Update to 9.19.11 (#2178718)

- removes libirs and libbind9 from libs and devel subpackages. https://downloads.isc.org/isc/bind9/9.19.11/RELEASE-NOTES-bind-9.19.11.html
2023-03-23 23:23:28 +01:00 · 2023-03-23 23:23:28 +01:00 · 93f304f6c9
parent 2f124983ed
commit 93f304f6c9
4 changed files with 8 additions and 319 deletions
--- a/.gitignore
+++ b/.gitignore
@ -200,3 +200,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.19.9.tar.xz.asc
 /bind-9.19.10.tar.xz
 /bind-9.19.10.tar.xz.asc
+/bind-9.19.11.tar.xz
+/bind-9.19.11.tar.xz.asc
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@ -1,309 +0,0 @@
-From 75c029a38b59deb4f1b1861faf9113220e438253 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Thu, 2 Aug 2018 23:46:45 +0200
-Subject: [PATCH] FIPS tests changes for RHEL
-
-Include MD5 feature detection in featuretest tool and use it in some
-places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
-algorithm is unavailable completely and even hmac-md5 algorithm usage
-will always fail. Work that around by checking MD5 works and if not,
-skipping its usage.
-
-Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
-in Fedora and RHEL.
---
- bin/tests/system/acl/tests.sh           |  2 +-
- bin/tests/system/feature-test.c         | 14 ++++++
- bin/tests/system/nsupdate/setup.sh      |  6 ++-
- bin/tests/system/nsupdate/tests.sh      | 11 +++-
- bin/tests/system/rndc/setup.sh          |  2 +-
- bin/tests/system/rndc/tests.sh          | 22 ++++----
- bin/tests/system/tsig/ns1/named.conf.in | 10 +---
- bin/tests/system/tsig/setup.sh          | 16 ++++++
- bin/tests/system/tsig/tests.sh          | 67 +++++++++++++++----------
- 9 files changed, 102 insertions(+), 48 deletions(-)
-
-diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
-index df23d6a2f1..0984d85ed9 100644
--- a/bin/tests/system/acl/tests.sh
-+++ b/bin/tests/system/acl/tests.sh
-@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
- # and other values? right out
- t=`expr $t + 1`
- $DIG $DIGOPTS tsigzone. \
-	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
-+	@10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t}
- grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
- 
- # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
-diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index b1adaedade..4dd76fb187 100644
--- a/bin/tests/system/feature-test.c
-+++ b/bin/tests/system/feature-test.c
-@@ -17,6 +17,7 @@
- #include <string.h>
- #include <unistd.h>
- 
-+#include <isc/md.h>
- #include <isc/net.h>
- #include <isc/print.h>
- #include <isc/util.h>
-@@ -143,6 +144,19 @@ main(int argc, char **argv) {
- #endif
- 	}
- 
-+	if (strcmp(argv[1], "--md5") == 0) {
-+		unsigned char digest[ISC_MAX_MD_SIZE];
-+		const unsigned char test[] = "test";
-+		unsigned int size = sizeof(digest);
-+
-+		if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) ==
-+		    ISC_R_SUCCESS) {
-+			return (0);
-+		} else {
-+			return (1);
-+		}
-+	}
-+
- 	if (strcmp(argv[1], "--ipv6only=no") == 0) {
- #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
- 		int s;
-diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index b7d7b38107..25c4cb4d8b 100644
--- a/bin/tests/system/nsupdate/setup.sh
-+++ b/bin/tests/system/nsupdate/setup.sh
-@@ -73,7 +73,11 @@ EOF
- 
- $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
- 
-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
-+if $FEATURETEST --md5; then
-+	$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
-+else
-+	echo -n > ns1/md5.key
-+fi
- $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
- $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
- $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
-diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 5adc99ce5c..54e1d531a6 100755
--- a/bin/tests/system/nsupdate/tests.sh
-+++ b/bin/tests/system/nsupdate/tests.sh
-@@ -959,7 +959,14 @@ fi
- n=$((n + 1))
- ret=0
- echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
-+if $FEATURETEST --md5
-+then
-+	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
-+else
-+	ALGS="sha1 sha224 sha256 sha384 sha512"
-+	echo_i "skipping disabled md5 algorithm"
-+fi
-+for alg in $ALGS; do
-     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
- server 10.53.0.1 ${PORT}
- update add ${alg}.keytests.nil. 600 A 10.10.10.3
-@@ -967,7 +974,7 @@ send
- END
- done
- sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
-+for alg in $ALGS; do
-     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
- done
- if [ $ret -ne 0 ]; then
-diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index a8793f36d9..e6714c0991 100644
--- a/bin/tests/system/rndc/setup.sh
-+++ b/bin/tests/system/rndc/setup.sh
-@@ -48,7 +48,7 @@ make_key () {
-             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
- }
- 
-make_key 1 ${EXTRAPORT1} hmac-md5
-+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
