folkslinux
/
CBL-Mariner
mirror of https://github.com/microsoft/CBL-Mariner.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update subversion, syslog-ng, systemtap, unbound (#1939) 

* Update subversion, syslog-ng, systemtap, unbound

* Remove obsolete cve patches
This commit is contained in:
Neha Agarwal 2022-01-20 14:42:03 -08:00 committed by GitHub
parent 5188d17a53
commit 84ae33d737
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 319 additions and 1286 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
SPECS/subversion/CVE-2020-17525.patch
View File

@ -1,16 +0,0 @@
Patch from https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
--- a/subversion/libsvn_repos/config_file.c
+++ b/subversion/libsvn_repos/config_file.c
@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
{
/* Search for a repository in the full path. */
repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
+ if (repos_root_dirent == NULL)
+ return svn_error_trace(handle_missing_file(stream, checksum, access,
+ url, must_exist,
+ svn_node_none));
/* Attempt to open a repository at repos_root_dirent. */
SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,

2
SPECS/subversion/subversion.signatures.json
View File

@ -1,5 +1,5 @@
{
"Signatures": {
"subversion-1.14.0.tar.bz2": "6ba8e218f9f97a83a799e58a3c6da1221d034b18d9d8cbbcb6ec52ab11722102"
"subversion-1.14.1.tar.bz2": "2c5da93c255d2e5569fa91d92457fdb65396b0666fad4fd59b22e154d986e1a9"
}
}

167
SPECS/subversion/subversion.spec
View File

@ -1,15 +1,13 @@
Summary: The Apache Subversion control system
Name: subversion
Version: 1.14.0
Release: 4%{?dist}
Version: 1.14.1
Release: 1%{?dist}
License: ASL 2.0
URL: https://subversion.apache.org/
Group: Utilities/System
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Utilities/System
URL: https://subversion.apache.org/
Source0: https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.bz2
Patch0: CVE-2020-17525.patch
BuildRequires: apr-devel
BuildRequires: apr-util
BuildRequires: apr-util-devel
@ -17,17 +15,16 @@ BuildRequires: expat-devel
BuildRequires: libserf-devel
BuildRequires: libtool
BuildRequires: lz4
BuildRequires: utf8proc-devel
BuildRequires: swig
BuildRequires: sqlite-devel
BuildRequires: perl(ExtUtils::Embed)
BuildRequires: sqlite-devel
BuildRequires: swig
BuildRequires: utf8proc-devel
%if %{with_check}
BuildRequires: python-xml
BuildRequires: python2
BuildRequires: shadow-utils
BuildRequires: sudo
%endif
Requires: apr
Requires: apr-util
Requires: libserf
@ -37,19 +34,20 @@ Requires: utf8proc
The Apache version control system.
%package devel
Summary: Header and development files for mesos
Requires: %{name} = %{version}
Summary: Header and development files for mesos
Requires: %{name} = %{version}
%description devel
subversion-devel package contains header files, libraries.
%package perl
Summary: Allows Perl scripts to directly use Subversion repositories.
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: %{name} = %{version}
Summary: Allows Perl scripts to directly use Subversion repositories.
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: %{name} = %{version}
%description perl
Provides Perl (SWIG) support for Subversion version control system.
%prep
%autosetup -p1
@ -71,9 +69,9 @@ make -j1 DESTDIR=%{buildroot} install
%find_lang %{name}
# For Perl bindings
make install-swig-pl-lib DESTDIR=$RPM_BUILD_ROOT
make install-swig-pl-lib DESTDIR=%{buildroot}
make pure_vendor_install -C subversion/bindings/swig/perl/native \
PERL_INSTALL_ROOT=$RPM_BUILD_ROOT
PERL_INSTALL_ROOT=%{buildroot}
%check
# subversion expect nonroot user to run tests
@ -105,61 +103,88 @@ sudo -u test make check && userdel test -r -f
%{_mandir}/man3/SVN*
%changelog
* Fri Jan 14 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 1.14.1-1
- Update to version 1.14.1.
* Fri Apr 02 2021 Thomas Crain <thcrain@microsoft.com> - 1.14.0-4
- Merge the following releases from 1.0 to dev branch
- pawelwi@microsoft.com, 1.14.0-3: Adding 'BuildRequires' on 'python', 'shadow-utils' and 'sudo' to fix the package tests.
- henry.beberman@microsoft.com, 1.14.0-4: Patch CVE-2020-17525.
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 1.14.0-3
- Use new perl package names.
- Add perl(ExtUtils::Embed) build requirement.
- Update perl installation and packaging to perl_vendorarch directory.
* Thu Jun 11 2020 Henry Beberman <henry.beberman@microsoft.com> 1.14.0-2
- Add -Wformat to fix the build because -Werror=format-security is enabled.
* Tue Jun 09 2020 Andrew Phelps <anphel@microsoft.com> 1.14.0-1
- Update to 1.14.0 to fix: CVE-2019-0203, CVE-2018-11782, CVE-2018-11803
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.10.2-7
- Added %%license line automatically
* Mon Apr 13 2020 Emre Girgin <mrgirgin@microsoft.com> 1.10.2-6
- Rename serf to libserf.
- Update Source0 and URL to use https. Update License. License verified.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.10.2-5
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Mar 05 2019 Siju Maliakkal <smaliakkal@vmware.com> 1.10.2-4
- Excluding conflicting perllocal.pod
* Tue Oct 02 2018 Siju Maliakkal <smaliakkal@vmware.com> 1.10.2-3
- Added Perl bindings
* Fri Sep 21 2018 Ankit Jain <ankitja@vmware.com> 1.10.2-2
- Added utf8proc as Requires.
* Wed Sep 19 2018 Ankit Jain <ankitja@vmware.com> 1.10.2-1
- Updated to version 1.10.2
* Mon Jan 22 2018 Xiaolin Li <xiaolinl@vmware.com> 1.9.7-2
- Compile subversion with https repository access module support
* Mon Aug 28 2017 Xiaolin Li <xiaolinl@vmware.com> 1.9.7-1
- Update to version 1.9.7.
* Thu Jun 15 2017 Xiaolin Li <xiaolinl@vmware.com> 1.9.5-2
- Fix make check issues.
* Wed Apr 12 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.9.5-1
- Update to version 1.9.5
* Tue Dec 27 2016 Xiaolin Li <xiaolinl@vmware.com> 1.9.4-2
- Moved pkgconfig/*.pc to devel subpackage.
* Wed Nov 23 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.9.4-1
- Upgraded to version 1.9.4, fixes CVE-2016-2167 CVE-2016-2168
* Wed Nov 16 2016 Alexey Makhalov <ppadmavilasom@vmware.com> 1.9.3-8
- Use sqlite-{devel,libs}
* Mon Oct 10 2016 ChangLee <changlee@vmware.com> 1.9.3-7
- Modified %check
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.9.3-6
- GA - Bump release of all rpms
* Tue Feb 23 2016 Xiaolin Li <xiaolinl@vmware.com> 1.9.3-1
- Updated to version 1.9.3
* Tue Nov 10 2015 Xiaolin Li <xiaolinl@vmware.com> 1.8.13-5
- Handled locale files with macro find_lang
* Tue Sep 22 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.8.13-4
- Updated build-requires after creating devel package for apr.
* Mon Sep 21 2015 Xiaolin Li <xiaolinl@vmware.com> 1.8.13-3
- Move .a, and .so files to devel pkg.
* Tue Sep 08 2015 Vinay Kulkarni <kulkarniv@vmware.com> 1.8.13-2
- Move headers into devel pkg.
* Fri Jun 26 2015 Sarah Choi <sarahc@vmware.com> 1.8.13-1
- Initial build. First version
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 1.14.0-3
- Use new perl package names.
- Add perl(ExtUtils::Embed) build requirement.
- Update perl installation and packaging to perl_vendorarch directory.
* Thu Jun 11 2020 Henry Beberman <henry.beberman@microsoft.com> 1.14.0-2
- Add -Wformat to fix the build because -Werror=format-security is enabled.
* Tue Jun 09 2020 Andrew Phelps <anphel@microsoft.com> 1.14.0-1
- Update to 1.14.0 to fix: CVE-2019-0203, CVE-2018-11782, CVE-2018-11803
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.10.2-7
- Added %%license line automatically
* Mon Apr 13 2020 Emre Girgin <mrgirgin@microsoft.com> 1.10.2-6
- Rename serf to libserf.
- Update Source0 and URL to use https. Update License. License verified.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.10.2-5
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Mar 05 2019 Siju Maliakkal <smaliakkal@vmware.com> 1.10.2-4
- Excluding conflicting perllocal.pod
* Tue Oct 02 2018 Siju Maliakkal <smaliakkal@vmware.com> 1.10.2-3
- Added Perl bindings
* Fri Sep 21 2018 Ankit Jain <ankitja@vmware.com> 1.10.2-2
- Added utf8proc as Requires.
* Wed Sep 19 2018 Ankit Jain <ankitja@vmware.com> 1.10.2-1
- Updated to version 1.10.2
* Mon Jan 22 2018 Xiaolin Li <xiaolinl@vmware.com> 1.9.7-2
- Compile subversion with https repository access module support
* Mon Aug 28 2017 Xiaolin Li <xiaolinl@vmware.com> 1.9.7-1
- Update to version 1.9.7.
* Thu Jun 15 2017 Xiaolin Li <xiaolinl@vmware.com> 1.9.5-2
- Fix make check issues.
* Wed Apr 12 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.9.5-1
- Update to version 1.9.5
* Tue Dec 27 2016 Xiaolin Li <xiaolinl@vmware.com> 1.9.4-2
- Moved pkgconfig/*.pc to devel subpackage.
* Wed Nov 23 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.9.4-1
- Upgraded to version 1.9.4, fixes CVE-2016-2167 CVE-2016-2168
* Wed Nov 16 2016 Alexey Makhalov <ppadmavilasom@vmware.com> 1.9.3-8
- Use sqlite-{devel,libs}
* Mon Oct 10 2016 ChangLee <changlee@vmware.com> 1.9.3-7
- Modified %check
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.9.3-6
- GA - Bump release of all
* Tue Feb 23 2016 Xiaolin Li <xiaolinl@vmware.com> 1.9.3-1
- Updated to version 1.9.3
* Tue Nov 10 2015 Xiaolin Li <xiaolinl@vmware.com> 1.8.13-5
- Handled locale files with macro find_lang
* Tue Sep 22 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.8.13-4
- Updated build-requires after creating devel package for apr.
* Mon Sep 21 2015 Xiaolin Li <xiaolinl@vmware.com> 1.8.13-3
- Move .a, and .so files to devel pkg.
* Tue Sep 08 2015 Vinay Kulkarni <kulkarniv@vmware.com> 1.8.13-2
- Move headers into devel pkg.
* Fri Jun 26 2015 Sarah Choi <sarahc@vmware.com> 1.8.13-1
- Initial build. First version

