Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

bind-9.16.20-1.1 RPM for armv6hl

From OpenSuSE Ports Tumbleweed for armv6hl

Name: bind Distribution: openSUSE Tumbleweed
Version: 9.16.20 Vendor: openSUSE
Release: 1.1 Build date: Tue Aug 31 20:10:11 2021
Group: Productivity/Networking/DNS/Servers Build host: obs-arm-11
Size: 691544 Source RPM: bind-9.16.20-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://www.isc.org/bind/
Summary: Domain Name System (DNS) Server (named)
Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols and provides an openly redistributable
reference implementation of the major components of the Domain Name
System.  This package includes the components to operate a DNS server.

Provides

Requires

License

MPL-2.0

Changelog

* Thu Aug 19 2021 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to 9.16.20
    Bugs fixed:
    * An assertion failure occurred when named attempted to send a
      UDP packet that exceeded the MTU size, if Response Rate
      Limiting (RRL) was enabled.  (CVE-2021-25218)
    * Zones using KASP and inline-signed zones failed to apply
      changes from the unsigned zone to the signed zone under
      certain circumstances.
    * "rndc reload <zonename>" could trigger a redundant reload for
      an inline-signed zone whose zone file was not modified since
      the last "rndc reload".
    * named failed to check the opcode of responses when performing
      zone refreshes, stub zone updates, and UPDATE forwarding.
    * Some changes to "zone-statistics" settings were not properly
      processed by "rndc reconfig".
    * The "check DS" code failed to release all resources upon
      named shutdown when a refresh was in progress.
    * Authentication of rndc messages could fail if a "controls"
      statement was configured with multiple key algorithms for
      the same listener.
    More changes see CHANGES in the source package.
    [bsc#1189460, CVE-2021-25218]
* Thu Jul 29 2021 Paolo Stivanin <info@paolostivanin.com>
  - Update to 9.16.19
    * A race condition could occur where two threads were
      competing for the same set of key file locks, leading to
      a deadlock. This has been fixed. [GL #2786]
    * create_keydata() created an invalid placeholder keydata
      record upon a refresh failure, which prevented the
      database of managed keys from subsequently being read
      back. This has been fixed. [GL #2686]
    * KASP support was extended with the "check DS" feature.
      Zones with "dnssec-policy" and "parental-agents"
      configured now check for DS presence and can perform
      automatic KSK rollovers. [GL #1126]
    * Rescheduling a setnsec3param() task when a zone failed
      to load on startup caused a hang on shutdown. This has
      been fixed. [GL #2791]
    * The configuration-checking code failed to account for
      the inheritance rules of the "dnssec-policy" option.
      This has been fixed. [GL #2780]
    * If nsupdate sends an SOA request and receives a REFUSED
      response, it now fails over to the next available
      server. [GL #2758]
    * For UDP messages larger than the path MTU, named now
      sends an empty response with the TC (TrunCated) bit set.
      In addition, setting the DF (Don't Fragment) flag on
      outgoing UDP sockets was re-enabled. [GL #2790]
    * Views with recursion disabled are now configured with a
      default cache size of 2 MB unless "max-cache-size" is
      explicitly set. This prevents cache RBT hash tables from
      being needlessly preallocated for such views. [GL #2777]
    * Change 5644 inadvertently introduced a deadlock: when
      locking the key file mutex for each zone structure in a
      different view, the "in-view" logic was not considered.
      This has been fixed. [GL #2783]
    * Increasing "max-cache-size" for a running named instance
      (using "rndc reconfig") did not cause the hash tables
      used by cache databases to be grown accordingly. This
      has been fixed. [GL #2770]
    * Signed, insecure delegation responses prepared by named
      either lacked the necessary NSEC records or contained
      duplicate NSEC records when both wildcard expansion and
      CNAME chaining were required to prepare the response.
      This has been fixed. [GL #2759]
    * A bug that caused the NSEC3 salt to be changed on every
      restart for zones using KASP has been fixed. [GL #2725]
* Wed Jul 21 2021 Josef Möllers <josef.moellers@suse.com>
  - Since BIND 9.9, it has been easier to use tsig-keygen and
    ddns-confgen to generare TSIG keys. In 9.13, TSIG support was
    removed from dnssec-keygen, so now it is just for DNSKEY (and KEY
    for obscure cases). tsig-keygen is now used to generate DDNS keys.