- make_key 2 ${EXTRAPORT2} hmac-sha1
- make_key 3 ${EXTRAPORT3} hmac-sha224
- make_key 4 ${EXTRAPORT4} hmac-sha256
-diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index 424ac2befe..27219a3df8 100644
--- a/bin/tests/system/rndc/tests.sh
-+++ b/bin/tests/system/rndc/tests.sh
-@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
- 
- n=$((n+1))
-echo_i "testing rndc with hmac-md5 ($n)"
-ret=0
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
-for i in 2 3 4 5 6
-do
-        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
-+if $FEATURETEST --md5; then
-+	echo_i "testing rndc with hmac-md5 ($n)"
-+	ret=0
-+	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
-+	for i in 2 3 4 5 6
-+	do
-+	        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-+	done
-+	if [ $ret != 0 ]; then echo_i "failed"; fi
-+	status=$((status+ret))
-+else
-+	echo_i "skipping rndc with hmac-md5 ($n)"
-+fi
- 
- n=$((n+1))
- echo_i "testing rndc with hmac-sha1 ($n)"
-diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
-index 76cf970397..22637af901 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
-+++ b/bin/tests/system/tsig/ns1/named.conf.in
-@@ -23,10 +23,7 @@ options {
- 	notify no;
- };
- 
-key "md5" {
-	secret "97rnFx24Tfna4mHPfgnerA==";
-	algorithm hmac-md5;
-};
-+# md5 key appended by setup.sh at the end
- 
- key "sha1" {
- 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-@@ -53,10 +50,7 @@ key "sha512" {
- 	algorithm hmac-sha512;
- };
- 
-key "md5-trunc" {
-	secret "97rnFx24Tfna4mHPfgnerA==";
-	algorithm hmac-md5-80;
-};
-+# md5-trunc key appended by setup.sh at the end
- 
- key "sha1-trunc" {
- 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index 34cc73bf53..6a739f7eb1 100644
--- a/bin/tests/system/tsig/setup.sh
-+++ b/bin/tests/system/tsig/setup.sh
-@@ -16,3 +16,19 @@
- $SHELL clean.sh
- 
- copy_setports ns1/named.conf.in ns1/named.conf
-+
-+if $FEATURETEST --md5
-+then
-+	cat >> ns1/named.conf << EOF
-+# Conditionally included when support for MD5 is available
-+key "md5" {
-+        secret "97rnFx24Tfna4mHPfgnerA==";
-+        algorithm hmac-md5;
-+};
-+
-+key "md5-trunc" {
-+        secret "97rnFx24Tfna4mHPfgnerA==";
-+        algorithm hmac-md5-80;
-+};
-+EOF
-+fi
-diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
-index 106722741c..ee05e838c1 100644
--- a/bin/tests/system/tsig/tests.sh
-+++ b/bin/tests/system/tsig/tests.sh
-@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
- 
- status=0
- 
-echo_i "fetching using hmac-md5 (old form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
-fi
-
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
-+if $FEATURETEST --md5
-+then
-+	echo_i "fetching using hmac-md5 (old form)"
-+	ret=0
-+	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
-+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-+	if [ $ret -eq 1 ] ; then
-+		echo_i "failed"; status=1
-+	fi
-+
-+	echo_i "fetching using hmac-md5 (new form)"
-+	ret=0
-+	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-+	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-+	if [ $ret -eq 1 ] ; then
-+		echo_i "failed"; status=1
-+	fi
-+else
-+	echo_i "skipping using hmac-md5"
- fi
- 
- echo_i "fetching using hmac-sha1"
-@@ -88,12 +93,17 @@ fi
- #	Truncated TSIG
- #
- #
-echo_i "fetching using hmac-md5 (trunc)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
-+if $FEATURETEST --md5
-+then
-+	echo_i "fetching using hmac-md5 (trunc)"
-+	ret=0
-+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
-+	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-+	if [ $ret -eq 1 ] ; then
-+		echo_i "failed"; status=1
-+	fi
-+else
-+	echo_i "skipping using hmac-md5 (trunc)"
- fi
- 
- echo_i "fetching using hmac-sha1 (trunc)"
-@@ -142,12 +152,17 @@ fi
- #	Check for bad truncation.
- #
- #
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
-	echo_i "failed"; status=1
-+if $FEATURETEST --md5
-+then
-+	echo_i "fetching using hmac-md5-80 (BADTRUNC)" 
-+	ret=0
-+	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
-+	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-+	if [ $ret -eq 1 ] ; then
-+		echo_i "failed"; status=1
-+	fi
-+else
-+	echo_i "skipping using hmac-md5-80 (BADTRUNC)" 
- fi
- 
- echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
-- 
-2.39.0
-
--- a/bind9-next.spec
+++ b/bind9-next.spec
@ -55,7 +55,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind9-next
 License:  MPL-2.0 AND ISC AND BSD-3-clause AND Expat AND BSD-2-clause
 #
-Version:  9.19.10
+Version:  9.19.11
 Release:  1%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
@ -90,8 +90,6 @@ Source49: named-chroot.files
 # Common patches
 # Red Hat specific documentation is not relevant to upstream
 Patch1: bind-9.16-redhat_doc.patch
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7417
-Patch2: bind-9.11-fips-tests.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -828,11 +826,9 @@ fi;
 %dir /run/named