12
SPECS/syslog-ng/syslog-ng.signatures.json
View File

@ -1,7 +1,7 @@
{
"Signatures": {
"60-syslog-ng-journald.conf" : "c4c875396276951b491e799e9cdb5a090b2ca82a754967c7f310888373e51c40",
"syslog-ng-3.23.1.tar.gz" : "fb36cfc1982831f74143b77a924ee79714745b5e2b3ff59d086d09a77d0acd38",
"syslog-ng.service" : "8cdd00693233eef334bc943efdce634008911796681c8fc3454346a3bb0111b2"
}
}
"Signatures": {
"60-syslog-ng-journald.conf": "c4c875396276951b491e799e9cdb5a090b2ca82a754967c7f310888373e51c40",
"syslog-ng-3.33.2.tar.gz": "0b786a06077b9150191d714f45a1b4b3792952cb58163a3af336f074da9fb14b",
"syslog-ng.service": "8cdd00693233eef334bc943efdce634008911796681c8fc3454346a3bb0111b2"
}
}

172
SPECS/syslog-ng/syslog-ng.spec
View File

@ -2,37 +2,34 @@
%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
Summary: Next generation system logger facilty
Name: syslog-ng
Version: 3.23.1
Release: 4%{?dist}
License: BSD and GPLv2+ and LGPLv2+
URL: https://syslog-ng.org/
Group: System Environment/Daemons
Version: 3.33.2
Release: 1%{?dist}
License: BSD AND GPLv2+ AND LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Daemons
URL: https://syslog-ng.org/
Source0: https://github.com/balabit/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: 60-syslog-ng-journald.conf
Source2: syslog-ng.service
Requires: glib
Requires: json-glib
Requires: json-c
Requires: systemd
BuildRequires: glib-devel
BuildRequires: json-glib-devel
BuildRequires: json-c-devel
BuildRequires: systemd-devel
BuildRequires: python2-devel
BuildRequires: json-glib-devel
BuildRequires: python2
BuildRequires: python2-devel
BuildRequires: python2-libs
BuildRequires: python3
BuildRequires: python3-devel
BuildRequires: python3-libs
BuildRequires: systemd-devel
%if %{with_check}
BuildRequires: curl-devel
BuildRequires: python3-pip
%endif
Requires: glib
Requires: json-c
Requires: json-glib
Requires: systemd
Obsoletes: eventlog
%description
@ -60,6 +57,7 @@ Python 3 version.
%package devel
Summary: Header and development files for syslog-ng
Requires: %{name} = %{version}-%{release}
%description devel
syslog-ng-devel package contains header files, pkfconfig files, and libraries
needed to build applications using syslog-ng APIs.
@ -68,13 +66,14 @@ Requires: %{name} = %{version}-%{release}
%setup -q
rm -rf ../p3dir
cp -a . ../p3dir
%build
%configure \
CFLAGS="%{optflags}" \
CXXFLAGS="%{optflags}" \
--disable-silent-rules \
--sysconfdir=/etc/syslog-ng \
--sysconfdir=%{_sysconfdir}/syslog-ng \
--enable-systemd \
--with-systemdsystemunitdir=%{_libdir}/systemd/system \
--enable-json=yes \
@ -82,7 +81,7 @@ cp -a . ../p3dir
--disable-java \
--disable-redis \
--with-python=2 \
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
PKG_CONFIG_PATH=%{_prefix}/local/lib/pkgconfig/
make %{?_smp_mflags}
pushd ../p3dir
@ -90,7 +89,7 @@ pushd ../p3dir
CFLAGS="%{optflags}" \
CXXFLAGS="%{optflags}" \
--disable-silent-rules \
--sysconfdir=/etc/syslog-ng \
--sysconfdir=%{_sysconfdir}/syslog-ng \
--enable-systemd \
--with-systemdsystemunitdir=%{_libdir}/systemd/system \
--enable-json=yes \
@ -99,7 +98,7 @@ pushd ../p3dir
--disable-redis \
--with-python=3 \
PYTHON=/bin/python3 \
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
PKG_CONFIG_PATH=%{_prefix}/local/lib/pkgconfig/
make %{?_smp_mflags}
popd
@ -127,7 +126,7 @@ install -vdm755 %{buildroot}%{_libdir}/systemd/system-preset
echo "disable syslog-ng.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-syslog-ng.preset
%check
easy_install_2=$(ls /usr/bin |grep easy_install |grep 2)
easy_install_2=$(ls %{_bindir} |grep easy_install |grep 2)
$easy_install_2 unittest2
$easy_install_2 nose
$easy_install_2 ply
@ -140,7 +139,7 @@ popd
%post
if [ $1 -eq 1 ] ; then
mkdir -p /usr/var/
mkdir -p %{_prefix}%{_var}/
fi
%systemd_post syslog-ng.service
@ -158,10 +157,10 @@ fi
%{_sysconfdir}/systemd/journald.conf.d/*
%{_libdir}/systemd/system/syslog-ng.service
%{_libdir}/systemd/system-preset/50-syslog-ng.preset
/usr/bin/*
/usr/sbin/syslog-ng
/usr/sbin/syslog-ng-ctl
/usr/sbin/syslog-ng-debun
%{_bindir}/*
%{_sbindir}/syslog-ng
%{_sbindir}/syslog-ng-ctl
%{_sbindir}/syslog-ng-debun
%{_libdir}/libsyslog-ng-*.so.*
%{_libdir}/libevtlog-*.so.*
%{_libdir}/libloggen_helper*
@ -169,7 +168,19 @@ fi
%{_libdir}/libsecret-storage*
%{_libdir}/%{name}/loggen/*
%{_libdir}/syslog-ng/lib*.so
/usr/share/syslog-ng/*
%{_mandir}/man1/dqtool.1.gz
%{_mandir}/man1/loggen.1.gz
%{_mandir}/man1/pdbtool.1.gz
%{_mandir}/man1/persist-tool.1.gz
%{_mandir}/man1/slogencrypt.1.gz
%{_mandir}/man1/slogkey.1.gz
%{_mandir}/man1/slogverify.1.gz
%{_mandir}/man1/syslog-ng-ctl.1.gz
%{_mandir}/man1/syslog-ng-debun.1.gz
%{_mandir}/man5/syslog-ng.conf.5.gz
%{_mandir}/man7/secure-logging.7.gz
%{_mandir}/man8/syslog-ng.8.gz
%{_datadir}/syslog-ng/*
%files -n python2-syslog-ng
%defattr(-,root,root)
@ -188,52 +199,75 @@ fi
%{_libdir}/pkgconfig/*
%changelog
* Fri Jan 14 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 3.33.2-1
- Update to version 3.33.2.
* Thu Dec 16 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.23.1-4
- Removing the explicit %%clean stage.
* Fri Dec 03 2021 Thomas Crain <thcrain@microsoft.com> - 3.23.1-3
- Replace easy_install usage with pip in %%check sections
* Tue Oct 13 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 3.23.1-2
- Added the %%license macro.
- License verified.
* Wed Mar 18 2020 Henry Beberman <henry.beberman@microsoft.com> 3.23.1-1
- Update to 3.23.1. License fixed.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 3.17.2-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Wed Oct 10 2018 Ankit Jain <ankitja@vmware.com> 3.17.2-1
- Update to version 3.17.2
* Mon Sep 11 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.11.1-3
- Obsolete eventlog.
* Mon Sep 04 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.11.1-2
- Use old service file.
* Fri Aug 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.11.1-1
- Update to version 3.11.1
* Thu Jun 29 2017 Divya Thaluru <dthaluru@vmware.com> 3.9.1-3
- Disabled syslog-ng service by default
* Thu May 18 2017 Xiaolin Li <xiaolinl@vmware.com> 3.9.1-2
- Move python2 requires to python2 subpackage and added python3 binding.
* Tue Apr 11 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.9.1-1
- Update to version 3.9.1
* Tue Oct 04 2016 ChangLee <changlee@vmware.com> 3.6.4-6
- Modified %check
* Thu May 26 2016 Divya Thaluru <dthaluru@vmware.com> 3.6.4-5
- Fixed logic to restart the active services after upgrade
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.6.4-4
- GA - Bump release of all rpms
* Wed May 4 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.6.4-3
- Fix for upgrade issues
* Wed Feb 17 2016 Anish Swaminathan <anishs@vmware.com> 3.6.4-2
- Add journald conf file.
* Wed Jan 20 2016 Anish Swaminathan <anishs@vmware.com> 3.6.4-1
- Upgrade version.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 3.6.2-5
- Change config file attributes.
* Wed Dec 09 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 3.6.2-4
- Moving files from devel rpm to the main package.
* Wed Aug 05 2015 Kumar Kaushik <kaushikk@vmware.com> 3.6.2-3
- Adding preun section.
* Sat Jul 18 2015 Vinay Kulkarni <kulkarniv@vmware.com> 3.6.2-2
- Split headers and unshared libs over to devel package.
* Thu Jun 4 2015 Vinay Kulkarni <kulkarniv@vmware.com> 3.6.2-1
- Add syslog-ng support to photon.
* Tue Oct 13 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 3.23.1-2
- Added the %%license macro.
- License verified.
* Wed Mar 18 2020 Henry Beberman <henry.beberman@microsoft.com> 3.23.1-1
- Update to 3.23.1. License fixed.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 3.17.2-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Wed Oct 10 2018 Ankit Jain <ankitja@vmware.com> 3.17.2-1
- Update to version 3.17.2
* Mon Sep 11 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.11.1-3
- Obsolete eventlog.
* Mon Sep 04 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.11.1-2
- Use old service file.
* Fri Aug 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.11.1-1
- Update to version 3.11.1
* Thu Jun 29 2017 Divya Thaluru <dthaluru@vmware.com> 3.9.1-3
- Disabled syslog-ng service by default
* Thu May 18 2017 Xiaolin Li <xiaolinl@vmware.com> 3.9.1-2
- Move python2 requires to python2 subpackage and added python3 binding.
* Tue Apr 11 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.9.1-1
- Update to version 3.9.1
* Tue Oct 04 2016 ChangLee <changlee@vmware.com> 3.6.4-6
- Modified %check
* Thu May 26 2016 Divya Thaluru <dthaluru@vmware.com> 3.6.4-5
- Fixed logic to restart the active services after upgrade
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.6.4-4
- GA - Bump release of all rpms
* Wed May 4 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.6.4-3
- Fix for upgrade issues
* Wed Feb 17 2016 Anish Swaminathan <anishs@vmware.com> 3.6.4-2
- Add journald conf file.
* Wed Jan 20 2016 Anish Swaminathan <anishs@vmware.com> 3.6.4-1
- Upgrade version.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 3.6.2-5
- Change config file attributes.
* Wed Dec 09 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 3.6.2-4
- Moving files from devel rpm to the main package.
* Wed Aug 05 2015 Kumar Kaushik <kaushikk@vmware.com> 3.6.2-3
- Adding preun section.
* Sat Jul 18 2015 Vinay Kulkarni <kulkarniv@vmware.com> 3.6.2-2
- Split headers and unshared libs over to devel package.
* Thu Jun 4 2015 Vinay Kulkarni <kulkarniv@vmware.com> 3.6.2-1
- Add syslog-ng support to photon.