    [bsc#1187921, vendor-files.tar.bz2]
* Thu Jun 24 2021 Hans-Peter Jansen <hpj@urpla.net>
  - Add patch bind-fix-build-with-older-sphinx.patch and sed fix
    in order to build with older distributions.
* Wed Jun 23 2021 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to 9.16.18
    * The configuration-checking code failed to account for the
      inheritance rules of the "key-directory" option.
    * When preparing DNS responses, named could replace the letters
      'W' (uppercase) and 'w' (lowercase) with '\000'.
      This has been fixed.
      [bind-9.16.18.tar.xz, bind-9.16.18.tar.xz.sha512.asc]
* Sat Jun 19 2021 Callum Farmer <gmbr3@opensuse.org>
  - Add now working CONFIG parameter to sysusers generator
* Thu Jun 17 2021 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to 9.16.17
    Major changes (bug fixes):
    * A copy-and-paste error caused the IP_DONTFRAG socket option to
      be enabled instead of disabled. This has been fixed.
    * The calculation of the estimated IXFR transaction size in
      dns_journal_iter_init() was invalid.
    * Fix a race condition in reading and writing key files for zones
      using KASP and configured in multiple views.
    * Zones which are configured in multiple views with different
      values set for "dnssec-policy" and with identical values set
      for "key-directory" are now detected and treated as a
      configuration error.
    * Address a potential memory leak in dst_key_fromnamedfile().
    * Check that the first and last SOA record of an AXFR are
      consistent.
    * Improvements related to network manager/task manager
      integration
    [bind-9.16.17.tar.xz, bind-9.16.17.tar.xz.sha512.asc]
* Fri May 21 2021 Josef Möllers <josef.moellers@suse.com>
  - vendor-files/system/named.prep was missing a $
    [bsc#1186278, vendor-files.tar.bz2]
* Thu May 20 2021 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to bind 9.16.16
    * Feature Changes
      + DNSSEC responses containing NSEC3 records with iteration counts
      greater than 150 are now treated as insecure. [GL #2445]
      + The maximum supported number of NSEC3 iterations that can be
      configured for a zone has been reduced to 150. [GL #2642]
      + The default value of the max-ixfr-ratio option was changed to
      unlimited, for better backwards compatibility in the stable
      release series. [GL #2671]
      + Zones that want to transition from secure to insecure mode
      without becoming bogus in the process must now have their
      dnssec-policy changed first to insecure, rather than none. After
      the DNSSEC records have been removed from the zone, the
      dnssec-policy can be set to none or removed from the
      configuration. Setting the dnssec-policy to insecure causes CDS
      and CDNSKEY DELETE records to be published. [GL #2645]
      + The implementation of the ZONEMD RR type has been updated to
      match RFC 8976. [GL #2658]
      + The draft-vandijk-dnsop-nsec-ttl IETF draft was implemented:
      NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM
      value or the SOA TTL. [GL #2347]
    * Bug Fixes
      + It was possible for corrupt journal files generated by an earlier
      version of named to cause problems after an upgrade. This has been
      fixed. [GL #2670]
      + TTL values in cache dumps were reported incorrectly when
      stale-cache-enable was set to yes. This has been fixed.
      [GL #389] [GL #2289]
      + A deadlock could occur when multiple rndc addzone, rndc delzone,
      and/or rndc modzone commands were invoked simultaneously for
      different zones. This has been fixed. [GL #2626]
      + named and named-checkconf did not report an error when multiple
      zones with the dnssec-policy option set were using the same zone
      file. This has been fixed. [GL #2603]
      + If dnssec-policy was active and a private key file was temporarily
      offline during a rekey event, named could incorrectly introduce
      replacement keys and break a signed zone. This has been fixed.
      [GL #2596]
      + When generating zone signing keys, KASP now also checks for key
      ID conflicts among newly created keys, rather than just between
      new and existing ones. [GL #2628]
* Tue May 18 2021 Josef Möllers <josef.moellers@suse.com>
  - In /usr/libexec/bind/named.prep the order of arguments for
    "ln -s" was wrong.
