commit bind for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bind for openSUSE:Factory checked in at 2024-07-26 16:13:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bind (Old) and /work/SRC/openSUSE:Factory/.bind.new.1882 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "bind" Fri Jul 26 16:13:58 2024 rev:209 rq:1189415 version:9.20.0 Changes: --------
--- /work/SRC/openSUSE:Factory/bind/bind.changes 2024-05-20 18:09:59.190757906 +0200
+++ /work/SRC/openSUSE:Factory/.bind.new.1882/bind.changes 2024-07-26 16:14:57.628401094 +0200
@@ -1,0 +2,61 @@
+Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to new major version 9.20.0
+ For a complete list of all changes see:
+ * https://bind9.readthedocs.io/en/v9.20.0/notes.html
+ * The CHANGES file in the source RPM
+
+ Some noteworthy changes:
+ * Added new BuildRequires liburcu for lock free data structures.
+ * A new DNSSEC tool dnssec-ksr has been added to create Key
+ Signing Request (KSR) and Signed Key Response (SKR) files.
+ * /etc/bind.keys and /var/lib/named/named.root.key have been
+ removed as the correct defaults are pre-compiled and there is
+ no need to configure bind.keys manually.
+ * The functions that were in the libbind9 shared library have
+ been moved to the libisc and libisccfg libraries. The now-empty
+ libbind9 has been removed and is no longer installed.
+ * The irs_resconf module has been moved to the libdns shared
+ library. The now-empty libirs library has been removed and is
+ no longer installed.
+
+ Security Fixes:
+ * A malicious DNS client that sent many queries over TCP but
+ never read the responses could cause a server to respond slowly
+ or not at all for other clients. This has been fixed.
+ (CVE-2024-0760)
+ [bsc#1228255]
+ * It is possible to craft excessively large resource records
+ sets, which have the effect of slowing down database
+ processing. This has been addressed by adding a configurable
+ limit to the number of records that can be stored per name and
+ type in a cache or zone database. The default is 100, which can
+ be tuned with the new max-records-per-type option.
+ * It is possible to craft excessively large numbers of resource
+ record types for a given owner name, which has the effect of
+ slowing down database processing. This has been addressed by
+ adding a configurable limit to the number of records that can
+ be stored per name and type in a cache or zone database. The
+ default is 100, which can be tuned with the new
+ max-types-per-name option. (CVE-2024-1737)
+ [bsc#1228256]
+ * Validating DNS messages signed using the SIG(0) protocol (RFC
+ 2931) could cause excessive CPU load, leading to a
+ denial-of-service condition. Support for SIG(0) message
+ validation was removed from this version of named.
+ (CVE-2024-1975)
+ [bsc#1228257]
+ * Due to a logic error, lookups that triggered serving stale data
+ and required lookups in local authoritative zone data could
+ have resulted in an assertion failure. This has been fixed.
+ * Potential data races were found in our DoH implementation,
+ related to HTTP/2 session object management and endpoints set
+ object management after reconfiguration. These issues have been
+ fixed.
+ * When looking up the NS records of parent zones as part of
+ looking up DS records, it was possible for named to trigger an
+ assertion failure if serve-stale was enabled. This has been
+ fixed. (CVE-2024-4076)
+ [bsc#1228258]
+
+-------------------------------------------------------------------
Old: ---- bind-9.18.27.tar.xz bind-9.18.27.tar.xz.asc New: ---- bind-9.20.0.tar.xz bind-9.20.0.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.RJukT7/_old 2024-07-26 16:14:58.440433804 +0200 +++ /var/tmp/diff_new_pack.RJukT7/_new 2024-07-26 16:14:58.444433965 +0200 @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.18.27 +Version: 9.20.0 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -92,6 +92,7 @@ BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libmaxminddb) BuildRequires: pkgconfig(libnghttp2) +BuildRequires: pkgconfig(liburcu) BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libxml-2.0) Requires: %{name}-utils
@@ -375,7 +376,6 @@ install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named - install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d %else for file in named; do @@ -422,7 +422,6 @@ # --------------------------------------------------------------------------- # remove useless Makefiles and Makefile skeletons find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} + -install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key %if %{with_systemd} mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/ @@ -532,7 +531,6 @@ %config %{_var}/lib/named/root.hint %config %{_var}/lib/named/127.0.0.zone %config %{_var}/lib/named/localhost.zone -%config %{_var}/lib/named/named.root.key %dir %{_libexecdir}/bind %{_libexecdir}/bind/named.prep %dir %{_libdir}/bind-plugins @@ -571,7 +569,6 @@ %files utils %dir %{_sysconfdir}/named.d %config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf -%config(noreplace) %{_sysconfdir}/bind.keys %dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap/schema %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/dnszone.schema 
@@ -594,20 +591,17 @@ %{_bindir}/dnssec-verify %{_bindir}/dnssec-cds %{_bindir}/dnstap-read +%{_bindir}/dnssec-ksr %{_sbindir}/ddns-confgen %{_sbindir}/rndc %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen -%{_libdir}/libbind9-%{version}.so %{_libdir}/libdns-%{version}.so -%{_libdir}/libirs-%{version}.so %{_libdir}/libisc-%{version}.so %{_libdir}/libisccc-%{version}.so %{_libdir}/libisccfg-%{version}.so %{_libdir}/libns-%{version}.so -%{_libdir}/libbind9.so %{_libdir}/libdns.so -%{_libdir}/libirs.so %{_libdir}/libisc.so %{_libdir}/libisccc.so %{_libdir}/libisccfg.so @@ -634,6 +628,7 @@ %{_mandir}/man1/named-journalprint.1%{ext_man} %{_mandir}/man1/nsec3hash.1%{ext_man} %{_mandir}/man1/dnstap-read.1%{ext_man} +%{_mandir}/man1/dnssec-ksr.1.gz %{_mandir}/man5/rndc.conf.5%{ext_man} %{_mandir}/man8/ddns-confgen.8%{ext_man} %{_mandir}/man8/rndc.8%{ext_man} ++++++ bind-9.18.27.tar.xz -> bind-9.20.0.tar.xz ++++++ ++++ 352923 lines of diff (skipped) ++++++ vendor-files.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/config/named.conf new/vendor-files/config/named.conf --- old/vendor-files/config/named.conf 2023-09-11 10:15:38.619721976 +0200 +++ new/vendor-files/config/named.conf 2024-07-24 14:45:25.545686611 +0200 @@ -23,14 +23,6 @@ directory "/var__NSD__/named"; - # enable DNSSEC validation - # - # If BIND logs error messages about the root key being expired, you - # will need to update your keys. See https://www.isc.org/bind-keys - # - # The dnssec-enable option has been obsoleted and no longer has any effect. - # DNSSEC responses are always enabled if signatures and other DNSSEC data are present. - # dnssec-validation yes (default), indicates that a resolver # (a caching or caching-only name server) will attempt to validate # replies from DNSSEC enabled (signed) zones. To perform this task
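Review bot: The man page entry added in the bind.spec hunk `@@ -634,6 +628,7 @@` is written as `%{_mandir}/man1/dnssec-ksr.1.gz`, while every neighbouring entry in that list uses `%{ext_man}`. Hard-coding `.gz` ties the file list to one man-page compression setting, so the entry would presumably stop matching the installed file if the build environment compresses man pages differently. Suggest `%{_mandir}/man1/dnssec-ksr.1%{ext_man}` to match the surrounding lines. The file list this line belongs to starts and ends outside the hunk.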