2
SPECS/systemtap/systemtap.signatures.json
View File

@ -1,5 +1,5 @@
{
"Signatures": {
"systemtap-4.1.tar.gz": "8efa1ee2b34f1c6b2f33a25313287d59c8ed1b00265e900aea874da8baca1e1d"
"systemtap-4.5.tar.gz": "75078ed37e0dd2a769c9d1f9394170b2d9f4d7daa425f43ca80c13bad6cfc925"
}
}

175
SPECS/systemtap/systemtap.spec
View File

@ -1,5 +1,4 @@
%define _unpackaged_files_terminate_build 0
%define with_boost 1
%define with_crash 1
%define with_docs 0
@ -7,54 +6,52 @@
%define with_pie 1
%define with_rpm 0
%define with_sqlite 1
Name: systemtap
Version: 4.1
Release: 9%{?dist}
Summary: Programmable system-wide instrumentation system
Group: Development/System
Summary: Programmable system-wide instrumentation system
Name: systemtap
Version: 4.5
Release: 1%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://sourceware.org/systemtap/
Source0: https://sourceware.org/systemtap/ftp/releases/systemtap-%{version}.tar.gz
License: GPLv2+
BuildRequires: elfutils-devel
BuildRequires: glibc-devel
BuildRequires: elfutils-libelf-devel
BuildRequires: libgcc
BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: sqlite-devel
BuildRequires: libstdc++-devel
BuildRequires: libtirpc-devel
BuildRequires: libxml2-devel
BuildRequires: perl
BuildRequires: python3-setuptools
BuildRequires: nss
BuildRequires: shadow-utils
BuildRequires: python3-devel
Group: Development/System
URL: https://sourceware.org/systemtap/
Source0: https://sourceware.org/systemtap/ftp/releases/systemtap-%{version}.tar.gz
BuildRequires: elfutils-devel
BuildRequires: elfutils-libelf-devel
BuildRequires: glibc-devel
BuildRequires: libgcc
BuildRequires: libstdc++-devel
BuildRequires: libtirpc-devel
BuildRequires: libxml2-devel
BuildRequires: nspr-devel
BuildRequires: nss
BuildRequires: nss-devel
BuildRequires: perl
BuildRequires: pkg-config
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: shadow-utils
BuildRequires: sqlite-devel
%if %with_boost
BuildRequires: boost-devel
BuildRequires: boost-devel
%endif
%if %with_crash
BuildRequires: crash-devel
BuildRequires: zlib-devel
Requires: crash
%if %{with_crash}
BuildRequires: crash-devel
BuildRequires: zlib-devel
Requires: crash
%endif
BuildRequires: pkg-config
%if %with_rpm
BuildRequires: rpm-devel
%if %{with_rpm}
BuildRequires: rpm-devel
%endif
Requires: gcc
Requires: kernel-devel
Requires: make
Requires: elfutils
Requires: %{name}-runtime = %{version}-%{release}
Requires: elfutils
Requires: gcc
Requires: kernel-devel
Requires: make
Requires: %{name}-runtime = %{version}-%{release}
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
Requires(postun):/usr/sbin/userdel /usr/sbin/groupdel
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRoot: %{_tmppath}/%{name}-%{version}-root
%description
SystemTap is an instrumentation system for systems running Linux.
@ -62,54 +59,52 @@ Developers can write instrumentation scripts to collect data on
the operation of the system. The base systemtap package contains/requires
the components needed to locally develop and execute systemtap scripts.
%package initscript
Group: System/Tools
Summary: Systemtap Initscript
Requires: %{name}-runtime = %{version}-%{release}
Requires: initscripts
Summary: Systemtap Initscript
Group: System/Tools
Requires: %{name}-runtime = %{version}-%{release}
Requires: initscripts
%description initscript
Initscript for Systemtap scripts.
%package python
Group: System/Tools
Summary: Python interface for systemtap
Requires: python3
Summary: Python interface for systemtap
Group: System/Tools
Requires: python3
%description python
This packages has the python interface to systemtap
%package runtime
Group: System/Tools
Summary: Instrumentation System Runtime
Requires: kernel-devel
Summary: Instrumentation System Runtime
Group: System/Tools
Requires: kernel-devel
%description runtime
SystemTap runtime is the runtime component of an instrumentation system for systems running Linux.
%package sdt-devel
Group: System/Tools
Summary: Static probe support tools
Requires: %{name} = %{version}-%{release}
Summary: Static probe support tools
Group: System/Tools
Requires: %{name} = %{version}-%{release}
%description sdt-devel
Support tools to allow applications to use static probes.
%package server
Group: System/Tools
Summary: Instrumentation System Server
Requires: %{name} = %{version}-%{release}
Requires: %{name}-runtime = %{version}-%{release}
Requires: coreutils
Requires: nss
Requires: unzip
Requires: gzip
Summary: Instrumentation System Server
Group: System/Tools
Requires: %{name} = %{version}-%{release}
Requires: %{name}-runtime = %{version}-%{release}
Requires: coreutils
Requires: gzip
Requires: nss
Requires: unzip
%description server
SystemTap server is the server component of an instrumentation system for systems running Linux.
%prep
%setup -q
sed -i "s#"kernel"#"linux"#g" stap-prep
@ -117,23 +112,23 @@ sed -i "s#"devel"#"dev"#g" stap-prep
%build
%configure \
%if %with_crash
%if %{with_crash}
--enable-crash \
%else
--disable-crash \
%endif
--disable-docs \
%if %with_sqlite
%if %{with_sqlite}
--enable-sqlite \
%else
--disable-sqlite \
%endif
%if %with_rpm
%if %{with_rpm}
--with-rpm \
%else
--without-rpm \
%endif
%if %with_pie
%if %{with_pie}
--enable-pie \
%else
--disable-pie \
@ -147,7 +142,7 @@ sed -i "s#"devel"#"dev"#g" stap-prep
make
%install
[ "%{buildroot}" != / ] && rm -rf ""
[ %{buildroot} != / ] && rm -rf ""
%makeinstall
mv %{buildroot}%{_datadir}/systemtap/examples examples