    [vendor-files/system/named.prep, bsc#1186057]
* Mon May 17 2021 Josef Möllers <josef.moellers@suse.com>
  - "systemctl reload named" does not work:
    * the "kill" command is in /usr/bin, not in /sbin,
    * the order of the options/arguments was wrong, and
    * the "-p" option is wrong (it's not like strace's "-p").
    [bsc#1186046, vendor-files/system/named.service]
* Mon May 10 2021 Ferdinand Thiessen <rpm@fthiessen.de>
  - SPEC file: Fixed outdated URL and use secured SourceURLs
* Mon May 03 2021 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to bind 9.16.15
    Major changes:
    * A specially crafted GSS-TSIG query could cause a buffer
      overflow in the ISC implementation of SPNEGO.
      (CVE-2021-25216)
    * named crashed when a DNAME record placed in the ANSWER
      section during DNAME chasing turned out to be the final
      answer to a client query. (CVE-2021-25215)
    * Insufficient IXFR checks could result in named serving a
      zone without an SOA record at the apex, leading to a
      RUNTIME_CHECK assertion failure when the zone was
      subsequently refreshed. This has been fixed by adding an
      owner name check for all SOA records which are included
      in a zone transfer. (CVE-2021-25214)
    More changes see CHANGES in the source package.
    [bsc#1185345,CVE-2021-25214,CVE-2021-25215,CVE-2021-25216]
* Thu Apr 08 2021 Josef Möllers <josef.moellers@suse.com>
  - Rewrite of named service handling to better cope with systemd
    protection (see change from Thu Jan 21) by introducing a
    separate script "named.prep" which runs without restrictions
    prior to starting named.
    Removed all references to "lwresd" as "The lightweight resolver
    daemon and library (lwresd and liblwres) have been removed."
    (See CHANGES, item 4707)
    [bind.spec, vendor-files.tar.bz2]
* Tue Mar 23 2021 Jan Engelhardt <jengelh@inai.de>
  - Modernize specfile, and declare /bin/bash as required buildshell
    (use of {a,b} style expansion).
* Fri Mar 12 2021 Matthias Gerstner <matthias.gerstner@suse.com>
  - pass PIE compiler and linker flags via environment variables to make
    /usr/bin/delv in bind-tools also position independent (bsc#1183453).
  - drop pie_compile.diff: no longer needed, this patch is difficult to
    maintain, the environment variable approach is less error prone.
* Thu Feb 18 2021 Josef Möllers <josef.moellers@suse.com>
  - *** MAJOR CHANGES ***
    * The libraries shipped with bind are now named after the bind
      version (eg libisc-9.16.10.so), not some kind of artificial
      number (eg libisc.so.1608)!
    * For the time being (ie until the next upgrade),
      new BIND option "stale-answer-client-timeout"
      will be disabled (in /etc/named.conf): "stale-answer-enable no;"
    * All libraries are now in bind-utils as they are used by bind
      and bind-utils only and bind requires bind-utils.
      This affects libdns, libirs, libisc, libisccc, libisccfg,
      libns
    * Dropped the devel packages as the libraries are used
      internally only.
    * Update to 9.16.12
      Bugs fixed:
    - KASP incorrectly set signature validity to the value of
      the DNSKEY signature validity.
    - Fix off-by-one bug in ISC SPNEGO implementation.
      (CVE-2020-8625)
    - Dig now reports unknown dash options while pre-parsing
      the options. This prevents "-multi" instead of "+multi"
      from reporting memory usage before ending option parsing
      with "Invalid option: -lti".
    - Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
      keys.
    - Emit useful error message when "rndc retransfer" is
      applied to a zone of inappropriate type.
    - Improve performance of the DNSSEC verification code by
      reducing the number of repeated calls to
      dns_dnssec_keyfromrdata().
    - named failed to start when its configuration included a
      zone with a non-builtin "allow-update" ACL attached.
    - Address potential double free in generatexml().
    - When migrating to KASP, BIND 9 considered keys with the
      "Inactive" and/or "Delete" timing metadata to be
      possible active keys.
    - Fix the "three is a crowd" key rollover bug in KASP by
      correctly implementing Equation (2) of the "Flexible and
      Robust Key Rollover" paper.
    * dnssec-keygen can no longer generate HMAC keys.
