diff --git a/bind.spec b/bind.spec index d4065cf..5c5712d 100644 --- a/bind.spec +++ b/bind.spec @@ -27,7 +27,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 17.%{?PATCHVER}%{?PREVER}%{?dist} +Release: 18.%{?PATCHVER}%{?PREVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -96,6 +96,7 @@ Patch143:bind-99-ISC-Bugs-35495.patch # [ISC-Bugs #35385] Patch144:bind-99-ISC-Bugs-35385.patch Patch145:bind99-CVE-2014-8500.patch +Patch146:bind99-CVE-2015-1349.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -303,6 +304,7 @@ popd %patch143 -p1 -b .dlz_segfault %patch144 -p1 -b .fetch_race_cond %patch145 -p1 -b .CVE-2014-8500 +%patch146 -p1 -b .CVE-2015-1349 %if %{SDB} %patch101 -p1 -b .old-api @@ -825,6 +827,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Mon Feb 23 2015 Tomas Hozza 32:9.9.4-18.P2 +- Include fix for CVE-2015-1349 + * Wed Dec 10 2014 Tomas Hozza 32:9.9.4-17.P2 - Fix CVE-2014-8500 (#1171913) diff --git a/bind99-CVE-2015-1349.patch b/bind99-CVE-2015-1349.patch new file mode 100644 index 0000000..36a3e4a --- /dev/null +++ b/bind99-CVE-2015-1349.patch @@ -0,0 +1,25 @@ +diff -up bind-9.9.4-P2/lib/dns/zone.c.CVE-2015-1349 bind-9.9.4-P2/lib/dns/zone.c +--- bind-9.9.4-P2/lib/dns/zone.c.CVE-2015-1349 2013-12-20 01:28:28.000000000 +0100 ++++ bind-9.9.4-P2/lib/dns/zone.c 2015-02-23 10:28:03.495089085 +0100 +@@ -8456,6 +8456,12 @@ keyfetch_done(isc_task_t *task, isc_even + namebuf, tag); + trustkey = ISC_TRUE; + } ++ } else { ++ /* ++ * No previously known key, and the key is not ++ * secure, so skip it. ++ */ ++ continue; + } + + /* Delete old version */ +@@ -8504,7 +8510,7 @@ keyfetch_done(isc_task_t *task, isc_even + trust_key(zone, keyname, &dnskey, mctx); + } + +- if (!deletekey) ++ if (secure && !deletekey) + set_refreshkeytimer(zone, &keydata, now); + } +