@ -158,7 +153,6 @@ chmod 755 %{buildroot}%{_bindir}/staprun
install -c -m 755 stap-prep %{buildroot}%{_bindir}/stap-prep
mkdir -p %{buildroot}%{_sysconfdir}//rc.d/init.d/
install -m 755 initscript/systemtap %{buildroot}%{_sysconfdir}/rc.d/init.d/
mkdir -p %{buildroot}%{_sysconfdir}/systemtap
@ -168,11 +162,11 @@ install -m 644 initscript/config.systemtap %{buildroot}%{_sysconfdir}/systemtap/
mkdir -p %{buildroot}%{_localstatedir}/cache/systemtap
mkdir -p %{buildroot}%{_localstatedir}/run/systemtap
%if %with_docs
%if %{with_docs}
mkdir docs.installed
mv %{buildroot}%{_datadir}/systemtap/*.pdf docs.installed/
mv %{buildroot}%{_datadir}/systemtap/tapsets docs.installed/
%if %with_publican
%if %{with_publican}
mv %{buildroot}%{_datadir}/systemtap/SystemTap_Beginners_Guide docs.installed/
%endif
%endif
@ -204,8 +198,8 @@ exit 0
%pre server
getent passwd stap-server >/dev/null || \
/usr/sbin/useradd -c "Systemtap Compile Server" -u 155 -g stap-server -d %{_localstatedir}/lib/stap-server -m -r -s /sbin/nologin stap-server || \
/usr/sbin/useradd -c "Systemtap Compile Server" -g stap-server -d %{_localstatedir}/lib/stap-server -m -r -s /sbin/nologin stap-server
%{_sbindir}/useradd -c "Systemtap Compile Server" -u 155 -g stap-server -d %{_localstatedir}/lib/stap-server -m -r -s /sbin/nologin stap-server || \
%{_sbindir}/useradd -c "Systemtap Compile Server" -g stap-server -d %{_localstatedir}/lib/stap-server -m -r -s /sbin/nologin stap-server
test -e ~stap-server && chmod 755 ~stap-server
exit 0
@ -273,6 +267,7 @@ fi
%files -f %{name}.lang
%defattr(-,root,root)
%doc AUTHORS
%license COPYING
%{_bindir}/stap
%{_bindir}/stap-merge
@ -293,15 +288,16 @@ fi
%{_datadir}/systemtap/runtime/linux/uprobes/*
%dir %{_datadir}/systemtap/runtime/linux/uprobes2
%{_datadir}/systemtap/runtime/linux/uprobes2/*
%{_datadir}/systemtap/runtime/softfloat/*.h
%{_datadir}/systemtap/tapset
%{_mandir}/man1
%{_mandir}/man3/stap*.3stap*
%{_mandir}/man7/warning::buildid.7stap.gz
%{_mandir}/man7/warning::symbols.7stap*
%{_mandir}/man7/stappaths.7*
%{_mandir}/man8/stapsh.8*
%{_mandir}/man8/systemtap.8*
%{_mandir}/man8/stapbpf.8*
%doc AUTHORS COPYING
%{_bindir}/dtrace
%files initscript
@ -317,15 +313,13 @@ fi
%files python
%defattr(-,root,root)
%{python3_sitelib}/*
%{_libexecdir}/systemtap/python/stap-resolve-module-function.py
%files runtime
%defattr(-,root,root)
%attr(4111,root,root) %{_bindir}/staprun
%{_libexecdir}/systemtap/stapio
%{_libexecdir}/systemtap/stap-env
%{_libexecdir}/systemtap/stap-authorize-cert
%if %with_crash
%if %{with_crash}
%{_libdir}/systemtap/staplog.so*
%endif
%{_mandir}/man8/staprun.8*
@ -358,6 +352,9 @@ fi
%{_mandir}/man8/systemtap-service.8*
%changelog
* Fri Jan 14 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 4.5-1
- Update to version 4.5.
* Thu Dec 16 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.1-9
- Removing the explicit %%clean stage.
@ -376,52 +373,76 @@ fi
* Tue Apr 28 2020 Emre Girgin <mrgirgin@microsoft.com> 4.1-4
- Renaming linux to kernel
* Fri Apr 17 2020 Emre Girgin <mrgirgin@microsoft.com> 4.1-3
- Rename shadow to shadow-utils.
* Thu Apr 09 2020 Nicolas Ontiveros <niontive@microsoft.com> 4.1-2
- Remove toybox and only use coreutils for requires.
* Wed Mar 18 2020 Henry Beberman <henry.beberman@microsoft.com> 4.1-1
- Update to 4.1. License verified.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 4.0-3
- Initial CBL-Mariner import from Photon (license: Apache2).
* Thu Jan 10 2019 Alexey Makhalov <amakhalov@vmware.com> 4.0-2
- Added BuildRequires python2-devel
* Tue Dec 04 2018 Keerthana K <keerthanak@vmware.com> 4.0-1
- Updated to version 4.0
* Mon Sep 10 2018 Keerthana K <keerthanak@vmware.com> 3.3-1
- Updated to version 3.3
* Tue Jan 23 2018 Divya Thaluru <dthaluru@vmware.com> 3.2-1
- Updated to version 3.2
* Thu Dec 28 2017 Divya Thaluru <dthaluru@vmware.com> 3.1-5
- Fixed the log file directory structure
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 3.1-4
- Remove shadow from requires and use explicit tools for post actions
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 3.1-3
- Requires coreutils or toybox
* Thu Aug 10 2017 Alexey Makhalov <amakhalov@vmware.com> 3.1-2
- systemtap-sdt-devel requires systemtap
* Tue Apr 11 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.1-1
- Update to version 3.1
* Mon Nov 21 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.0-4
- add shadow to requires
* Wed Nov 16 2016 Alexey Makhalov <amakhalov@vmware.com> 3.0-3
- Use sqlite-{devel,libs}
* Tue Oct 04 2016 ChangLee <changlee@vmware.com> 3.0-2
- Modified %check
* Fri Jul 22 2016 Divya Thaluru <dthaluru@vmware.com> 3.0-1
- Updated version to 3.0
- Removing patch to enable kernel (fix is present in upstream)
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.9-5
- GA - Bump release of all rpms
* Mon May 23 2016 Harish Udaiya KUmar <hudaiyakumar@vmware.com> 2.9-4
- Added the patch to enable kernel building with Kernel 4.4
* Fri May 20 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 2.9-3
- Fixed the stap-prep script to be compatible with Photon
* Wed May 4 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.9-2
- Fix for upgrade issues
* Wed Dec 16 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 2.9-1
- Updated version to 2.9
* Fri Dec 11 2015 Xiaolin Li <xiaolinl@vmware.com> 2.7-2
- Move dtrace to the main package.
* Wed Nov 18 2015 Anish Swaminathan <anishs@vmware.com> 2.7-1
- Initial build. First version