      Use tsig-keygen instead.
      genDDNSkey script was modified to reflect this.
    [vendor-files/tools/bind.genDDNSkey, bsc#1180933, CVE-2020-8625,
    bsc#1182246, bsc#1182483]
* Thu Jan 21 2021 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.16.11
    * Bug fixing (please check CHANGES file in the source RPM)
    * Functional change:
      policy none;", named now
      permits a safe transition to insecure mode and publishes
      the CDS and CDNSKEY DELETE records, as described in RFC 8078.
    Remove useless Makefiles and Makefile skeleton files in
    /usr/share/doc/packages/bind/contrib/
    [bind.spec, bsc#1179040]
    * ** MAJOR CHANGE ***
    Changed protection of/against "named" from chroot jail to
    systemd protection. This obsoletes subpackage named-chrootenv.
    Kudos to Matthias Gerstner <matthias.gerstner@suse.com>
    [bind.spec, bind-chrootenv.conf, vendor-files.tar.bz2, bsc#1180294]
* Tue Dec 29 2020 Dirk Müller <dmueller@suse.com>
  - update to 9.16.10:
    New Features:
    * NSEC3 support was added to KASP. A new option for dnssec-policy,
    nsec3param, can be used to set the desired NSEC3 parameters. NSEC3 salt
    collisions are automatically prevented during resalting. [GL #1620]
    * A new configuration option, stale-refresh-time, has been introduced. It allows
    a stale RRset to be served directly from cache for a period of time after a
    failed lookup, before a new attempt to refresh it is made. [GL #2066]
    Feature Changes:
    * The default value of max-recursion-queries was increased from 75 to 100.
    Since the queries sent towards root and TLD servers are now included in the
    count (as a result of the fix for CVE-2020-8616), max-recursion-queries has
    a higher chance of being exceeded by non-attack queries, which is the main
    reason for increasing its default value. [GL #2305]
    The default value of nocookie-udp-size was restored back to 4096 bytes. Since
    max-udp-size is the upper bound for nocookie-udp-size, this change relieves the
    operator from having to change nocookie-udp-size together with max-udp-size in
    order to increase the default EDNS buffer size limit. nocookie-udp-size can
    still be set to a value lower than max-udp-size, if desired. [GL #2250]
    Bug Fixes:
    Handling of missing DNS COOKIE responses over UDP was tightened by falling
    back to TCP. [GL #2275]
    The CNAME synthesized from a DNAME was incorrectly followed when the QTYPE was
    CNAME or ANY. [GL #2280]
    Building with native PKCS#11 support for AEP Keyper has been broken since BIND
    9.16.6. This has been fixed. [GL #2315]
    named could crash with an assertion failure if a TCP connection were closed
    while a request was still being processed. [GL #2227]
    named acting as a resolver could incorrectly treat signed zones with no DS
    record at the parent as bogus. Such zones should be treated as insecure. This
    has been fixed. [GL #2236]
    After a Negative Trust Anchor (NTA) is added, BIND performs periodic checks
    to see if it is still necessary. If BIND encountered a failure while creating a
    query to perform such a check, it attempted to dereference a NULL pointer,
    resulting in a crash. [GL #2244]
    A problem obtaining glue records could prevent a stub zone from functioning
    properly, if the authoritative server for the zone were configured for minimal
    responses. [GL #1736]
    UV_EOF is no longer treated as a TCP4RecvErr or a TCP6RecvErr. [GL #2208]
* Wed Nov 11 2020 Josef Möllers <josef.moellers@suse.com>
  - Added special make instruction for the "Administrator Reference
    Manual" which is built using python3-Sphinx
    [bsc#1177983, bind.spec]
  - Removed "Before=nss-lookup.target" from named.service as that
    leads to a systemd ordering cycle
    [bsc#1177491, bsc#1178626, bsc#1177991, vendor-files.tar.bz2]
* Wed Oct 28 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.16.8
    New Features:
    * Add a new rndc command, "rndc dnssec -rollover", which triggers a
      manual rollover for a specific key.
    * Add a new rndc command, "rndc dumpdb -expired", which dumps the
      cache database, including expired RRsets that are awaiting
      cleanup, to the dump-file for diagnostic purposes.
