @@ mkdir -p ${RPM_BUILD_ROOT}/var/log
 #chroot
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/{dev,etc,var,run/named}
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/var/{log,named,tmp}
+
+# create symlink as it is on real filesystem
+pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
+ln -s ../run run
+popd
+
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named}
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind
 # these are required to prevent them being erased during upgrade of previous
@@ -428,6 +463,29 @@ touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/localtime
 touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
 #end chroot
 
+#sdb-chroot
+%if %{SDB}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp}
+
+# create symlink as it is on real filesystem
+pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var
+ln -s ../run run
+popd
+
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named}
+mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind
+# these are required to prevent them being erased during upgrade of previous
+# versions that included them (bug #130121):
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/null
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/random
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/zero
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/localtime
+
+touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf
+%endif
+#end sdb-chroot
+
 make DESTDIR=${RPM_BUILD_ROOT} install
 
 # Remove unwanted files
@@ -437,10 +495,14 @@ rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
 mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
+
 %if %{SDB}
 install -m 644 %{SOURCE39} ${RPM_BUILD_ROOT}%{_unitdir}
-%endif
 install -m 644 %{SOURCE40} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE45} ${RPM_BUILD_ROOT}%{_unitdir}
+%endif
 
 mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
 install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
@@ -511,6 +573,9 @@ done
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/tmpfiles.d
 install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_sysconfdir}/tmpfiles.d/named.conf
 
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
+install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
+
 %pre
 if [ "$1" -eq 1 ]; then
   /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
@@ -574,7 +639,6 @@ fi
 
 %post chroot
 %systemd_post named-chroot.service
-%systemd_post named-sdb-chroot.service
 if [ "$1" -gt 0 ]; then
   [ -e %{chroot_prefix}/dev/random ] || \
     /bin/mknod %{chroot_prefix}/dev/random c 1 8
@@ -595,7 +659,6 @@ fi;
 
 %preun chroot
 %systemd_preun named-chroot.service 
-%systemd_preun named-sdb-chroot.service 
 if [ "$1" -eq 0 ]; then
   # Package removal, not upgrade
   rm -f %{chroot_prefix}/dev/{random,zero,null}
@@ -606,8 +669,45 @@ fi
 %postun chroot
 # Package upgrade, not uninstall
 %systemd_postun_with_restart named-chroot.service
+
+
+%if %{SDB}
+
+%post sdb-chroot
+%systemd_post named-sdb-chroot.service
+if [ "$1" -gt 0 ]; then
+  [ -e %{chroot_sdb_prefix}/dev/random ] || \
+    /bin/mknod %{chroot_sdb_prefix}/dev/random c 1 8
+  [ -e %{chroot_sdb_prefix}/dev/zero ] || \
+    /bin/mknod %{chroot_sdb_prefix}/dev/zero c 1 5
+  [ -e %{chroot_sdb_prefix}/dev/null ] || \
+    /bin/mknod %{chroot_sdb_prefix}/dev/null c 1 3
+  rm -f %{chroot_sdb_prefix}/etc/localtime
+  cp /etc/localtime %{chroot_sdb_prefix}/etc/localtime
+fi;
+:;
+
+%posttrans sdb-chroot
+if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_sdb_prefix}/dev/* > /dev/null 2>&1;
+fi;
+:;
+
+%preun sdb-chroot
+%systemd_preun named-sdb-chroot.service 
+if [ "$1" -eq 0 ]; then
+  # Package removal, not upgrade
+  rm -f %{chroot_sdb_prefix}/dev/{random,zero,null}
+  rm -f %{chroot_sdb_prefix}/etc/localtime
+fi
+:;
+
+%postun sdb-chroot
+# Package upgrade, not uninstall
 %systemd_postun_with_restart named-sdb-chroot.service
 
+%endif
+
 %clean
 rm -rf ${RPM_BUILD_ROOT}
 :;
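Review bot: The three `/bin/mknod` calls in the new `%post sdb-chroot` scriptlet set no mode, so the permissions of the chroot's `dev/null`, `dev/zero` and `dev/random` depend on whatever umask the scriptlet runs under. Passing the intended mode explicitly, e.g. `/bin/mknod -m <mode> %{chroot_sdb_prefix}/dev/null c 1 3`, makes the result deterministic and reviewable. The existing `%post chroot` scriptlet shown in an earlier hunk has the same form, so both would want the same change.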
@@ -619,7 +719,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.iscdlv.key
 %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
 %{_sysconfdir}/tmpfiles.d/named.conf
+%{_sysconfdir}/rwtab.d/named
 %{_unitdir}/named.service
+%{_unitdir}/named-setup-rndc.service
 %{_sysconfdir}/NetworkManager/dispatcher.d/13-named
 %{_sbindir}/arpaname
 %{_sbindir}/ddns-confgen
@@ -749,7 +851,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %files chroot
 %defattr(-,root,root,-)
 %{_unitdir}/named-chroot.service
-%{_unitdir}/named-sdb-chroot.service
+%{_unitdir}/named-chroot-setup.service
 %{_libexecdir}/setup-named-chroot.sh
 %ghost %{chroot_prefix}/dev/null
 %ghost %{chroot_prefix}/dev/random
@@ -771,9 +873,41 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{chroot_prefix}/run/named
 %dir %{chroot_prefix}/var/tmp
 %dir %{chroot_prefix}/var/log
+%{chroot_prefix}/var/run
 %dir %{chroot_prefix}/usr
 %dir %{chroot_prefix}/%{_libdir}
 
+%if %{SDB}
+%files sdb-chroot
+%defattr(-,root,root,-)
+%{_unitdir}/named-sdb-chroot.service
+%{_unitdir}/named-sdb-chroot-setup.service
+%{_libexecdir}/setup-named-chroot.sh
+%ghost %{chroot_sdb_prefix}/dev/null
+%ghost %{chroot_sdb_prefix}/dev/random
+%ghost %{chroot_sdb_prefix}/dev/zero
+%ghost %{chroot_sdb_prefix}/etc/localtime
+%defattr(0640,root,named,0750)
+%dir %{chroot_sdb_prefix}
+%dir %{chroot_sdb_prefix}/dev
+%dir %{chroot_sdb_prefix}/etc
+%dir %{chroot_sdb_prefix}/etc/named
+%dir %{chroot_sdb_prefix}/etc/pki
+%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
+%dir %{chroot_sdb_prefix}/var
+%dir %{chroot_sdb_prefix}/run
+%dir %{chroot_sdb_prefix}/var/named
+%dir %{chroot_sdb_prefix}/%{_libdir}/bind
+%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf
+%defattr(0660,named,named,0770)
+%dir %{chroot_sdb_prefix}/run/named
+%dir %{chroot_sdb_prefix}/var/tmp
+%dir %{chroot_sdb_prefix}/var/log
+%{chroot_sdb_prefix}/var/run
+%dir %{chroot_sdb_prefix}/usr
+%dir %{chroot_sdb_prefix}/%{_libdir}
+%endif
+
 %if %{PKCS11}
 %files pkcs11
 %defattr(-,root,root,-)
@@ -785,6 +919,40 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 32:9.9.4-14
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Honza Horak <hhorak@redhat.com> - 32:9.9.4-13
+- Rebuild for mariadb-libs
+  Related: #1045013
+
+* Tue Jan 14 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.4-12
+- Fix CVE-2014-0591
+
+* Mon Jan 06 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.4-11
+- Build against libdb instead of libdb4 (#1044990)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 32:9.9.4-10
+- Mass rebuild 2013-12-27
+
+* Wed Dec 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-9
+- Fix crash in rbtdb after two sucessive getoriginnode() calls (#1044026)
+
+* Tue Dec 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-8
+- Split chroot package for named and named-sdb
+- Extract setting-up/destroying of chroot to a separate systemd service (#1004300)
+
+* Thu Dec 05 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-7
+- Create symlink /var/named/chroot/var/run -> /var/named/chroot/run (#1024384)
+- Added session-keyfile statement into default named.conf since we use /run/named (#1024384)
+
+* Thu Nov 28 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-6
+- Fixed memory leak in nsupdate if 'realm' was used multiple times (#1034824)
+
+* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-5
+- Install configuration for rwtab and fix chroot setup script (#1028189)
+- use --enable-filter-aaaa when building bind to enable filter-aaaa-on-v4 option (#1025245)
+
 * Thu Oct 31 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-4
 - Correct the patch for #1020683