947
SPECS/unbound/CVE-2020-12662.patch
View File

@ -1,947 +0,0 @@
diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c
index f88b3e11..9a672b0a 100644
--- a/iterator/iter_delegpt.c
+++ b/iterator/iter_delegpt.c
@@ -84,7 +84,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
}
for(a = dp->target_list; a; a = a->next_target) {
if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
- a->bogus, a->lame, a->tls_auth_name))
+ a->bogus, a->lame, a->tls_auth_name, NULL))
return NULL;
}
return copy;
@@ -161,7 +161,7 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
int
delegpt_add_target(struct delegpt* dp, struct regional* region,
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
- socklen_t addrlen, uint8_t bogus, uint8_t lame)
+ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
{
struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
log_assert(!dp->dp_type_mlc);
@@ -176,13 +176,14 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
if(ns->got4 && ns->got6)
ns->resolved = 1;
}
- return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL);
+ return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL,
+ additions);
}
int
delegpt_add_addr(struct delegpt* dp, struct regional* region,
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
- uint8_t lame, char* tls_auth_name)
+ uint8_t lame, char* tls_auth_name, int* additions)
{
struct delegpt_addr* a;
log_assert(!dp->dp_type_mlc);
@@ -194,6 +195,8 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
a->lame = 0;
return 1;
}
+ if(additions)
+ *additions = 1;
a = (struct delegpt_addr*)regional_alloc(region,
sizeof(struct delegpt_addr));
@@ -382,10 +385,10 @@ delegpt_from_message(struct dns_msg* msg, struct regional* region)
continue;
if(ntohs(s->rk.type) == LDNS_RR_TYPE_A) {
- if(!delegpt_add_rrset_A(dp, region, s, 0))
+ if(!delegpt_add_rrset_A(dp, region, s, 0, NULL))
return NULL;
} else if(ntohs(s->rk.type) == LDNS_RR_TYPE_AAAA) {
- if(!delegpt_add_rrset_AAAA(dp, region, s, 0))
+ if(!delegpt_add_rrset_AAAA(dp, region, s, 0, NULL))
return NULL;
}
}
@@ -416,7 +419,7 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
int
delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
- struct ub_packed_rrset_key* ak, uint8_t lame)
+ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
{
struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
size_t i;
@@ -432,7 +435,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
memmove(&sa.sin_addr, d->rr_data[i]+2, INET_SIZE);
if(!delegpt_add_target(dp, region, ak->rk.dname,
ak->rk.dname_len, (struct sockaddr_storage*)&sa,
- len, (d->security==sec_status_bogus), lame))
+ len, (d->security==sec_status_bogus), lame, additions))
return 0;
}
return 1;
@@ -440,7 +443,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
int
delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
- struct ub_packed_rrset_key* ak, uint8_t lame)
+ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
{
struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
size_t i;
@@ -456,7 +459,7 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
memmove(&sa.sin6_addr, d->rr_data[i]+2, INET6_SIZE);
if(!delegpt_add_target(dp, region, ak->rk.dname,
ak->rk.dname_len, (struct sockaddr_storage*)&sa,
- len, (d->security==sec_status_bogus), lame))
+ len, (d->security==sec_status_bogus), lame, additions))
return 0;
}
return 1;
@@ -464,20 +467,33 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
int
delegpt_add_rrset(struct delegpt* dp, struct regional* region,
- struct ub_packed_rrset_key* rrset, uint8_t lame)
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions)
{
if(!rrset)
return 1;
if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_NS)
return delegpt_rrset_add_ns(dp, region, rrset, lame);
else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A)
- return delegpt_add_rrset_A(dp, region, rrset, lame);
+ return delegpt_add_rrset_A(dp, region, rrset, lame, additions);
else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA)
- return delegpt_add_rrset_AAAA(dp, region, rrset, lame);
+ return delegpt_add_rrset_AAAA(dp, region, rrset, lame,
+ additions);
log_warn("Unknown rrset type added to delegpt");
return 1;
}
+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype)
+{
+ if(ns) {
+ if(qtype == LDNS_RR_TYPE_A)
+ ns->got4 = 2;
+ else if(qtype == LDNS_RR_TYPE_AAAA)
+ ns->got6 = 2;
+ if(ns->got4 && ns->got6)
+ ns->resolved = 1;
+ }
+}
+
void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
{
struct reply_info* rep = (struct reply_info*)msg->entry.data;
@@ -487,14 +503,7 @@ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
if(FLAGS_GET_RCODE(rep->flags) != 0 || rep->an_numrrsets == 0) {
struct delegpt_ns* ns = delegpt_find_ns(dp, msg->key.qname,
msg->key.qname_len);
- if(ns) {
- if(msg->key.qtype == LDNS_RR_TYPE_A)
- ns->got4 = 1;
- else if(msg->key.qtype == LDNS_RR_TYPE_AAAA)
- ns->got6 = 1;
- if(ns->got4 && ns->got6)
- ns->resolved = 1;
- }
+ delegpt_mark_neg(ns, msg->key.qtype);
}
}
diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
index 6c088264..138eb6e1 100644
--- a/iterator/iter_delegpt.h
+++ b/iterator/iter_delegpt.h
@@ -106,9 +106,10 @@ struct delegpt_ns {
* and marked true if got4 and got6 are both true.
*/
int resolved;
- /** if the ipv4 address is in the delegpt */
+ /** if the ipv4 address is in the delegpt, 0=not, 1=yes 2=negative,
+ * negative means it was done, but no content. */
uint8_t got4;
- /** if the ipv6 address is in the delegpt */
+ /** if the ipv6 address is in the delegpt, 0=not, 1=yes 2=negative */
uint8_t got6;
/**
* If the name is parent-side only and thus dispreferred.
@@ -215,11 +216,12 @@ int delegpt_rrset_add_ns(struct delegpt* dp, struct regional* regional,
* @param addrlen: the length of addr.
* @param bogus: security status for the address, pass true if bogus.
* @param lame: address is lame.
+ * @param additions: will be set to 1 if a new address is added
* @return false on error.
*/
int delegpt_add_target(struct delegpt* dp, struct regional* regional,
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
- socklen_t addrlen, uint8_t bogus, uint8_t lame);
+ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions);
/**
* Add A RRset to delegpt.
@@ -227,10 +229,11 @@ int delegpt_add_target(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param rrset: RRset A to add.
* @param lame: rrset is lame, disprefer it.
+ * @param additions: will be set to 1 if a new address is added
* @return 0 on alloc error.
*/
int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
- struct ub_packed_rrset_key* rrset, uint8_t lame);
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
/**
* Add AAAA RRset to delegpt.
@@ -238,10 +241,11 @@ int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param rrset: RRset AAAA to add.
* @param lame: rrset is lame, disprefer it.
+ * @param additions: will be set to 1 if a new address is added
* @return 0 on alloc error.
*/
int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
- struct ub_packed_rrset_key* rrset, uint8_t lame);
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
/**
* Add any RRset to delegpt.
@@ -250,10 +254,11 @@ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
* @param regional: where to allocate the info.
* @param rrset: RRset to add, NS, A, AAAA.
* @param lame: rrset is lame, disprefer it.
+ * @param additions: will be set to 1 if a new address is added
* @return 0 on alloc error.
*/
int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
- struct ub_packed_rrset_key* rrset, uint8_t lame);
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
/**
* Add address to the delegation point. No servername is associated or checked.
@@ -264,11 +269,12 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
* @param bogus: if address is bogus.
* @param lame: if address is lame.
* @param tls_auth_name: TLS authentication name (or NULL).
+ * @param additions: will be set to 1 if a new address is added
* @return false on error.
*/
int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
struct sockaddr_storage* addr, socklen_t addrlen,
- uint8_t bogus, uint8_t lame, char* tls_auth_name);
+ uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions);
/**
* Find NS record in name list of delegation point.
@@ -341,6 +347,14 @@ size_t delegpt_count_targets(struct delegpt* dp);
struct delegpt* delegpt_from_message(struct dns_msg* msg,
struct regional* regional);
+/**
+ * Mark negative return in delegation point for specific nameserver.
+ * sets the got4 or got6 to negative, updates the ns->resolved.
+ * @param ns: the nameserver in the delegpt.
+ * @param qtype: A or AAAA (host order).
+ */
+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype);
+
/**
* Add negative message to delegation point.
* @param dp: delegation point.
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index cceec3d5..aae934dd 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -185,8 +185,9 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
/** Get target name of a CNAME */
static int
parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
- size_t* snamelen)
+ size_t* snamelen, sldns_buffer* pkt)
{
+ size_t oldpos, dlen;
if(rrset->rr_count != 1) {
struct rr_parse* sig;
verbose(VERB_ALGO, "Found CNAME rrset with "
@@ -204,6 +205,19 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
*sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
+ sizeof(uint16_t); /* skip ttl, rdatalen */
*snamelen = rrset->rr_first->size - sizeof(uint16_t);
+
+ if(rrset->rr_first->outside_packet) {
+ if(!dname_valid(*sname, *snamelen))
+ return 0;
+ return 1;
+ }
+ oldpos = sldns_buffer_position(pkt);
+ sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
+ dlen = pkt_dname_len(pkt);
+ sldns_buffer_set_position(pkt, oldpos);
+ if(dlen == 0)
+ return 0; /* parse fail on the rdata name */
+ *snamelen = dlen;
return 1;
}
@@ -215,7 +229,7 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
/* we already know that sname is a strict subdomain of DNAME owner */
uint8_t* dtarg = NULL;
size_t dtarglen;
- if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
+ if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
return 0;
if(qnamelen <= dname_rrset->dname_len)
return 0;
@@ -388,7 +402,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
/* check next cname */
uint8_t* t = NULL;
size_t tlen = 0;
- if(!parse_get_cname_target(nx, &t, &tlen))