    Bug Fixes:
    * named reported an invalid memory size when running in an environment
      that did not properly report the number of available memory pages
      and/or the size of each memory page.
    * With multiple forwarders configured, named could fail the
      REQUIRE(msg->state == (-1)) assertion in lib/dns/message.c,
      causing it to crash. This has been fixed.
    * named erroneously performed continuous key rollovers for KASP
      policies that used algorithm Ed25519 or Ed448 due to a mismatch
      between created key size and expected key size.
    * Updating contents of an RPZ zone which contained names spelled
      using varying letter case could cause some processing rules in
      that RPZ zone to be erroneously ignored.
    Local changes:
    * Add /usr/lib64/named to the files and directories in
      bind-chrootenv.conf. This directory contains plugins loaded
      after the chroot().
    [bsc#1177913,bsc#1178078,bsc#1177603,bind-chrootenv.conf]
* Fri Oct 23 2020 Josef Möllers <josef.moellers@suse.com>
  - Removed "dnssec-enable" from named.conf as it has been obsoleted.
    Added a comment for reference which should be removed
    in the future.
  - Added a comment to the "dnssec-validation" in named.conf
    with a reference to forwarders which do not return signed responses.
  - Replaced named's dependency on time-sync with a dependency on time-set
    in named.service.
    [bsc#1177790,bsc#1175894,bsc#1177915,vendor-files.tar.bz2]
* Wed Oct 21 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.16.7
    * Fix (non-)publication of CDS and CDNSKEY records.
    * 'dig +bufsize=0' failed to disable EDNS.
    * Address a TSAN report by ensuring each rate limiter
      object holds a reference to its task.
    * With query minimization enabled, named failed to
      resolve ip6.arpa. names that had extra labels to the
      left of the IPv6 part.
    * Silence the EPROTO syslog message on older systems.
    * Fix off-by-one error when calculating new hash table size.
    * Tighten LOC parsing to reject a period (".") and/or "m"
      as a value. Fix handling of negative altitudes which are
      not whole meters.
    * rbtversion->glue_table_size could be read without the
      appropriate lock being held.
    * Named erroneously accepted certain invalid resource
      records that were incorrectly processed after
      subsequently being written to disk and loaded back, as
      the wire format differed. Such records include: CERT,
      IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and X25.
    * NTA code needed to have a weak reference on its
      associated view to prevent the latter from being deleted
      while NTA tests were being performed.
    * replace an INSIST() (which calls abort()) with a check and
      an error message.
    [bsc#1177913, bind-9.16.7.tar.xz]
* Fri Sep 18 2020 Josef Möllers <josef.moellers@suse.com>
  - Removed "-r /dev/urandom" from all invocations of rndc-confgen
    (init/named system/lwresd.init system/named.init in vendor-files)
    as this option is deprecated and causes rndc-confgen to fail.
    [bsc#1173311, bsc#1176674, bsc#1170713, vendor-files.tar.bz2]
* Tue Sep 15 2020 Josef Möllers <josef.moellers@suse.com>
  - /usr/bin/genDDNSkey: Removing the use of the -r option in the call
    of /usr/sbin/dnssec-keygen as BIND now uses the random number
    functions provided by the crypto library (i.e., OpenSSL or a
    PKCS#11 provider) as a source of randomness rather than /dev/random.
    Therefore the -r command line option no longer has any effect on
    dnssec-keygen. Leaving the option in genDDNSkey as to not break
    compatibility. Patch provided by Stefan Eisenwiener.
    [bsc#1171313, vendor-files.tar.bz2]
* Fri Sep 04 2020 Reinhard Max <max@suse.com>
  - Put libns into a separate subpackage to avoid file conflicts
    in the libisc subpackage due to different sonums (bsc#1176092).
* Fri Aug 28 2020 Dominique Leuenberger <dimstar@opensuse.org>
  - Require /sbin/start_daemon: both init scripts, the one used in
    systemd context as well as legacy sysv, make use of start_daemon.