 %files libs
-%{_libdir}/libbind9-%{version}*.so
 %{_libdir}/libisccc-%{version}*.so
 %{_libdir}/libns-%{version}*.so
 %{_libdir}/libdns-%{version}*.so
-%{_libdir}/libirs-%{version}*.so
 %{_libdir}/libisc-%{version}*.so
 %{_libdir}/libisccfg-%{version}*.so

@ -880,15 +876,12 @@ fi;
 %{_mandir}/man1/dnssec*.1*

 %files devel
-%{_libdir}/libbind9.so
 %{_libdir}/libisccc.so
 %{_libdir}/libns.so
 %{_libdir}/libdns.so
-%{_libdir}/libirs.so
 %{_libdir}/libisc.so
 %{_libdir}/libisccfg.so
 %dir %{_includedir}/bind9
-%{_includedir}/bind9/bind9
 %{_includedir}/bind9/isccc
 %{_includedir}/bind9/ns
 %{_includedir}/bind9/dns
@ -966,6 +959,9 @@ fi;
 %endif

 %changelog
+* Thu Mar 23 2023 Petr Menšík <pemensik@redhat.com> - 32:9.19.11-1
+- Update to 9.19.11 (#2178718)
+
 * Mon Mar 06 2023 Petr Menšík <pemensik@redhat.com> - 32:9.19.10-1
 - Update to 9.19.10 (#2170097)
 - Update license tag to SPDX tag
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.19.10.tar.xz) = 185afd57c1606862764aa4f211126b52bbbe65fb82f1b01b8cf8fb3692d58a8e47b2d1c83d39c8fe026a2da75eeb3059b877f7b34fea76bbacd0bd303f0ba6af
-SHA512 (bind-9.19.10.tar.xz.asc) = a2b729ec8d3a3998887276f2080601ae87443b83c3cc85ccf2af767e972e45c868454cb3db0fe1dd30c0f7aec2a9844b4e46b824130cb64a18735c79a9404127
+SHA512 (bind-9.19.11.tar.xz) = 52b5779b9f7951e1e367684cb18aeb7186199e380d44ec0b2b05ff9f1c28447d72d95138fbd49f0ac0e5e7c959f9ece70b4fcbe8557db2a45536cd1f83f28091
+SHA512 (bind-9.19.11.tar.xz.asc) = 37ce98e46cec1061d59a12ad39649223f824006e2612d902304f781494ca3b186dbbb8ce06ba9fe5d365a7c28bec9b0f9983ba652722d9ac06b84150ca227f82