From 96141ea48f76b3865506a41f29cc2f73a68d0c10 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Dec 19 2007 15:59:19 +0000 Subject: - CVE-2007-6283 --- diff --git a/bind.spec b/bind.spec index 6bca3d8..d48dd08 100644 --- a/bind.spec +++ b/bind.spec @@ -21,7 +21,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.5.0 -Release: 19.2.%{RELEASEVER}%{?dist} +Release: 20.%{RELEASEVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -416,7 +416,7 @@ for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.int echo '@ in soa localhost. root 1 3H 15M 1W 1D ns localhost.' > sample/var/named/$f; done -/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.233 2007/12/12 13:28:21 atkac Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\ +/usr/bin/tail -n '+'`/bin/egrep -n '\\$Id: bind.spec,v 1.234 2007/12/19 15:59:19 atkac Exp $/+1/' | bc` bin/rndc/rndc.conf | sed '/Sample rndc configuration file./{p;i\ *\ * NOTE: you only need to create this file if it is to\ * differ from the following default contents: @@ -448,6 +448,9 @@ if [ "$1" -eq 1 ]; then /bin/sed -i -e 's^@KEY@^'`/usr/sbin/dns-keygen`'^' /etc/rndc.key ; fi [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; + # rndc.key has to have correct perms and ownership, CVE-2007-6283 + [ -e /etc/rndc.key] && chown root:named /etc/rndc.key + [ -e /etc/rndc.key] && chmod 0640 /etc/rndc.key [ -x /usr/sbin/bind-chroot-admin ] && /usr/sbin/bind-chroot-admin --sync; fi :; @@ -493,6 +496,12 @@ if [ "$1" -gt 0 ]; then fi :; +%triggerpostun -n bind -- bind <= 32:9.5.0-20.b1 +if [ "$1" -gt 0 ]; then + [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key + [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key +fi +:; %post libs -p /sbin/ldconfig @@ -667,6 +676,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_sbindir}/bind-chroot-admin %changelog +* Wed Dec 19 2007 Adam Tkac 32:9.5.0-20.b1 +- CVE-2007-6283 + * Wed Dec 12 2007 Adam Tkac 32:9.5.0-19.2.b1 - added dst/gssapi.h to -devel subpackage (#419091) - improved fix for (#417431)