* Tue Aug 18 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.16.6
    Fixes five vilnerabilities:
    5481.   [security]      "update-policy" rules of type "subdomain" were
      incorrectly treated as "zonesub" rules, which allowed
      keys used in "subdomain" rules to update names outside
      of the specified subdomains. The problem was fixed by
      making sure "subdomain" rules are again processed as
      described in the ARM. (CVE-2020-8624) [GL #2055]
    5480.   [security]      When BIND 9 was compiled with native PKCS#11 support, it
      was possible to trigger an assertion failure in code
      determining the number of bits in the PKCS#11 RSA public
      key with a specially crafted packet. (CVE-2020-8623)
      [GL #2037]
    5479.   [security]      named could crash in certain query resolution scenarios
      where QNAME minimization and forwarding were both
      enabled. (CVE-2020-8621) [GL #1997]
    5478.   [security]      It was possible to trigger an assertion failure by
      sending a specially crafted large TCP DNS message.
      (CVE-2020-8620) [GL #1996]
    5476.   [security]      It was possible to trigger an assertion failure when
      verifying the response to a TSIG-signed request.
      (CVE-2020-8622) [GL #2028]
    For the less severe bugs fixed, see the CHANGES file.
    [bsc#1175443, CVE-2020-8624, CVE-2020-8623, CVE-2020-8621,
    CVE-2020-8620, CVE-2020-8622]
* Thu Aug 06 2020 Josef Möllers <josef.moellers@suse.com>
  - Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in
    /etc/sysconfig/named to suppress warning message re
    missing file.
    [vendor-files.tar.bz2, bsc#1173983]
* Tue Jul 21 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version bind-9.16.5
    * The "primary" and "secondary" keywords, when used
      as parameters for "check-names", were not
      processed correctly and were being ignored.
    * 'rndc dnstap -roll <value>' did not limit the number of
      saved files to <value>.
    * Add 'rndc dnssec -status' command.
    * Addressed a couple of situations where named could crash
    For the full list, see the CHANGES file in the source RPM.
* Tue Jun 30 2020 Josef Möllers <josef.moellers@suse.com>
  - Changed /var/lib/named to owner root:named and perms rwxrwxr-t
    so that named, being a/the only member of the "named" group
    has full r/w access yet cannot change directories owned by root
    in the case of a compromized named.
    [bsc#1173307, bind-chrootenv.conf]
* Thu Jun 18 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version bind-9.16.4
    Fixing two security problems:
    * It was possible to trigger an INSIST when determining
      whether a record would fit into a TCP message buffer.
      (CVE-2020-8618)
    * It was possible to trigger an INSIST in
      lib/dns/rbtdb.c:new_reference() with a particular zone
      content and query patterns. (CVE-2020-8619)
    Also the following functional changes:
    * Reject DS records at the zone apex when loading
      master files. Log but otherwise ignore attempts to
      add DS records at the zone apex via UPDATE.
    * The default value of "max-stale-ttl" has been changed
      from 1 week to 12 hours.
    * Zone timers are now exported via statistics channel.
      Thanks to Paul Frieden, Verizon Media.
    Added support for idn2 to spec file (Thanks to Holger Bruenjes
    <holgerbruenjes@gmx.net>).
    More internal changes see the CHANGES file in the source RPM
    This update obsoletes Makefile.in.diff
    [bsc#1172958, CVE-2020-8618, CVE-2020-8619, Makefile.in.diff
    bind.spec]
* Fri May 15 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version bind-9.16.3
    Fixing two security problems:
    * Further limit the number of queries that can be triggered from
      a request.  Root and TLD servers are no longer exempt
      from max-recursion-queries.  Fetches for missing name server
      address records are limited to 4 for any domain. (CVE-2020-8616)
    * Replaying a TSIG BADTIME response as a request could trigger an
      assertion failure. (CVE-2020-8617)
    Also
    * Add engine support to OpenSSL EdDSA implementation.
    * Add engine support to OpenSSL ECDSA implementation.
    * Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
    * Warn about AXFR streams with inconsistent message IDs.
    * Make ISC rwlock implementation the default again.
    For more see CHANGS file in source RPM.
    [CVE-2020-8616, CVE-2020-8617, bsc#1171740, bind-9.16.3.tar.xz]
* Fri May 08 2020 Josef Möllers <josef.moellers@suse.com>
  - bind needs an accurate clock, so wait for the time-sync.target
    to be reached before starting bind.
