diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/dns.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/bind-CVE-2018-5738.patch | 100 |
3 files changed, 2 insertions, 104 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 979c3b4b93..9e875263ac 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -584,7 +584,6 @@ dist_patch_DATA = \ %D%/packages/patches/bash-completion-directories.patch \ %D%/packages/patches/bazaar-CVE-2017-14176.patch \ %D%/packages/patches/beignet-correct-file-names.patch \ - %D%/packages/patches/bind-CVE-2018-5738.patch \ %D%/packages/patches/binutils-aarch64-symbol-relocation.patch \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/blast+-fix-makefile.patch \ diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index 9d728c3464..086012e88e 100644 --- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm @@ -99,16 +99,15 @@ and BOOTP/TFTP for network booting of diskless machines.") (define-public isc-bind (package (name "bind") - (version "9.12.1-P2") + (version "9.12.2") (source (origin (method url-fetch) (uri (string-append "ftp://ftp.isc.org/isc/bind9/" version "/" name "-" version ".tar.gz")) - (patches (search-patches "bind-CVE-2018-5738.patch")) (sha256 (base32 - "0a9dvyg1dk7vpqn9gz7p5jas3bz7z22bjd66b98g1qk16i2w7rqd")))) + "0ll46igs9xfq2qclc5wzqsnj3zv7ssga0544gm24s1m7765lqslz")))) (build-system gnu-build-system) (outputs `("out" "utils")) (inputs diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch deleted file mode 100644 index ddef014651..0000000000 --- a/gnu/packages/patches/bind-CVE-2018-5738.patch +++ /dev/null @@ -1,100 +0,0 @@ -Fix CVE-2018-5738: - -https://kb.isc.org/article/AA-01616/0/CVE-2018-5738 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738 - -diff --git a/bin/named/server.c b/bin/named/server.c -index f63554e..847c4ff 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, - CHECKM(named_config_getport(config, &port), "port"); - dns_view_setdstport(view, port); - -- CHECK(configure_view_acl(vconfig, config, named_g_config, -- "allow-query", NULL, actx, -- named_g_mctx, &view->queryacl)); -- - /* - * Make the list of response policy zone names for a view that - * is used for real lookups and so cares about hints. -@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, - "allow-query-cache-on", NULL, actx, - named_g_mctx, &view->cacheonacl)); - /* -- * Set "allow-query-cache", "allow-recursion", and -- * "allow-recursion-on" acls if configured in named.conf. -- * (Ignore the global defaults for now, because these ACLs -- * can inherit from each other when only some of them set at -- * the options/view level.) -+ * Set the "allow-query", "allow-query-cache", "allow-recursion", -+ * and "allow-recursion-on" ACLs if configured in named.conf, but -+ * NOT from the global defaults. This is done by leaving the third -+ * argument to configure_view_acl() NULL. -+ * -+ * We ignore the global defaults here because these ACLs -+ * can inherit from each other. If any are still unset after -+ * applying the inheritance rules, we'll look up the defaults at -+ * that time. - */ -- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", -- NULL, actx, named_g_mctx, &view->cacheacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query", NULL, actx, -+ named_g_mctx, &view->queryacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query-cache", NULL, actx, -+ named_g_mctx, &view->cacheacl)); - - if (strcmp(view->name, "_bind") != 0 && - view->rdclass != dns_rdataclass_chaos) - { -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion", NULL, actx, - named_g_mctx, &view->recursionacl)); -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion-on", NULL, actx, - named_g_mctx, &view->recursiononacl)); -@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, - * the global config. - */ - if (view->recursionacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-recursion", NULL, - actx, named_g_mctx, - &view->recursionacl)); - } - if (view->recursiononacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-recursion-on", NULL, - actx, named_g_mctx, - &view->recursiononacl)); - } - if (view->cacheacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-query-cache", NULL, - actx, named_g_mctx, -@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, - CHECK(dns_acl_none(mctx, &view->cacheacl)); - } - -+ if (view->queryacl == NULL) { -+ /* global default only */ -+ CHECK(configure_view_acl(NULL, NULL, named_g_config, -+ "allow-query", NULL, -+ actx, named_g_mctx, -+ &view->queryacl)); -+ } -+ - /* - * Ignore case when compressing responses to the specified - * clients. This causes case not always to be preserved, |