Hello community, here is the log from the commit of package bind for openSUSE:Factory checked in at 2020-08-31 17:14:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bind (Old) and /work/SRC/openSUSE:Factory/.bind.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "bind" Mon Aug 31 17:14:50 2020 rev:155 rq:830242 version:9.16.6 Changes: -------- --- /work/SRC/openSUSE:Factory/bind/bind.changes 2020-08-20 22:24:33.995861713 +0200 +++ /work/SRC/openSUSE:Factory/.bind.new.3399/bind.changes 2020-08-31 17:14:55.717043468 +0200 @@ -1,0 +2,39 @@ +Fri Aug 28 09:38:11 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org> + +- Require /sbin/start_daemon: both init scripts, the one used in + systemd context as well as legacy sysv, make use of start_daemon. + +------------------------------------------------------------------- +Tue Aug 18 12:13:49 UTC 2020 - Josef Möllers <josef.moellers@suse.com> + +- Upgrade to version 9.16.6 + Fixes five vilnerabilities: + 5481. [security] "update-policy" rules of type "subdomain" were + incorrectly treated as "zonesub" rules, which allowed + keys used in "subdomain" rules to update names outside + of the specified subdomains. The problem was fixed by + making sure "subdomain" rules are again processed as + described in the ARM. (CVE-2020-8624) [GL #2055] + + 5480. [security] When BIND 9 was compiled with native PKCS#11 support, it + was possible to trigger an assertion failure in code + determining the number of bits in the PKCS#11 RSA public + key with a specially crafted packet. (CVE-2020-8623) + [GL #2037] + + 5479. [security] named could crash in certain query resolution scenarios + where QNAME minimization and forwarding were both + enabled. (CVE-2020-8621) [GL #1997] + + 5478. [security] It was possible to trigger an assertion failure by + sending a specially crafted large TCP DNS message. + (CVE-2020-8620) [GL #1996] + + 5476. [security] It was possible to trigger an assertion failure when + verifying the response to a TSIG-signed request. + (CVE-2020-8622) [GL #2028] + For the less severe bugs fixed, see the CHANGES file. + [bsc#1175443, CVE-2020-8624, CVE-2020-8623, CVE-2020-8621, + CVE-2020-8620, CVE-2020-8622] + +------------------------------------------------------------------- Old: ---- bind-9.16.5.tar.xz bind-9.16.5.tar.xz.sha512.asc New: ---- bind-9.16.6.tar.xz bind-9.16.6.tar.xz.sha512.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.XgNIjO/_old 2020-08-31 17:14:56.905044075 +0200 +++ /var/tmp/diff_new_pack.XgNIjO/_new 2020-08-31 17:14:56.909044078 +0200 @@ -24,7 +24,7 @@ %define libdns libdns%{dns_sonum} %define irs_sonum 1601 %define libirs libirs%{irs_sonum} -%define isc_sonum 1605 +%define isc_sonum 1606 %define libisc libisc%{isc_sonum} %define isccc_sonum 1600 %define libisccc libisccc%{isccc_sonum} @@ -60,7 +60,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.5 +Version: 9.16.6 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -106,6 +106,8 @@ Provides: dns_daemon Obsoletes: bind8 < %{version} Obsoletes: bind9 < %{version} +# named.init (systemd) and init/named both call start_daemon, so unconditional require it +Requires: /sbin/start_daemon %if %{with_systemd} BuildRequires: systemd-rpm-macros BuildRequires: sysuser-shadow @@ -524,6 +526,7 @@ %{_datadir}/bind/ldapdump %ghost %{_rundir}/named %{_fillupdir}/sysconfig.named-named +%attr(1775,root,named) %dir %{_var}/lib/named %dir %{_var}/lib/named/master %attr(-,named,named) %dir %{_var}/lib/named/dyn %attr(-,named,named) %dir %{_var}/lib/named/slave @@ -559,7 +562,6 @@ %if %{with_systemd} %{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf %endif -%attr(1775,root,named) %dir %{_var}/lib/named %dir %{_var}/lib/named%{_sysconfdir} %dir %{_var}/lib/named%{_sysconfdir}/named.d %dir %{_var}/lib/named/dev ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.XgNIjO/_old 2020-08-31 17:14:56.961044104 +0200 +++ /var/tmp/diff_new_pack.XgNIjO/_new 2020-08-31 17:14:56.961044104 +0200 @@ -1,7 +1,7 @@ libbind9-1600 libdns1605 libirs1601 -libisc1605 +libisc1606 obsoletes "bind-libs-<targettype> = <version>" provides "bind-libs-<targettype> = <version>" libisccc1600 @@ -11,6 +11,6 @@ requires "libbind9-1600-<targettype> = <version>" requires "libdns1605-<targettype> = <version>" requires "libirs1601-<targettype> = <version>" - requires "libisc1605-<targettype> = <version>" + requires "libisc1606-<targettype> = <version>" requires "libisccc1600-<targettype> = <version>" requires "libisccfg1600-<targettype> = <version>" ++++++ bind-9.16.5.tar.xz -> bind-9.16.6.tar.xz ++++++ ++++ 7632 lines of diff (skipped)