+ if(!parse_get_cname_target(nx, &t, &tlen, pkt))
return 0;
if(dname_pkt_compare(pkt, alias, t) == 0) {
/* it's OK and better capitalized */
@@ -439,7 +453,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
size_t tlen = 0;
if(synth_cname(sname, snamelen, nx, alias,
&aliaslen, pkt) &&
- parse_get_cname_target(rrset, &t, &tlen) &&
+ parse_get_cname_target(rrset, &t, &tlen, pkt) &&
dname_pkt_compare(pkt, alias, t) == 0) {
/* the synthesized CNAME equals the
* current CNAME. This CNAME is the
@@ -460,7 +474,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
}
/* move to next name in CNAME chain */
- if(!parse_get_cname_target(rrset, &sname, &snamelen))
+ if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
return 0;
prev = rrset;
rrset = rrset->rrset_all_next;
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 2ab55ceb..3c14de86 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -1142,7 +1142,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
log_rrset_key(VERB_ALGO, "found parent-side", akey);
ns->done_pside4 = 1;
/* a negative-cache-element has no addresses it adds */
- if(!delegpt_add_rrset_A(dp, region, akey, 1))
+ if(!delegpt_add_rrset_A(dp, region, akey, 1, NULL))
log_err("malloc failure in lookup_parent_glue");
lock_rw_unlock(&akey->entry.lock);
}
@@ -1154,7 +1154,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
log_rrset_key(VERB_ALGO, "found parent-side", akey);
ns->done_pside6 = 1;
/* a negative-cache-element has no addresses it adds */
- if(!delegpt_add_rrset_AAAA(dp, region, akey, 1))
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, 1, NULL))
log_err("malloc failure in lookup_parent_glue");
lock_rw_unlock(&akey->entry.lock);
}
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 1e0113a8..9d36660c 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -72,6 +72,8 @@
/* in msec */
int UNKNOWN_SERVER_NICENESS = 376;
+static void target_count_increase_nx(struct iter_qstate* iq, int num);
+
int
iter_init(struct module_env* env, int id)
{
@@ -150,6 +152,7 @@ iter_new(struct module_qstate* qstate, int id)
iq->sent_count = 0;
iq->ratelimit_ok = 0;
iq->target_count = NULL;
+ iq->dp_target_count = 0;
iq->wait_priming_stub = 0;
iq->refetch_glue = 0;
iq->dnssec_expected = 0;
@@ -221,6 +224,7 @@ final_state(struct iter_qstate* iq)
static void
error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
@@ -246,7 +250,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
super->region, super_iq->dp))
log_err("out of memory adding missing");
}
+ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
dpns->resolved = 1; /* mark as failed */
+ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
+ (dpns->got6 == 2 || !ie->supports_ipv6))
+ target_count_increase_nx(super_iq, 1);
}
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
/* prime failed to get delegation */
@@ -621,7 +629,7 @@ static void
target_count_create(struct iter_qstate* iq)
{
if(!iq->target_count) {
- iq->target_count = (int*)calloc(2, sizeof(int));
+ iq->target_count = (int*)calloc(3, sizeof(int));
/* if calloc fails we simply do not track this number */
if(iq->target_count)
iq->target_count[0] = 1;
@@ -634,6 +642,15 @@ target_count_increase(struct iter_qstate* iq, int num)
target_count_create(iq);
if(iq->target_count)
iq->target_count[1] += num;
+ iq->dp_target_count++;
+}
+
+static void
+target_count_increase_nx(struct iter_qstate* iq, int num)
+{
+ target_count_create(iq);
+ if(iq->target_count)
+ iq->target_count[2] += num;
}
/**
@@ -656,13 +673,15 @@ target_count_increase(struct iter_qstate* iq, int num)
* @param subq_ret: if newly allocated, the subquerystate, or NULL if it does
* not need initialisation.
* @param v: if true, validation is done on the subquery.
+ * @param detached: true if this qstate should not attach to the subquery
* @return false on error (malloc).
*/
static int
generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
uint16_t qclass, struct module_qstate* qstate, int id,
struct iter_qstate* iq, enum iter_state initial_state,
- enum iter_state finalstate, struct module_qstate** subq_ret, int v)
+ enum iter_state finalstate, struct module_qstate** subq_ret, int v,
+ int detached)
{
struct module_qstate* subq = NULL;
struct iter_qstate* subiq = NULL;
@@ -689,11 +708,23 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
valrec = 1;
}
- /* attach subquery, lookup existing or make a new one */
- fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
- if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
- &subq)) {
- return 0;
+ if(detached) {
+ struct mesh_state* sub = NULL;
+ fptr_ok(fptr_whitelist_modenv_add_sub(
+ qstate->env->add_sub));
+ if(!(*qstate->env->add_sub)(qstate, &qinf,
+ qflags, prime, valrec, &subq, &sub)){
+ return 0;
+ }
+ }
+ else {
+ /* attach subquery, lookup existing or make a new one */
+ fptr_ok(fptr_whitelist_modenv_attach_sub(
+ qstate->env->attach_sub));
+ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime,
+ valrec, &subq)) {
+ return 0;
+ }
}
*subq_ret = subq;
if(subq) {
@@ -716,6 +747,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
subiq->target_count = iq->target_count;
if(iq->target_count)
iq->target_count[0] ++; /* extra reference */
+ subiq->dp_target_count = 0;
subiq->num_current_queries = 0;
subiq->depth = iq->depth+1;
outbound_list_init(&subiq->outlist);
@@ -759,7 +791,7 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq, int id,
* the normal INIT state logic (which would cause an infloop). */
if(!generate_sub_request((uint8_t*)"\000", 1, LDNS_RR_TYPE_NS,
qclass, qstate, id, iq, QUERYTARGETS_STATE, PRIME_RESP_STATE,
- &subq, 0)) {
+ &subq, 0, 0)) {
verbose(VERB_ALGO, "could not prime root");
return 0;
}
@@ -850,7 +882,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
* redundant INIT state processing. */
if(!generate_sub_request(stub_dp->name, stub_dp->namelen,
LDNS_RR_TYPE_NS, qclass, qstate, id, iq,
- QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0)) {
+ QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0, 0)) {
verbose(VERB_ALGO, "could not prime stub");
errinf(qstate, "could not generate lookup for stub prime");
(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
@@ -1025,7 +1057,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
ntohs(s->rk.type), ntohs(s->rk.rrset_class),
qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
verbose(VERB_ALGO, "could not generate addr check");
return;
}
@@ -1069,7 +1101,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
verbose(VERB_ALGO, "could not generate ns check");
return;
}
@@ -1126,7 +1158,7 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
iq->dp->name, LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
/* we'll be slower, but it'll work */
verbose(VERB_ALGO, "could not generate dnskey prefetch");
return;
@@ -1315,6 +1347,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
iq->refetch_glue = 0;
iq->query_restart_count++;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
@@ -1693,7 +1726,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
{
struct module_qstate* subq;
if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
+ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
return 0;
if(subq) {
struct iter_qstate* subiq =
@@ -1744,7 +1777,7 @@ generate_target_query(struct module_qstate* qstate, struct iter_qstate* iq,
{
struct module_qstate* subq;
if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
+ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
return 0;
log_nametypeclass(VERB_QUERY, "new target", name, qtype, qclass);
return 1;
@@ -1783,6 +1816,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
"number of glue fetches %d", s, iq->target_count[1]);
return 0;
}
+ if(iq->dp_target_count > MAX_DP_TARGET_COUNT) {
+ char s[LDNS_MAX_DOMAINLEN+1];
+ dname_str(qstate->qinfo.qname, s);
+ verbose(VERB_QUERY, "request %s has exceeded the maximum "
+ "number of glue fetches %d to a single delegation point",
+ s, iq->dp_target_count);
+ return 0;
+ }
iter_mark_cycle_targets(qstate, iq->dp);
missing = (int)delegpt_count_missing_targets(iq->dp);
@@ -1896,7 +1937,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
for(a = p->target_list; a; a=a->next_target) {
(void)delegpt_add_addr(iq->dp, qstate->region,
&a->addr, a->addrlen, a->bogus,
- a->lame, a->tls_auth_name);
+ a->lame, a->tls_auth_name, NULL);
}
}
iq->dp->has_parent_side_NS = 1;
@@ -1913,6 +1954,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
iq->refetch_glue = 1;
iq->query_restart_count++;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
if(qstate->env->cfg->qname_minimisation)
iq->minimisation_state = INIT_MINIMISE_STATE;
return next_state(iq, INIT_REQUEST_STATE);
@@ -2078,7 +2120,7 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
iq->dsns_point, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dsns_point, iq->dsns_point_len,
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
errinf_dname(qstate, "for DS query parent-child nameserver search, could not generate NS lookup for", iq->dsns_point);
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
}
@@ -2136,6 +2178,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
errinf(qstate, "exceeded the maximum number of sends");
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
}
+ if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) {
+ verbose(VERB_QUERY, "request has exceeded the maximum "
+ " number of nxdomain nameserver lookups with %d",
+ iq->target_count[2]);
+ errinf(qstate, "exceeded the maximum nameserver nxdomains");
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
/* Make sure we have a delegation point, otherwise priming failed
* or another failure occurred */
@@ -2240,12 +2289,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
qstate->query_flags, qstate->region,
qstate->env->scratch, 0);
- if(msg && msg->rep->an_numrrsets == 0
- && FLAGS_GET_RCODE(msg->rep->flags) ==
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
LDNS_RCODE_NOERROR)
/* no need to send query if it is already
- * cached as NOERROR/NODATA */
+ * cached as NOERROR */
return 1;
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NXDOMAIN &&
+ qstate->env->need_to_validate &&
+ qstate->env->cfg->harden_below_nxdomain) {
+ if(msg->rep->security == sec_status_secure) {
+ iq->response = msg;
+ return final_state(iq);
+ }
+ if(msg->rep->security == sec_status_unchecked) {
