From a6201e964a652e2cfb95e0cb2c5eee88c2c62c55 Mon Sep 17 00:00:00 2001
From: CBL-Mariner Servicing Account
Date: Tue, 4 Feb 2025 06:15:09 +0000
Subject: [PATCH 1/6] Upgrade bind to 9.20.5 to fix CVE-2024-12705 & CVE-2024-11187
---
SPECS/bind/bind.signatures.json | 34 +++++++++++++++++-----------------
SPECS/bind/bind.spec | 5 ++++-
cgmanifest.json | 4 ++--
3 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/SPECS/bind/bind.signatures.json b/SPECS/bind/bind.signatures.json
index 7c3a36178c6..9c0bd8b2fdb 100644
--- a/SPECS/bind/bind.signatures.json
+++ b/SPECS/bind/bind.signatures.json
@@ -1,18 +1,18 @@ { - "Signatures": { - "bind-9.20.0.tar.xz": "cc580998017b51f273964058e8cb3aa5482bc785243dea71e5556ec565a13347", - "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422", - "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c", - "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a", - "named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1", - "named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8", - "named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61", - "named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9", - "named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a", - "named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c", - "named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383", - "named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735", - "named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816", - "setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a" - } -} \ No newline at end of file + "Signatures": { + "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422", + "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c", + "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a", + "named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1", + "named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8", + "named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61", + "named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9", + "named.rfc1912.zones": 
"61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a", + "named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c", + "named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383", + "named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735", + "named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816", + "setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a", + "bind-9.20.5.tar.xz": "19274fd739c023772b4212a0b6c201cf4364855fa7e6a7d3db49693f55db1ab8" + } +} diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index be8608222e2..9a3757d9448 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec @@ -9,7 +9,7 @@ Summary: Domain Name System software Name: bind -Version: 9.20.0 +Version: 9.20.5 Release: 1%{?dist} License: ISC Vendor: Microsoft Corporation @@ -523,6 +523,9 @@ fi; %{_mandir}/man1/named-nzd2nzf.1* %changelog +* Tue Feb 04 2025 CBL-Mariner Servicing Account - 9.20.5-1 +- Auto-upgrade to 9.20.5 - to fix CVE-2024-12705 & CVE-2024-11187 + * Wed Jul 24 2024 Muhammad Falak - 9.20.0-1 - Upgrade version to 9.20.0 to address CVE-CVE-2024-0760, CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076 - Refresh patches to apply cleanly diff --git a/cgmanifest.json b/cgmanifest.json index fcc4a46f5cd..a18e988cdb5 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1087,8 +1087,8 @@ "type": "other", "other": { "name": "bind", - "version": "9.20.0", - "downloadUrl": "https://ftp.isc.org/isc/bind9/9.20.0/bind-9.20.0.tar.xz" + "version": "9.20.5", + "downloadUrl": "https://ftp.isc.org/isc/bind9/9.20.5/bind-9.20.5.tar.xz" } } }, From dc13a0ce252173d8eab5b7319addcf7f07b12759 Mon Sep 17 00:00:00 2001 
From: Kanishk Bansal Date: Tue, 4 Feb 2025 06:51:43 +0000 Subject: [PATCH 2/6] Refresh nongit-fix patch to apply cleanly. --- SPECS/bind/bind.spec | 1 + SPECS/bind/nongit-fix.patch | 17 +++++++---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index 9a3757d9448..0f3f1e00972 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec @@ -525,6 +525,7 @@ fi; %changelog * Tue Feb 04 2025 CBL-Mariner Servicing Account - 9.20.5-1 - Auto-upgrade to 9.20.5 - to fix CVE-2024-12705 & CVE-2024-11187 +- Refresh nongit-fix patch to apply cleanly. * Wed Jul 24 2024 Muhammad Falak - 9.20.0-1 - Upgrade version to 9.20.0 to address CVE-CVE-2024-0760, CVE-2024-1737, CVE-2024-1975 & CVE-2024-4076 diff --git a/SPECS/bind/nongit-fix.patch b/SPECS/bind/nongit-fix.patch index f1acabf6b91..39d8c152a26 100644 --- a/SPECS/bind/nongit-fix.patch +++ b/SPECS/bind/nongit-fix.patch @@ -1,25 +1,22 @@ -From 431fa0dcec199512effecb4842a889eee5884c72 Mon Sep 17 00:00:00 2001 -From: alejandro-microsoft -Date: Fri, 1 Mar 2024 17:49:51 -0800 +From a93a15295ac2690f587711b26af84d6292d2aa1b Mon Sep 17 00:00:00 2001 +From: Kanishk Bansal +Date: Tue, 4 Feb 2025 06:49:17 +0000 Subject: [PATCH] Fix issue where bind directory isn't downloaded via git -Ported to v.9.20.0 from v9.19.21 by @mfrw on 24-July-2024 - -Signed-off-by: Muhammad Falak R Wani --- configure.ac | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac -index a911163..b58d5be 100644 +index 168a77a..37c0acd 100644 --- a/configure.ac +++ b/configure.ac 
@@ -19,7 +19,7 @@ m4_define([bind_VERSION_MINOR], 20)dnl - m4_define([bind_VERSION_PATCH], 0)dnl + m4_define([bind_VERSION_PATCH], 5)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Stable Release)])dnl -m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl -+m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD 2>/dev/null || echo "unsetID" | cut -b1-7])])dnl ++m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD 2>/dev/null || echo "unsetID" | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl # @@ -35,5 +32,5 @@ index a911163..b58d5be 100644 # -- -2.40.1 +2.43.0 From 7b922b8a0534761eb3a199ac7ff74c27d933ebd2 Mon Sep 17 00:00:00 2001 From: Kanishk Bansal Date: Wed, 5 Feb 2025 13:58:51 +0000 Subject: [PATCH 3/6] Fix Spec --- SPECS/bind/bind.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index 0f3f1e00972..7a8e292dabe 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec @@ -201,9 +201,11 @@ mv backup/* . rmdir backup %build +ls -l /usr/lib/ +ls -l /usr/lib/dlz/ + # DLZ modules do not support oot builds. Copy files into build mkdir -p build/contrib/dlz -cp -frp contrib/dlz/modules build/contrib/dlz/modules ./configure \ --prefix=%{_prefix} \ From 9225033d3172610b241be81015a13b9f8f930795 Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Thu, 6 Feb 2025 14:50:26 +0000 Subject: [PATCH 4/6] bind: add dlz-modules as a source dependency Signed-off-by: Muhammad Falak R Wani --- SPECS/bind/bind.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index 7a8e292dabe..3c488bcd6fa 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec 
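Review bot: In the refreshed `bind_SRCID` line of nongit-fix.patch, `cut -b1-7` only ever sees the output of `echo "unsetID"`, because the shell parses `a || b | c` as `a || (b | c)`; a successful `git rev-parse --short HEAD` is no longer truncated the way the upstream line truncated it. Grouping the fallback restores that: `{ git rev-parse --short HEAD 2>/dev/null || echo "unsetID"; } | cut -b1-7`. If the build tree ever sits inside another git checkout, rev-parse would succeed and report that repository's commit as BIND's source id; this is presumably not the case in the package build root, but it is worth confirming. The rewritten patch header also drops the earlier author, the port note and the Signed-off-by line, so the patch's provenance is no longer recorded in the patch itself.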
@@ -30,6 +30,8 @@ Source11: setup-named-chroot.sh Source12: generate-rndc-key.sh Source13: named.rwtab Source14: named-chroot.files +Source15: https://gitlab.isc.org/isc-projects/dlz-modules/-/archive/main/dlz-modules-main.tar.gz + Patch0: nongit-fix.patch BuildRequires: gcc @@ -196,16 +198,17 @@ Summary: BIND utilities # so we need to save a backup of these files. mkdir backup mv compile depcomp missing backup/ -libtoolize -c -f; %{_bindir}/aclocal -I m4 --force; %{_bindir}/autoconf -f +libtoolize -c -f; %{_bindir}/aclocal -I m4 --force; %{_bindir}/autoconf -f mv backup/* . rmdir backup %build -ls -l /usr/lib/ -ls -l /usr/lib/dlz/ - # DLZ modules do not support oot builds. Copy files into build mkdir -p build/contrib/dlz +pushd build/contrib/dlz +tar --no-same-owner -xf %{SOURCE15} +mv dlz-modules-main/modules ./ +popd ./configure \ --prefix=%{_prefix} \ From e3db02ecbbeeffa64f32b01b1fbb8a91ae1885fa Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Thu, 6 Feb 2025 20:27:53 +0530 Subject: [PATCH 5/6] bind: add dlz-modules to signature file Signed-off-by: Muhammad Falak R Wani --- SPECS/bind/bind.signatures.json | 35 +++++++++++++++++---------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/SPECS/bind/bind.signatures.json b/SPECS/bind/bind.signatures.json index 9c0bd8b2fdb..13e9243d3ec 100644 --- a/SPECS/bind/bind.signatures.json +++ b/SPECS/bind/bind.signatures.json 
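Review bot: `Source15` points at the `main` branch archive of dlz-modules, which is a moving target. The tarball behind that URL can change whenever upstream pushes, so the SHA-256 recorded for `dlz-modules-main.tar.gz` in bind.signatures.json will stop matching a fresh download, and the build cannot be reproduced or audited against a known upstream revision. Pin the source to a tag or full commit id, e.g. `Source15: https://gitlab.isc.org/isc-projects/dlz-modules/-/archive/<COMMIT_OR_TAG>/dlz-modules-<COMMIT_OR_TAG>.tar.gz` (placeholder; choose the revision that matches 9.20.5), and name that revision in a comment above the line. The new component also does not appear in the cgmanifest.json changes visible in this series, so it may be missing from component tracking.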
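Review bot: The comment above the new extraction block in `%build` still says "Copy files into build", but the modules are now unpacked from `%{SOURCE15}` rather than copied from the BIND tree. A comment such as `# DLZ modules do not support out-of-tree builds; unpack the dlz-modules source (Source15) into build/contrib/dlz` would describe what the block does. `mv dlz-modules-main/modules ./` also hard-codes the archive's top-level directory name, so it has to change together with the Source15 URL if the source is pinned to a tag or commit; a short comment saying so would help. The `%build` section continues outside this hunk.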
@@ -1,18 +1,19 @@ { - "Signatures": { - "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422", - "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c", - "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a", - "named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1", - "named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8", - "named.logrotate": "748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61", - "named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9", - "named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a", - "named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c", - "named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383", - "named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735", - "named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816", - "setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a", - "bind-9.20.5.tar.xz": "19274fd739c023772b4212a0b6c201cf4364855fa7e6a7d3db49693f55db1ab8" - } -} + "Signatures": { + "bind-9.20.5.tar.xz": "19274fd739c023772b4212a0b6c201cf4364855fa7e6a7d3db49693f55db1ab8", + "dlz-modules-main.tar.gz": "884bef3535317a7757ad0e3556a27e2ed1a80f5b1040bce4074780c8719667d0", + "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422", + "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c", + "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a", + "named.empty": "44e2cc6e10328cd3604148763458978f547ee54c3ff46468944d535644fc6da1", + "named.localhost": "9a2aa18c87202a691cc641f0c7e027dff3a2bb30917990f1b04c237e667530c8", + "named.logrotate": 
"748dd5d967d309d69b44f5451e2ce9d982af1b62448182f38ff76e83e45a4d61", + "named.loopback": "58a0c65ef763372a1d85e63766194526bfe19f496a413db40d9febea777ba4c9", + "named.rfc1912.zones": "61d2e64b8523e7d83c7cf9908538bf74b2f8f6993d52d7ab9c56cad25c23a92a", + "named.root": "36bf9aa06206b6b82c58a55ab74920d8901938e4cf79b754b239bb0e5dc0951c", + "named.root.key": "2a91cc1a1c3dd805aa149d8df6d9849d5e2ac0ad2c2ed93ddaf0234358e8c383", + "named.rwtab": "6a4c84b6709211d09f2d71491d4c66d1d4c0115a9db247a5ed2a9db10e575735", + "named.sysconfig": "8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816", + "setup-named-chroot.sh": "786fbc88c7929fadf217cf2286f2eb03b6fba14843e5da40ad43c0022dd71c3a" + } +} \ No newline at end of file From 0bba8bea8b69654dca69e9e291e90047db74ef34 Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Thu, 6 Feb 2025 20:49:02 +0530 Subject: [PATCH 6/6] bind: fix build Signed-off-by: Muhammad Falak R Wani --- SPECS/bind/bind.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index 3c488bcd6fa..63571d255b4 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec @@ -405,7 +405,7 @@ fi; %{_mandir}/man1/named-journalprint.1* %{_mandir}/man8/filter-aaaa.8.gz %{_mandir}/man8/filter-a.8.gz -%doc CHANGES README.md named.conf.default +%doc README.md named.conf.default %doc sample/ %defattr(0660,root,named,01770) @@ -440,11 +440,11 @@ fi; %files dlz-ldap %{_libdir}/{named,bind}/dlz_ldap_dynamic.so -%doc contrib/dlz/modules/ldap/testing/* +%doc build/contrib/dlz/modules/ldap/testing/* %files dlz-sqlite3 %{_libdir}/{named,bind}/dlz_sqlite3_dynamic.so -%doc contrib/dlz/modules/sqlite3/testing/* +%doc build/contrib/dlz/modules/sqlite3/testing/* %files libs %{_libdir}/*-%{version}*.so