    [bsc#1170667, bsc#1170713, vendor-files.tar.bz2]
* Sat Mar 21 2020 Thorsten Kukuk <kukuk@suse.com>
  - Use sysusers.d to create named user
  - Have only one package creating the user
* Fri Mar 20 2020 Thorsten Kukuk <kukuk@suse.com>
  - coreutils are not used in %post, remove Requires.
  - Use systemd_ordering instead of hard requiring systemd
* Fri Mar 20 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.16.1
    * UDP network ports used for listening can no longer simultaneously
      be used for sending traffic.
    * The system-provided POSIX Threads read-write lock implementation
      is now used by default instead of the native BIND 9 implementation.
    * Fixed re-signing issues with inline zones which resulted in records
      being re-signed late or not at all.
    [bind-9.16.1.tar.xz]
* Sat Feb 22 2020 Tomáš Chvátal <tchvatal@suse.com>
  - Update download urls
  - Do not enable geoip on old distros, the geoip db was shut down
    so we need to use geoip2 everywhere
* Thu Feb 20 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.16.0
    Major upgrade, see
    https://downloads.isc.org/isc/bind9/9.16.0/RELEASE-NOTES-bind-9.16.0.html
    and
    CHANGES file in the source tree.
    Major functional change:
    * What was set with --with-tuning=large option in older BIND9
      versions is now a default, and a --with-tuning=small option was
      added for small (e.g. OpenWRT) systems.
    * A new "dnssec-policy" option has been added to named.conf to
      implement a key and signing policy (KASP) for zones.
    * The command (and manpage) bind9-config have been dropped as the
      BIND 9 libraries are now purely internal.
    No patches became obsolete through the upgrade.
    [bind-9.16.0.tar.xz]
* Wed Jan 08 2020 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to bind-9.14.9
    bug fixes and feature improvements
* Tue Nov 19 2019 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.14.8:
    * Set a limit on the number of concurrently served pipelined TCP
      queries.
    * Some other bug fixing, see CHANGES file.
    [CVE-2019-6477, bsc#1157051]
* Fri Nov 08 2019 Josef Möllers <josef.moellers@suse.com>
  - Upgrade to version 9.14.7
    * removed dnsperf, idn, nslint, perftcpdns, query-loc-0.4.0,
      queryperf, sdb, zkt from contrib as they are not supported
      any more
    * Added support for the GeoIP2 API from MaxMind
    * See CHANGES file in the source RPM.
    * obsoletes bind-CVE-2018-5745.patch (bsc#1126068)
    * obsoletes bind-CVE-2019-6465.patch (bsc#1126069)
    * obsoletes bind-CVE-2018-5743.patch (bsc#1133185)
    * obsoletes bind-CVE-2019-6471.patch (bsc#1138687)
    [bsc#1111722, bsc#1156205, bsc#1126068, bsc#1126069, bsc#1133185,
    bsc#1138687, CVE-2019-6476, CVE-2019-6475,
    CVE-2019-6471, CVE-2018-5743, CVE-2019-6467, CVE-2019-6465,
    CVE-2018-5745, CVE-2018-5744, CVE-2018-5740, CVE-2018-5738,
    CVE-2018-5737, CVE-2018-5736, CVE-2017-3145, CVE-2017-3136,
    configure.in.diff, bind-99-libidn.patch, perl-path.diff,
    bind-sdb-ldap.patch, bind-CVE-2017-3145.patch,
    bug-4697-Restore-workaro]und-for-Microsoft-Windows-T.patch,
    bind-fix-fips.patch, bind-CVE-2018-5745.patch,
    bind-CVE-2019-6465.patch, bind-CVE-2018-5743.patch,
    bind-CVE-2019-6471.patch, CVE-2016-6170, bsc#1018700,
    bsc#1018701, bsc#1018702, bsc#1033466, bsc#1033467, bsc#1033468,
    bsc#1040039, bsc#1047184, bsc#1104129, bsc#906079, bsc#918330,
    bsc#936476, bsc#937028, bsc#939567, bsc#977657, bsc#983505,
    bsc#987866, bsc#989528, fate#320694, fate#324357, bnc#1127583,
    bnc#1127583, bnc#1109160]
* Fri Jul 12 2019 matthias.gerstner@suse.com
  - removal of SuSEfirewall2 service from Factory, since SuSEfirewall2 has been
    replaced by firewalld, see [1].