+ struct module_qstate* subq = NULL;
+ if(!generate_sub_request(
+ iq->qinfo_out.qname,
+ iq->qinfo_out.qname_len,
+ iq->qinfo_out.qtype,
+ iq->qinfo_out.qclass,
+ qstate, id, iq,
+ INIT_REQUEST_STATE,
+ FINISHED_STATE, &subq, 1, 1))
+ verbose(VERB_ALGO,
+ "could not validate NXDOMAIN "
+ "response");
+ }
+ }
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NXDOMAIN) {
+ /* return and add a label in the next
+ * minimisation iteration.
+ */
+ return 1;
+ }
}
}
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
@@ -2321,6 +2399,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
* generated query will immediately be discarded due to depth and
* that servfail is cached, which is not good as opportunism goes. */
if(iq->depth < ie->max_dependency_depth
+ && iq->num_target_queries == 0
+ && (!iq->target_count || iq->target_count[2]==0)
&& iq->sent_count < TARGET_FETCH_STOP) {
tf_policy = ie->target_fetch_policy[iq->depth];
}
@@ -2366,6 +2446,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries++; /* RespState decrements it*/
iq->referral_count++; /* make sure we don't loop */
iq->sent_count = 0;
+ iq->dp_target_count = 0;
iq->state = QUERY_RESP_STATE;
return 1;
}
@@ -2453,6 +2534,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
iq->num_current_queries++; /* RespState decrements it*/
iq->referral_count++; /* make sure we don't loop */
iq->sent_count = 0;
+ iq->dp_target_count = 0;
iq->state = QUERY_RESP_STATE;
return 1;
}
@@ -2747,7 +2829,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Make subrequest to validate intermediate
* NXDOMAIN if harden-below-nxdomain is
* enabled. */
- if(qstate->env->cfg->harden_below_nxdomain) {
+ if(qstate->env->cfg->harden_below_nxdomain &&
+ qstate->env->need_to_validate) {
struct module_qstate* subq = NULL;
log_query_info(VERB_QUERY,
"schedule NXDOMAIN validation:",
@@ -2759,16 +2842,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->response->qinfo.qclass,
qstate, id, iq,
INIT_REQUEST_STATE,
- FINISHED_STATE, &subq, 1))
+ FINISHED_STATE, &subq, 1, 1))
verbose(VERB_ALGO,
"could not validate NXDOMAIN "
"response");
- outbound_list_clear(&iq->outlist);
- iq->num_current_queries = 0;
- fptr_ok(fptr_whitelist_modenv_detach_subs(
- qstate->env->detach_subs));
- (*qstate->env->detach_subs)(qstate);
- iq->num_target_queries = 0;
}
}
return next_state(iq, QUERYTARGETS_STATE);
@@ -2852,6 +2929,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
/* Count this as a referral. */
iq->referral_count++;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
/* see if the next dp is a trust anchor, or a DS was sent
* along, indicating dnssec is expected for next zone */
iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
@@ -2928,6 +3006,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dsns_point = NULL;
iq->auth_zone_response = 0;
iq->sent_count = 0;
+ iq->dp_target_count = 0;
if(iq->minimisation_state != MINIMISE_STATE)
/* Only count as query restart when it is not an extra
* query as result of qname minimisation. */
@@ -3120,7 +3199,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
if(!generate_sub_request(qstate->qinfo.qname,
qstate->qinfo.qname_len, qstate->qinfo.qtype,
qstate->qinfo.qclass, qstate, id, iq,
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
verbose(VERB_ALGO, "could not generate prime check");
}
generate_a_aaaa_check(qstate, iq, id);
@@ -3148,6 +3227,7 @@ static void
processTargetResponse(struct module_qstate* qstate, int id,
struct module_qstate* forq)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id];
struct ub_packed_rrset_key* rrset;
@@ -3185,7 +3265,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
log_rrset_key(VERB_ALGO, "add parentside glue to dp",
iq->pside_glue);
if(!delegpt_add_rrset(foriq->dp, forq->region,
- iq->pside_glue, 1))
+ iq->pside_glue, 1, NULL))
log_err("out of memory adding pside glue");
}
@@ -3196,6 +3276,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
* response type was ANSWER. */
rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
if(rrset) {
+ int additions = 0;
/* if CNAMEs have been followed - add new NS to delegpt. */
/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
@@ -3207,13 +3288,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
}
/* if dpns->lame then set the address(es) lame too */
if(!delegpt_add_rrset(foriq->dp, forq->region, rrset,
- dpns->lame))
+ dpns->lame, &additions))
log_err("out of memory adding targets");
+ if(!additions) {
+ /* no new addresses, increase the nxns counter, like
+ * this could be a list of wildcards with no new
+ * addresses */
+ target_count_increase_nx(foriq, 1);
+ }
verbose(VERB_ALGO, "added target response");
delegpt_log(VERB_ALGO, foriq->dp);
} else {
verbose(VERB_ALGO, "iterator TargetResponse failed");
+ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
dpns->resolved = 1; /* fail the target */
+ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
+ (dpns->got6 == 2 || !ie->supports_ipv6))
+ target_count_increase_nx(foriq, 1);
}
}
@@ -3387,7 +3478,7 @@ processCollectClass(struct module_qstate* qstate, int id)
qstate->qinfo.qname_len, qstate->qinfo.qtype,
c, qstate, id, iq, INIT_REQUEST_STATE,
FINISHED_STATE, &subq,
- (int)!(qstate->query_flags&BIT_CD))) {
+ (int)!(qstate->query_flags&BIT_CD), 0)) {
errinf(qstate, "could not generate class ANY"
" lookup query");
return error_response(qstate, id,
diff --git a/iterator/iterator.h b/iterator/iterator.h
index a2f1b570..53dcab3b 100644
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@@ -55,6 +55,11 @@ struct rbtree_type;
/** max number of targets spawned for a query and its subqueries */
#define MAX_TARGET_COUNT 64
+/** max number of target lookups per qstate, per delegation point */
+#define MAX_DP_TARGET_COUNT 16
+/** max number of nxdomains allowed for target lookups for a query and
+ * its subqueries */
+#define MAX_TARGET_NX 5
/** max number of query restarts. Determines max number of CNAME chain. */
#define MAX_RESTART_COUNT 8
/** max number of referrals. Makes sure resolver does not run away */
@@ -305,9 +310,14 @@ struct iter_qstate {
int sent_count;
/** number of target queries spawned in [1], for this query and its
- * subqueries, the malloced-array is shared, [0] refcount. */
+ * subqueries, the malloced-array is shared, [0] refcount.
+ * in [2] the number of nxdomains is counted. */
int* target_count;
+ /** number of target lookups per delegation point. Reset to 0 after
+ * receiving referral answer. Not shared with subqueries. */
+ int dp_target_count;
+
/** if true, already tested for ratelimiting and passed the test */
int ratelimit_ok;
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 2a5bca4a..7b6e142c 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -273,7 +273,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_A(dp, region, akey, 0)) {
+ if(!delegpt_add_rrset_A(dp, region, akey, 0, NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
@@ -293,7 +293,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_AAAA(dp, region, akey, 0)) {
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, 0, NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
@@ -327,7 +327,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_A(dp, region, akey, ns->lame)) {
+ if(!delegpt_add_rrset_A(dp, region, akey, ns->lame,
+ NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
@@ -347,7 +348,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
if(akey) {
- if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame)) {
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame,
+ NULL)) {
lock_rw_unlock(&akey->entry.lock);
return 0;
}
diff --git a/util/data/dname.c b/util/data/dname.c
index c8f09ddb..76b2ec7d 100644
--- a/util/data/dname.c
+++ b/util/data/dname.c
@@ -233,17 +233,28 @@ int
dname_pkt_compare(sldns_buffer* pkt, uint8_t* d1, uint8_t* d2)
{
uint8_t len1, len2;
+ int count1 = 0, count2 = 0;
log_assert(pkt && d1 && d2);
len1 = *d1++;
len2 = *d2++;
while( len1 != 0 || len2 != 0 ) {
/* resolve ptrs */
if(LABEL_IS_PTR(len1)) {
+ if((size_t)PTR_OFFSET(len1, *d1)
+ >= sldns_buffer_limit(pkt))
+ return -1;
+ if(count1++ > MAX_COMPRESS_PTRS)
+ return -1;
d1 = sldns_buffer_at(pkt, PTR_OFFSET(len1, *d1));
len1 = *d1++;
continue;
}
if(LABEL_IS_PTR(len2)) {
+ if((size_t)PTR_OFFSET(len2, *d2)
+ >= sldns_buffer_limit(pkt))
+ return 1;
+ if(count2++ > MAX_COMPRESS_PTRS)
+ return 1;
d2 = sldns_buffer_at(pkt, PTR_OFFSET(len2, *d2));
len2 = *d2++;
continue;
@@ -302,12 +313,18 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
uint8_t labuf[LDNS_MAX_LABELLEN+1];
uint8_t lablen;
int i;
+ int count = 0;
/* preserve case of query, make hash label by label */
lablen = *dname++;
while(lablen) {
if(LABEL_IS_PTR(lablen)) {
/* follow pointer */
+ if((size_t)PTR_OFFSET(lablen, *dname)
+ >= sldns_buffer_limit(pkt))
+ return h;
+ if(count++ > MAX_COMPRESS_PTRS)
+ return h;
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
lablen = *dname++;
continue;
@@ -341,6 +358,9 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
return;
}
/* follow pointer */
+ if((size_t)PTR_OFFSET(lablen, *dname)
+ >= sldns_buffer_limit(pkt))
+ return;
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
lablen = *dname++;
continue;
@@ -369,6 +389,7 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
{
uint8_t lablen;
+ int count = 0;
if(!out) out = stdout;
if(!dname) return;
@@ -382,6 +403,15 @@ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
fputs("??compressionptr??", out);
return;
}
+ if((size_t)PTR_OFFSET(lablen, *dname)
+ >= sldns_buffer_limit(pkt)) {
+ fputs("??compressionptr??", out);
+ return;
+ }
+ if(count++ > MAX_COMPRESS_PTRS) {
+ fputs("??compressionptr??", out);
+ return;
+ }
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
lablen = *dname++;
continue;
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index fb312370..7c32618a 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -55,7 +55,11 @@ smart_compare(sldns_buffer* pkt, uint8_t* dnow,
{
if(LABEL_IS_PTR(*dnow)) {
/* ptr points to a previous dname */
- uint8_t* p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
+ uint8_t* p;
+ if((size_t)PTR_OFFSET(dnow[0], dnow[1])
+ >= sldns_buffer_limit(pkt))
+ return -1;
+ p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
if( p == dprfirst || p == dprlast )
return 0;
/* prev dname is also a ptr, both ptrs are the same. */

