Hello community,
here is the log from the commit of package bind.372 for openSUSE:13.1:Update checked in at 2016-01-22 14:38:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/bind.372 (Old)
and /work/SRC/openSUSE:13.1:Update/.bind.372.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind.372"
Changes:
--------
New Changes file:
--- /dev/null 2015-12-29 16:09:11.912035506 +0100
+++ /work/SRC/openSUSE:13.1:Update/.bind.372.new/bind.changes 2016-01-22 14:38:58.000000000 +0100
@@ -0,0 +1,1790 @@
+-------------------------------------------------------------------
+Wed Jan 20 10:12:42 UTC 2016 - max@suse.com
+
+- Fix Specific APL data could trigger an INSIST
+ (CVE-2015-8704, bsc#962189).
+
+-------------------------------------------------------------------
+Wed Dec 16 11:06:01 UTC 2015 - max@suse.com
+
+- Fix remote denial of service by misparsing incoming responses
+ (CVE-2015-8000, bsc#958861).
+
+-------------------------------------------------------------------
+Mon Sep 14 12:07:37 UTC 2015 - max@suse.com
+
+- Fix DoS against servers performing validation on DNSSEC-signed
+ records (CVE-2015-5722, bsc#944066).
+
+-------------------------------------------------------------------
+Mon Jul 27 16:16:46 UTC 2015 - max@suse.com
+
+- Fix DoS against authoritative and recursive servers.
+ bnc#939567, CVE-2015-5477
+
+-------------------------------------------------------------------
+Wed Jul 8 15:40:03 UTC 2015 - max@suse.com
+
+- A problem with trust anchor management can cause named to crash
+ (CVE-2015-1349, bsc#918330)
+- Fix resolver crash when validating (CVE-2015-4620, bsc#936476).
+- Make sure %version and %pkg_vers are in sync (bnc#937028).
+
+-------------------------------------------------------------------
+Tue Feb 11 13:39:10 UTC 2014 - max@suse.com
+
+- Fix generation of /etc/named.conf.include
+ (bnc#828678, bnc#848777, bnc#814978).
+
+-------------------------------------------------------------------
+Tue Jan 21 17:02:30 UTC 2014 - max@suse.com
+
+- Update to version 9.9.4P2
+ * Fixes named crash when handling malformed NSEC3-signed zones
+ (CVE-2014-0591, bnc#858639)
+ * Obsoletes workaround-compile-problem.diff
+- Replace rpz2+rl-9.9.3-P1.patch by rpz2-9.9.4.patch, rl is now
+ supported upstream (--enable-rrl).
+
+-------------------------------------------------------------------
+Wed Aug 7 15:19:10 UTC 2013 - max@suse.com
+
+- Systemd doesn't set $TERM, and hence breaks tput (bnc#823175).
+
+-------------------------------------------------------------------
+Tue Aug 6 10:09:22 UTC 2013 - max@suse.com
+
+- Improve pie_compile.diff (bnc#828874).
+- dnssec-checkds and dnssec-coverage need python-base.
+- disable rpath in libtool.
+
+-------------------------------------------------------------------
+Mon Aug 5 14:50:20 UTC 2013 - max@suse.com
+
+- Update to 9.9.3P2 fixes CVE-2013-4854, bnc#831899.
+ * Incorrect bounds checking on private type 'keydata' can lead
+ to a remotely triggerable REQUIRE failure.
+
+-------------------------------------------------------------------
+Wed Jul 24 15:37:09 UTC 2013 - max@suse.com
+
+- Remove non-working apparmor profiles (bnc#740327).
+
+-------------------------------------------------------------------
+Wed Jul 17 14:09:02 CEST 2013 - mls@suse.de
+
+- the README file is not a directory, drop the dir attribute
+
+-------------------------------------------------------------------
+Mon Jun 24 13:17:11 UTC 2013 - meissner@suse.com
+
+- Updated to 9.9.3-P1
+ Various bugfixes and some feature fixes. (see CHANGES files)
+ Security and maintenance issues:
+
+ - [security] Caching data from an incompletely signed zone could
+ trigger an assertion failure in resolver.c [RT #33690]
+ - [security] Support NAPTR regular expression validation on
+ all platforms without using libregex, which
+ can be vulnerable to memory exhaustion attack
+ (CVE-2013-2266). [RT #32688]
+ - [security] RPZ rules to generate A records (but not AAAA records)
+ could trigger an assertion failure when used in
+ conjunction with DNS64 (CVE-2012-5689). [RT #32141]
+ - [bug] Fixed several Coverity warnings.
+ Note: This change includes a fix for a bug that
+ was subsequently determined to be an exploitable
+ security vulnerability, CVE-2012-5688: named could
+ die on specific queries with dns64 enabled.
+ [RT #30996]
+
+ - [maint] Added AAAA for D.ROOT-SERVERS.NET.
+ - [maint] D.ROOT-SERVERS.NET is now 199.7.91.13.
+- Updated to current rate limiting + rpz patch from
+ http://ss.vix.su/~vjs/rrlrpz.html
+- moved dnssec-* helpers to bind-utils package. bnc#813911
+
+-------------------------------------------------------------------
+Wed May 8 08:21:52 UTC 2013 - schwab@suse.de
+
+- Use updated config.guess/sub in the embedded idnkit sources
+
+-------------------------------------------------------------------
+Wed Mar 27 12:33:34 UTC 2013 - meissner@suse.com
+
+- Updated to 9.9.2-P2 (bnc#811876)
+ Fix for: https://kb.isc.org/article/AA-00871 CVE-2013-2266
+
+ * Security Fixes
+ Removed the check for regex.h in configure in order to disable regex
+ syntax checking, as it exposes BIND to a critical flaw in libregex
+ on some platforms. [RT #32688]
+
+- added gpg key source verification
+
+-------------------------------------------------------------------
+Thu Dec 6 08:00:31 UTC 2012 - meissner@suse.com
+
+- Updated to 9.9.2-P1 (bnc#792926)
+ https://kb.isc.org/article/AA-00828
+ * Security Fixes
+
+ Prevents named from aborting with a require assertion failure on
+ servers with DNS64 enabled. These crashes might occur as a result of
+ specific queries that are received. (Note that this fix is a subset
+ of a series of updates that will be included in full in BIND 9.8.5
+ and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
+
+ A deliberately constructed combination of records could cause
+ named to hang while populating the additional section of a
+ response. [CVE-2012-5166] [RT #31090]
+
+ Prevents a named assert (crash) when queried for a record whose
+ RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
+
+ Prevents a named assert (crash) when validating caused by using
+ "Bad cache" data before it has been initialized. [CVE-2012-3817]
+ [RT #30025]
+
+ A condition has been corrected where improper handling of zero-length
+ RDATA could cause undesirable behavior, including termination of
+ the named process. [CVE-2012-1667] [RT #29644]
+
+ ISC_QUEUE handling for recursive clients was updated to address a race
+ condition that could cause a memory leak. This rarely occurred with
+ UDP clients, but could be a significant problem for a server handling
+ a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
+
+New Features
+
+ Elliptic Curve Digital Signature Algorithm keys and signatures in
+ DNSSEC are now supported per RFC 6605. [RT #21918]
+
+ Introduces a new tool "dnssec-checkds" command that checks a zone to
+ determine which DS records should be published in the parent zone,
+ or which DLV records should be published in a DLV zone, and queries
+ the DNS to ensure that it exists. (Note: This tool depends on python;
+ it will not be built or installed on systems that do not have a
+ python interpreter.) [RT #28099]
+
+ Introduces a new tool "dnssec-verify" that validates a signed zone,
+ checking for the correctness of signatures and NSEC/NSEC3 chains.
+ [RT #23673]
+
+ Adds configuration option "max-rsa-exponent-size <value>;" that
+ can be used to specify the maximum rsa exponent size that will be
+ accepted when validating [RT #29228]
+
+Feature Changes
+
+ Improves OpenSSL error logging [RT #29932]
+ nslookup now returns a nonzero exit code when it is unable to get
+ an answer. [RT #29492]
+
+Bug Fixes
+
+ Uses binary mode to open raw files on Windows. [RT #30944]
+ When using DNSSEC inline signing with "rndc signing -nsec3param", a
+ salt value of "-" can now be used to indicate 'no salt'. [RT #30099]
+ Prevents race conditions (address use after free) that could be
+ encountered when named is shutting down and releasing structures
+ used to manage recursive clients. [RT #30241]
+ Static-stub zones now accept "forward" and "fowarders" options
+ (often needed for subdomains of the zone referenced to override
+ global forwarding options). These options are already available
+ with traditional stub zones and their omission from zones of type
+ "static-stub" was an inadvertent oversight. [RT #30482]
+ Limits the TTL of signed RRsets in cache when their RRSIGs are
++++ 1593 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.bind.372.new/bind.changes
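Review bot: the top entry "Fix Specific APL data could trigger an INSIST" states the symptom rather than the fix, and the 27 Jul 2015 entry lists its references on a bare line as "bnc#939567, CVE-2015-5477" while the other 2015 entries use the parenthesised "(CVE-..., bsc#...)" form. Suggest rewording the first along the lines of "Fix INSIST failure triggered by specific APL data" and bringing the July entry into the same reference format so the CVE list can be extracted mechanically. In the 9.9.2-P1 Bug Fixes text, "fowarders" is a misspelling of the option name "forwarders".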
New:
----
Makefile.in.diff
baselibs.conf
bind-9.9.4-P2.tar.gz
bind-9.9.4-P2.tar.gz.asc
bind-CVE-2015-1349.patch
bind-CVE-2015-4620.patch
bind-CVE-2015-5477.patch
bind-CVE-2015-5722.patch
bind-CVE-2015-8000.patch
bind-CVE-2015-8704.patch
bind.changes
bind.keyring
bind.spec
configure.in.diff
configure.in.diff2
dlz-schema.txt
dnszone-schema.txt
named-bootconf.diff
named.root
perl-path.diff
pid-path.diff
pie_compile.diff
rpz2-9.9.4.patch
vendor-files.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bind.spec ++++++
++++ 746 lines (skipped)
++++++ Makefile.in.diff ++++++
Index: bind-9.9.3-P1/bin/named/Makefile.in
===================================================================
--- bind-9.9.3-P1.orig/bin/named/Makefile.in
+++ bind-9.9.3-P1/bin/named/Makefile.in
@@ -175,9 +175,7 @@ installdirs:
install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done
@DLZ_DRIVER_RULES@
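Review bot: the new "for m in ${MANPAGES}; do ... done" line in the install rule does not stop on failure. The exit status of the loop is that of the last ${INSTALL_DATA} call, so a failed install of an earlier man page is silently ignored where the three removed lines would each have failed the target. Suggest appending "|| exit 1" to the command inside the loop. MANPAGES is not defined in this hunk, and the Index line names bind-9.9.3-P1 while the shipped tarball is bind-9.9.4-P2, so it is worth confirming the patch still applies without fuzz.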
++++++ baselibs.conf ++++++
bind-libs
obsoletes "bind-utils-<targettype>"
provides "bind-utils-<targettype>"
arch ppc package bind-devel
requires -bind-<targettype>
requires "bind-libs-<targettype> = <version>"
arch sparcv9 package bind-devel
requires -bind-<targettype>
requires "bind-libs-<targettype> = <version>"
++++++ bind-CVE-2015-1349.patch ++++++
Index: bind-9.9.4-P2/lib/dns/zone.c
===================================================================
--- bind-9.9.4-P2.orig/lib/dns/zone.c 2015-07-08 15:58:17.098535220 +0200
+++ bind-9.9.4-P2/lib/dns/zone.c 2015-07-08 17:37:50.868674830 +0200
@@ -8456,6 +8456,12 @@
namebuf, tag);
trustkey = ISC_TRUE;
}
+ } else {
+ /*
+ * No previously known key, and the key is not
+ * secure, so skip it.
+ */
+ continue;
}
/* Delete old version */
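Review bot: the new else branch skips an unvalidated key with a bare "continue" and no log message, while the branch just above it reports namebuf and tag. Since this is trust anchor handling, suggest logging the skipped key's name and tag at the same level so an operator can see that a key was ignored. The visible context also does not show whether anything acquired earlier in the loop iteration needs releasing before the continue; please confirm.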
@@ -8504,7 +8510,7 @@
trust_key(zone, keyname, &dnskey, mctx);
}
- if (!deletekey)
+ if (secure && !deletekey)
set_refreshkeytimer(zone, &keydata, now);
}
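Review bot: the changed condition "if (secure && !deletekey)" has no comment saying why the refresh timer must not be set for a key that is not secure, and the patch file carries no description or upstream reference. Suggest a one-line comment at the condition and a patch header naming the upstream change, as bind-CVE-2015-8000.patch does.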
++++++ bind-CVE-2015-4620.patch ++++++
--- a/lib/dns/validator.c
+++ a/lib/dns/validator.c
@@ -1422,7 +1422,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
*/
static isc_boolean_t
isselfsigned(dns_validator_t *val) {
- dns_fixedname_t fixed;
dns_rdataset_t *rdataset, *sigrdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -1478,8 +1477,7 @@ isselfsigned(dns_validator_t *val) {
result = dns_dnssec_verify3(name, rdataset, dstkey,
ISC_TRUE,
val->view->maxbits,
- mctx, &sigrdata,
- dns_fixedname_name(&fixed));
+ mctx, &sigrdata, NULL);
dst_key_free(&dstkey);
if (result != ISC_R_SUCCESS)
continue;
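Review bot: in the dns_dnssec_verify3 call in isselfsigned, the last argument becomes a bare NULL with no comment on why the output name is not wanted here. The removed code passed dns_fixedname_name(&fixed) and no initialisation of "fixed" appears in either hunk, which is presumably the defect; say so in a short comment at the call or in a patch header, since the file has neither description nor upstream commit reference.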
++++++ bind-CVE-2015-5477.patch ++++++
Index: lib/dns/tkey.c
===================================================================
--- lib/dns/tkey.c.orig 2015-07-28 15:06:08.763863486 +0200
+++ lib/dns/tkey.c 2015-07-28 15:07:01.031540449 +0200
@@ -650,6 +650,7 @@
* Try the answer section, since that's where Win2000
* puts it.
*/
+ name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
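Review bot: the added "name = NULL;" before the second dns_message_findname call has no comment, so a later cleanup could remove it as a redundant assignment. Suggest a comment stating that name may still hold the result of the earlier lookup and must be reset before it is passed as the output argument again.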
++++++ bind-CVE-2015-5722.patch ++++++
--- a/lib/dns/hmac_link.c
+++ a/lib/dns/hmac_link.c
@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
unsigned int bytes;
- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
- bytes = ISC_SHA1_BLOCK_LENGTH;
- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
+ bytes = ISC_MD5_BLOCK_LENGTH;
+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
}
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
return (ret);
}
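Review bot: the memset(data, 0, ISC_MD5_BLOCK_LENGTH) directly before "return (ret);" in hmacmd5_generate is a store to a local array that is never read again, so an optimising compiler is free to drop it and leave the generated key bytes on the stack. Since the line is being touched anyway, suggest replacing it with a wipe the compiler cannot elide (a volatile-pointer loop, or explicit_bzero where the platform has it).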
@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, hkey->key);
@@ -236,6 +236,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacmd5 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
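Review bot: the isc_buffer_forward(data, r.length) added at the end of hmacmd5_fromdns is repeated verbatim in the five hmacsha*_fromdns hunks that follow, with no comment in any of them. Suggest a single comment (or a small shared helper) stating that fromdns must consume the key bytes it parsed, so the six copies cannot drift apart. This functional fix is also mixed in the same file with the ISC_SHA1_BLOCK_LENGTH to ISC_MD5_BLOCK_LENGTH renames; splitting the two would make the security-relevant change easier to audit.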
@@ -512,6 +514,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha1 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -790,6 +794,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha224 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -1068,6 +1074,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha256 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -1346,6 +1354,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha384 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -1624,6 +1634,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha512 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
--- a/lib/dns/include/dst/dst.h
+++ a/lib/dns/include/dst/dst.h
@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_HMACSHA256 163 /* XXXMPA */
#define DST_ALG_HMACSHA384 164 /* XXXMPA */
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
+#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
#define DST_ALG_EXPAND 255
#define DST_MAX_ALGS 255
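Review bot: the new "#define DST_ALG_INDIRECT 252" has no comment, unlike the neighbouring definitions. Suggest noting what the value denotes and that it is rejected in dns_resolver_algorithm_supported, since that is its only use in this patch.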
--- a/lib/dns/ncache.c
+++ a/lib/dns/ncache.c
@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
dns_name_fromregion(&tname, &remaining);
INSIST(remaining.length >= tname.length);
isc_buffer_forward(&source, tname.length);
- remaining.length -= tname.length;
- remaining.base += tname.length;
+ isc_region_consume(&remaining, tname.length);
INSIST(remaining.length >= 2);
type = isc_buffer_getuint16(&source);
- remaining.length -= 2;
- remaining.base += 2;
+ isc_region_consume(&remaining, 2);
if (type != dns_rdatatype_rrsig ||
!dns_name_equal(&tname, name)) {
@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
INSIST(remaining.length >= 1);
trust = isc_buffer_getuint8(&source);
INSIST(trust <= dns_trust_ultimate);
- remaining.length -= 1;
- remaining.base += 1;
+ isc_region_consume(&remaining, 1);
raw = remaining.base;
count = raw[0] * 256 + raw[1];
--- a/lib/dns/openssldh_link.c
+++ a/lib/dns/openssldh_link.c
@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
static void
uint16_toregion(isc_uint16_t val, isc_region_t *region) {
- *region->base++ = (val & 0xff00) >> 8;
- *region->base++ = (val & 0x00ff);
+ *region->base = (val & 0xff00) >> 8;
+ isc_region_consume(region, 1);
+ *region->base = (val & 0x00ff);
+ isc_region_consume(region, 1);
}
static isc_uint16_t
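Review bot: in uint16_toregion each byte is stored through region->base before isc_region_consume is called, so whatever length check isc_region_consume performs runs only after the write has happened. Suggest checking that region->length is at least 2 on entry, or consuming first and writing through a saved pointer, so the bound is enforced before the store.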
@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
val = ((unsigned int)(cp[0])) << 8;
val |= ((unsigned int)(cp[1]));
- region->base += 2;
+ isc_region_consume(region, 2);
+
return (val);
}
@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
}
else
BN_bn2bin(dh->p, r.base);
- r.base += plen;
+ isc_region_consume(&r, plen);
uint16_toregion(glen, &r);
if (glen > 0)
BN_bn2bin(dh->g, r.base);
- r.base += glen;
+ isc_region_consume(&r, glen);
uint16_toregion(publen, &r);
BN_bn2bin(dh->pub_key, r.base);
- r.base += publen;
+ isc_region_consume(&r, publen);
isc_buffer_add(data, dnslen);
@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
if (plen == 1 || plen == 2) {
- if (plen == 1)
- special = *r.base++;
- else
+ if (plen == 1) {
+ special = *r.base;
+ isc_region_consume(&r, 1);
+ } else {
special = uint16_fromregion(&r);
+ }
switch (special) {
case 1:
dh->p = &bn768;
@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
DH_free(dh);
return (DST_R_INVALIDPUBLICKEY);
}
- }
- else {
+ } else {
dh->p = BN_bin2bn(r.base, plen, NULL);
- r.base += plen;
+ isc_region_consume(&r, plen);
}
/*
@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
}
- }
- else {
+ } else {
if (glen == 0) {
DH_free(dh);
return (DST_R_INVALIDPUBLICKEY);
}
dh->g = BN_bin2bn(r.base, glen, NULL);
}
- r.base += glen;
+ isc_region_consume(&r, glen);
if (r.length < 2) {
DH_free(dh);
@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
dh->pub_key = BN_bin2bn(r.base, publen, NULL);
- r.base += publen;
+ isc_region_consume(&r, publen);
key->key_size = BN_num_bits(dh->p);
--- a/lib/dns/openssldsa_link.c
+++ a/lib/dns/openssldsa_link.c
@@ -29,8 +29,6 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
#ifdef OPENSSL
#ifndef USE_EVP
#define USE_EVP 1
@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
DSA *dsa = key->keydata.dsa;
isc_region_t r;
DSA_SIG *dsasig;
+ unsigned int klen;
#if USE_EVP
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey;
@@ -188,6 +187,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
ISC_R_FAILURE));
}
free(sigbuf);
+
#elif 0
/* Only use EVP for the Digest */
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
"DSA_do_sign",
DST_R_SIGNFAILURE));
#endif
- *r.base++ = (key->key_size - 512)/64;
+
+ klen = (key->key_size - 512)/64;
+ if (klen > 255)
+ return (ISC_R_FAILURE);
+ *r.base = klen;
+ isc_region_consume(&r, 1);
+
BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
DSA_SIG_free(dsasig);
isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
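Review bot: the new early "return (ISC_R_FAILURE);" taken when klen > 255 in openssldsa_sign exits before the DSA_SIG_free(dsasig) call a few lines below, so the signature object is leaked on that path. Suggest freeing dsasig before returning, or moving the klen computation and check ahead of the signing step.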
@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
if (r.length < (unsigned int) dnslen)
return (ISC_R_NOSPACE);
- *r.base++ = t;
+ *r.base = t;
+ isc_region_consume(&r, 1);
BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
isc_buffer_add(data, dnslen);
@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (ISC_R_NOMEMORY);
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
- t = (unsigned int) *r.base++;
+ t = (unsigned int) *r.base;
+ isc_region_consume(&r, 1);
if (t > 8) {
DSA_free(dsa);
return (DST_R_INVALIDPUBLICKEY);
}
p_bytes = 64 + 8 * t;
- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
DSA_free(dsa);
return (DST_R_INVALIDPUBLICKEY);
}
dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
key->key_size = p_bytes * 8;
--- a/lib/dns/opensslecdsa_link.c
+++ a/lib/dns/opensslecdsa_link.c
@@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
#include
#ifdef HAVE_OPENSSL_ECDSA
@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
"ECDSA_do_sign",
DST_R_SIGNFAILURE));
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
- r.base += siglen / 2;
+ isc_region_consume(&r, siglen / 2);
BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
- r.base += siglen / 2;
+ isc_region_consume(&r, siglen / 2);
ECDSA_SIG_free(ecdsasig);
isc_buffer_add(sig, siglen);
ret = ISC_R_SUCCESS;
--- a/lib/dns/opensslrsa_link.c
+++ a/lib/dns/opensslrsa_link.c
@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
RSA *rsa;
isc_region_t r;
unsigned int e_bytes;
+ unsigned int length;
#if USE_EVP
EVP_PKEY *pkey;
#endif
@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
return (ISC_R_SUCCESS);
+ length = r.length;
rsa = RSA_new();
if (rsa == NULL)
@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
RSA_free(rsa);
return (DST_R_INVALIDPUBLICKEY);
}
- e_bytes = *r.base++;
- r.length--;
+ e_bytes = *r.base;
+ isc_region_consume(&r, 1);
if (e_bytes == 0) {
if (r.length < 2) {
RSA_free(rsa);
return (DST_R_INVALIDPUBLICKEY);
}
- e_bytes = ((*r.base++) << 8);
- e_bytes += *r.base++;
- r.length -= 2;
+ e_bytes = (*r.base) << 8;
+ isc_region_consume(&r, 1);
+ e_bytes += *r.base;
+ isc_region_consume(&r, 1);
}
if (r.length < e_bytes) {
@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
- r.base += e_bytes;
- r.length -= e_bytes;
+ isc_region_consume(&r, e_bytes);
rsa->n = BN_bin2bn(r.base, r.length, NULL);
key->key_size = BN_num_bits(rsa->n);
- isc_buffer_forward(data, r.length);
+ isc_buffer_forward(data, length);
#if USE_EVP
pkey = EVP_PKEY_new();
--- a/lib/dns/resolver.c
+++ a/lib/dns/resolver.c
@@ -9058,6 +9058,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
REQUIRE(VALID_RESOLVER(resolver));
+ /*
+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+ */
+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
+ return (ISC_FALSE);
+
#if USE_ALGLOCK
RWLOCK(&resolver->alglock, isc_rwlocktype_read);
#endif
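Review bot: the new comment in dns_resolver_algorithm_supported says only "DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1", but the condition below it also rejects DST_ALG_INDIRECT. Suggest extending the comment to cover both algorithm values so the check and its rationale agree.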
@@ -9077,6 +9083,7 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
#endif
if (found)
return (ISC_FALSE);
+
return (dst_algorithm_supported(alg));
}
++++++ bind-CVE-2015-8000.patch ++++++
@@ -, +, @@
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
(cherry picked from commit c8821d124c532e0a65752b378f924d4259499fd3)
(cherry picked from commit 9631d0769e09c823acb68ed9795f220bf37800ca)
Index: bind-9.9.4-P2/CHANGES
===================================================================
--- bind-9.9.4-P2.orig/CHANGES
+++ bind-9.9.4-P2/CHANGES
@@ -1,3 +1,8 @@
+4260. [security] Insufficient testing when parsing a message allowed
+ records with an incorrect class to be be accepted,
+ triggering a REQUIRE failure when those records
+ were subsequently cached. (CVE-2015-8000) [RT #4098]
+
--- 9.9.4-P2 released ---
3693. [security] memcpy was incorrectly called with overlapping
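Review bot: the new CHANGES entry 4260 reads "to be be accepted"; the doubled "be" should be fixed here and in the description at the top of the patch file.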
Index: bind-9.9.4-P2/bin/tests/system/start.pl
===================================================================
--- bind-9.9.4-P2.orig/bin/tests/system/start.pl
+++ bind-9.9.4-P2/bin/tests/system/start.pl
@@ -68,6 +68,7 @@
my $LWRESD = $ENV{'LWRESD'};
my $DIG = $ENV{'DIG'};
my $PERL = $ENV{'PERL'};
+my $PYTHON = $ENV{'PYTHON'};
# Start the server(s)
@@ -188,7 +189,9 @@
$pid_file = "lwresd.pid";
} elsif ($server =~ /^ans/) {
$cleanup_files = "{ans.run}";
- if (-e "$testdir/$server/ans.pl") {
+ if (-e "$testdir/$server/ans.py") {
+ $command = "$PYTHON ans.py 10.53.0.$' 5300";
+ } elsif (-e "$testdir/$server/ans.pl") {
$command = "$PERL ans.pl";
} else {
$command = "$PERL $topdir/ans.pl 10.53.0.$'";
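Review bot: the new ans.py branch builds the command from $PYTHON, which is read from the environment in the previous hunk and never checked. If PYTHON is unset the command becomes " ans.py 10.53.0.N 5300" and the test server fails to start with an unhelpful error. Suggest testing that $PYTHON is defined and non-empty before choosing this branch, and falling through to the ans.pl cases or dying with a clear message otherwise.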
Index: bind-9.9.4-P2/lib/dns/include/dns/message.h
===================================================================
--- bind-9.9.4-P2.orig/lib/dns/include/dns/message.h
+++ bind-9.9.4-P2/lib/dns/include/dns/message.h
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
#ifndef DNS_MESSAGE_H
#define DNS_MESSAGE_H 1
@@ -210,6 +208,8 @@
unsigned int verify_attempted : 1;
unsigned int free_query : 1;
unsigned int free_saved : 1;
+ unsigned int tkey : 1;
+ unsigned int rdclass_set : 1;
unsigned int opt_reserved;
unsigned int sig_reserved;
@@ -1374,6 +1374,15 @@
* \li other.
*/
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li msg be a valid message with parsing intent.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_MESSAGE_H */
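Review bot: the doc comment for dns_message_setclass lists a single requirement, "msg be a valid message with parsing intent", but the implementation added in message.c also has REQUIRE(msg->state == DNS_SECTION_ANY) and REQUIRE(msg->rdclass_set == 0). Both are caller-visible preconditions (the function must be called before parsing starts and only once per message) and should be listed under "Requires:", since violating them aborts the process.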
Index: bind-9.9.4-P2/lib/dns/message.c
===================================================================
--- bind-9.9.4-P2.orig/lib/dns/message.c
+++ bind-9.9.4-P2/lib/dns/message.c
@@ -436,6 +436,8 @@
m->saved.base = NULL;
m->saved.length = 0;
m->free_saved = 0;
+ m->tkey = 0;
+ m->rdclass_set = 0;
m->querytsig = NULL;
}
@@ -1086,13 +1088,19 @@
* If this class is different than the one we already read,
* this is an error.
*/
- if (msg->state == DNS_SECTION_ANY) {
- msg->state = DNS_SECTION_QUESTION;
+ if (msg->rdclass_set == 0) {
msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
} else if (msg->rdclass != rdclass)
DO_FORMERR;
/*
+ * Is this a TKEY query?
+ */
+ if (rdtype == dns_rdatatype_tkey)
+ msg->tkey = 1;
+
+ /*
* Can't ask the same question twice.
*/
result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1236,12 +1244,12 @@
* If there was no question section, we may not yet have
* established a class. Do so now.
*/
- if (msg->state == DNS_SECTION_ANY &&
+ if (msg->rdclass_set == 0 &&
rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
rdtype != dns_rdatatype_tsig && /* class is ANY */
rdtype != dns_rdatatype_tkey) { /* class is undefined */
msg->rdclass = rdclass;
- msg->state = DNS_SECTION_QUESTION;
+ msg->rdclass_set = 1;
}
/*
@@ -1251,7 +1259,7 @@
if (msg->opcode != dns_opcode_update
&& rdtype != dns_rdatatype_tsig
&& rdtype != dns_rdatatype_opt
- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+ && rdtype != dns_rdatatype_key /* in a TKEY query */
&& rdtype != dns_rdatatype_sig /* SIG(0) */
&& rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
&& msg->rdclass != dns_rdataclass_any
@@ -1259,6 +1267,16 @@
DO_FORMERR;
/*
+ * If this is not a TKEY query/response then the KEY
+ * record's class needs to match.
+ */
+ if (msg->opcode != dns_opcode_update && !msg->tkey &&
+ rdtype == dns_rdatatype_key &&
+ msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
* Special type handling for TSIG, OPT, and TKEY.
*/
if (rdtype == dns_rdatatype_tsig) {
@@ -1372,6 +1390,10 @@
skip_name_search = ISC_TRUE;
skip_type_search = ISC_TRUE;
issigzero = ISC_TRUE;
+ } else {
+ if (msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
}
} else
covers = 0;
@@ -1610,6 +1632,7 @@
msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
msg->header_ok = 1;
+ msg->state = DNS_SECTION_QUESTION;
/*
* -1 means no EDNS.
@@ -3550,3 +3573,15 @@
dns_message_puttemprdatalist(message, &rdatalist);
return (result);
}
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+ REQUIRE(msg->rdclass_set == 0);
+
+ msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
+}
Index: bind-9.9.4-P2/lib/dns/resolver.c
===================================================================
--- bind-9.9.4-P2.orig/lib/dns/resolver.c
+++ bind-9.9.4-P2/lib/dns/resolver.c
@@ -6907,6 +6907,8 @@
goto done;
}
+ dns_message_setclass(message, fctx->res->rdclass);
+
result = dns_message_parse(message, &devent->buffer, 0);
if (result != ISC_R_SUCCESS) {
switch (result) {
@@ -6979,6 +6981,12 @@
*/
log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
+ if (message->rdclass != fctx->res->rdclass) {
+ resend = ISC_TRUE;
+ FCTXTRACE("bad class");
+ goto done;
+ }
+
/*
* Process receive opt record.
*/
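Review bot: the new "if (message->rdclass != fctx->res->rdclass)" check after log_packet looks unreachable from the lines shown. The previous hunk calls dns_message_setclass with fctx->res->rdclass before parsing, and the message.c hunks only assign msg->rdclass while rdclass_set is 0. If this is deliberate defence in depth, say so in a comment; if a real path can leave the class different, name it. Either way, note why a resend is the right reaction to a wrong-class response.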
Index: bind-9.9.4-P2/lib/dns/xfrin.c
===================================================================
--- bind-9.9.4-P2.orig/lib/dns/xfrin.c
+++ bind-9.9.4-P2/lib/dns/xfrin.c
@@ -1241,6 +1241,8 @@
msg->tsigctx = xfr->tsigctx;
xfr->tsigctx = NULL;
+ dns_message_setclass(msg, xfr->rdclass);
+
if (xfr->nmsg > 0)
msg->tcp_continuation = 1;
++++++ bind-CVE-2015-8704.patch ++++++
--- a/lib/dns/rdata/in_1/apl_42.c
+++ a/lib/dns/rdata/in_1/apl_42.c
@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
isc_uint8_t len;
isc_boolean_t neg;
unsigned char buf[16];
- char txt[sizeof(" !64000")];
+ char txt[sizeof(" !64000:")];
const char *sep = "";
int n;
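Review bot: the buffer size in "char txt[sizeof(" !64000:")];" is tied to the snprintf format "%s%s%u:" in the next hunk only through a string literal, and the missing ":" in that literal was the defect being fixed. Suggest a comment next to the declaration naming each component (separator, "!", up to five digits, ":") so that a future change to the format string updates the size as well.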
@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) {
isc_region_consume(&sr, 1);
INSIST(len <= sr.length);
n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
- neg ? "!": "", afi);
+ neg ? "!" : "", afi);
INSIST(n < (int)sizeof(txt));
RETERR(str_totext(txt, target));
switch (afi) {
++++++ configure.in.diff ++++++
--- bind-9.9.3-P1/configure.in.xx 2013-06-26 14:23:25.536177163 +0200
+++ bind-9.9.3-P1/configure.in 2013-06-26 14:23:26.401175186 +0200
@@ -3099,7 +3099,7 @@
# empty). The variable VARIABLE will be substituted into output files.
#
-AC_DEFUN(NOM_PATH_FILE, [
+AC_DEFUN([NOM_PATH_FILE], [
$1=""
AC_MSG_CHECKING(for $2)
for d in $3
++++++ configure.in.diff2 ++++++
--- a/configure.in
+++ a/configure.in 2011/04/21 13:34:11
@@ -280,7 +280,7 @@
AC_C_INLINE
AC_C_VOLATILE
AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME))
-AC_C_FLEXIBLE_ARRAY_MEMBER
+#AC_C_FLEXIBLE_ARRAY_MEMBER
#
# UnixWare 7.1.1 with the feature supplement to the UDK compiler
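Review bot: AC_C_FLEXIBLE_ARRAY_MEMBER is disabled by prefixing it with '#', and the patch says nothing about why the check is dropped or which toolchain it breaks. Add a comment with the reason and the condition under which it can be re-enabled, so the disabled check is not carried forward blindly across version updates.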
++++++ dlz-schema.txt ++++++
#
#
# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
# types and object classes that may be needed by end users
# to add security, etc. Attributes and object classes using
# this OID MUST NOT be published outside of an organization
# except to offer them for consideration to become part of the
# standard attributes and object classes published by the DLZ project.
attributetype ( 1.3.6.1.4.1.18420.1.1.10
NAME 'dlzZoneName'
DESC 'DNS zone name - domain name not including host name'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.20
NAME 'dlzHostName'
DESC 'Host portion of a domain name'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.30
NAME 'dlzData'
DESC 'Data for the resource record'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.40
NAME 'dlzType'
DESC 'DNS record type - A, SOA, NS, MX, etc...'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.50
NAME 'dlzSerial'
DESC 'SOA record serial number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.60
NAME 'dlzRefresh'
DESC 'SOA record refresh time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.70
NAME 'dlzRetry'
DESC 'SOA retry time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.80
NAME 'dlzExpire'
DESC 'SOA expire time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.90
NAME 'dlzMinimum'
DESC 'SOA minimum time in seconds'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.100
NAME 'dlzAdminEmail'
DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.110
NAME 'dlzPrimaryNS'
DESC 'Primary name server for this zone - should be host name not IP address'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.120
NAME 'dlzIPAddr'
DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.130
NAME 'dlzCName'
DESC 'DNS cname'
SUP name
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.140
NAME 'dlzPreference'
DESC 'DNS MX record preference. Lower numbers have higher preference'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.150
NAME 'dlzTTL'
DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.18420.1.1.160
NAME 'dlzRecordID'
DESC 'Unique ID for each DLZ resource record'
SUP name
SINGLE-VALUE )
#------------------------------------------------------------------------------
# Object class definitions
#------------------------------------------------------------------------------
objectclass ( 1.3.6.1.4.1.18420.1.2.10
NAME 'dlzZone'
DESC 'Zone name portion of a domain name'
SUP top STRUCTURAL
MUST ( objectclass $ dlzZoneName ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.20
NAME 'dlzHost'
DESC 'Host name portion of a domain name'
SUP top STRUCTURAL
MUST ( objectclass $ dlzHostName ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.30
NAME 'dlzAbstractRecord'
DESC 'Data common to all DNS record types'
SUP top ABSTRACT
MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.40
NAME 'dlzGenericRecord'
DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
SUP dlzAbstractRecord STRUCTURAL
MUST ( dlzData ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.50
NAME 'dlzARecord'
DESC 'DNS A record'
SUP dlzAbstractrecord STRUCTURAL
MUST ( dlzIPAddr ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.60
NAME 'dlzNSRecord'
DESC 'DNS NS record'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.70
NAME 'dlzMXRecord'
DESC 'DNS MX record'
SUP dlzGenericRecord STRUCTURAL
MUST ( dlzPreference ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.80
NAME 'dlzSOARecord'
DESC 'DNS SOA record'
SUP dlzAbstractRecord STRUCTURAL
MUST ( dlzSerial $ dlzRefresh $ dlzRetry
$ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )
objectclass ( 1.3.6.1.4.1.18420.1.2.90
NAME 'dlzTextRecord'
DESC 'Text data with spaces should be wrapped in double quotes'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.100
NAME 'dlzPTRRecord'
DESC 'DNS PTR record'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.110
NAME 'dlzCNameRecord'
DESC 'DNS CName record'
SUP dlzGenericRecord STRUCTURAL )
objectclass ( 1.3.6.1.4.1.18420.1.2.120
NAME 'dlzXFR'
DESC 'Host allowed to perform zone transfer'
SUP top STRUCTURAL
MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )
++++++ dnszone-schema.txt ++++++
# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
DESC 'An integer denoting time to live'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
DESC 'The class of a resource record'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
DESC 'The name of a zone, i.e. the name of the highest node in the zone'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
DESC 'The starting labels of a domain name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
DESC 'domain name pointer, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
DESC 'host information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
DESC 'mailbox or mail list information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
DESC 'text string, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
DESC 'for AFS Data Base location, RFC 1183'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
DESC 'Signature, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
DESC 'Key, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
DESC 'IPv6 address, RFC 1886'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
DESC 'Location, RFC 1876'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
DESC 'non-existant, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
DESC 'service location, RFC 2782'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
DESC 'Naming Authority Pointer, RFC 2915'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
DESC 'Key Exchange Delegation, RFC 2230'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
DESC 'certificate, RFC 2538'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
DESC 'A6 Record Type, RFC 2874'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
DESC 'Delegation Signer, RFC 3658'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
DESC 'RRSIG, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
DESC 'NSEC, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
SUP top STRUCTURAL
MUST ( zoneName $ relativeDomainName )
MAY ( DNSTTL $ DNSClass $
ARecord $ MDRecord $ MXRecord $ NSRecord $
SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
RRSIGRecord $ NSECRecord ) )
++++++ named-bootconf.diff ++++++
Index: contrib/named-bootconf/named-bootconf.sh
===================================================================
--- contrib/named-bootconf/named-bootconf.sh.orig
+++ contrib/named-bootconf/named-bootconf.sh
@@ -54,7 +54,8 @@
# POSSIBILITY OF SUCH DAMAGE.
if [ ${OPTIONFILE-X} = X ]; then
- WORKDIR=/tmp/`date +%s`.$$
+ TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
+ WORKDIR=$TMPDIR/`date +%s`.$$
( umask 077 ; mkdir $WORKDIR ) || {
echo "unable to create work directory '$WORKDIR'" >&2
exit 1
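Review bot: TMPDIR is the standard environment variable that mktemp and many other tools consult for their temporary directory, and the added line reuses it as a script variable. Pick a private name and quote the expansions (WORKDIR="$name/..." rather than WORKDIR=$TMPDIR/...). With a private mktemp -d directory in place, the date/PID subdirectory and its separate mkdir are redundant and could be dropped.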
@@ -308,7 +309,7 @@ if [ $DUMP -eq 1 ]; then
cat $ZONEFILE $COMMENTFILE
rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
- rmdir $WORKDIR
+ rm -rf $TMPDIR
fi
exit 0
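Review bot: rm -rf $TMPDIR is unquoted and acts on whatever TMPDIR holds at that point, while the first hunk assigns it only inside if [ ${OPTIONFILE-X} = X ]. If this cleanup can be reached without that branch having run, the command operates on the value inherited from the environment or on an empty string. Use a variable set only by the mktemp call, test it for non-empty before removing, and quote it: rm -rf -- "$var".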
++++++ named.root ++++++
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
++++++ perl-path.diff ++++++
Index: bin/tests/t_api.pl
===================================================================
--- bin/tests/t_api.pl.orig
+++ bin/tests/t_api.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
#
# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2001 Internet Software Consortium.
Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl
===================================================================
--- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig
+++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl
@@ -1,4 +1,4 @@
-#! /usr/local/bin/perl -w
+#! /usr/bin/perl -w
# $Id: generate_nameprep_data.pl,v 1.1 2003/06/04 00:27:54 marka Exp $
#
# Copyright (c) 2001 Japan Network Information Center. All rights reserved.
Index: contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl
===================================================================
--- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig
+++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl
@@ -1,4 +1,4 @@
-#! /usr/local/bin/perl -w
+#! /usr/bin/perl -w
# $Id: generate_normalize_data.pl,v 1.1 2003/06/04 00:27:55 marka Exp $
#
# Copyright (c) 2000,2001 Japan Network Information Center.
++++++ pid-path.diff ++++++
Index: bin/named/include/named/globals.h
===================================================================
--- bin/named/include/named/globals.h.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/named/include/named/globals.h 2013-08-05 14:14:28.152275375 +0200
@@ -139,9 +139,9 @@
"lwresd.pid");
#else
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
- "/run/named.pid");
+ "/run/named/named.pid");
EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
- "/run/lwresd.pid");
+ "/run/named/lwresd.pid");
#endif
EXTERN const char * ns_g_username INIT(NULL);
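Review bot: both default pid files now sit under NS_LOCALSTATEDIR "/run/named/", a subdirectory that nothing in this hunk creates. The package has to create that directory at install time or service start and make it writable by the account named runs as, otherwise the pid file cannot be written. A line in the patch header pointing to where that happens would help.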
Index: contrib/nanny/nanny.pl
===================================================================
--- contrib/nanny/nanny.pl.orig 2013-07-17 00:13:06.000000000 +0200
+++ contrib/nanny/nanny.pl 2013-08-05 14:14:28.153275387 +0200
@@ -19,7 +19,7 @@
# A simple nanny to make sure named stays running.
-$pid_file_location = '/var/run/named.pid';
+$pid_file_location = '/var/run/named/named.pid';
$nameserver_location = 'localhost';
$dig_program = 'dig';
$named_program = 'named';
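Review bot: $pid_file_location is hard-coded to '/var/run/named/named.pid', which agrees with the new ns_g_defaultpidfile in globals.h only when NS_LOCALSTATEDIR is /var. A comment stating that assumption would keep the two from silently diverging if the build is configured with a different localstatedir.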
++++++ pie_compile.diff ++++++
Index: bin/check/Makefile.in
===================================================================
--- bin/check/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/check/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -57,8 +57,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
named-checkconf.@O@: named-checkconf.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
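Review bot: EXT_CFLAGS is set with '=' to "-fPIE -static" while LDFLAGS is extended with "+= -pie". The plain assignment replaces any EXT_CFLAGS value set earlier or inherited from the environment, and pairing -static with a -pie link needs a comment saying what -static is meant to do here, given that the objects are built through ${LIBTOOL_MODE_COMPILE}. The same two additions are repeated in the other bin/*/Makefile.in hunks of this patch; defining them once in the shared make rules would keep the copies from drifting apart.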
Index: bin/confgen/Makefile.in
===================================================================
--- bin/confgen/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/confgen/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -64,8 +64,12 @@
UOBJS = unix/os.@O@
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
Index: bin/confgen/unix/Makefile.in
===================================================================
--- bin/confgen/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/confgen/unix/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -32,4 +32,8 @@
TARGETS = ${OBJS}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+
+LDFLAGS += -pie
Index: bin/dig/Makefile.in
===================================================================
--- bin/dig/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/dig/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -69,8 +69,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
Index: bin/dnssec/Makefile.in
===================================================================
--- bin/dnssec/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/dnssec/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -64,8 +64,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
Index: bin/Makefile.in
===================================================================
--- bin/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -23,4 +23,8 @@
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+
+LDFLAGS += -pie
Index: bin/named/Makefile.in
===================================================================
--- bin/named/Makefile.in.orig 2013-08-06 12:08:17.653432490 +0200
+++ bin/named/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -115,8 +115,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
Index: bin/named/unix/Makefile.in
===================================================================
--- bin/named/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/named/unix/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -34,4 +34,6 @@
TARGETS = ${OBJS}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
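Review bot: this Makefile gets EXT_CFLAGS = -fPIE -static but no LDFLAGS += -pie, whereas bin/confgen/unix/Makefile.in, which likewise has TARGETS = ${OBJS}, gets both. Either the -pie line is unnecessary there or it is missing here; make the two object-only directories consistent.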
Index: bin/nsupdate/Makefile.in
===================================================================
--- bin/nsupdate/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/nsupdate/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -66,8 +66,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
nsupdate.@O@: nsupdate.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
Index: bin/rndc/Makefile.in
===================================================================
--- bin/rndc/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/rndc/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -59,8 +59,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
rndc.@O@: rndc.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
Index: bin/tools/Makefile.in
===================================================================
--- bin/tools/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/tools/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -53,8 +53,12 @@
genrandom.html isc-hmac-fixup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie
+
arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
${ISCLIBS} ${LIBS}
Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in
===================================================================
--- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -68,8 +68,8 @@
INCS = -I$(srcdir) -I$(srcdir)/../../include -I../../include $(ICONVINC)
DEFS =
-CFLAGS = $(INCS) $(DEFS) @CPPFLAGS@ @CFLAGS@
-LDFLAGS = @LDFLAGS@
+CFLAGS = $(INCS) $(DEFS) @CPPFLAGS@ @CFLAGS@ -fPIE
+LDFLAGS = @LDFLAGS@ -pie
SRCS = idnconv.c util.c selectiveencode.c
OBJS = idnconv.o util.o selectiveencode.o
Index: contrib/zkt/Makefile.in
===================================================================
--- contrib/zkt/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ contrib/zkt/Makefile.in 2013-08-06 12:08:19.494457743 +0200
@@ -13,11 +13,11 @@
OPTIM = # -O3 -DNDEBUG
#CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@
-CFLAGS += -g @DEFS@ -I@top_srcdir@
+CFLAGS += -g @DEFS@ -I@top_srcdir@ -fPIE
CFLAGS += -Wall #-DDBG
CFLAGS += -Wmissing-prototypes
CFLAGS += $(PROFILE) $(OPTIM)
-LDFLAGS += $(PROFILE)
+LDFLAGS += $(PROFILE) -fPIE -pie
LIBS = @LIBS@
PROJECT = @PACKAGE_TARNAME@
++++++ rpz2-9.9.4.patch ++++++
++++ 7699 lines (skipped)