    [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
* Tue Apr 16 2019 Navin Kukreja <navin.kukreja@suse.com>
  - Add FIPS patch back into bind (bsc#1128220)
  - File: bind-fix-fips.patch
* Mon Dec 10 2018 Franck Bui <fbui@suse.com>
  - Don't rely on /etc/insserv.conf anymore for proper dependencies
    against nss-lookup.target in named.service and lwresd.service
    (bsc#1118367 bsc#1118368)
* Tue Sep 25 2018 Christophe Giboudeaux <christophe@krop.fr>
  - Update named.root. One of the root servers IP has changed.
  - Install the LICENSE file.
* Fri Jul 06 2018 kukuk@suse.de
  - Add bind.conf and bind-chrootenv.conf to install the default
    files in /var/lib/named and create chroot environment on systems
    using transactional-updates [bsc#1100369] [FATE#325524].
* Fri Jun 22 2018 kukuk@suse.de
  - Cleanup pre/post install: remove all old code which was needed to
    update to SLES8.
* Wed Jun 06 2018 navin.kukreja@suse.com
  - Fix a patch error in dnszone-schema file (bsc#901577)
* Tue Jun 05 2018 navin.kukreja@suse.com
  - Add SPF records in dnszone-schema file (bsc#901577)
* Tue Jun 05 2018 navin.kukreja@suse.com
  - Fix the hostname in ldapdump to be valid (bsc#965748)
  - Patch file - bind-ldapdump-use-valid-host.patch
* Mon May 21 2018 scabrero@suse.de
  - Add bug-4697-Restore-workaround-for-Microsoft-Windows-T.patch
    Fixes dynamic DNS updates against samba and Microsoft DNS servers
    (bsc#1094236).
* Thu May 17 2018 navin.kukreja@suse.com
  - Move chroot related files from bind to bind-chrootenv
    (bsc#1093338)
* Wed May 16 2018 navin.kukreja@suse.com
  - Remove rndc.key generation from bind.spec file because bind
    should create it on first boot (bsc#1092283)
  - Add misisng rndc.key check and generation code is lwresd.init
    script
* Mon Feb 26 2018 sweet_f_a@gmx.de
  - build with --enable-filter-aaaa to make it possible to use
    config option "filter-aaaa-on-v4 yes". Useful to workaround
    broken websites like netflix which block traffic from certain
    IPv6 tunnel providers. (bsc#1069633)
* Fri Feb 16 2018 bwiedemann@suse.com
  - Add /dev/urandom to chroot env
* Wed Feb 07 2018 navin.kukreja@suse.com
  - Implement systemd init scripts for bind and lwresd (fate#323155)
* Tue Jan 23 2018 navin.kukreja@suse.com
  - Apply bind-CVE-2017-3145.patch to fix CVE-2017-3145 (bsc#1076118)

Files

/etc/named.conf
/etc/slp.reg.d
/etc/slp.reg.d/bind.reg
/run/named
/usr/bin/named-rrchecker
/usr/lib/named
/usr/lib/named/filter-aaaa.so
/usr/lib/systemd/system/named.service
/usr/lib/sysusers.d/named.conf
/usr/lib/tmpfiles.d/bind.conf
/usr/libexec/bind
/usr/libexec/bind/named.prep
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/rcnamed
/usr/share/bind
/usr/share/bind/ldapdump
/usr/share/factory
/usr/share/factory/var
/usr/share/factory/var/lib
/usr/share/factory/var/lib/named
/usr/share/factory/var/lib/named/127.0.0.zone
/usr/share/factory/var/lib/named/localhost.zone
/usr/share/factory/var/lib/named/named.root.key
/usr/share/factory/var/lib/named/root.hint
/usr/share/fillup-templates/sysconfig.named-named
/usr/share/licenses/bind
/usr/share/licenses/bind/LICENSE
/usr/share/man/man1/named-rrchecker.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man8/filter-aaaa.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named.8.gz
/var/lib/named
/var/lib/named/127.0.0.zone
/var/lib/named/dyn
/var/lib/named/localhost.zone
/var/lib/named/master
/var/lib/named/named.root.key
/var/lib/named/root.hint
/var/lib/named/slave


Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Sep 9 11:12:34 2021