0
SPECS/unbound/CVE-2020-12663.nopatch
View File

83
SPECS/unbound/CVE-2020-28935.patch
View File

@ -1,83 +0,0 @@
diff --git a/daemon/unbound.c b/daemon/unbound.c
index cd0fd69..bc6d2bc 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -337,22 +337,44 @@ readpid (const char* file)
/** write pid to file.
* @param pidfile: file name of pid file.
* @param pid: pid to write to file.
+ * @return false on failure
*/
-static void
+static int
writepid (const char* pidfile, pid_t pid)
{
- FILE* f;
+ int fd;
+ char pidbuf[32];
+ size_t count = 0;
+ snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);
- if ((f = fopen(pidfile, "w")) == NULL ) {
+ if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
+#ifdef O_NOFOLLOW
+ | O_NOFOLLOW
+#endif
+ , 0644)) == -1) {
log_err("cannot open pidfile %s: %s",
pidfile, strerror(errno));
- return;
+ return 0;
}
- if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
- log_err("cannot write to pidfile %s: %s",
- pidfile, strerror(errno));
+ while(count < strlen(pidbuf)) {
+ ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
+ if(r == -1) {
+ if(errno == EAGAIN || errno == EINTR)
+ continue;
+ log_err("cannot write to pidfile %s: %s",
+ pidfile, strerror(errno));
+ close(fd);
+ return 0;
+ } else if(r == 0) {
+ log_err("cannot write any bytes to pidfile %s: "
+ "write returns 0 bytes written", pidfile);
+ close(fd);
+ return 0;
+ }
+ count += r;
}
- fclose(f);
+ close(fd);
+ return 1;
}
/**
@@ -506,16 +528,17 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* write new pidfile (while still root, so can be outside chroot) */
#ifdef HAVE_KILL
if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
- writepid(daemon->pidfile, getpid());
- if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
- pidinchroot) {
+ if(writepid(daemon->pidfile, getpid())) {
+ if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
+ pidinchroot) {
# ifdef HAVE_CHOWN
- if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
- verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
- (unsigned)cfg_uid, (unsigned)cfg_gid,
- daemon->pidfile, strerror(errno));
- }
+ if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
+ verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
+ (unsigned)cfg_uid, (unsigned)cfg_gid,
+ daemon->pidfile, strerror(errno));
+ }
# endif /* HAVE_CHOWN */
+ }
}
}
#else

2
SPECS/unbound/unbound.signatures.json
View File

@ -1,6 +1,6 @@
{
"Signatures": {
"unbound-release-1.10.0.tar.gz": "f6107a5019ec920f827603ad51550d7024fd03b8274582945addab4a95a90579",
"unbound-release-1.13.2.tar.gz": "110d63dc7c4ad08dbad22af581ac26bf1a4f1778461c1708a4b382ec234ce872",
"unbound.service": "563389e2bf92e13541d68c7bcac6bc6635931aa86509d45393864d24aacc7147"
}
}

11
SPECS/unbound/unbound.spec
View File

@ -1,7 +1,7 @@
Summary: unbound dns server
Name: unbound
Version: 1.10.0
Release: 5%{?dist}
Version: 1.13.2
Release: 1%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
@ -10,10 +10,6 @@ URL: https://nlnetlabs.nl/projects/unbound/about/
#Source0: https://github.com/NLnetLabs/%{name}/archive/release-%{version}.tar.gz
Source0: %{name}-release-%{version}.tar.gz
Source1: %{name}.service
# CVE-2020-12662.patch also fixes CVE-2020-12663
Patch0: CVE-2020-12662.patch
Patch1: CVE-2020-12663.nopatch
Patch2: CVE-2020-28935.patch
BuildRequires: expat-devel
BuildRequires: python3-devel
BuildRequires: swig
@ -98,6 +94,9 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
%{_mandir}/*
%changelog
* Fri Jan 14 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 1.13.2-1
- Update to version 1.13.2.
* Fri Jul 23 2021 Thomas Crain <thcrain@microsoft.com> - 1.10.0-5
- Add provides for libs subpackage from base package
- Add python3 modules subpackage

16
cgmanifest.json
View File

@ -27717,8 +27717,8 @@
"type": "other",
"other": {
"name": "subversion",
"version": "1.14.0",
"downloadUrl": "https://archive.apache.org/dist/subversion/subversion-1.14.0.tar.bz2"
"version": "1.14.1",
"downloadUrl": "https://archive.apache.org/dist/subversion/subversion-1.14.1.tar.bz2"
}
}
},
@ -27827,8 +27827,8 @@
"type": "other",
"other": {
"name": "syslog-ng",
"version": "3.23.1",
"downloadUrl": "https://github.com/balabit/syslog-ng/releases/download/syslog-ng-3.23.1/syslog-ng-3.23.1.tar.gz"
"version": "3.33.2",
"downloadUrl": "https://github.com/balabit/syslog-ng/releases/download/syslog-ng-3.33.2/syslog-ng-3.33.2.tar.gz"
}
}
},
@ -27887,8 +27887,8 @@
"type": "other",
"other": {
"name": "systemtap",
"version": "4.1",
"downloadUrl": "https://sourceware.org/systemtap/ftp/releases/systemtap-4.1.tar.gz"
"version": "4.5",
"downloadUrl": "https://sourceware.org/systemtap/ftp/releases/systemtap-4.5.tar.gz"
}
}
},
@ -28607,8 +28607,8 @@
"type": "other",
"other": {
"name": "unbound",
"version": "1.10.0",
"downloadUrl": "https://github.com/NLnetLabs/unbound/archive/release-1.10.0.tar.gz"
"version": "1.13.2",
"downloadUrl": "https://github.com/NLnetLabs/unbound/archive/release-1.13.2.tar.gz"
}
}
},