This merge brings the latest SELinux and many packages and CVE fixes from the 1.0 branch.
jslobodzian 2021-08-19 13:46:51 -07:00 коммит произвёл GitHub
Родитель 0931a2059f
Коммит 17b0e93e71
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
714 изменённых файлов: 48017 добавлений и 9829 удалений

8
.github/pull_request_template.md поставляемый

@ -9,6 +9,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a
- [ ] The toolchain has been rebuilt successfully (or no changes were made to it)
- [ ] The toolchain/worker package manifests are up-to-date
- [ ] Any updated packages successfully build (or no packages were changed)
- [ ] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
- [ ] All package sources are available
- [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/tools/cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
- [ ] LICENSE-MAP files are up-to-date (`./SPECS/LICENSES-AND-NOTICES/data/licenses.json`, `./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md`, `./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON`)
@ -33,8 +34,9 @@ What does the PR accomplish, why was it needed?
###### Does this affect the toolchain? <!-- REQUIRED -->
<!-- Any packages which are included in the toolchain should be carefully considered. Make sure the toolchain builds with these changes if so. -->
**YES**
NO
<!-- Update: manifests/package/toolchain_*.txt, pkggen_core_*.txt, update_manifests.sh -->
<!-- To validate: make clean; make workplan REBUILD_TOOLCHAIN=y DISABLE_UPSTREAM_REPOS=y CONFIG_FILE="" ... -->
**YES/NO**
###### Associated issues <!-- optional -->
<!-- Link to Github issues if possible. -->
@ -45,5 +47,5 @@ NO
- https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXX
###### Test Methodology
<!-- How as this test validated? i.e. local build, pipeline build etc. -->
<!-- How was this test validated? i.e. local build, pipeline build etc. -->
- Pipeline build id: xxxx

5
.github/workflows/check-entangled-specs.yml поставляемый

@ -5,16 +5,13 @@ name: Spec Entanglement Mismatch Check
on:
push:
paths:
- "**.spec"
branches: [main, dev, 1.0*]
pull_request:
paths:
- "**.spec"
branches: [main, dev, 1.0*]
jobs:
check:
name: Spec Entanglement Mismatch Check
runs-on: ubuntu-latest
steps:

1
.github/workflows/check-license-map.yml поставляемый

@ -10,6 +10,7 @@ on:
jobs:
check:
name: Spec License Map Check
runs-on: ubuntu-latest
steps:


@ -9,7 +9,7 @@ on:
jobs:
build:
name: Validate Manifests
name: Check Package CGManifests
runs-on: ubuntu-18.04
steps:

4
.github/workflows/check_entangled_specs.py поставляемый

@ -28,6 +28,10 @@ version_matching_groups = [
"SPECS/hyperv-daemons/hyperv-daemons.spec",
"SPECS/kernel/kernel.spec",
"SPECS/kernel-hyperv/kernel-hyperv.spec"
]),
frozenset([
"SPECS/azure-iotedge/azure-iotedge.spec",
"SPECS/libiothsm-std/libiothsm-std.spec"
])
]

4
.github/workflows/go-test-coverage.yml поставляемый

@ -1,4 +1,4 @@
name: Go
name: Go Test Coverage
on:
push:
@ -9,7 +9,7 @@ on:
jobs:
build:
name: Build
name: Go Test Coverage
runs-on: ubuntu-18.04
steps:

1
.github/workflows/lint-specs.yml поставляемый

@ -12,6 +12,7 @@ on:
jobs:
spec-lint:
name: Spec Linting
runs-on: ubuntu-latest
steps:

22
.github/workflows/validate-cg-manifest.sh поставляемый

@ -31,6 +31,11 @@ ignore_list=" \
python-sphinxcontrib-websupport \
python-yamlloader \
python-zope-interface \
python-nocasedict \
python-pywbem \
python-repoze-lru \
python-sphinxcontrib-websupport \
python-yamlloader \
qt5-rpm-macros \
runc \
grub2-efi-binary-signed-aarch64 \
@ -49,15 +54,14 @@ for spec in "$@"
do
echo Checking "$spec"
# Get the source0 for the package, it apears to always occur last in the list of sources
source0=$(rpmspec --srpm --define "with_check 0" --qf "[%{SOURCE}\n]" -q $spec 2>/dev/null | tail -1)
if [[ -z $source0 ]]
# Ensure spec can be parsed
name=$(rpmspec --srpm --define "with_check 0" --qf "%{NAME}" -q $spec 2>/dev/null )
if [[ -z $name ]]
then
echo " No source file listed for $name:$version, skipping"
echo " Not able to parse $spec, skipping"
continue
fi
name=$(rpmspec --srpm --define "with_check 0" --qf "%{NAME}" -q $spec 2>/dev/null )
# Some specs don't make sense to add, ignore them
if echo $ignore_list | grep -w "$name" > /dev/null
then
@ -67,6 +71,14 @@ do
version=$(rpmspec --srpm --define "with_check 0" --qf "%{VERSION}" -q $spec 2>/dev/null )
# Get the source0 for the package, it apears to always occur last in the list of sources
source0=$(rpmspec --srpm --define "with_check 0" --qf "[%{SOURCE}\n]" -q $spec 2>/dev/null | tail -1)
if [[ -z $source0 ]]
then
echo " No source file listed for $name:$version, skipping"
continue
fi
# Some source files have been renamed, look for a comment and also try that (while manually substituting the name/version)
source0alt=$(grep "^#[[:blank:]]*Source0:" $spec | awk '{print $NF}' | sed "s/%\?%{name}/$name/g" | sed "s/%\?%{version}/$version/g" )
# Some packages define a %url as well
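Review bot: The new parse guard in the second hunk (`name=$(rpmspec … -q $spec 2>/dev/null)` followed by `continue`) makes this check fail open: a spec that rpmspec cannot parse is reported as "Not able to parse $spec, skipping" and is never compared against the cgmanifest, while stderr is discarded so the reason is lost. For a component-governance gate a parse failure should normally count as a failure; how the script accumulates its exit status lies outside the visible hunks, so the mechanism needs confirming, and if skipping is intended (for example for specs that do not apply to the build architecture) a comment should say so. The rpmspec calls also pass `$spec` unquoted, so a path with whitespace or glob characters is split or expanded; use `-q "$spec"` in each of them. In the first hunk `python-sphinxcontrib-websupport` and `python-yamlloader` now appear twice in `ignore_list`.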


@ -1,4 +1,5 @@
%global debug_package %{nil}
%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
%ifarch x86_64
%global buildarch x86_64
%endif
@ -8,8 +9,8 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for %{buildarch} systems
Name: kernel-signed-%{buildarch}
Version: 5.10.28.1
Release: 6%{?dist}
Version: 5.10.52.1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -66,7 +67,10 @@ URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel
# 4. Build this spec
Source0: kernel-%{version}-%{release}.%{buildarch}.rpm
Source1: vmlinuz-%{uname_r}
Source2: sha512hmac-openssl.sh
BuildRequires: cpio
BuildRequires: openssl
BuildRequires: sed
%description
This package contains the Linux kernel package with kernel signed with the production key
@ -86,7 +90,6 @@ The kernel package contains the signed Linux kernel.
%build
# This spec's whole purpose is to inject the signed kernel binary
# Do not do anything extra.
rpm2cpio %{SOURCE0} | cpio -idmv
cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
@ -94,6 +97,10 @@ cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
# Don't use * wildcard. It does not copy over hidden files in the root folder...
cp -rp ./. %{buildroot}/
# Recalculate sha512hmac for FIPS
%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac
%triggerin -n kernel -- initramfs
mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
@ -139,12 +146,54 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%endif
%changelog
* Tue May 25 2021 Thomas Crain <thcrain@microsoft.com> - 5.10.28.1-6
- Bump release number to match kernel-headers release
* Tue Jul 20 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.52.1-1
- Update source to 5.10.52.1
* Fri May 14 2021 Thomas Crain <thcrain@microsoft.com> - 5.10.28.1-5
* Mon Jul 19 2021 Chris Co <chrco@microsoft.com> - 5.10.47.1-2
- Bump release number to match kernel release
* Tue Jul 06 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.47.1-1
- Update source to 5.10.47.1
* Wed Jun 30 2021 Chris Co <chrco@microsoft.com> - 5.10.42.1-4
- Bump release number to match kernel release
* Tue Jun 22 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.10.42.1-3
- Bump release number to match kernel release
* Wed Jun 16 2021 Chris Co <chrco@microsoft.com> - 5.10.42.1-2
- Bump release number to match kernel release
* Tue Jun 08 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.42.1-1
- Update source to 5.10.42.1
* Thu Jun 03 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.37.1-2
- Bump release number to match kernel release
* Fri May 28 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.37.1-1
- Update source to 5.10.37.1
* Thu May 27 2021 Chris Co <chrco@microsoft.com> - 5.10.32.1-7
- Bump release number to match kernel release
* Wed May 26 2021 Chris Co <chrco@microsoft.com> - 5.10.32.1-6
- Bump release number to match kernel release
* Tue May 25 2021 Daniel Mihai <dmihai@microsoft.com> - 5.10.32.1-5
- Bump release number to match kernel release
* Thu May 20 2021 Nicolas Ontiveros <niontive@microsoft.com> - 5.10.32.1-4
- Recalculate sha512hmac on signed kernel binary
* Tue May 17 2021 Andrew Phelps <anphel@microsoft.com> - 5.10.32.1-3
- Update to kernel release 5.10.32.1-3
* Thu May 13 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.32.1-2
- Bump release number to match kernel release
* Mon May 03 2021 Rachel Menge <rachelmenge@microsoft.com> - 5.10.32.1-1
- Update source to 5.10.32.1
* Thu Apr 22 2021 Chris Co <chrco@microsoft.com> - 5.10.28.1-4
- Bump release number to match kernel release
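Review bot: The `.hmac` file added in the `%install` hunk is written by a pipeline (`%{sha512hmac} … | sed -e "s,$RPM_BUILD_ROOT,," > …/.vmlinuz-%{uname_r}.hmac`) whose exit status is that of sed, so a failing helper or openssl call still lets the build succeed and packages an empty or truncated checksum file. Going by the "Recalculate sha512hmac for FIPS" comment, this file is what the FIPS integrity check of the signed kernel relies on, so add a guard right after it, such as `test -s %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac`, or `set -o pipefail` before the pipeline if the build shell is bash. `$RPM_BUILD_ROOT` is also interpolated as a sed pattern, so regex metacharacters in the build root path would change what is stripped; a short comment noting that assumption would help.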


@ -0,0 +1,6 @@
#!/bin/bash
# Mocks sha512hmac using the openssl tool.
# Only for use during RPM build.
openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -) $1"
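Review bot: This helper exits 0 even when `openssl` fails, because the last pipeline stage is `echo`; a missing input file or missing openssl binary produces a line with an empty digest and a success status. Capture the digest first and fail on error: `set -euo pipefail`, then `digest=$(openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ')` and `printf '%s %s\n' "$digest" "$1"`. The `cut -f 2 -d ' '` parse also assumes the path contains no spaces. The header comment could add that the HMAC key is hard-coded in the script, so the output is an integrity self-check and not an authenticity guarantee.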


@ -4,7 +4,7 @@ Name: CUnit
Version: 2.1.3
Release: 23%{?dist}
Summary: Unit testing framework for C
Vendor: Microsoft
Vendor: Microsoft Corporation
Distribution: Mariner
License: LGPLv2+
URL: http://cunit.sourceforge.net/
@ -53,12 +53,12 @@ done
%postun -p /sbin/ldconfig
%files
%license %{_defaultdocdir}/%{name}/COPYING
%{_datadir}/%{name}/
%{_libdir}/libcunit.so.*
%dir %{_docdir}/%{name}
%{_docdir}/%{name}/AUTHORS
%{_docdir}/%{name}/ChangeLog
%{_docdir}/%{name}/COPYING
%{_docdir}/%{name}/NEWS
%{_docdir}/%{name}/README
%{_docdir}/%{name}/TODO
@ -74,6 +74,7 @@ done
%changelog
* Fri Aug 21 2020 Thomas Crain <thcrain@microsoft.com> - 2.1.3-23
- Initial CBL-Mariner import from Fedora 33 (license: MIT)
- License verified
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild


@ -25,15 +25,18 @@ Cython is an optimising static compiler for both the Python programming language
%description %{_description}
%package -n python3-%{name}
Summary: %{summary}
Summary: C extensions for Python 3
%{?python_provide:%python_provide python3-%{name}}
Provides: %{name} = %{version}-%{release}
Provides: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name} < %{version}-%{release}
BuildRequires: python3
BuildRequires: python3-devel
BuildRequires: python3-libs
BuildRequires: python3-xml
Requires: python3
%description -n python3-%{name} %{_description}
Python 3 version.
%description -n python3-%{name}
Cython is an optimising static compiler for both the Python programming language and the extended Cython programming language (based on Pyrex). It makes writing C extensions for Python as easy as Python itself.
%prep
%setup -n %{upname}-%{version}


@ -0,0 +1,50 @@
diff -ruN a/tests/run/generators_py35.py b/tests/run/generators_py35.py
--- a/tests/run/generators_py35.py 1969-12-31 16:00:00.000000000 -0800
+++ b/tests/run/generators_py35.py 2021-04-30 00:40:03.333141340 -0700
@@ -0,0 +1,24 @@
+# mode: run
+# tag: generators, pure3.5
+
+from __future__ import generator_stop
+
+# "generator_stop" was only added in Py3.5.
+
+
+def with_outer_raising(*args):
+ """
+ >>> x = with_outer_raising(1, 2, 3)
+ >>> try:
+ ... list(x())
+ ... except RuntimeError:
+ ... print("OK!")
+ ... else:
+ ... print("NOT RAISED!")
+ OK!
+ """
+ def generator():
+ for i in args:
+ yield i
+ raise StopIteration
+ return generator
\ No newline at end of file
diff -ruN a/tests/run/generators_py.py b/tests/run/generators_py.py
--- a/tests/run/generators_py.py 2021-04-30 00:38:33.905610251 -0700
+++ b/tests/run/generators_py.py 2021-04-30 00:40:43.292935879 -0700
@@ -81,17 +81,6 @@
yield i
return generator
-def with_outer_raising(*args):
- """
- >>> x = with_outer_raising(1, 2, 3)
- >>> list(x())
- [1, 2, 3]
- """
- def generator():
- for i in args:
- yield i
- raise StopIteration
- return generator
def test_close():
"""


@ -50,7 +50,7 @@ rm -rf $RPM_BUILD_ROOT
%{_includedir}/gsl/*
%changelog
* Sat May 09 00:21:38 PST 2020 Nick Samson <nisamson@microsoft.com> - 2.0.0-3
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 2.0.0-3
- Added %%license line automatically
* Thu Apr 09 2020 Joe Schmitt <joschmit@microsoft.com> 2.0.0-2

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -10,6 +10,7 @@
"origin": "Fedora",
"license": "[Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files)",
"specs": [
"archivemount",
"at",
"atf",
"attr",
@ -22,8 +23,11 @@
"byacc",
"calamares",
"catch",
"checkpolicy",
"chrony",
"conda",
"collectd",
"colm",
"conda",
"conntrack-tools",
"cpprest",
"cryptsetup",
@ -42,6 +46,7 @@
"firewalld",
"fmt",
"fribidi",
"fuse-zip",
"gcovr",
"glusterfs",
"gnu-efi",
@ -49,6 +54,7 @@
"heimdal",
"hwdata",
"hyperv-daemons",
"hyperscan",
"ipmitool",
"ipv6calc",
"iscsi-initiator-utils",
@ -76,22 +82,39 @@
"liblognorm",
"libpciaccess",
"libpwquality",
"libsemanage",
"libstoragemgmt",
"libvirt",
"libxcrypt",
"libzip",
"mailcap",
"mcstrans",
"mokutil",
"mozjs60",
"nftables",
"oath-toolkit",
"open-vm-tools",
"openssl",
"p7zip",
"p11-kit",
"patchelf",
"perl-JSON",
"perl-App-cpanminus",
"perl-CPAN-DistnameInfo",
"perl-CPAN-Meta-Check",
"perl-File-pushd",
"perl-local-lib",
"perl-Module-CPANfile",
"perl-Parse-PMFile",
"perl-Pod-Parser",
"perl-String-ShellQuote",
"picosat",
"pkgconf",
"policycoreutils",
"prometheus",
"pugixml",
"pycairo",
"pyelftools",
"python-async-generator",
"python-conda-package-handling",
"python-cpuinfo",
@ -104,7 +127,9 @@
"python-kubernetes",
"python-mock",
"python-nose",
"python-pexpect",
"python-process-tests",
"python-ptyprocess",
"python-pycosat",
"python-pytest-benchmark",
"python-pytest-cov",
@ -124,9 +149,15 @@
"qt5-qtsvg",
"qt5-qttools",
"qt5-rpm-macros",
"ragel",
"rdma-core",
"sanlock",
"re2",
"sanlock",
"secilc",
"selinux-policy",
"setools",
"sgml-common",
"sos",
"squashfs-tools",
"uclibc-ng",
"uuid",
@ -146,7 +177,6 @@
"license": "[Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md)",
"specs": [
"application-gateway-kubernetes-ingress",
"aspnetcore-runtime-3.1",
"auoms",
"azure-iot-sdk-c",
"azure-iotedge",
@ -208,6 +238,7 @@
"nlohmann-json",
"nmap",
"nmi",
"node-problem-detector",
"ntopng",
"oath-toolkit",
"omi",
@ -335,8 +366,6 @@
"docbook-dtd-xml",
"docbook-style-xsl",
"dosfstools",
"dotnet-runtime-3.1",
"dotnet-sdk-3.1",
"dracut",
"dstat",
"e2fsprogs",
@ -541,8 +570,7 @@
"nghttp2",
"nginx",
"ninja-build",
"nodejs-8.11.4",
"nodejs-9.11.2",
"nodejs",
"npth",
"nspr",
"nss",
@ -791,7 +819,10 @@
"origin": "Nvidia",
"license": "[ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0)",
"specs": [
"nvidia-container-runtime"
"libnvidia-container",
"nvidia-container-runtime",
"nvidia-container-toolkit",
"nvidia-docker2"
]
},
{
@ -803,7 +834,7 @@
},
{
"origin": "Ceph Source",
"license": "[LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt)",
"license": "[LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1)",
"specs": [
"ceph"
]


@ -187,24 +187,24 @@ echo "disable ipmi.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-ip
* Tue Mar 02 2021 Henry Li <lihl@microsoft.com> - 2.0.25-6
- Provides python3-openipmi from OpenIPMI-python
* Sat May 09 00:21:40 PST 2020 Nick Samson <nisamson@microsoft.com> - 2.0.25-5
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 2.0.25-5
- Added %%license line automatically
* Fri Apr 17 2020 Nicolas Ontiveros <niontive@microsoft.com> 2.0.25-4
- Rename openipmi to OpenIPMI.
- Remove sha1 macro.
* Fri Apr 17 2020 Nicolas Ontiveros <niontive@microsoft.com> 2.0.25-4
- Rename openipmi to OpenIPMI.
- Remove sha1 macro.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.0.25-3
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.0.25-3
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Jan 08 2019 Alexey Makhalov <amakhalov@vmware.com> 2.0.25-2
- Added BuildRequires python2-devel
* Tue Jan 08 2019 Alexey Makhalov <amakhalov@vmware.com> 2.0.25-2
- Added BuildRequires python2-devel
* Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.0.25-1
- Upgrade to 2.0.25
* Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.0.25-1
- Upgrade to 2.0.25
* Fri Sep 15 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-2
- openipmi-devel requires ncurses-devel
* Fri Sep 15 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-2
- openipmi-devel requires ncurses-devel
* Mon Sep 11 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-1
- Initial build. First version
* Mon Sep 11 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-1
- Initial build. First version


@ -85,7 +85,7 @@ popd
%{python3_sitelib}/*
%changelog
* Sat May 09 00:20:39 PST 2020 Nick Samson <nisamson@microsoft.com> - 0.5.0-8
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 0.5.0-8
- Added %%license line automatically
* Tue Apr 28 2020 Emre Girgin <mrgirgin@microsoft.com> 0.5.0-7


@ -108,21 +108,21 @@ rm -rf $RPM_BUILD_ROOT
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 3.13-5
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 3.13-4
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Apr 16 2019 Tapas Kundu <tkundu@vmware.com> 3.13-3
- Added lib3 changes for CVE-2017-18342
- change default loader for yaml.add_constructor
- Add custom constructors to multiple loaders
* Thu Mar 28 2019 Ankit Jain <ankitja@vmware.com> 3.13-2
- Fix for CVE-2017-18342
* Thu Sep 20 2018 Tapas Kundu <tkundu@vmware.com> 3.13-1
- Updated to release 3.13
* Tue May 16 2017 Kumar Kaushik <kaushikk@vmware.com> 3.12-2
- Adding python3 support.
* Tue Apr 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.12-1
- Updated version to 3.12
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.11-2
- GA - Bump release of all rpms
* Wed Mar 04 2015 Mahmoud Bassiouny <mbassiouny@vmware.com>
- Initial packaging for Photon
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 3.13-4
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Apr 16 2019 Tapas Kundu <tkundu@vmware.com> 3.13-3
- Added lib3 changes for CVE-2017-18342
- change default loader for yaml.add_constructor
- Add custom constructors to multiple loaders
* Thu Mar 28 2019 Ankit Jain <ankitja@vmware.com> 3.13-2
- Fix for CVE-2017-18342
* Thu Sep 20 2018 Tapas Kundu <tkundu@vmware.com> 3.13-1
- Updated to release 3.13
* Tue May 16 2017 Kumar Kaushik <kaushikk@vmware.com> 3.12-2
- Adding python3 support.
* Tue Apr 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.12-1
- Updated version to 3.12
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.11-2
- GA - Bump release of all rpms
* Wed Mar 04 2015 Mahmoud Bassiouny <mbassiouny@vmware.com>
- Initial packaging for Photon


@ -1,5 +1,5 @@
{
"Signatures": {
"WALinuxAgent-2.2.52.tar.gz": "46f692edaa93f094eef6c0dc8d95f3ece5a7176e98ac6f3bce741da74946cd28"
"WALinuxAgent-2.2.54.2.tar.gz": "2c047d262ca55718268a0921c7bd04b6c1ab1032bd885e3e0949107f493e7b7c"
}
}


@ -1,30 +1,29 @@
Summary: The Windows Azure Linux Agent
Name: WALinuxAgent
Version: 2.2.52
Release: 3%{?dist}
Version: 2.2.54.2
Release: 2%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System/Daemons
URL: https://github.com/Azure/WALinuxAgent
#Source0: https://github.com/Azure/WALinuxAgent/archive/v%{version}.tar.gz
Source0: https://github.com/Azure/WALinuxAgent/archive/%{name}-%{version}.tar.gz
Patch0: add-distro.patch
BuildRequires: python-distro
BuildRequires: python-setuptools
BuildRequires: python-xml
BuildRequires: python2
BuildRequires: python2-libs
#Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: python3-distro
BuildRequires: python3-setuptools
BuildRequires: python3-xml
BuildRequires: python3
BuildRequires: python3-libs
BuildRequires: systemd
Requires: /bin/grep
Requires: /bin/sed
Requires: iptables
Requires: openssh
Requires: openssl
Requires: python-pyasn1
Requires: python-xml
Requires: python2
Requires: python2-libs
Requires: python3-pyasn1
Requires: python3-xml
Requires: python3
Requires: python3-libs
Requires: sudo
Requires: systemd
Requires: util-linux
@ -36,23 +35,26 @@ VMs in the Windows Azure cloud. This package should be installed on Linux disk
images that are built to run in the Windows Azure environment.
%prep
%setup -q
%patch0 -p1
%setup -q -n %{name}-%{version}
%pre -p /bin/sh
%build
python2 setup.py build -b py2
python3 setup.py build -b py3
%install
python2 -tt setup.py build -b py2 install --prefix=%{_prefix} --lnx-distro='mariner' --root=%{buildroot} --force
python3 -tt setup.py build -b py3 install --prefix=%{_prefix} --lnx-distro='mariner' --root=%{buildroot} --force
mkdir -p %{buildroot}/%{_localstatedir}/log
mkdir -p -m 0700 %{buildroot}/%{_sharedstatedir}/waagent
mkdir -p %{buildroot}/%{_localstatedir}/log
touch %{buildroot}/%{_localstatedir}/log/waagent.log
# python refers to python2 version on CBL-Mariner hence update to use python3
sed -i 's,#!/usr/bin/env python,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent
sed -i 's,#!/usr/bin/env python,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent2.0
sed -i 's,/usr/bin/python ,/usr/bin/python3 ,' %{buildroot}%{_libdir}/systemd/system/waagent.service
%check
python2 setup.py check && python2 setup.py test
python3 setup.py check && python3 setup.py test
%post
%systemd_post waagent.service
@ -67,17 +69,23 @@ python2 setup.py check && python2 setup.py test
%{_libdir}/systemd/system/*
%defattr(0644,root,root,0755)
%license LICENSE.txt
%doc Changelog
%attr(0755,root,root) %{_sbindir}/waagent
%attr(0755,root,root) %{_sbindir}/waagent2.0
%attr(0755,root,root) %{_bindir}/waagent
%attr(0755,root,root) %{_bindir}/waagent2.0
%config %{_sysconfdir}/waagent.conf
%ghost %{_localstatedir}/log/waagent.log
%dir %attr(0700, root, root) %{_sharedstatedir}/waagent
%{_libdir}/python2.7/site-packages/*
%{python3_sitelib}/*
%changelog
* Tue Aug 17 2021 Thomas Crain <thcrain@microsoft.com> - 2.2.54.2-2
- Fix incorrect %%{_lib} macro usage
* Mon May 24 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 2.2.54.2-1
- Upgrade to version 2.2.54.2 which has Mariner distro support.
* Mon Apr 26 2021 Thomas Crain <thcrain@microsoft.com> - 2.2.52-3
- Replace incorrect %%{_lib} usage with %%{_libdir}
- %{_lib}/python3.7/site-packages/*
* Mon Jan 25 2021 Henry Beberman <henry.beberman@microsoft.com> 2.2.52-2
- Remove log symlink and use /var/log/waagent.log directly
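Review bot: The three `sed -i` rewrites added in `%install` succeed silently when their pattern does not match, and the shebang pattern `#!/usr/bin/env python` is unanchored, so an upstream script that already says `python3` would end up as `#!/usr/bin/python33`. The package now requires only python3, so a missed rewrite leaves the agent script or `waagent.service` pointing at `python`, which the spec comment says is python2 on CBL-Mariner. Anchor the expression, e.g. `sed -i '1s,^#!/usr/bin/env python$,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent`, and verify the result with `grep -q '/usr/bin/python3 ' %{buildroot}%{_libdir}/systemd/system/waagent.service` so the build fails instead of shipping a unit that cannot start. add-distro.patch appears to be dropped, so the packaged `waagent.conf` would now come from the upstream tarball and is not visible here; confirm that its provisioning, root-password and auto-update settings still match what the removed patch shipped.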


@ -1,242 +0,0 @@
--- a/azurelinuxagent/common/osutil/factory.py 2020-09-29 11:31:13.000000000 -0700
+++ b/azurelinuxagent/common/osutil/factory.py 2020-12-08 14:54:58.878191794 -0800
@@ -24,6 +24,7 @@
from .arch import ArchUtil
from .bigip import BigIpOSUtil
from .clearlinux import ClearLinuxUtil
+from .mariner import MarinerOSUtil
from .coreos import CoreOSUtil
from .debian import DebianOSBaseUtil, DebianOSModernUtil
from .default import DefaultOSUtil
@@ -57,6 +58,9 @@
if "Clear Linux" in distro_full_name:
return ClearLinuxUtil()
+
+ if distro_name == "mariner":
+ return MarinerOSUtil()
if distro_name == "ubuntu":
if Version(distro_version) in [Version("12.04"), Version("12.10")]:
--- a/azurelinuxagent/common/osutil/mariner.py 2020-12-08 22:14:27.843117432 -0800
+++ b/azurelinuxagent/common/osutil/mariner.py 2020-12-08 22:52:05.926318033 -0800
@@ -0,0 +1,89 @@
+#
+# Copyright 2017 Microsoft Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Requires Python 2.4 and Openssl 1.0
+#
+
+import os
+import re
+import pwd
+import shutil
+import socket
+import array
+import struct
+import fcntl
+import time
+import base64
+import azurelinuxagent.common.conf as conf
+import azurelinuxagent.common.logger as logger
+import azurelinuxagent.common.utils.fileutil as fileutil
+import azurelinuxagent.common.utils.shellutil as shellutil
+import azurelinuxagent.common.utils.textutil as textutil
+from azurelinuxagent.common.osutil.default import DefaultOSUtil
+
+class MarinerOSUtil(DefaultOSUtil):
+ def __init__(self):
+ super(MarinerOSUtil, self).__init__()
+ self.agent_conf_file_path = '/etc/waagent.conf'
+ self.jit_enabled = True
+
+ def is_dhcp_enabled(self):
+ return True
+
+ def start_network(self) :
+ return shellutil.run("systemctl start systemd-networkd", chk_err=False)
+
+ def restart_if(self, iface):
+ shellutil.run("systemctl restart systemd-networkd")
+
+ def restart_ssh_service(self):
+ shellutil.run("systemctl restart sshd")
+
+ def stop_dhcp_service(self):
+ return shellutil.run("systemctl stop systemd-networkd", chk_err=False)
+
+ def start_dhcp_service(self):
+ return shellutil.run("systemctl start systemd-networkd", chk_err=False)
+
+ def start_agent_service(self):
+ return shellutil.run("systemctl start waagent", chk_err=False)
+
+ def stop_agent_service(self):
+ return shellutil.run("systemctl stop waagent", chk_err=False)
+
+ def get_dhcp_pid(self):
+ ret= shellutil.run_get_output("pidof systemd-networkd")
+ return ret[1] if ret[0] == 0 else None
+
+ def conf_sshd(self, disable_password):
+ pass
+
+ def del_root_password(self):
+ try:
+ passwd_file_path = conf.get_passwd_file_path()
+ try:
+ passwd_content = fileutil.read_file(passwd_file_path)
+ if not passwd_content:
+ raise FileNotFoundError
+ except FileNotFoundError:
+ new_passwd = ["root:*LOCK*:14600::::::"]
+ else:
+ passwd = passwd_content.split('\n')
+ new_passwd = [x for x in passwd if not x.startswith("root:")]
+ new_passwd.insert(0, "root:*LOCK*:14600::::::")
+ fileutil.write_file(passwd_file_path, "\n".join(new_passwd))
+ except IOError as e:
+ raise OSUtilError("Failed to delete root password:{0}".format(e))
+ pass
\ No newline at end of file
--- a/azurelinuxagent/common/version.py 2020-09-29 11:31:13.000000000 -0700
+++ b/azurelinuxagent/common/version.py 2020-12-08 14:58:51.840248635 -0800
@@ -100,6 +100,9 @@
if os.path.exists("/etc/euleros-release"):
osinfo[0] = "euleros"
+
+ if os.path.exists("/etc/mariner-release"):
+ osinfo[0] = "mariner"
# The platform.py lib has issue with detecting BIG-IP linux distribution.
# Merge the following patch provided by F5.
--- a/config/mariner/waagent.conf 2020-12-08 22:15:55.038466254 -0800
+++ b/config/mariner/waagent.conf 2020-12-08 15:06:48.272503589 -0800
@@ -0,0 +1,80 @@
+# Microsoft Azure Linux Agent Configuration
+#
+
+# Specified program is invoked with the argument "Ready" when we report ready status
+# to the endpoint server.
+Role.StateConsumer=None
+
+# Specified program is invoked with XML file argument specifying role
+# configuration.
+Role.ConfigurationConsumer=None
+
+# Specified program is invoked with XML file argument specifying role topology.
+Role.TopologyConsumer=None
+
+# Enable instance creation
+Provisioning.Enabled=n
+
+# Rely on cloud-init to provision
+Provisioning.UseCloudInit=y
+
+# Password authentication for root account will be unavailable.
+Provisioning.DeleteRootPassword=y
+
+# Generate fresh host key pair.
+Provisioning.RegenerateSshHostKeyPair=y
+
+# Supported values are "rsa", "dsa" and "ecdsa".
+Provisioning.SshHostKeyPairType=rsa
+
+# Monitor host name changes and publish changes via DHCP requests.
+Provisioning.MonitorHostName=y
+
+# Decode CustomData from Base64.
+Provisioning.DecodeCustomData=y
+
+# Execute CustomData after provisioning.
+Provisioning.ExecuteCustomData=n
+
+# Allow reset password of sys user
+Provisioning.AllowResetSysUser=n
+
+# Format if unformatted. If 'n', resource disk will not be mounted.
+ResourceDisk.Format=n
+
+# File system on the resource disk
+# Typically ext3 or ext4. FreeBSD images should use 'ufs2' here.
+ResourceDisk.Filesystem=ext4
+
+# Mount point for the resource disk
+ResourceDisk.MountPoint=/mnt/resource
+
+# Create and use swapfile on resource disk.
+ResourceDisk.EnableSwap=n
+
+# Size of the swapfile.
+ResourceDisk.SwapSizeMB=0
+
+# Enable verbose logging (y|n)
+Logs.Verbose=n
+
+# Is FIPS enabled
+OS.EnableFIPS=n
+
+# Root device timeout in seconds.
+OS.RootDeviceScsiTimeout=300
+
+# If "None", the system default version is used.
+OS.OpensslPath=None
+
+# Set the path to SSH keys and configuration files
+OS.SshDir=/etc/ssh
+
+# Enable or disable self-update, default is enabled
+AutoUpdate.Enabled=y
+AutoUpdate.GAFamily=Prod
+
+# Determine if the overprovisioning feature is enabled. If yes, hold extension
+# handling until inVMArtifactsProfile.OnHold is false.
+# Default is disabled
+# EnableOverProvisioning=n
--- a/init/mariner/waagent.service 2020-12-08 22:16:40.614123434 -0800
+++ b/init/mariner/waagent.service 2020-12-08 15:06:44.940529116 -0800
@@ -0,0 +1,16 @@
+[Unit]
+Description=Azure Linux Agent
+Wants=systemd-networkd-wait-online.service sshd.service sshd-keygen.service
+After=systemd-networkd-wait-online.service cloud-init.service
+
+ConditionFileIsExecutable=/usr/sbin/waagent
+ConditionPathExists=/etc/waagent.conf
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/python -u /usr/sbin/waagent -daemon
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
--- a/setup.py 2020-09-29 11:31:13.000000000 -0700
+++ b/setup.py 2020-12-08 15:04:44.289458366 -0800
@@ -116,6 +116,12 @@
src=["config/clearlinux/waagent.conf"])
set_systemd_files(data_files, dest='/usr/lib/systemd/system',
src=["init/clearlinux/waagent.service"])
+ elif name == 'mariner':
+ set_bin_files(data_files)
+ set_conf_files(data_files, dest="/etc",
+ src=["config/mariner/waagent.conf"])
+ set_systemd_files(data_files, dest='/usr/lib/systemd/system',
+ src=["init/mariner/waagent.service"])
elif name == 'ubuntu':
set_bin_files(data_files)
set_conf_files(data_files, src=["config/ubuntu/waagent.conf"])


@ -1,5 +1,5 @@
{
"Signatures": {
"ansible-2.9.12.tar.gz": "7e95ddf719190b068fafc7d7c7877c218054cc5da4f6d9d794faf7bc66dab774"
"ansible-2.9.18.tar.gz": "55fee77729eab2dce854c94a7b6998f0fcb7b9a053bdaa7eb4057f01a0d5d93c"
}
}


@ -1,7 +1,7 @@
%{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
Summary: Configuration-management, application deployment, cloud provisioning system
Name: ansible
Version: 2.9.12
Version: 2.9.18
Release: 1%{?dist}
License: GPLv3+
Vendor: Microsoft Corporation
@ -41,6 +41,9 @@ python2 setup.py test
%{python2_sitelib}/*
%changelog
* Tue Jun 15 2021 Nicolas Ontiveros <niontive@microsoft.com> - 2.9.18-1
- Upgrade to version 2.9.18, which resolves CVE-2021-20191 and CVE-2021-20178
* Wed Dec 30 2020 Nicolas Ontiveros <niontive@microsoft.com> - 2.9.12-1
- Upgrade to version 2.9.12, which resolves CVE-2020-10744


@ -122,7 +122,7 @@ rm -rf %{buildroot}
%{_libdir}/apr-util-%{apuver}/apr_dbd_sqlite*
%changelog
* Sat May 09 00:21:10 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.6.1-4
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.6.1-4
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.6.1-3


@ -0,0 +1,5 @@
{
"Signatures": {
"archivemount-0.9.1.tar.gz": "c529b981cacb19541b48ddafdafb2ede47a40fcaf16c677c1e2cd198b159c5b3"
}
}


@ -0,0 +1,171 @@
Name: archivemount
Version: 0.9.1
Release: 4%{?dist}
Summary: FUSE based filesystem for mounting compressed archives
Vendor: Microsoft Corporation
Distribution: Mariner
License: LGPLv2+
URL: https://www.cybernoia.de/software/archivemount.html
Source0: https://www.cybernoia.de/software/archivemount/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: fuse-devel
BuildRequires: libarchive-devel
BuildRequires: automake
BuildRequires: make
Requires: fuse
%description
Archivemount is a piece of glue code between libarchive and FUSE. It can be
used to mount a (possibly compressed) archive (as in .tar.gz or .tar.bz2)
and use it like an ordinary filesystem.
%prep
%autosetup -p1
%build
%configure --enable-debug
%make_build
%install
rm -rf $RPM_BUILD_ROOT
rm -f archivemount.1
%make_install
%files
%doc CHANGELOG README
%license COPYING
%{_mandir}/*/*
%{_bindir}/archivemount
%changelog
* Mon May 17 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 0.9.1-4
- Initial CBL-Mariner import from Fedora 34 (license: MIT)
- License verified
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Apr 20 2020 Niels de Vos <devos@fedoraproject.org> - 0.9.1-1
- Update to version 0.9.1
* Mon Apr 20 2020 Niels de Vos <devos@fedoraproject.org> - 0.9.0-1
- Update to version 0.9.0 (#1825602)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.12-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.12-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.12-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.12-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jun 18 2018 Vasiliy N. Glazov <vascom2@gmail.com> - 0.8.12-2
- Clean spec to match packaging guidelines
* Sun Apr 1 2018 Niels de Vos <devos@fedoraproject.org> - 0.8.12-1
- Update to version 0.8.12 (#1560985)
* Tue Mar 27 2018 Niels de Vos <devos@fedoraproject.org> - 0.8.11-1
- Update to version 0.8.11 (#1560985)
* Fri Mar 16 2018 Niels de Vos <devos@fedoraproject.org> - 0.8.10-1
- Update to version 0.8.10 (#1557308)
* Tue Mar 6 2018 Niels de Vos <devos@fedoraproject.org> - 0.8.9-1
- Update to version 0.8.9 (#1547963)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Nov 24 2015 Niels de Vos <devos@fedoraproject.org> - 0.8.7-1
- Update to version 0.8.7 (#1284705)
* Mon Nov 23 2015 Niels de Vos <devos@fedoraproject.org> - 0.8.6-1
- Update to version 0.8.6 (#1197053)
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Oct 24 2013 Niels de Vos <devos@fedoraproject.org> - 0.8.3-1
- Update to version 0.8.3 (#1022856)
- Drop upstreamed patches
* Wed Oct 23 2013 Niels de Vos <devos@fedoraproject.org> - 0.8.2-1
- Update to version 0.8.2 (#1021347)
* Sun Oct 13 2013 Niels de Vos <devos@fedoraproject.org> - 0.8.1-2
- Do not call fuse_main() to prevent a confusing error message (#1018587)
* Mon Aug 19 2013 Niels de Vos <devos@fedoraproject.org> - 0.8.1-1
- Update to version 0.8.1 (#997779)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jan 17 2013 Tomas Bzatek <tbzatek@redhat.com> - 0.6.1-10
- Rebuilt for new libarchive
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jan 26 2012 Tomas Bzatek <tbzatek@redhat.com> - 0.6.1-8
- Rebuilt for new libarchive
* Sat Jan 07 2012 Niels de Vos <devos@fedoraproject.org> - 0.6.1-7
- Rebuild for new gcc-4.7
* Tue Nov 15 2011 Niels de Vos <devos@fedoraproject.org> - 0.6.1-6
- Rebuild for new libarchive
* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Jan 18 2011 Niels de Vos <ndevos@redhat.com> 0.6.1-4
- fix the -debuginfo package as suggested by Tomas Mraz (BZ#598688 comment #12)
* Fri Jan 14 2011 Niels de Vos <ndevos@redhat.com> 0.6.1-3
- fix the -debuginfo package (BZ#598688 comment #10)
* Mon Jan 10 2011 Niels de Vos <niels@nixpanic.net> 0.6.1-2
- force running in single threaded mode (much more stable)
- fix some points from BZ #598688 comment #7
* Thu Jun 24 2010 Niels de Vos <ndevos@redhat.com> 0.6.1-1
- upstream fixed licensing in the source to LGPL (v2 or newer)
- new source does not contain autom4te.cache anymore, no need to 'rm -rf' it
* Tue Jun 15 2010 Niels de Vos <ndevos@redhat.com> 0.6.0-2
- fix license to GNU Library General Public v2 or newer
- remove packaged autoconf/automake cache files
* Tue Jun 01 2010 Niels de Vos <ndevos@redhat.com> 0.6.0-1
- Initial package
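Review bot: The new spec builds with `%configure --enable-debug` and has no `%check` section. That deserves a second look for a package whose job is to pass archive contents, which may come from an untrusted source, through libarchive and expose them over FUSE. What the switch changes in archivemount's configure script is not visible here, so unless a debug build is intended I would use plain `%configure` and rely on the distribution's default build flags. If upstream ships no test suite, a comment such as `# No upstream test suite; %%check intentionally omitted` records that the omission is deliberate. The `rm -rf $RPM_BUILD_ROOT` at the top of `%install` is redundant with current rpm and can be dropped.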


@ -1,5 +0,0 @@
{
"Signatures": {
"aspnetcore-runtime-3.1.5-linux-x64.tar.gz": "bf202e612374eecf089b08db2085f36e54c09d6e93db0ff4244580ee47b9c61f"
}
}


@ -1,41 +0,0 @@
%define debug_package %{nil}
Summary: Microsoft aspnetcore runtime
Name: aspnetcore-runtime-3.1
Version: 3.1.5
Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Tools
URL: https://github.com/dotnet/aspnetcore
Source0: https://download.visualstudio.microsoft.com/download/pr/6827d794-a218-4352-b3b3-a19ec773c975/e3e53bc2f20df220a29c6e09f74d8a00/aspnetcore-runtime-3.1.5-linux-x64.tar.gz
Requires: dotnet-runtime-3.1
ExclusiveArch: x86_64
%description
ASP.NET Core is an open-source and cross-platform framework for building
modern cloud based internet connected applications, such as web apps,
IoT apps and mobile backends
%prep
%setup -qc -T -a 0 dotnet-runtime-%{version}
%build
%install
mkdir -p %{buildroot}%{_libdir}/dotnet/shared
cp -r shared/Microsoft.AspNetCore.App %{buildroot}%{_libdir}/dotnet/shared
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license LICENSE.txt ThirdPartyNotices.txt
%defattr(-,root,root,0755)
%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App
%changelog
* Thu Nov 12 2020 Henry Beberman <henry.beberman@microsoft.com> - 3.1.5-1
- Add aspnetcore-runtime spec.
- License verified
- Original version for CBL-Mariner


@ -131,7 +131,7 @@ fi
%changelog
* Sat May 09 00:21:18 PST 2020 Nick Samson <nisamson@microsoft.com> - 0.7.2-3
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 0.7.2-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 0.7.2-2


@ -1,9 +1,7 @@
%{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
Summary: Kernel Audit Tool
Name: audit
Version: 3.0
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@ -49,18 +47,6 @@ Provides: audit-libs-devel = %{version}-%{release}
%description devel
The libraries and header files needed for audit development.
%package python
Summary: Python bindings for libaudit
License: LGPLv2+
BuildRequires: python2-devel
BuildRequires: python2-libs
Requires: %{name} = %{version}-%{release}
Requires: python2
%description python
The audit-python package contains the python2 bindings for libaudit
and libauparse.
%package -n python3-audit
Summary: Python3 bindings for libaudit
License: LGPLv2+
@ -85,7 +71,6 @@ and libauparse.
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
--sysconfdir=%{_sysconfdir} \
--with-python=yes \
--with-python3=yes \
--with-libwrap \
--enable-gssapi-krb5=yes \
@ -165,78 +150,77 @@ make %{?_smp_mflags} check
%{_mandir}/man3/*
%{_datadir}/aclocal/audit.m4
%files python
%defattr(-,root,root)
%{python2_sitelib}/*
%files -n python3-audit
%defattr(-,root,root)
%{python3_sitelib}/*
%changelog
* Mon Nov 02 2020 Joe Schmitt <joschmit@microsoft.com> - 3.0-5
* Wed Aug 18 2021 Thomas Crian <thcrain@microsoft.com> - 3.0-6
- Remove python2 subpackage
* Mon Nov 02 2020 Joe Schmitt <joschmit@microsoft.com> - 3.0-5 (from dev branch)
- Provide audit-libs-devel from the devel subpackage.
- Provide audit-libs-python3 from the python3 subpackage.
* Thu May 14 2020 Nicolas Ontiveros <niontive@microsoft.com> 3.0-4
- Set "RefuseManualStop=no" in "auditd.service".
* Thu May 14 2020 Nicolas Ontiveros <niontive@microsoft.com> 3.0-4
- Set "RefuseManualStop=no" in "auditd.service".
* Sat May 09 00:21:30 PST 2020 Nick Samson <nisamson@microsoft.com> - 3.0-3
- Added %%license line automatically
* Sat May 09 00:21:30 PST 2020 Nick Samson <nisamson@microsoft.com> - 3.0-3
- Added %%license line automatically
* Thu Apr 30 2020 Emre Girgin <mrgirgin@microsoft.com> 3.0-2
- Renaming go to golang
* Thu Apr 30 2020 Emre Girgin <mrgirgin@microsoft.com> 3.0-2
- Renaming go to golang
* Wed Mar 18 2020 Emre Girgin <mrgirgin@microsoft.com> 3.0-1
- Updated to version 3.0-alpha8. Subpackage licenses updated.
* Wed Mar 18 2020 Emre Girgin <mrgirgin@microsoft.com> 3.0-1
- Updated to version 3.0-alpha8. Subpackage licenses updated.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.8.4-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.8.4-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Mon Sep 3 2018 Keerthana K <keerthanak@vmware.com> 2.8.4-1
- Updated to version 2.8.4.
* Mon Sep 3 2018 Keerthana K <keerthanak@vmware.com> 2.8.4-1
- Updated to version 2.8.4.
* Thu Dec 28 2017 Divya Thaluru <dthaluru@vmware.com> 2.7.5-4
- Fixed the log file directory structure
* Thu Dec 28 2017 Divya Thaluru <dthaluru@vmware.com> 2.7.5-4
- Fixed the log file directory structure
* Thu Jun 29 2017 Divya Thaluru <dthaluru@vmware.com> 2.7.5-3
- Disabled audit service by default
* Thu Jun 29 2017 Divya Thaluru <dthaluru@vmware.com> 2.7.5-3
- Disabled audit service by default
* Thu May 18 2017 Xiaolin Li <xiaolinl@vmware.com> 2.7.5-2
- Move python2 requires to python subpackage and added python3.
* Thu May 18 2017 Xiaolin Li <xiaolinl@vmware.com> 2.7.5-2
- Move python2 requires to python subpackage and added python3.
* Fri Apr 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.7.5-1
- Version update.
* Fri Apr 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.7.5-1
- Version update.
* Wed Dec 07 2016 Xiaolin Li <xiaolinl@vmware.com> 2.5-7
- Moved man3 to devel subpackage.
* Wed Dec 07 2016 Xiaolin Li <xiaolinl@vmware.com> 2.5-7
- Moved man3 to devel subpackage.
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> 2.5-6
- Required krb5-devel.
* Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> 2.5-6
- Required krb5-devel.
* Fri Jul 22 2016 Xiaolin Li <xiaolinl@vmware.com> 2.5-5
- Add gawk requirement.
* Fri Jul 22 2016 Xiaolin Li <xiaolinl@vmware.com> 2.5-5
- Add gawk requirement.
* Thu May 26 2016 Divya Thaluru <dthaluru@vmware.com> 2.5-4
- Fixed logic to restart the active services after upgrade
* Thu May 26 2016 Divya Thaluru <dthaluru@vmware.com> 2.5-4
- Fixed logic to restart the active services after upgrade
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.5-3
- GA - Bump release of all rpms
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.5-3
- GA - Bump release of all rpms
* Tue May 3 2016 Divya Thaluru <dthaluru@vmware.com> 2.5-2
- Fixing spec file to handle rpm upgrade scenario correctly
* Tue May 3 2016 Divya Thaluru <dthaluru@vmware.com> 2.5-2
- Fixing spec file to handle rpm upgrade scenario correctly
* Tue Feb 23 2016 Anish Swaminathan <anishs@vmware.com> 2.5-1
- Upgrade to 2.5
* Tue Feb 23 2016 Anish Swaminathan <anishs@vmware.com> 2.5-1
- Upgrade to 2.5
* Fri Jan 29 2016 Anish Swaminathan <anishs@vmware.com> 2.4.4-4
- Add directories for auditd service.
* Fri Jan 29 2016 Anish Swaminathan <anishs@vmware.com> 2.4.4-4
- Add directories for auditd service.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 2.4.4-3
- Change config file attributes.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 2.4.4-3
- Change config file attributes.
* Wed Dec 09 2015 Anish Swaminathan <anishs@vmware.com> 2.4.4-2
- Add systemd requirement.
* Wed Dec 09 2015 Anish Swaminathan <anishs@vmware.com> 2.4.4-2
- Add systemd requirement.
* Fri Aug 28 2015 Divya Thaluru <dthaluru@vmware.com> 2.4.4-1
- Initial version
* Fri Aug 28 2015 Divya Thaluru <dthaluru@vmware.com> 2.4.4-1
- Initial version
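Review bot: Removing the `%package python` subpackage drops `audit-python`, which carried `Requires: %{name} = %{version}-%{release}`, and none of the visible hunks adds an `Obsoletes:` for it. A host that already has audit-python installed may therefore be unable to upgrade audit to 3.0-6, and so miss later audit fixes, until the old subpackage is removed by hand. Consider adding `Obsoletes: audit-python < 3.0-6` to the main package; the preamble where it would go is outside the hunks shown. In the changelog, the new entry spells the author `Thomas Crian` while the address is `thcrain@`, and the `Sat May 09 00:21:30 PST 2020` entry keeps the time-stamped date that other specs in this commit normalise to `Sat May 09 2020`.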


@ -51,7 +51,7 @@ make -k check %{?_smp_mflags} TESTSUITEFLAGS="1-37 39-500"
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 2.69-10
- Use new perl package names.
* Sat May 09 00:21:00 PST 2020 Nick Samson <nisamson@microsoft.com> 2.69-9
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 2.69-9
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.69-8
- Initial CBL-Mariner import from Photon (license: Apache2).


@ -80,30 +80,31 @@ make %{?_smp_mflags} check
%exclude /usr/share/info/
%changelog
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 5.18.16-6
- Add BuildRequires on perl.
* Sat May 09 00:20:48 PST 2020 Nick Samson <nisamson@microsoft.com> - 5.18.16-5
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 5.18.16-6
- Add BuildRequires on perl.
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 5.18.16-5
- Added %%license line automatically
* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 5.18.16-4
- Add compiler flags for GCC9 compatibility. License verified.
* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 5.18.16-3
- Exclude /usr/share/info from the RPM
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 5.18.16-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Wed Sep 12 2018 Anish Swaminathan <anishs@vmware.com> 5.18.16-1
- Upgrade to 5.18.16
* Mon May 01 2017 Dheeraj Shetty <dheerajs@vmware.com> 5.18.12-2
- Adding Make Check
* Tue Apr 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 5.18.12-1
- Updated version to 5.18.12
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 5.18.7-2
- GA - Bump release of all rpms
* Wed Feb 24 2016 Kumar Kaushik <kaushikk@vmware.com> 5.18.7-1
- Updated version tp 5.16.7.
* Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 5.18.6-1
- Updated to version 5.18.6
* Tue Sep 29 2015 Xiaolin Li <xiaolinl@vmware.com> 5.18.5-2
- Create a seperate libopts package.
* Thu Jun 18 2015 Divya Thaluru <dthaluru@vmware.com> 5.18.5-1
- Initial build. First version
* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 5.18.16-4
- Add compiler flags for GCC9 compatibility. License verified.
* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 5.18.16-3
- Exclude /usr/share/info from the RPM
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 5.18.16-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Wed Sep 12 2018 Anish Swaminathan <anishs@vmware.com> 5.18.16-1
- Upgrade to 5.18.16
* Mon May 01 2017 Dheeraj Shetty <dheerajs@vmware.com> 5.18.12-2
- Adding Make Check
* Tue Apr 18 2017 Dheeraj Shetty <dheerajs@vmware.com> 5.18.12-1
- Updated version to 5.18.12
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 5.18.7-2
- GA - Bump release of all rpms
* Wed Feb 24 2016 Kumar Kaushik <kaushikk@vmware.com> 5.18.7-1
- Updated version tp 5.16.7.
* Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 5.18.6-1
- Updated to version 5.18.6
* Tue Sep 29 2015 Xiaolin Li <xiaolinl@vmware.com> 5.18.5-2
- Create a seperate libopts package.
* Thu Jun 18 2015 Divya Thaluru <dthaluru@vmware.com> 5.18.5-1
- Initial build. First version


@ -43,7 +43,7 @@ make %{?_smp_mflags} check
%{_defaultdocdir}/%{name}-%{version}/*
%{_mandir}/*/*
%changelog
* Sat May 09 00:21:00 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.16.1-3
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.16.1-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.16.1-2


@ -97,7 +97,7 @@ rm -rf $RPM_BUILD_ROOT
- Removing the Conflict reference to azure-iot-sdk-c-public-preview.
* Sun May 31 2020 Henry Beberman <henry.beberman@microsoft.com> 2020.02.04.1-5
- Add -Wno-error to cflags to fix compilation with updated -Werror default.
* Sat May 09 00:20:46 PST 2020 Nick Samson <nisamson@microsoft.com> - 2020.02.04.1-4
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 2020.02.04.1-4
- Added %%license line automatically
* Mon May 04 2020 Eric Li <eli@microsoft.com> 2020.02.04.1-3
- Add #Source0: and license verified.


@ -1,6 +1,6 @@
{
"Signatures": {
"azure-iotedge-1.1.0-cargo.tar.gz": "94d8d7a8d2834eb4d5ec47f76c37a0a1e7a90979f8fabca556db808a60d7b310",
"azure-iotedge-1.1.0.tar.gz": "c8cd6b70786057a3e599a7649478dcd478726a4125d9e69ddea6314916fe060b"
"azure-iotedge-1.1.2-cargo.tar.gz": "eec1a83f6d30bb88679f6ef73e9ceaf2f3ca3d6cfe7cec02fc94c383997dd8ea",
"azure-iotedge-1.1.2.tar.gz": "23c0efe1f720ed3a27060cab0cae83fecfe73f017063b1bdb94a4bbce34c87b5"
}
}


@ -1,7 +1,7 @@
Summary: Azure IoT Edge Security Daemon
Name: azure-iotedge
Version: 1.1.0
Release: 4%{?dist}
Version: 1.1.2
Release: 1%{?dist}
# A buildable azure-iotedge environments needs functioning submodules that do not work from the archive download
# To recreate the tar.gz run the following
@ -166,6 +166,9 @@ echo "==========================================================================
%doc %{_docdir}/iotedge-%{version}/trademark
%changelog
* Fri May 14 2021 Andrew Phelps <anphel@microsoft.com> - 1.1.2-1
- Update to version 1.1.2
* Mon Apr 26 2021 Thomas Crain <thcrain@microsoft.com> - 1.1.0-4
- Bump release to rebuild with rust 1.47.0-3 (security update)


@ -95,7 +95,7 @@ popd
%{python3_sitelib}/*
%changelog
* Sat May 09 00:21:26 PST 2020 Nick Samson <nisamson@microsoft.com>
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com>
- Added %%license line automatically
* Thu Apr 30 2020 Emre Girgin <mrgirgin@microsoft.com> 2.6.0-7


@ -1,191 +0,0 @@
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 04a8da7d3e..2d568e30c4 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -286,45 +286,20 @@ client_senddone(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
isc_nmhandle_unref(handle);
}
-/*%
- * We only want to fail with ISC_R_NOSPACE when called from
- * ns_client_sendraw() and not when called from ns_client_send(),
- * tcpbuffer is NULL when called from ns_client_sendraw() and
- * length != 0. tcpbuffer != NULL when called from ns_client_send()
- * and length == 0.
- */
-
-static isc_result_t
+static void
client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
- isc_buffer_t *tcpbuffer, uint32_t length,
unsigned char **datap) {
unsigned char *data;
uint32_t bufsize;
- isc_result_t result;
REQUIRE(datap != NULL);
- REQUIRE((tcpbuffer == NULL && length != 0) ||
- (tcpbuffer != NULL && length == 0));
if (TCP_CLIENT(client)) {
INSIST(client->tcpbuf == NULL);
- if (length + 2 > NS_CLIENT_TCP_BUFFER_SIZE) {
- result = ISC_R_NOSPACE;
- goto done;
- }
client->tcpbuf = isc_mem_get(client->mctx,
NS_CLIENT_TCP_BUFFER_SIZE);
data = client->tcpbuf;
- if (tcpbuffer != NULL) {
- isc_buffer_init(tcpbuffer, data,
- NS_CLIENT_TCP_BUFFER_SIZE);
- isc_buffer_init(buffer, data,
- NS_CLIENT_TCP_BUFFER_SIZE);
- } else {
- isc_buffer_init(buffer, data,
- NS_CLIENT_TCP_BUFFER_SIZE);
- INSIST(length <= 0xffff);
- }
+ isc_buffer_init(buffer, data, NS_CLIENT_TCP_BUFFER_SIZE);
} else {
data = client->sendbuf;
if ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) == 0) {
@@ -342,17 +317,9 @@ client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
if (bufsize > NS_CLIENT_SEND_BUFFER_SIZE) {
bufsize = NS_CLIENT_SEND_BUFFER_SIZE;
}
- if (length > bufsize) {
- result = ISC_R_NOSPACE;
- goto done;
- }
isc_buffer_init(buffer, data, bufsize);
}
*datap = data;
- result = ISC_R_SUCCESS;
-
-done:
- return (result);
}
static isc_result_t
@@ -384,8 +351,10 @@ ns_client_sendraw(ns_client_t *client, dns_message_t *message) {
goto done;
}
- result = client_allocsendbuf(client, &buffer, NULL, mr->length, &data);
- if (result != ISC_R_SUCCESS) {
+ client_allocsendbuf(client, &buffer, &data);
+
+ if (mr->length > isc_buffer_length(&buffer)) {
+ result = ISC_R_NOSPACE;
goto done;
}
@@ -421,7 +390,6 @@ ns_client_send(ns_client_t *client) {
isc_result_t result;
unsigned char *data;
isc_buffer_t buffer = { .magic = 0 };
- isc_buffer_t tcpbuffer = { .magic = 0 };
isc_region_t r;
dns_compress_t cctx;
bool cleanup_cctx = false;
@@ -490,13 +458,7 @@ ns_client_send(ns_client_t *client) {
}
}
- /*
- * XXXRTH The following doesn't deal with TCP buffer resizing.
- */
- result = client_allocsendbuf(client, &buffer, &tcpbuffer, 0, &data);
- if (result != ISC_R_SUCCESS) {
- goto done;
- }
+ client_allocsendbuf(client, &buffer, &data);
result = dns_compress_init(&cctx, -1, client->mctx);
if (result != ISC_R_SUCCESS) {
@@ -618,7 +580,6 @@ renderend:
client->sendcb(&buffer);
} else if (TCP_CLIENT(client)) {
isc_buffer_usedregion(&buffer, &r);
- isc_buffer_add(&tcpbuffer, r.length);
#ifdef HAVE_DNSTAP
if (client->view != NULL) {
dns_dt_send(client->view, dtmsgtype, &client->peeraddr,
@@ -627,11 +588,10 @@ renderend:
}
#endif /* HAVE_DNSTAP */
- /* don't count the 2-octet length header */
- respsize = isc_buffer_usedlength(&tcpbuffer) - 2;
+ respsize = isc_buffer_usedlength(&buffer);
isc_nmhandle_ref(client->handle);
- result = client_sendpkg(client, &tcpbuffer);
+ result = client_sendpkg(client, &buffer);
if (result != ISC_R_SUCCESS) {
/* We won't get a callback to clean it up */
isc_nmhandle_unref(client->handle);
diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h
index 61612a32ea..74c435b0c6 100644
--- a/lib/ns/include/ns/client.h
+++ b/lib/ns/include/ns/client.h
@@ -81,7 +81,7 @@
*** Types
***/
-#define NS_CLIENT_TCP_BUFFER_SIZE (65535 + 2)
+#define NS_CLIENT_TCP_BUFFER_SIZE 65535
#define NS_CLIENT_SEND_BUFFER_SIZE 4096
/*!
diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
index a92783cf1b..717d142ce2 100644
--- a/lib/ns/xfrout.c
+++ b/lib/ns/xfrout.c
@@ -648,14 +648,13 @@ typedef struct {
dns_db_t *db;
dns_dbversion_t *ver;
isc_quota_t *quota;
- rrstream_t *stream; /* The XFR RR stream */
- bool question_added; /* QUESTION section sent? */
- bool end_of_stream; /* EOS has been reached */
- isc_buffer_t buf; /* Buffer for message owner
- * names and rdatas */
- isc_buffer_t txlenbuf; /* Transmit length buffer */
- isc_buffer_t txbuf; /* Transmit message buffer */
- size_t cbytes; /* Length of current message */
+ rrstream_t *stream; /* The XFR RR stream */
+ bool question_added; /* QUESTION section sent? */
+ bool end_of_stream; /* EOS has been reached */
+ isc_buffer_t buf; /* Buffer for message owner
+ * names and rdatas */
+ isc_buffer_t txbuf; /* Transmit message buffer */
+ size_t cbytes; /* Length of current message */
void *txmem;
unsigned int txmemlen;
dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
@@ -1231,12 +1230,11 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
/*
* Allocate another temporary buffer for the compressed
- * response message and its TCP length prefix.
+ * response message.
*/
- len = 2 + 65535;
+ len = NS_CLIENT_TCP_BUFFER_SIZE;
mem = isc_mem_get(mctx, len);
- isc_buffer_init(&xfr->txlenbuf, mem, 2);
- isc_buffer_init(&xfr->txbuf, (char *)mem + 2, len - 2);
+ isc_buffer_init(&xfr->txbuf, (char *)mem, len);
xfr->txmem = mem;
xfr->txmemlen = len;
@@ -1286,7 +1284,6 @@ sendstream(xfrout_ctx_t *xfr) {
int n_rrs;
isc_buffer_clear(&xfr->buf);
- isc_buffer_clear(&xfr->txlenbuf);
isc_buffer_clear(&xfr->txbuf);
is_tcp = ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0);


@ -1,530 +0,0 @@
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index d6d0e87a80..6d8f4e0d63 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1857,8 +1857,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
* Caller must be holding the node lock.
*/
static inline void
-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
- INSIST(!ISC_LINK_LINKED(node, deadlink));
+new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ isc_rwlocktype_t locktype) {
+ if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink))
+ {
+ ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node,
+ deadlink);
+ }
if (isc_refcount_increment0(&node->references) == 0) {
/* this is the first reference to the node */
isc_refcount_increment0(
@@ -1876,13 +1881,14 @@ is_leaf(dns_rbtnode_t *node) {
}
static inline void
-send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ isc_rwlocktype_t locktype) {
isc_event_t *ev;
dns_db_t *db;
ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
prune_tree, node, sizeof(isc_event_t));
- new_reference(rbtdb, node);
+ new_reference(rbtdb, node, locktype);
db = NULL;
attach((dns_db_t *)rbtdb, &db);
ev->ev_sender = db;
@@ -1918,7 +1924,7 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
node->data == NULL);
if (is_leaf(node) && rbtdb->task != NULL) {
- send_to_prune_tree(rbtdb, node);
+ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
} else if (node->down == NULL && node->data == NULL) {
/*
* Not a interior node and not needing to be
@@ -1986,7 +1992,7 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
}
}
- new_reference(rbtdb, node);
+ new_reference(rbtdb, node, locktype);
NODE_UNLOCK(nodelock, locktype);
}
@@ -2121,15 +2127,17 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
* periodic walk-through).
*/
if (!pruning && is_leaf(node) && rbtdb->task != NULL) {
- send_to_prune_tree(rbtdb, node);
+ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
no_reference = false;
} else {
delete_node(rbtdb, node);
}
} else {
INSIST(node->data == NULL);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
- ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
+ if (!ISC_LINK_LINKED(node, deadlink)) {
+ ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
+ deadlink);
+ }
}
restore_locks:
@@ -2199,16 +2207,13 @@ prune_tree(isc_task_t *task, isc_event_t *event) {
/*
* We need to gain a reference to the node before
- * decrementing it in the next iteration. In addition,
- * if the node is in the dead-nodes list, extract it
- * from the list beforehand as we do in
- * reactivate_node().
+ * decrementing it in the next iteration.
*/
if (ISC_LINK_LINKED(parent, deadlink)) {
ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
parent, deadlink);
}
- new_reference(rbtdb, parent);
+ new_reference(rbtdb, parent, isc_rwlocktype_write);
} else {
parent = NULL;
}
@@ -2975,7 +2980,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
* We increment the reference count on node to ensure that
* search->zonecut_rdataset will still be valid later.
*/
- new_reference(search->rbtdb, node);
+ new_reference(search->rbtdb, node, isc_rwlocktype_read);
search->zonecut = node;
search->zonecut_rdataset = found;
search->need_cleanup = true;
@@ -3027,7 +3032,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
static inline void
bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header,
- isc_stdtime_t now, dns_rdataset_t *rdataset) {
+ isc_stdtime_t now, isc_rwlocktype_t locktype,
+ dns_rdataset_t *rdataset) {
unsigned char *raw; /* RDATASLAB */
/*
@@ -3042,7 +3048,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header,
return;
}
- new_reference(rbtdb, node);
+ new_reference(rbtdb, node, locktype);
INSIST(rdataset->methods == NULL); /* We must be disassociated. */
@@ -3147,12 +3153,12 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
isc_rwlocktype_read);
bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
- search->now, rdataset);
+ search->now, isc_rwlocktype_read, rdataset);
if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
{
bind_rdataset(search->rbtdb, node,
search->zonecut_sigrdataset, search->now,
- sigrdataset);
+ isc_rwlocktype_read, sigrdataset);
}
NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
isc_rwlocktype_read);
@@ -3817,18 +3823,21 @@ again:
foundname, NULL);
if (result == ISC_R_SUCCESS) {
if (nodep != NULL) {
- new_reference(search->rbtdb,
- node);
+ new_reference(
+ search->rbtdb, node,
+ isc_rwlocktype_read);
*nodep = node;
}
bind_rdataset(search->rbtdb, node,
found, search->now,
+ isc_rwlocktype_read,
rdataset);
if (foundsig != NULL) {
- bind_rdataset(search->rbtdb,
- node, foundsig,
- search->now,
- sigrdataset);
+ bind_rdataset(
+ search->rbtdb, node,
+ foundsig, search->now,
+ isc_rwlocktype_read,
+ sigrdataset);
}
}
} else if (found == NULL && foundsig == NULL) {
@@ -4107,7 +4116,8 @@ found:
* ensure that search->zonecut_rdataset will
* still be valid later.
*/
- new_reference(search.rbtdb, node);
+ new_reference(search.rbtdb, node,
+ isc_rwlocktype_read);
search.zonecut = node;
search.zonecut_rdataset = header;
search.zonecut_sigrdataset = NULL;
@@ -4285,7 +4295,7 @@ found:
goto node_exit;
}
if (nodep != NULL) {
- new_reference(search.rbtdb, node);
+ new_reference(search.rbtdb, node, isc_rwlocktype_read);
*nodep = node;
}
if ((search.rbtversion->secure == dns_db_secure &&
@@ -4293,10 +4303,10 @@ found:
(search.options & DNS_DBFIND_FORCENSEC) != 0)
{
bind_rdataset(search.rbtdb, node, nsecheader, 0,
- rdataset);
+ isc_rwlocktype_read, rdataset);
if (nsecsig != NULL) {
bind_rdataset(search.rbtdb, node, nsecsig, 0,
- sigrdataset);
+ isc_rwlocktype_read, sigrdataset);
}
}
if (wild) {
@@ -4369,7 +4379,7 @@ found:
if (nodep != NULL) {
if (!at_zonecut) {
- new_reference(search.rbtdb, node);
+ new_reference(search.rbtdb, node, isc_rwlocktype_read);
} else {
search.need_cleanup = false;
}
@@ -4377,10 +4387,11 @@ found:
}
if (type != dns_rdatatype_any) {
- bind_rdataset(search.rbtdb, node, found, 0, rdataset);
+ bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read,
+ rdataset);
if (foundsig != NULL) {
bind_rdataset(search.rbtdb, node, foundsig, 0,
- sigrdataset);
+ isc_rwlocktype_read, sigrdataset);
}
}
@@ -4563,8 +4574,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
* We increment the reference count on node to ensure that
* search->zonecut_rdataset will still be valid later.
*/
- new_reference(search->rbtdb, node);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
+ new_reference(search->rbtdb, node, locktype);
search->zonecut = node;
search->zonecut_rdataset = dname_header;
search->zonecut_sigrdataset = sigdname_header;
@@ -4672,14 +4682,15 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
}
result = DNS_R_DELEGATION;
if (nodep != NULL) {
- new_reference(search->rbtdb, node);
+ new_reference(search->rbtdb, node, locktype);
*nodep = node;
}
bind_rdataset(search->rbtdb, node, found, search->now,
- rdataset);
+ locktype, rdataset);
if (foundsig != NULL) {
bind_rdataset(search->rbtdb, node, foundsig,
- search->now, sigrdataset);
+ search->now, locktype,
+ sigrdataset);
}
if (need_headerupdate(found, search->now) ||
(foundsig != NULL &&
@@ -4788,13 +4799,13 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
if (result != ISC_R_SUCCESS) {
goto unlock_node;
}
- bind_rdataset(search->rbtdb, node, found, now,
+ bind_rdataset(search->rbtdb, node, found, now, locktype,
rdataset);
if (foundsig != NULL) {
bind_rdataset(search->rbtdb, node, foundsig,
- now, sigrdataset);
+ now, locktype, sigrdataset);
}
- new_reference(search->rbtdb, node);
+ new_reference(search->rbtdb, node, locktype);
*nodep = node;
result = DNS_R_COVERINGNSEC;
} else if (!empty_node) {
@@ -5019,18 +5030,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 &&
nsecheader != NULL) {
if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
+ new_reference(search.rbtdb, node, locktype);
*nodep = node;
}
bind_rdataset(search.rbtdb, node, nsecheader,
- search.now, rdataset);
+ search.now, locktype, rdataset);
if (need_headerupdate(nsecheader, search.now)) {
update = nsecheader;
}
if (nsecsig != NULL) {
bind_rdataset(search.rbtdb, node, nsecsig,
- search.now, sigrdataset);
+ search.now, locktype,
+ sigrdataset);
if (need_headerupdate(nsecsig, search.now)) {
updatesig = nsecsig;
}
@@ -5045,18 +5056,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
*/
if (nsheader != NULL) {
if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
+ new_reference(search.rbtdb, node, locktype);
*nodep = node;
}
bind_rdataset(search.rbtdb, node, nsheader, search.now,
- rdataset);
+ locktype, rdataset);
if (need_headerupdate(nsheader, search.now)) {
update = nsheader;
}
if (nssig != NULL) {
bind_rdataset(search.rbtdb, node, nssig,
- search.now, sigrdataset);
+ search.now, locktype,
+ sigrdataset);
if (need_headerupdate(nssig, search.now)) {
updatesig = nssig;
}
@@ -5077,8 +5088,7 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
*/
if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
+ new_reference(search.rbtdb, node, locktype);
*nodep = node;
}
@@ -5110,13 +5120,14 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
result == DNS_R_NCACHENXRRSET)
{
- bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
+ bind_rdataset(search.rbtdb, node, found, search.now, locktype,
+ rdataset);
if (need_headerupdate(found, search.now)) {
update = found;
}
if (!NEGATIVE(found) && foundsig != NULL) {
bind_rdataset(search.rbtdb, node, foundsig, search.now,
- sigrdataset);
+ locktype, sigrdataset);
if (need_headerupdate(foundsig, search.now)) {
updatesig = foundsig;
}
@@ -5275,15 +5286,15 @@ cache_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options,
}
if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
+ new_reference(search.rbtdb, node, locktype);
*nodep = node;
}
- bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
+ bind_rdataset(search.rbtdb, node, found, search.now, locktype,
+ rdataset);
if (foundsig != NULL) {
bind_rdataset(search.rbtdb, node, foundsig, search.now,
- sigrdataset);
+ locktype, sigrdataset);
}
if (need_headerupdate(found, search.now) ||
@@ -5646,10 +5657,11 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
}
if (found != NULL) {
- bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+ bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read,
+ rdataset);
if (foundsig != NULL) {
bind_rdataset(rbtdb, rbtnode, foundsig, now,
- sigrdataset);
+ isc_rwlocktype_read, sigrdataset);
}
}
@@ -5740,9 +5752,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
}
if (found != NULL) {
- bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+ bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset);
if (!NEGATIVE(found) && foundsig != NULL) {
- bind_rdataset(rbtdb, rbtnode, foundsig, now,
+ bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype,
sigrdataset);
}
}
@@ -5910,6 +5922,9 @@ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
return (result);
}
+/*
+ * node write lock must be held.
+ */
static void
resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
rdatasetheader_t *header) {
@@ -5921,7 +5936,8 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
header->heap_index);
header->heap_index = 0;
if (version != NULL) {
- new_reference(rbtdb, header->node);
+ new_reference(rbtdb, header->node,
+ isc_rwlocktype_write);
ISC_LIST_APPEND(version->resigned_list, header, link);
}
}
@@ -5952,6 +5968,9 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
+/*
+ * write lock on rbtnode must be held.
+ */
static isc_result_t
add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
rdatasetheader_t *newheader, unsigned int options, bool loading,
@@ -6080,9 +6099,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
if (addedrdataset != NULL) {
- bind_rdataset(rbtdb, rbtnode,
- topheader, now,
- addedrdataset);
+ bind_rdataset(
+ rbtdb, rbtnode,
+ topheader, now,
+ isc_rwlocktype_write,
+ addedrdataset);
}
return (DNS_R_UNCHANGED);
}
@@ -6142,6 +6163,7 @@ find_header:
free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
if (addedrdataset != NULL) {
bind_rdataset(rbtdb, rbtnode, header, now,
+ isc_rwlocktype_write,
addedrdataset);
}
return (DNS_R_UNCHANGED);
@@ -6253,6 +6275,7 @@ find_header:
free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
if (addedrdataset != NULL) {
bind_rdataset(rbtdb, rbtnode, header, now,
+ isc_rwlocktype_write,
addedrdataset);
}
return (ISC_R_SUCCESS);
@@ -6302,6 +6325,7 @@ find_header:
free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
if (addedrdataset != NULL) {
bind_rdataset(rbtdb, rbtnode, header, now,
+ isc_rwlocktype_write,
addedrdataset);
}
return (ISC_R_SUCCESS);
@@ -6499,7 +6523,8 @@ find_header:
}
if (addedrdataset != NULL) {
- bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
+ bind_rdataset(rbtdb, rbtnode, newheader, now,
+ isc_rwlocktype_write, addedrdataset);
}
return (ISC_R_SUCCESS);
@@ -7042,13 +7067,15 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
if (result == ISC_R_SUCCESS && newrdataset != NULL) {
- bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
+ bind_rdataset(rbtdb, rbtnode, newheader, 0,
+ isc_rwlocktype_write, newrdataset);
}
if (result == DNS_R_NXRRSET && newrdataset != NULL &&
(options & DNS_DBSUB_WANTOLD) != 0)
{
- bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset);
+ bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write,
+ newrdataset);
}
unlock:
@@ -7935,8 +7962,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
/* Note that the access to origin_node doesn't require a DB lock */
onode = (dns_rbtnode_t *)rbtdb->origin_node;
if (onode != NULL) {
- new_reference(rbtdb, onode);
-
+ new_reference(rbtdb, onode, isc_rwlocktype_none);
*nodep = rbtdb->origin_node;
} else {
INSIST(IS_CACHE(rbtdb));
@@ -8129,7 +8155,8 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) {
* Found something; pass back the answer and unlock
* the bucket.
*/
- bind_rdataset(rbtdb, header->node, header, 0, rdataset);
+ bind_rdataset(rbtdb, header->node, header, 0,
+ isc_rwlocktype_read, rdataset);
if (foundname != NULL) {
dns_rbt_fullnamefromnode(header->node, foundname);
@@ -9136,7 +9163,7 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
isc_rwlocktype_read);
bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
- rdataset);
+ isc_rwlocktype_read, rdataset);
NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
isc_rwlocktype_read);
@@ -9591,7 +9618,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
result = ISC_R_SUCCESS;
}
- new_reference(rbtdb, node);
+ new_reference(rbtdb, node, isc_rwlocktype_none);
*nodep = rbtdbiter->node;
@@ -10504,7 +10531,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
* We first need to gain a new reference to the node to meet a
* requirement of decrement_reference().
*/
- new_reference(rbtdb, header->node);
+ new_reference(rbtdb, header->node, isc_rwlocktype_write);
decrement_reference(rbtdb, header->node, 0,
isc_rwlocktype_write,
tree_locked ? isc_rwlocktype_write


@ -1,148 +0,0 @@
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index cb3da7fc71..a0c3ce1b4b 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -560,16 +560,6 @@ isc__nm_enqueue_ievent(isc__networker_t *worker, isc__netievent_t *event);
* way to use an isc__networker_t from another thread.)
*/
-void
-isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf);
-/*%<
- * Allocator for recv operations.
- *
- * Note that as currently implemented, this doesn't actually
- * allocate anything, it just assigns the the isc__networker's UDP
- * receive buffer to a socket, and marks it as "in use".
- */
-
void
isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf);
/*%<
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 8ac42822c2..6606d076d3 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -976,23 +976,6 @@ isc__nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type,
sock->magic = NMSOCK_MAGIC;
}
-void
-isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) {
- isc_nmsocket_t *sock = uv_handle_get_data(handle);
- isc__networker_t *worker = NULL;
-
- REQUIRE(VALID_NMSOCK(sock));
- REQUIRE(isc__nm_in_netthread());
- REQUIRE(size <= ISC_NETMGR_RECVBUF_SIZE);
-
- worker = &sock->mgr->workers[sock->tid];
- INSIST(!worker->recvbuf_inuse);
-
- buf->base = worker->recvbuf;
- worker->recvbuf_inuse = true;
- buf->len = ISC_NETMGR_RECVBUF_SIZE;
-}
-
void
isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf) {
isc__networker_t *worker = NULL;
@@ -1005,7 +988,7 @@ isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf) {
worker = &sock->mgr->workers[sock->tid];
REQUIRE(worker->recvbuf_inuse);
- if (buf->base > worker->recvbuf &&
+ if (sock->type == isc_nm_udpsocket && buf->base > worker->recvbuf &&
buf->base <= worker->recvbuf + ISC_NETMGR_RECVBUF_SIZE)
{
/* Can happen in case of out-of-order recvmmsg in libuv1.36 */
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index c572777662..d34461950c 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -519,6 +519,30 @@ isc__nm_tcp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
return (ISC_R_SUCCESS);
}
+/*%<
+ * Allocator for TCP read operations. Limited to size 2^16.
+ *
+ * Note this doesn't actually allocate anything, it just assigns the
+ * worker's receive buffer to a socket, and marks it as "in use".
+ */
+static void
+tcp_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) {
+ isc_nmsocket_t *sock = uv_handle_get_data(handle);
+ isc__networker_t *worker = NULL;
+
+ REQUIRE(VALID_NMSOCK(sock));
+ REQUIRE(sock->type == isc_nm_tcpsocket);
+ REQUIRE(isc__nm_in_netthread());
+ REQUIRE(size <= 65536);
+
+ worker = &sock->mgr->workers[sock->tid];
+ INSIST(!worker->recvbuf_inuse);
+
+ buf->base = worker->recvbuf;
+ buf->len = size;
+ worker->recvbuf_inuse = true;
+}
+
void
isc__nm_async_tcp_startread(isc__networker_t *worker, isc__netievent_t *ev0) {
isc__netievent_startread_t *ievent = (isc__netievent_startread_t *)ev0;
@@ -536,7 +560,7 @@ isc__nm_async_tcp_startread(isc__networker_t *worker, isc__netievent_t *ev0) {
0);
}
- r = uv_read_start(&sock->uv_handle.stream, isc__nm_alloc_cb, read_cb);
+ r = uv_read_start(&sock->uv_handle.stream, tcp_alloc_cb, read_cb);
if (r != 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_RECVFAIL]);
}
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index 6e2d2098cf..c1e69027fb 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -132,6 +132,32 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_nmiface_t *iface, isc_nm_recv_cb_t cb,
return (ISC_R_SUCCESS);
}
+/*%<
+ * Allocator for UDP recv operations. Limited to size 20 * (2^16 + 2),
+ * which allows enough space for recvmmsg() to get multiple messages at
+ * a time.
+ *
+ * Note this doesn't actually allocate anything, it just assigns the
+ * worker's receive buffer to a socket, and marks it as "in use".
+ */
+static void
+udp_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) {
+ isc_nmsocket_t *sock = uv_handle_get_data(handle);
+ isc__networker_t *worker = NULL;
+
+ REQUIRE(VALID_NMSOCK(sock));
+ REQUIRE(sock->type == isc_nm_udpsocket);
+ REQUIRE(isc__nm_in_netthread());
+ REQUIRE(size <= ISC_NETMGR_RECVBUF_SIZE);
+
+ worker = &sock->mgr->workers[sock->tid];
+ INSIST(!worker->recvbuf_inuse);
+
+ buf->base = worker->recvbuf;
+ buf->len = ISC_NETMGR_RECVBUF_SIZE;
+ worker->recvbuf_inuse = true;
+}
+
/*
* handle 'udplisten' async call - start listening on a socket.
*/
@@ -178,7 +204,7 @@ isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
uv_send_buffer_size(&sock->uv_handle.handle,
&(int){ ISC_SEND_BUFFER_SIZE });
#endif
- uv_udp_recv_start(&sock->uv_handle.udp, isc__nm_alloc_cb, udp_recv_cb);
+ uv_udp_recv_start(&sock->uv_handle.udp, udp_alloc_cb, udp_recv_cb);
}
static void


@ -1,20 +0,0 @@
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7d443fd55b..3c0e3013aa 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4020,6 +4020,15 @@ fctx_nextaddress(fetchctx_t *fctx) {
addrinfo->flags |= FCTX_ADDRINFO_MARK;
fctx->find = NULL;
fctx->forwarding = true;
+
+ /*
+ * QNAME minimization is disabled when
+ * forwarding, and has to remain disabled if
+ * we switch back to normal recursion; otherwise
+ * forwarding could leave us in an inconsistent
+ * state.
+ */
+ fctx->minimized = false;
return (addrinfo);
}
}


@ -1,37 +0,0 @@
diff --git a/lib/dns/message.c b/lib/dns/message.c
index dd9dd23a12..97425c753b 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1709,6 +1709,16 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->header_ok = 0;
msg->question_ok = 0;
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+ isc_buffer_usedregion(&origsource, &msg->saved);
+ } else {
+ msg->saved.length = isc_buffer_usedlength(&origsource);
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
+ msg->saved.length);
+ msg->free_saved = 1;
+ }
+
isc_buffer_remainingregion(source, &r);
if (r.length < DNS_MESSAGE_HEADERLEN) {
return (ISC_R_UNEXPECTEDEND);
@@ -1793,15 +1803,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
}
truncated:
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
- isc_buffer_usedregion(&origsource, &msg->saved);
- } else {
- msg->saved.length = isc_buffer_usedlength(&origsource);
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
- memmove(msg->saved.base, isc_buffer_base(&origsource),
- msg->saved.length);
- msg->free_saved = 1;
- }
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
return (DNS_R_RECOVERABLE);


@ -1,14 +0,0 @@
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 41c1a598db..752c0d2770 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -252,7 +252,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
usezone = true;
}


@ -1,12 +0,0 @@
diff -urN bind-9.16.3-original/lib/dns/spnego.c bind-9.16.3/lib/dns/spnego.c
--- bind-9.16.3-original/lib/dns/spnego.c 2021-03-01 08:56:47.639826977 -0800
+++ bind-9.16.3/lib/dns/spnego.c 2021-03-01 08:58:57.223786168 -0800
@@ -842,7 +842,7 @@
return (ASN1_OVERRUN);
}
- data->components = malloc(len * sizeof(*data->components));
+ data->components = malloc((len + 1) * sizeof(*data->components));
if (data->components == NULL) {
return (ENOMEM);
}


@ -1,3 +1,24 @@
From 8f232dac49cbb143a30a5c807f9085f3ef251f0e Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Jan 2021 10:46:20 +0100
Subject: [PATCH] Enable custom pkcs11 native build
Share common parts like libisc, libcc and others. But provide native
pkcs11 libraries as a new copy of libdns and libns.
---
bin/Makefile.in | 2 +-
bin/confgen/Makefile.in | 2 +-
bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
bin/named-pkcs11/Makefile.in | 33 ++++++++++++++-------------
configure.ac | 19 ++++++++++++++++
lib/Makefile.in | 2 +-
lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
lib/dns-pkcs11/tests/Makefile.in | 8 +++----
lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
make/includes.in | 7 ++++++
11 files changed, 101 insertions(+), 71 deletions(-)
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 9ad7f62..094775a 100644
--- a/bin/Makefile.in
@ -12,7 +33,7 @@ index 9ad7f62..094775a 100644
TARGETS =
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index ef3e70c..1f5165a 100644
index c126bf3..1b7512d 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
@ -25,7 +46,7 @@ index ef3e70c..1f5165a 100644
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 05fdb55..433d4f4 100644
index ace0e5a..e0f6a00 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@ -40,11 +61,11 @@ index 05fdb55..433d4f4 100644
+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
@ -65,14 +86,14 @@ index 05fdb55..433d4f4 100644
- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-verify@EXEEXT@
+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
+ dnssec-verify${EXEEXT}
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
+ dnssec-verify${EXEEXT}
OBJS = dnssectool.@O@
@@ -64,19 +67,19 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
@BIND9_MAKE_RULES@
@ -96,26 +117,26 @@ index 05fdb55..433d4f4 100644
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -84,7 +87,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -92,19 +95,19 @@ dnssec-verify.@O@: dnssec-verify.c
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
@ -129,22 +150,8 @@ index 05fdb55..433d4f4 100644
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -115,14 +118,12 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean::
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f66bc9a..6d6c1c7 100644
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 98125dd..518a75f 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
@ -155,10 +162,10 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6
-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+# Skip building on PKCS11 variant
+DLZDRIVER_OBJS =
+DLZDRIVER_SRCS =
+DLZDRIVER_INCLUDES =
+# Skip building on PKCS11 variant
+DLZDRIVER_OBJS =
+DLZDRIVER_SRCS =
+DLZDRIVER_INCLUDES =
+DLZDRIVER_LIBS =
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@ -167,21 +174,21 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
${DBDRIVER_INCLUDES} \
@@ -53,24 +54,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${MAXMINDDB_CFLAGS} \
${ZLIB_CFLAGS}
@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LIBXML2_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @CONTRIB_DLZ@
+CDEFINES =
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-NSLIBS = ../../lib/ns/libns.@A@
+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
@ -197,7 +204,7 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
@@ -87,7 +88,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
@ -206,7 +213,7 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6
GEOIP2LINKOBJS = geoip.@O@
@@ -147,7 +148,7 @@ server.@O@: server.c
@@ -151,7 +152,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -215,30 +222,26 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -173,15 +174,15 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-install:: named@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
rm -f ${DESTDIR}${mandir}/man8/named.8
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/configure.ac b/configure.ac
index de6a248..e95ef36 100644
index da99e85..55680ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1196,12 +1196,14 @@ AC_SUBST(USE_GSSAPI)
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
@ -253,7 +256,7 @@ index de6a248..e95ef36 100644
#
# was --with-lmdb specified?
@@ -2296,6 +2298,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
AC_SUBST(BIND9_NS_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
@ -262,7 +265,7 @@ index de6a248..e95ef36 100644
if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -2304,6 +2308,8 @@ if test "X$srcdir" != "X"; then
@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
@ -271,7 +274,7 @@ index de6a248..e95ef36 100644
else
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
@@ -2312,6 +2318,8 @@ else
@@ -2343,6 +2349,8 @@ else
BIND9_NS_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE=""
@ -280,7 +283,7 @@ index de6a248..e95ef36 100644
fi
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -2771,8 +2779,11 @@ AC_CONFIG_FILES([
@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@ -292,7 +295,7 @@ index de6a248..e95ef36 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/plugins/Makefile
@@ -2843,6 +2854,10 @@ AC_CONFIG_FILES([
@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@ -303,7 +306,7 @@ index de6a248..e95ef36 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -2875,6 +2890,10 @@ AC_CONFIG_FILES([
@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
lib/ns/include/Makefile
lib/ns/include/ns/Makefile
lib/ns/tests/Makefile
@ -328,28 +331,29 @@ index ffa2d5a..6fbc192 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 0ef3b5f..80683c2 100644
index 58bda3c..d6a45df 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,14 +26,14 @@ VERSION=@BIND9_VERSION@
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
${ISC_INCLUDES} \
${FSTRM_CFLAGS} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
${JSON_C_CFLAGS} \
${LIBXML2_CFLAGS} \
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
${LMDB_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@
-CDEFINES = @USE_GSSAPI@
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
CWARNINGS =
@@ -139,15 +139,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
@@ -135,15 +135,15 @@ version.@O@: version.c
-DMAPAPI=\"${MAPAPI}\" \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
@ -362,13 +366,13 @@ index 0ef3b5f..80683c2 100644
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -178,22 +178,22 @@ gen: gen.c
@@ -174,22 +174,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
@ -397,61 +401,63 @@ index 0ef3b5f..80683c2 100644
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index fd8ebb9..9384a4f 100644
index 3bb5e01..c96fe7d 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -15,14 +15,14 @@ VERSION=@BIND9_VERSION@
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
ISCLIBS = ../../isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../libdns.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
index 97aaaf6..c7ffc7b 100644
index bc683ce..7a9d2f2 100644
--- a/lib/ns-pkcs11/Makefile.in
+++ b/lib/ns-pkcs11/Makefile.in
@@ -20,11 +20,11 @@ VERSION=@BIND9_VERSION@
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
${FSTRM_CFLAGS}
-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
CWARNINGS =
@@ -32,9 +32,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
LIBS = @LIBS@
@@ -66,28 +66,28 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
@@ -60,28 +60,28 @@ version.@O@: version.c
-DMAJOR=\"${MAJOR}\" \
-c ${srcdir}/version.c
-libns.@SA@: ${OBJS}
@ -464,9 +470,9 @@ index 97aaaf6..c7ffc7b 100644
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-timestamp: libns.@A@
+timestamp: libns-pkcs11.@A@
@ -488,27 +494,27 @@ index 97aaaf6..c7ffc7b 100644
- rm -f libns.@A@ timestamp
+ rm -f libns-pkcs11.@A@ timestamp
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
index 70c77a4..87955a7 100644
index 4c3e694..c1b6d99 100644
--- a/lib/ns-pkcs11/tests/Makefile.in
+++ b/lib/ns-pkcs11/tests/Makefile.in
@@ -21,17 +21,17 @@ WRAP_NAME = -Wl,-install_name,${top_builddir}/lib/ns/tests/$@
WRAP_RPATH = -Wl,-rpath,${top_builddir}/lib/ns/tests
WRAP_LIB = -L${top_builddir}/lib/ns/tests -lwrap
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} \
@CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
ISCLIBS = ../../isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS}
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../../dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../dns/libdns.@A@
-NSLIBS = ../libns.@A@
-NSDEPLIBS = ../libns.@A@
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
+NSLIBS = ../libns-pkcs11.@A@
+NSDEPLIBS = ../libns-pkcs11.@A@
@ -516,7 +522,7 @@ index 70c77a4..87955a7 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/make/includes.in b/make/includes.in
index 48cdaf7..7b17738 100644
index b8317d3..b73b0c4 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
@ -530,3 +536,5 @@ index 48cdaf7..7b17738 100644
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/ns-pkcs11/include
+
--
2.26.3


@ -29,9 +29,9 @@ diff --git a/configure.ac b/configure.ac
index fde41dc..e5cc3cd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -889,10 +889,14 @@ AS_CASE([$enable_native_pkcs11],
AC_SUBST([PKCS11_TEST])
@@ -935,10 +935,14 @@ AS_CASE([$enable_native_pkcs11],
AC_SUBST([PKCS11_TOOLS])
AC_SUBST([PKCS11_MANS])
+USE_PKCS11='-DUSE_PKCS11=0'
+USE_OPENSSL='-DUSE_OPENSSL=0'
@ -64,9 +64,9 @@ index 116e2d2..99bdf5b 100644
#if USE_PKCS11
#include <pk11/pk11.h>
#include <pk11/site.h>
@@ -98,11 +105,10 @@ struct dst_key {
@@ -113,11 +120,10 @@ struct dst_key {
void *generic;
gss_ctx_id_t gssctx;
dns_gss_ctx_id_t gssctx;
DH *dh;
-#if USE_OPENSSL
- EVP_PKEY *pkey;
@ -80,4 +80,3 @@ index 116e2d2..99bdf5b 100644
} keydata; /*%< pointer to key in crypto pkg fmt */
--
2.21.1


@ -1,6 +1,6 @@
{
"Signatures": {
"bind-9.16.3.tar.xz": "27ac6513de5f8d0db34b9f241da53baa15a14b2ad21338d0cde0826eaf564f7e",
"bind-9.16.15.tar.xz": "98b6f432d878a7bf8f57eb7b3c28be27278cf6b9989154bfe6c81104b38e7839",
"generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422",
"named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c",
"named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a",


@ -8,8 +8,8 @@
%{!?_export_dir:%global _export_dir /bind9-export/}
Summary: Domain Name System software
Name: bind
Version: 9.16.3
Release: 5%{?dist}
Version: 9.16.15
Release: 1%{?dist}
License: ISC
Vendor: Microsoft Corporation
Distribution: Mariner
@ -33,20 +33,16 @@ Source14: setup-named-softhsm.sh
Source15: named-chroot.files
# CVE-2019-6470 is fixed by updating the dhcp package to 4.4.1 or greater
Patch0: CVE-2019-6470.nopatch
Patch1: CVE-2020-8618.patch
Patch2: CVE-2020-8619.patch
Patch3: CVE-2020-8620.patch
Patch4: CVE-2020-8621.patch
Patch5: CVE-2020-8622.patch
# CVE-2020-8623 only impacts package built with "--enable-native-pkcs11"
Patch6: CVE-2020-8623.nopatch
Patch7: CVE-2020-8624.patch
Patch8: CVE-2020-8625.patch
Patch1: CVE-2020-8623.nopatch
Patch9: bind-9.14-config-pkcs11.patch
Patch10: bind-9.10-dist-native-pkcs11.patch
BuildRequires: gcc
BuildRequires: json-c-devel
BuildRequires: krb5-devel
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
Requires(postun):/usr/sbin/userdel /usr/sbin/groupdel
BuildRequires: openssl-devel
BuildRequires: libcap-devel
BuildRequires: libtool
BuildRequires: libuv-devel
@ -201,13 +197,6 @@ Summary: BIND utilities
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1 -b .config-pkcs11
cp -r bin/named{,-pkcs11}
@ -426,7 +415,7 @@ fi;
%dir /run/named
%files libs
%{_libdir}/*so.*
%{_libdir}/*-%{version}*.so
%exclude %{_libdir}/libdns-pkcs11*
%exclude %{_libdir}/libns-pkcs11*
@ -546,11 +535,16 @@ fi;
%{_tmpfilesdir}/named.conf
%changelog
* Tue Jul 27 2021 Jon Slobodzian <joslobo@microsoft.com> - 9.16.15-1
- Update version to 9.16.15 to fix CVE-2021-25215
- Remove unprovided soname version of libraries
- Include versioned library names in libs subpackage
* Fri May 14 2021 Thomas Crain <thcrain@microsoft.com> - 9.16.3-5
- Merge the following releases from 1.0 to dev branch
- nicolasg@microsoft.com, 9.16.3-3: Fixes CVE-2020-8625
* Thu May 13 2021 Henry Li <lihl@microsoft.com> - 9.16.3-4
* Thu May 13 2021 Henry Li <lihl@microsoft.com> - 9.16.3-4
- Fix file path error caused by linting
- Remove duplicate %files section for bind-license
- Remove named.conf from main package, which is already provided by bind-utils
@ -560,6 +554,9 @@ fi;
bind-pkcs11-utils, bind-pkcs11-devel, bind-dnssec-utils, bind-dnssec-doc,
bind-python3-bind and bind-chroot packages
* Mon Mar 01 2021 Nicolas Guibourge <nicolasg@microsoft.com> - 9.16.3-3
- Fixes CVE-2020-8625
* Fri Sep 11 2020 Ruying Chen <v-ruyche@microsoft.com> - 9.16.3-2
- Fixes CVE-2020-8618, CVE-2020-8619, CVE-2020-8620,
- CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
@ -567,7 +564,7 @@ fi;
* Wed May 27 2020 Daniel McIlvaney <damcilva@microsoft.com> - 9.16.3-1
- Update to version 9.16.3, fixes CVE-2018-5743, CVE-2018-5744, CVE-2019-6465, CVE-2019-6467, CVE-2019-6471, CVE-2020-8616, CVE-2020-8617
* Sat May 09 00:21:20 PST 2020 Nick Samson <nisamson@microsoft.com> - 9.13.3-4
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 9.13.3-4
- Added %%license line automatically
* Fri May 1 2020 Emre Girgin <mrgirgin@microsoft.com> 9.13.3-3
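Review bot: The comment that appears to stay above `Patch1: CVE-2020-8623.nopatch` still says the CVE only impacts builds made with `--enable-native-pkcs11`, yet this spec carries `bind-9.10-dist-native-pkcs11.patch`, copies `bin/named{,-pkcs11}` in %prep and excludes `libdns-pkcs11*` from the libs subpackage, which suggests a native-PKCS#11 build is produced. If the marker is justified because the 9.16.15 sources already contain the upstream fix, as seems to be assumed for the CVE-2020-8618 to CVE-2020-8625 patches dropped here, the comment should say that instead, for example `# CVE-2020-8623 is fixed in the upstream sources as of this version`. The new changelog entry names only CVE-2021-25215; a line such as `- Remove CVE patches that are included in the upstream release` would record why the patch list shrank.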


@ -1,12 +0,0 @@
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -755,7 +755,8 @@
/* A further sanity check. */
if (i_ehdrp->e_shnum != 0)
{
- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
+ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
{
/* PR 2257:
We used to just goto got_wrong_format_error here


@ -1,17 +0,0 @@
--- a/libiberty/simple-object-elf.c
+++ b/libiberty/simple-object-elf.c
@@ -548,6 +548,14 @@
XDELETE (eor);
return NULL;
}
+
+ if (!eor->shstrndx)
+ {
+ *errmsg = "invalid ELF shstrndx == 0";
+ *err = 0;
+ XDELETE (eor);
+ return NULL;
+ }
return (void *) eor;
}


@ -1,11 +0,0 @@
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -13213,7 +13213,7 @@
}
rloc = start + rp->r_offset;
- if ((rloc + reloc_size) > end || (rloc < start))
+ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
{
warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
(unsigned long) rp->r_offset,


@ -1,72 +0,0 @@
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2803,13 +2803,13 @@
}
static bfd_boolean
-find_abstract_instance (struct comp_unit * unit,
- bfd_byte * orig_info_ptr,
- struct attribute * attr_ptr,
- const char ** pname,
- bfd_boolean * is_linkage,
- char ** filename_ptr,
- int * linenumber_ptr)
+find_abstract_instance (struct comp_unit *unit,
+ struct attribute *attr_ptr,
+ unsigned int recur_count,
+ const char **pname,
+ bfd_boolean *is_linkage,
+ char **filename_ptr,
+ int *linenumber_ptr)
{
bfd *abfd = unit->abfd;
bfd_byte *info_ptr;
@@ -2820,6 +2820,14 @@
struct attribute attr;
const char *name = NULL;
+ if (recur_count == 100)
+ {
+ _bfd_error_handler
+ (_("DWARF error: abstract instance recursion detected"));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
/* DW_FORM_ref_addr can reference an entry in a different CU. It
is an offset from the .debug_info section, not the current CU. */
if (attr_ptr->form == DW_FORM_ref_addr)
@@ -2939,15 +2947,6 @@
info_ptr, info_ptr_end);
if (info_ptr == NULL)
break;
- /* It doesn't ever make sense for DW_AT_specification to
- refer to the same DIE. Stop simple recursion. */
- if (info_ptr == orig_info_ptr)
- {
- _bfd_error_handler
- (_("DWARF error: abstract instance recursion detected"));
- bfd_set_error (bfd_error_bad_value);
- return FALSE;
- }
switch (attr.name)
{
case DW_AT_name:
@@ -2961,7 +2960,7 @@
}
break;
case DW_AT_specification:
- if (!find_abstract_instance (unit, info_ptr, &attr,
+ if (!find_abstract_instance (unit, &attr, recur_count + 1,
&name, is_linkage,
filename_ptr, linenumber_ptr))
return FALSE;
@@ -3175,7 +3174,7 @@
case DW_AT_abstract_origin:
case DW_AT_specification:
- if (!find_abstract_instance (unit, info_ptr, &attr,
+ if (!find_abstract_instance (unit, &attr, 0,
&func->name,
&func->is_linkage,
&func->file,


@ -1,20 +0,0 @@
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4426,7 +4425,16 @@
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)


@ -1,110 +0,0 @@
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -861,7 +861,7 @@
int
cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len)
{
- if (p == NULL || s == NULL || len == 0)
+ if (p == NULL || s == NULL || len <= 0)
return 0;
p->d_printing = 0;
p->type = DEMANGLE_COMPONENT_NAME;
@@ -4055,7 +4055,7 @@
are larger than the actual numbers encountered. */
static void
-d_count_templates_scopes (int *num_templates, int *num_scopes,
+d_count_templates_scopes (struct d_print_info *dpi,
const struct demangle_component *dc)
{
if (dc == NULL)
@@ -4075,13 +4075,13 @@
break;
case DEMANGLE_COMPONENT_TEMPLATE:
- (*num_templates)++;
+ dpi->num_copy_templates++;
goto recurse_left_right;
case DEMANGLE_COMPONENT_REFERENCE:
case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
- (*num_scopes)++;
+ dpi->num_saved_scopes++;
goto recurse_left_right;
case DEMANGLE_COMPONENT_QUAL_NAME:
@@ -4146,42 +4146,42 @@
case DEMANGLE_COMPONENT_TAGGED_NAME:
case DEMANGLE_COMPONENT_CLONE:
recurse_left_right:
- d_count_templates_scopes (num_templates, num_scopes,
- d_left (dc));
- d_count_templates_scopes (num_templates, num_scopes,
- d_right (dc));
+ /* PR 89394 - Check for too much recursion. */
+ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
+ /* FIXME: There ought to be a way to report to the
+ user that the recursion limit has been reached. */
+ return;
+
+ ++ dpi->recursion;
+ d_count_templates_scopes (dpi, d_left (dc));
+ d_count_templates_scopes (dpi, d_right (dc));
+ -- dpi->recursion;
break;
case DEMANGLE_COMPONENT_CTOR:
- d_count_templates_scopes (num_templates, num_scopes,
- dc->u.s_ctor.name);
+ d_count_templates_scopes (dpi, dc->u.s_ctor.name);
break;
case DEMANGLE_COMPONENT_DTOR:
- d_count_templates_scopes (num_templates, num_scopes,
- dc->u.s_dtor.name);
+ d_count_templates_scopes (dpi, dc->u.s_dtor.name);
break;
case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
- d_count_templates_scopes (num_templates, num_scopes,
- dc->u.s_extended_operator.name);
+ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
break;
case DEMANGLE_COMPONENT_FIXED_TYPE:
- d_count_templates_scopes (num_templates, num_scopes,
- dc->u.s_fixed.length);
+ d_count_templates_scopes (dpi, dc->u.s_fixed.length);
break;
case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
- d_count_templates_scopes (num_templates, num_scopes,
- d_left (dc));
+ d_count_templates_scopes (dpi, d_left (dc));
break;
case DEMANGLE_COMPONENT_LAMBDA:
case DEMANGLE_COMPONENT_DEFAULT_ARG:
- d_count_templates_scopes (num_templates, num_scopes,
- dc->u.s_unary_num.sub);
+ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
break;
}
}
@@ -4216,8 +4216,12 @@
dpi->next_copy_template = 0;
dpi->num_copy_templates = 0;
- d_count_templates_scopes (&dpi->num_copy_templates,
- &dpi->num_saved_scopes, dc);
+ d_count_templates_scopes (dpi, dc);
+ /* If we did not reach the recursion limit, then reset the
+ current recursion value back to 0, so that we can print
+ the templates. */
+ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
+ dpi->recursion = 0;
dpi->num_copy_templates *= dpi->num_saved_scopes;
dpi->current_template = NULL;


@ -1,13 +0,0 @@
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3178,7 +3178,9 @@
static void
dump_bfd_private_header (bfd *abfd)
{
- bfd_print_private_bfd_data (abfd, stdout);
+ if (!bfd_print_private_bfd_data (abfd, stdout))
+ non_fatal (_("warning: private headers incomplete: %s"),
+ bfd_errmsg (bfd_get_error ()));
}
static void


@ -1,33 +0,0 @@
--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
@@ -541,7 +541,7 @@
/* virt_size might be zero for objects. */
if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
{
- stop = (datasize / onaline) * onaline;
+ stop = datasize;
virt_size_is_zero = TRUE;
}
else if (datasize < stop)
@@ -551,8 +551,8 @@
_("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
pdata_section->name, (unsigned long) datasize,
(unsigned long) stop);
- /* Be sure not to read passed datasize. */
- stop = datasize / onaline;
+ /* Be sure not to read past datasize. */
+ stop = datasize;
}
/* Display functions table. */
@@ -724,8 +724,7 @@
altent += imagebase;
if (altent >= pdata_vma
- && (altent + PDATA_ROW_SIZE <= pdata_vma
- + pei_section_data (abfd, pdata_section)->virt_size))
+ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
{
pex64_get_runtime_function
(abfd, &arf, &pdata[altent - pdata_vma]);


@ -1,89 +0,0 @@
Patch for CVE-2019-9075.
Adapted from upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8abac8031ed369a2734b1cdb7df28a39a54b4b49
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,13 @@
+2019-02-20 Alan Modra <amodra@gmail.com>
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+
2019-02-02 Nick Clifton <nickc@redhat.com>
2.32 Release
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
int *raw_armap, *rawptr;
struct artdata *ardata = bfd_ardata (abfd);
char *stringbase;
+ char *stringend;
bfd_size_type stringsize;
bfd_size_type parsed_size;
carsym *carsyms;
@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
}
/* OK, build the carsyms. */
- for (i = 0; i < nsymz && stringsize > 0; i++)
+ stringend = stringbase + stringsize;
+ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
{
- bfd_size_type len;
-
rawptr = raw_armap + i;
carsyms->file_offset = swap ((bfd_byte *) rawptr);
carsyms->name = stringbase;
- /* PR 17512: file: 4a1d50c1. */
- len = strnlen (stringbase, stringsize);
- if (len < stringsize)
- len ++;
- stringbase += len;
- stringsize -= len;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
carsyms++;
}
- *stringbase = 0;
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -100,8 +100,6 @@
return FALSE;
carsyms = ardata->symdefs;
stringbase = ((char *) ardata->symdefs) + carsym_size;
- stringbase[stringsize] = 0;
- stringend = stringbase + stringsize;
raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
if (raw_armap == NULL)
@@ -115,15 +113,17 @@
goto release_raw_armap;
}
+ stringend = stringbase + stringsize;
+ *stringend = 0;
for (i = 0; i < nsymz; i++)
{
carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
carsyms->name = stringbase;
- if (stringbase < stringend)
- stringbase += strlen (stringbase) + 1;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
++carsyms;
}
- *stringbase = '\0';
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);


@ -1,29 +0,0 @@
Patch for CVE-2019.9077.
Adapted from: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-02-20 Nick Clifton <nickc@redhat.com>
+
+ PR 24243
+ * readelf.c (process_mips_specific): Check for an options section
+ that is too small to even contain a single option.
+
2018-06-24 Nick Clifton <nickc@redhat.com>
2.32 branch created.
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16178,6 +16178,12 @@
error (_("No MIPS_OPTIONS header found\n"));
return FALSE;
}
+ /* PR 24243 */
+ if (sect->sh_size < sizeof (* eopt))
+ {
+ error (_("The MIPS options section is too small.\n"));
+ return FALSE;
+ }
eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
sect->sh_size, _("options"));


@ -1,30 +0,0 @@
From f2a3559d54602cecfec6d90f792be4a70ad918ab Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 3 Jan 2020 16:17:53 +0000
Subject: [PATCH] Fix potential illegal memory access when parsing a corrupt
PEF format file.
PR 25307
(bfd_pef_parse_function_stubs): Correct the test that ensures that
there is enough data remaining in the code buffer before
attempting to read a function stub.
---
bfd/pef.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/bfd/pef.c b/bfd/pef.c
index 726b8d7493..574d9bcb5d 100644
--- a/bfd/pef.c
+++ b/bfd/pef.c
@@ -806,7 +806,7 @@ bfd_pef_parse_function_stubs (bfd *abfd,
codepos += 4;
}
- if ((codepos + 4) > codelen)
+ if ((codepos + 24) > codelen)
break;
ret = bfd_pef_parse_function_stub (abfd, codebuf + codepos, 24, &sym_index);
--
2.25.1


@ -1,27 +0,0 @@
From 8c5e259235a4e4546910245b170de1e29a711034 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sun, 29 Dec 2019 12:56:29 +1030
Subject: [PATCH] Usage of unitialized heap in tic4x_print_cond
PR 25319
* tic4x-dis.c (tic4x_print_cond): Init all of condtable.
---
opcodes/tic4x-dis.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/opcodes/tic4x-dis.c b/opcodes/tic4x-dis.c
index d9f95c9410..01cfa1e060 100644
--- a/opcodes/tic4x-dis.c
+++ b/opcodes/tic4x-dis.c
@@ -277,7 +277,7 @@ tic4x_print_cond (struct disassemble_info *info, unsigned int cond)
if (condtable == NULL)
{
- condtable = xmalloc (sizeof (tic4x_cond_t *) * 32);
+ condtable = xcalloc (sizeof (tic4x_cond_t *), 32);
for (i = 0; i < tic4x_num_conds; i++)
condtable[tic4x_conds[i].cond] = (tic4x_cond_t *)(tic4x_conds + i);
}
--
2.25.1


@ -1,27 +0,0 @@
From 2c5b6e1a1c406cbe06e2d6f77861764ebd01b9ce Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Mon, 30 Dec 2019 09:19:25 +1030
Subject: [PATCH] Re: Usage of unitialized heap in tic4x_print_cond
PR 25319
* tic4x-dis.c (tic4x_print_cond): Correct order of xcalloc args.
---
opcodes/tic4x-dis.c | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/opcodes/tic4x-dis.c b/opcodes/tic4x-dis.c
index 01cfa1e060..e058fdc9f8 100644
--- a/opcodes/tic4x-dis.c
+++ b/opcodes/tic4x-dis.c
@@ -277,7 +277,7 @@ tic4x_print_cond (struct disassemble_info *info, unsigned int cond)
if (condtable == NULL)
{
- condtable = xcalloc (sizeof (tic4x_cond_t *), 32);
+ condtable = xcalloc (32, sizeof (tic4x_cond_t *));
for (i = 0; i < tic4x_num_conds; i++)
condtable[tic4x_conds[i].cond] = (tic4x_cond_t *)(tic4x_conds + i);
}
--
2.25.1


@ -1,203 +0,0 @@
From 7a0fb7be96e0ce79e1ae429bc1ba913e5244d537 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 3 Jan 2020 14:41:02 +0000
Subject: [PATCH] Fix potential illegal memory access failures in the BFD
library by ensuring that the return value from bfd_malloc() is checked before
it is used.
PR 25308
* elf-properties.c (_bfd_elf_convert_gnu_properties): Check the
return value from bfd_malloc.
* elf32-arm.c (bfd_elf32_arm_vfp11_fix_veneer_locations): Likewise.
(bfd_elf32_arm_stm32l4xx_fix_veneer_locations): Likewise.
(elf32_arm_filter_cmse_symbols): Likewise.
(elf32_arm_write_section): Likewise.
* mach-o.c (bfd_mach_o_core_fetch_environment): Likewise.
(bfd_mach_o_follow_dsym): Likewise.
* pef.c (bfd_pef_print_loader_section): Likewise.
(bfd_pef_scan_start_address): Likewise.
(bfd_pef_parse_function_stubs): Likewise.
(bfd_pef_parse_symbols): Likewise.
---
bfd/elf-properties.c | 2 ++
bfd/elf32-arm.c | 11 ++++++-----
bfd/mach-o.c | 7 +++++++
bfd/pef.c | 11 +++++++++++
4 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c
index a42abc44dd..76ddad6037 100644
--- a/bfd/elf-properties.c
+++ b/bfd/elf-properties.c
@@ -703,6 +703,8 @@ _bfd_elf_convert_gnu_properties (bfd *ibfd, asection *isec,
if (size > bfd_get_section_size (isec))
{
contents = (bfd_byte *) bfd_malloc (size);
+ if (contents == NULL)
+ return FALSE;
free (*ptr);
*ptr = contents;
}
diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c
index ae8a269426..2bf355a331 100644
--- a/bfd/elf32-arm.c
+++ b/bfd/elf32-arm.c
@@ -7148,7 +7148,6 @@ find_arm_glue (struct bfd_link_info *link_info,
tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name)
+ strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1);
-
BFD_ASSERT (tmp_name);
sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name);
@@ -7323,7 +7322,6 @@ record_arm_to_thumb_glue (struct bfd_link_info * link_info,
tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name)
+ strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1);
-
BFD_ASSERT (tmp_name);
sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name);
@@ -7401,7 +7399,6 @@ record_arm_bx_glue (struct bfd_link_info * link_info, int reg)
/* Add symbol for veneer. */
tmp_name = (char *)
bfd_malloc ((bfd_size_type) strlen (ARM_BX_GLUE_ENTRY_NAME) + 1);
-
BFD_ASSERT (tmp_name);
sprintf (tmp_name, ARM_BX_GLUE_ENTRY_NAME, reg);
@@ -7493,7 +7490,6 @@ record_vfp11_erratum_veneer (struct bfd_link_info *link_info,
tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
(VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10);
-
BFD_ASSERT (tmp_name);
sprintf (tmp_name, VFP11_ERRATUM_VENEER_ENTRY_NAME,
@@ -7613,7 +7609,6 @@ record_stm32l4xx_erratum_veneer (struct bfd_link_info *link_info,
tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
(STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10);
-
BFD_ASSERT (tmp_name);
sprintf (tmp_name, STM32L4XX_ERRATUM_VENEER_ENTRY_NAME,
@@ -8644,6 +8639,7 @@ bfd_elf32_arm_vfp11_fix_veneer_locations (bfd *abfd,
tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
(VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10);
+ BFD_ASSERT (tmp_name);
for (sec = abfd->sections; sec != NULL; sec = sec->next)
{
@@ -8731,6 +8727,7 @@ bfd_elf32_arm_stm32l4xx_fix_veneer_locations (bfd *abfd,
tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
(STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10);
+ BFD_ASSERT (tmp_name);
for (sec = abfd->sections; sec != NULL; sec = sec->next)
{
@@ -18505,6 +18502,8 @@ elf32_arm_filter_cmse_symbols (bfd *abfd ATTRIBUTE_UNUSED,
maxnamelen = 128;
cmse_name = (char *) bfd_malloc (maxnamelen);
+ BFD_ASSERT (cmse_name);
+
for (src_count = 0; src_count < symcount; src_count++)
{
struct elf32_arm_link_hash_entry *cmse_hash;
@@ -19700,6 +19699,8 @@ elf32_arm_write_section (bfd *output_bfd,
unsigned int in_index, out_index;
bfd_vma add_to_offsets = 0;
+ if (edited_contents == NULL)
+ return FALSE;
for (in_index = 0, out_index = 0; in_index * 8 < input_size || edit_node;)
{
if (edit_node)
diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index b494a77690..3b6fbb5788 100644
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -5752,6 +5752,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd,
unsigned char *buf = bfd_malloc (1024);
unsigned long size = 1024;
+ if (buf == NULL)
+ return -1;
for (;;)
{
bfd_size_type nread = 0;
@@ -5797,6 +5799,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd,
bottom = seg->fileoff + seg->filesize - offset;
top = seg->fileoff + seg->filesize - 4;
*rbuf = bfd_malloc (top - bottom);
+ if (*rbuf == NULL)
+ return -1;
*rlen = top - bottom;
memcpy (*rbuf, buf + size - *rlen, *rlen);
@@ -5941,6 +5945,9 @@ bfd_mach_o_follow_dsym (bfd *abfd)
dsym_filename = (char *)bfd_malloc (strlen (base_bfd->filename)
+ strlen (dsym_subdir) + 1
+ strlen (base_basename) + 1);
+ if (dsym_filename == NULL)
+ return NULL;
+
sprintf (dsym_filename, "%s%s/%s",
base_bfd->filename, dsym_subdir, base_basename);
diff --git a/bfd/pef.c b/bfd/pef.c
index d88fed7138..726b8d7493 100644
--- a/bfd/pef.c
+++ b/bfd/pef.c
@@ -447,6 +447,8 @@ bfd_pef_print_loader_section (bfd *abfd, FILE *file)
loaderlen = loadersec->size;
loaderbuf = bfd_malloc (loaderlen);
+ if (loaderbuf == NULL)
+ return -1;
if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0
|| bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen
@@ -478,6 +480,9 @@ bfd_pef_scan_start_address (bfd *abfd)
loaderlen = loadersec->size;
loaderbuf = bfd_malloc (loaderlen);
+ if (loaderbuf == NULL)
+ goto end;
+
if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0)
goto error;
if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen)
@@ -753,6 +758,8 @@ bfd_pef_parse_function_stubs (bfd *abfd,
(header.imported_library_count * sizeof (bfd_pef_imported_library));
imports = bfd_malloc
(header.total_imported_symbol_count * sizeof (bfd_pef_imported_symbol));
+ if (libraries == NULL || imports == NULL)
+ goto error;
if (loaderlen < (56 + (header.imported_library_count * 24)))
goto error;
@@ -897,6 +904,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym)
{
codelen = codesec->size;
codebuf = bfd_malloc (codelen);
+ if (codebuf == NULL)
+ goto end;
if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0)
goto end;
if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen)
@@ -908,6 +917,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym)
{
loaderlen = loadersec->size;
loaderbuf = bfd_malloc (loaderlen);
+ if (loaderbuf == NULL)
+ goto end;
if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0)
goto end;
if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen)
--
2.25.1


@ -1,5 +1,5 @@
{
"Signatures": {
"binutils-2.32.tar.xz": "0ab6c55dd86a92ed561972ba15b9b70a8b9f75557f896446c82e8b36e473ee04"
"binutils-2.36.1.tar.xz": "e81d9edf373f193af428a0f256674aea62a9d74dfe93f65192d4eae030b0f3b0"
}
}


@ -1,36 +1,13 @@
Summary: Contains a linker, an assembler, and other tools
Name: binutils
Version: 2.32
Release: 5%{?dist}
Version: 2.36.1
Release: 1%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Base
URL: https://www.gnu.org/software/binutils
Source0: https://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz
Patch0: CVE-2019-9070.nopatch
Patch1: CVE-2019-9075.patch
Patch2: CVE-2019-9077.patch
Patch3: CVE-2019-12972.patch
Patch4: CVE-2019-14250.patch
Patch5: CVE-2019-14444.patch
Patch6: CVE-2019-9071.patch
# Binutils commmunity does not consider this a bug
Patch7: CVE-2019-9072.nopatch
Patch8: CVE-2019-9073.patch
Patch9: CVE-2019-9074.patch
# Binutils community does not consider this a bug
Patch10: CVE-2019-9076.nopatch
Patch11: CVE-2019-17450.patch
Patch12: CVE-2019-17451.patch
Patch13: CVE-2020-35493.patch
Patch14: CVE-2020-35494-helper.patch
Patch15: CVE-2020-35494.patch
Patch16: CVE-2020-35495.patch
# Fix is included in CVE-2020-35495.patch.
Patch17: CVE-2020-35496.nopatch
# Fix is included in CVE-2020-35495.patch.
Patch18: CVE-2020-35507.nopatch
%description
The Binutils package contains a linker, an assembler,
@ -124,19 +101,33 @@ make %{?_smp_mflags} check
%{_includedir}/dis-asm.h
%{_includedir}/bfd_stdint.h
%{_includedir}/diagnostics.h
%{_includedir}/ctf-api.h
%{_includedir}/ctf.h
%{_libdir}/libbfd.a
%{_libdir}/libopcodes.a
%{_libdir}/libbfd.so
%{_libdir}/libopcodes.so
%{_libdir}/bfd-plugins/libdep.so
%{_libdir}/libctf-nobfd.a
%{_libdir}/libctf-nobfd.so
%{_libdir}/libctf-nobfd.so.0
%{_libdir}/libctf-nobfd.so.0.*
%{_libdir}/libctf.a
%{_libdir}/libctf.so
%{_libdir}/libctf.so.0
%{_libdir}/libctf.so.0.*
%changelog
* Mon Jan 11 2021 Emre Girgin <mrgirgin@microsoft.com> - 2.32-5
- Update URL and Source0 to use https.
- Fix CVE-2020-35493.
- Fix CVE-2020-35494.
- Fix CVE-2020-35495.
- Fix CVE-2020-35496.
- Fix CVE-2020-35507.
* Tue May 11 2021 Andrew Phelps <anphel@microsoft.com> 2.36.1-1
- Update to version 2.36.1
* Mon Jan 11 2021 Emre Girgin <mrgirgin@microsoft.com> 2.32-5
- Update URL and Source0 to use https.
- Fix CVE-2020-35493.
- Fix CVE-2020-35494.
- Fix CVE-2020-35495.
- Fix CVE-2020-35496.
- Fix CVE-2020-35507.
* Thu Oct 22 2020 Nicolas Ontiveros <niontive@microsoft.com> 2.32-4
- Use autosetup
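Review bot: The new changelog entry for 2.36.1-1 says only `- Update to version 2.36.1`, while the same change removes every `Patch0` to `Patch18` line from the header, so the spec no longer records which CVEs the package is considered fixed for. Two of the removed markers, `CVE-2019-9072.nopatch` and `CVE-2019-9076.nopatch`, were annotated as issues the upstream community does not consider bugs, so a newer upstream release presumably does not change their status; it is worth confirming that the CVE tracking for this package no longer depends on those markers. A changelog line such as `- Remove CVE patches and nopatch markers superseded by the 2.36.1 sources` would keep the audit trail.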


@ -51,10 +51,11 @@ make %{?_smp_mflags} check
* Fri Aug 21 2020 Thomas Crain <thcrain@microsoft.com> 3.1-4
- Remove yacc command for compatibility with byacc package
- Remove sha hash
* Sat May 09 00:21:04 PST 2020 Nick Samson <nisamson@microsoft.com> 3.1-3
- License verified
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 3.1-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 3.1-2
- Initial import from Photon (license: dual Apache2/GPL2).
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Sep 18 2018 Tapas Kundu <tkundu@vmware.com> 3.1-1
- Updated to release 3.1
* Sun Sep 09 2018 Alexey Makhalov <amakhalov@vmware.com> 3.0.4-4


@ -42,23 +42,23 @@ rm -rf %{buildroot}/*
* Mon Jan 11 2021 Ruying Chen <v-ruyche@microsoft.com> - 1.2.0-6
- Provide iowatcher.
* Sat May 09 00:21:09 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.2.0-5
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.2.0-5
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.2.0-4
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.2.0-4
- Initial CBL-Mariner import from Photon (license: Apache2).
* Thu Jan 24 2019 Tapas Kundu <tkundu@vmware.com> 1.2.0-3
- Fix for CVE-2018-10689.
* Thu Jan 24 2019 Tapas Kundu <tkundu@vmware.com> 1.2.0-3
- Fix for CVE-2018-10689.
* Sun Sep 23 2018 Sujay G <gsujay@vmware.com> 1.2.0-2
- Bump blktrace version to 1.2.0
* Sun Sep 23 2018 Sujay G <gsujay@vmware.com> 1.2.0-2
- Bump blktrace version to 1.2.0
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.1.0-2
- GA - Bump release of all rpms
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.1.0-2
- GA - Bump release of all rpms
* Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 1.1.0-1
- Updated to version 1.1.0
* Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 1.1.0-1
- Updated to version 1.1.0
* Mon Nov 30 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.0.5-1
- Initial build. First version
* Mon Nov 30 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.0.5-1
- Initial build. First version


@ -1,7 +1,7 @@
Summary: FUSE adapter - Azure Storage Blobs
Name: blobfuse
Version: 1.3.6
Release: 1%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -47,6 +47,10 @@ rm -rf %{buildroot}
%{_bindir}/blobfuse
%changelog
* Tue Jun 08 2021 Henry Beberman <henry.beberman@microsoft.com> 1.3.6-3
- Increment release to force republishing using golang 1.15.13.
* Mon Apr 26 2021 Nicolas Guibourge <nicolasg@microsoft.com> 1.3.6-2
- Increment release to force republishing using golang 1.15.11.
* Tue Feb 02 2021 Henry Beberman <henry.beberman@microsoft.com> 1.3.6-1
- Add blobfuse spec
- License verified


@ -27,7 +27,7 @@ make DESTDIR=%{buildroot} install
%{_mandir}/man8/*
%changelog
* Sat May 09 00:20:34 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.6-4
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.6-4
- Added %%license line automatically
* Thu Apr 09 2020 Joe Schmitt <joschmit@microsoft.com> 1.6-3


@ -75,7 +75,7 @@ rm -rf %{buildroot}
%{_libdir}/libbtrfsutil.so
%changelog
* Sat May 09 00:21:31 PST 2020 Nick Samson <nisamson@microsoft.com> - 4.19-3
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 4.19-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 4.19-2


@ -5,8 +5,8 @@ Name: byacc
Version: 1.9.%{byaccdate}
Release: 3%{?dist}
License: Public Domain
URL: http://invisible-island.net/byacc/byacc.html
Vendor: Microsoft
URL: https://invisible-island.net/byacc/byacc.html
Vendor: Microsoft Corporation
Distribution: Mariner
#Source0: https://invisible-mirror.net/archives/%{name}/%{name}-%{byaccdate}.tgz
Source0: %{name}-%{version}.tar.gz
@ -56,6 +56,7 @@ echo ====================TESTING END=====================
%changelog
* Fri Aug 21 2020 Thomas Crain <thcrain@microsoft.com> - 1.9.20200330-4
- Initial CBL-Mariner import from Fedora 33 (license: MIT)
- License verified
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.20200330-3
- Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild


@ -108,7 +108,7 @@ make %{?_smp_mflags} check
- Don't stomp on CFLAGS.
* Tue May 26 2020 Emre Girgin <mrgirgin@microsoft.com> 1.0.6-14
- Fix CVE-2019-12900. This was erroneously named CVE-2019-1353 before, which is not even related to bzip2.
* Sat May 09 00:21:38 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.0.6-13
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.0.6-13
- Added %%license line automatically
* Wed Apr 22 2020 Emre Girgin <mrgirgin@microsoft.com> 1.0.6-12
- Fix CVE-2019-1353.


@ -14,7 +14,7 @@
"ca-legacy.8.txt": "4fef2b8fed41d21ae559803b06074ca61a3f46648f174832542e3223d16dabf4",
"ca-legacy.conf": "400b96da374503fa6b6350a867347082d0c90e05ba4d02cc6b51b11229199c4d",
"certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
"certdata.microsoft.txt": "80f8c0f75356730bea953a6f0317a70856c98991bced06d86c0eab9cfc8c4b85",
"certdata.microsoft.txt": "37a832a646e56f75cd8a128d40bdb20a23b4e8794692b1b2d9ae243351c4d255",
"certdata.txt": "cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e",
"certdata2pem.py": "0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0",
"nssckbi.h": "9d916fe1586259d94632f186a736449e8344b8a18f7ac97253f13efc764d77ea",


@ -71,7 +71,7 @@ Name: ca-certificates
# When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
Version: 20200720
Release: 13%{?dist}
Release: 15%{?dist}
License: MPLv2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -415,6 +415,12 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%{_bindir}/bundle2pem.sh
%changelog
* Wed Jul 07 2021 CBL-Mariner Service Account <cblmargh@microsoft.com> - 20200720-15
- Updating Microsoft trusted root CAs.
* Thu Jun 03 2021 CBL-Mariner Service Account <cblmargh@microsoft.com> - 20200720-14
- Updating Microsoft trusted root CAs.
* Fri Mar 12 2021 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 20200720-13
- Updating Microsoft trusted root CAs.



@ -49,7 +49,7 @@ ln -s genisoimage %{buildroot}%{_prefix}/bin/mkisofs
- Add an explicit provides for `genisoimage`
* Sun May 31 2020 Henry Beberman <henry.beberman@microsoft.com> - 1.1.11-8
- Add patch to fix format-security errors.
* Sat May 09 00:20:47 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.1.11-7
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.1.11-7
- Added %%license line automatically
* Mon Apr 27 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 1.1.11-6
- Fixed the 'Source0' tags.


@ -1,5 +1,5 @@
{
"Signatures": {
"ceph-15.2.4.tar.gz": "5d51297d5f0358f6fc386ecf3d6e3093a044ef4714ed6c0f0d13af90c96dc54b"
"ceph-16.2.0.tar.gz": "dfeee542536607220dc2ca49f47c41127c8562dea234a886625e0f7ee1524904"
}
}


@ -1,14 +1,17 @@
#disable debuginfo because ceph-debuginfo rpm is too large
%define debug_package %{nil}
%global _python_bytecompile_extra 1
Summary: User space components of the Ceph file system
Name: ceph
Version: 15.2.4
Release: 2%{?dist}
License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT
Version: 16.2.0
Release: 3%{?dist}
License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
URL: https://ceph.io/
Vendor: Microsoft
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz
%global _python_bytecompile_extra 1
#
# Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
@ -70,14 +73,17 @@ Requires(post): binutils
Requires: systemd
BuildRequires: cryptsetup
BuildRequires: cryptsetup-devel
BuildRequires: expat-devel
BuildRequires: fuse-devel
BuildRequires: gcc
BuildRequires: gdbm
BuildRequires: gperf
BuildRequires: icu-devel
BuildRequires: keyutils-devel
BuildRequires: leveldb-devel > 1.2
BuildRequires: libaio-devel
BuildRequires: lua-devel
BuildRequires: util-linux-libs
BuildRequires: libcap-ng-devel
BuildRequires: curl-devel
@ -943,7 +949,6 @@ install -m 0644 -D udev/50-rbd.rules %{buildroot}%{_udevrulesdir}/50-rbd.rules
# sudoers.d
install -m 0600 -D sudoers.d/ceph-osd-smartctl %{buildroot}%{_sysconfdir}/sudoers.d/ceph-osd-smartctl
install -m 0600 -D sudoers.d/cephadm %{buildroot}%{_sysconfdir}/sudoers.d/cephadm
#set up placeholder directories
mkdir -p %{buildroot}%{_sysconfdir}/ceph
@ -1054,7 +1059,6 @@ exit 0
%files -n cephadm
%{_sbindir}/cephadm
%{_mandir}/man8/cephadm.8*
%{_sysconfdir}/sudoers.d/cephadm
%attr(0700,cephadm,cephadm) %dir %{_sharedstatedir}/cephadm
%attr(0700,cephadm,cephadm) %dir %{_sharedstatedir}/cephadm/.ssh
%attr(0600,cephadm,cephadm) %{_sharedstatedir}/cephadm/.ssh/authorized_keys
@ -1071,6 +1075,8 @@ exit 0
%{_bindir}/ceph-syn
%{_bindir}/cephfs-data-scan
%{_bindir}/cephfs-journal-tool
%{_bindir}/cephfs-mirror
%{_bindir}/cephfs-top
%{_bindir}/cephfs-table-tool
%{_bindir}/rados
%{_bindir}/radosgw-admin
@ -1079,6 +1085,8 @@ exit 0
%{_bindir}/rbd-replay-many
%{_bindir}/rbdmap
%{_sbindir}/mount.ceph
%{_unitdir}/cephfs-mirror@.service
%{_unitdir}/cephfs-mirror.target
%if %{with lttng}
%{_bindir}/rbd-replay-prep
%endif
@ -1101,6 +1109,9 @@ exit 0
%{_mandir}/man8/rbd-replay-many.8*
%{_mandir}/man8/rbd-replay-prep.8*
%{_mandir}/man8/rgw-orphan-list.8*
%{_mandir}/man8/cephfs-mirror.8*
%{_mandir}/man8/cephfs-top.8*
%{python3_sitelib}/cephfs_top-*.egg-info
%dir %{_datadir}/ceph/
%{_datadir}/ceph/known_hosts_drop.ceph.com
%{_datadir}/ceph/id_rsa_drop.ceph.com
@ -1116,6 +1127,8 @@ exit 0
%{_udevrulesdir}/50-rbd.rules
%attr(3770,ceph,ceph) %dir %{_localstatedir}/log/ceph/
%attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/
%exclude %{_includedir}/libcephsqlite.h
%exclude %{_libdir}/libcephsqlite.so
%pre common
CEPH_GROUP_ID=167
@ -1235,6 +1248,8 @@ fi
%{_datadir}/ceph/mgr/insights
%{_datadir}/ceph/mgr/iostat
%{_datadir}/ceph/mgr/localpool
%{_datadir}/ceph/mgr/mds_autoscaler
%{_datadir}/ceph/mgr/mirroring
%{_datadir}/ceph/mgr/orchestrator
%{_datadir}/ceph/mgr/osd_perf_query
%{_datadir}/ceph/mgr/osd_support
@ -1244,6 +1259,8 @@ fi
%{_datadir}/ceph/mgr/rbd_support
%{_datadir}/ceph/mgr/restful
%{_datadir}/ceph/mgr/selftest
%{_datadir}/ceph/mgr/snap_schedule
%{_datadir}/ceph/mgr/stats
%{_datadir}/ceph/mgr/status
%{_datadir}/ceph/mgr/telegraf
%{_datadir}/ceph/mgr/telemetry
@ -1324,6 +1341,7 @@ fi
%files fuse
%{_bindir}/ceph-fuse
%{_mandir}/man8/ceph-fuse.8*
%{_mandir}/man8/mount.fuse.ceph.8*
%{_sbindir}/mount.fuse.ceph
%{_unitdir}/ceph-fuse@.service
%{_unitdir}/ceph-fuse.target
@ -1402,6 +1420,8 @@ fi
%{_bindir}/radosgw-es
%{_bindir}/radosgw-object-expirer
%{_bindir}/rgw-orphan-list
%{_bindir}/rgw-gap-list
%{_bindir}/rgw-gap-list-comparator
%{_libdir}/libradosgw.so*
%{_mandir}/man8/radosgw.8*
%dir %{_localstatedir}/lib/ceph/radosgw
@ -1436,6 +1456,7 @@ fi
%files osd
%{_bindir}/ceph-clsinfo
%{_bindir}/ceph-bluestore-tool
%{_bindir}/ceph-erasure-code-tool
%{_bindir}/ceph-objectstore-tool
%{_bindir}/ceph-osdomap-tool
%{_bindir}/ceph-osd
@ -1556,6 +1577,7 @@ fi
%if %{with lttng}
%{_libdir}/librbd_tp.so.*
%endif
%{_libdir}/ceph/librbd/libceph_*.so*
%post -n librbd1 -p /sbin/ldconfig
@ -1573,7 +1595,6 @@ fi
%files -n librgw2
%{_libdir}/librgw.so.*
%{_libdir}/librgw_admin_user.so.*
%if %{with lttng}
%{_libdir}/librgw_op_tp.so.*
%{_libdir}/librgw_rados_tp.so.*
@ -1586,10 +1607,8 @@ fi
%files -n librgw-devel
%dir %{_includedir}/rados
%{_includedir}/rados/librgw.h
%{_includedir}/rados/librgw_admin_user.h
%{_includedir}/rados/rgw_file.h
%{_libdir}/librgw.so
%{_libdir}/librgw_admin_user.so
%if %{with lttng}
%{_libdir}/librgw_op_tp.so
%{_libdir}/librgw_rados_tp.so
@ -1616,6 +1635,7 @@ fi
%{_includedir}/cephfs/libcephfs.h
%{_includedir}/cephfs/ceph_ll_client.h
%{_libdir}/libcephfs.so
%{_includedir}/cephfs/metrics/Types.h
%files -n python%{python3_pkgversion}-cephfs
%{python3_sitearch}/cephfs.cpython*.so
@ -1784,8 +1804,18 @@ exit 0
%config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
%changelog
* Wed Aug 18 2021 Thomas Crain <thcrain@microsoft.com> - 16.2.0-3
- Enable python byte compilation for directories outside of %%python3_site{lib,arch}
* Thu Jun 17 2021 Neha Agarwal <nehaagarwal@microsoft.com> 16.2.0-2
- Disable debuginfo because ceph-debuginfo rpm is too large
* Fri May 21 2021 Neha Agarwal <nehaagarwal@microsoft.com> 16.2.0-1
- Update package version to fix CVE-2020-25660, CVE-2020-25678 and CVE-2020-27781
* Fri Feb 05 2021 Joe Schmitt <joschmit@microsoft.com> - 15.2.4-2
- Include python bytecompiled files in the resulting package.
* Fri Aug 21 2020 Thomas Crain <thcrain@microsoft.com> 15.2.4-1
- Initial CBL-Mariner import from Ceph source (license: LGPLv2.1)
* Fri Aug 21 2020 Thomas Crain <thcrain@microsoft.com> 15.2.4-1
- Initial CBL-Mariner import from Ceph source (license: LGPLv2.1)
- License verified
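Review bot: The two `%exclude` lines for `%{_includedir}/libcephsqlite.h` and `%{_libdir}/libcephsqlite.so` in the `-1116,6 +1127,8` hunk carry no explanation, and none of the 16.2.0 changelog entries mention them. From the visible lines it is not clear whether libcephsqlite is meant to stay unshipped or is waiting for its own subpackage, nor whether a versioned `libcephsqlite.so.*` is still picked up by another `%files` list, since most of those lists lie outside the shown hunks. A one-line comment above the pair would record the intent, for example `# libcephsqlite is built but intentionally not packaged`, if that is the case. The line counts in the hunk header suggest these are the two added lines, but the +/- markers are lost on this page, so that is inferred.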


@ -46,22 +46,30 @@ make %{?_smp_mflags} check
/usr/share/aclocal/*
%changelog
* Mon Sep 28 2020 Ruying Chen <v-ruyche@microsoft.com> 0.12.0-5
- Provide check-devel
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 0.12.0-4
- Added %%license line automatically
* Thu Apr 23 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 0.12.0-3
- License verified.
- Updated 'Url' and 'Source0' tags.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 0.12.0-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Wed Sep 19 2018 Ajay Kaher <akaher@vmware.com> 0.12.0-1
- Upgraded to version 0.12.0
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 0.10.0-2
- GA - Bump release of all rpms
* Tue Feb 23 2016 Xiaolin Li <xiaolinl@vmware.com> 0.10.0-1
- Updated to version 0.10.0
* Wed May 20 2015 Touseef Liaqat <tliaqat@vmware.com> 0.9.14-2
- Updated group.
* Tue Nov 25 2014 Divya Thaluru <dthaluru@vmware.com> 0.9.14-1
- Initial build. First version
* Mon Sep 28 2020 Ruying Chen <v-ruyche@microsoft.com> 0.12.0-5
- Provide check-devel
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 0.12.0-4
- Added %%license line automatically
* Thu Apr 23 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 0.12.0-3
- License verified.
- Updated 'Url' and 'Source0' tags.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 0.12.0-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Wed Sep 19 2018 Ajay Kaher <akaher@vmware.com> 0.12.0-1
- Upgraded to version 0.12.0
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 0.10.0-2
- GA - Bump release of all rpms
* Tue Feb 23 2016 Xiaolin Li <xiaolinl@vmware.com> 0.10.0-1
- Updated to version 0.10.0
* Wed May 20 2015 Touseef Liaqat <tliaqat@vmware.com> 0.9.14-2
- Updated group.
* Tue Nov 25 2014 Divya Thaluru <dthaluru@vmware.com> 0.9.14-1
- Initial build. First version


@ -0,0 +1,5 @@
{
"Signatures": {
"checkpolicy-3.2.tar.gz": "9b1c81fa86fe3867842164448d90c8e7ea94b2987497809c65d4caa87a5c5bc8"
}
}


@ -0,0 +1,939 @@
%define libselinuxver 3.2-1
%define libsepolver 3.2-1
Summary: SELinux policy compiler
Name: checkpolicy
Version: 3.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/SELinuxProject/selinux/wiki
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
BuildRequires: bison
BuildRequires: flex
BuildRequires: flex-devel
BuildRequires: gcc
BuildRequires: libselinux-devel >= %{libselinuxver}
BuildRequires: libsepol-devel >= %{libsepolver}
%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement®, Role-based Access
Control, and Multi-level Security.
This package contains checkpolicy, the SELinux policy compiler.
Only required for building policies.
%prep
%autosetup -p1
%build
%make_build clean
%make_build LIBDIR="%{_libdir}" CFLAGS="%{build_cflags} -fno-semantic-interposition"
pushd test
%make_build LIBDIR="%{_libdir}" CFLAGS="%{build_cflags} -fno-semantic-interposition"
popd
%install
mkdir -p %{buildroot}%{_bindir}
%make_install LIBDIR="%{_libdir}"
install test/dismod %{buildroot}%{_bindir}/sedismod
install test/dispol %{buildroot}%{_bindir}/sedispol
%files
%license COPYING
%{_bindir}/checkpolicy
%{_bindir}/checkmodule
%{_bindir}/sedismod
%{_bindir}/sedispol
%{_mandir}/man8/checkpolicy.8.gz
%{_mandir}/man8/checkmodule.8.gz
%{_mandir}/ru/man8/checkpolicy.8.gz
%{_mandir}/ru/man8/checkmodule.8.gz
%changelog
* Fri Aug 13 2021 Thomas Crain <thcrain@microsoft.com> - 3.2-1
- Upgrade to latest upstream version
- Add -fno-semantic-interposition to CFLAGS as recommended by upstream
- Update source URL to new format
- Lint spec
- License verified
* Wed Aug 19 2020 Daniel Burgener <Daniel.Burgener@microsoft.com> - 2.9-3
- Initial CBL-Mariner import from Fedora 31 (license: MIT)
- License verified
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
- SELinux userspace 2.9 release
* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
- SELinux userspace 2.9-rc2 release
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
- SELinux userspace 2.9-rc1 release
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
- Check the result value of hashtable_search
- Destroy the class datum if it fails to initialize
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
- SELinux userspace 2.8 release
* Tue May 15 2018 Petr Lautrbach <plautrba@workstation> - 2.8-0.rc3.1
- SELinux userspace 2.8-rc3 release candidate
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
- SELinux userspace 2.8-rc1 release candidate
* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-7
- Add support for the SCTP portcon keyword
* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-6
- build: follow standard semantics for DESTDIR and PREFIX
* Thu Feb 22 2018 Florian Weimer <fweimer@redhat.com> - 2.7-5
- Use LDFLAGS from redhat-rpm-config
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-3
- Rebuild with libsepol-2.7-3 and libselinux-2.7-6
* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
- Rebuilt with libsepol-2.7-2
* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
- Update to upstream release 2017-08-04
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Feb 15 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1
- Update to upstream release 2016-10-14
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-8
- Add types associated to a role in the current scope when parsing
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-7
- Extend checkpolicy pathname matching
- Rebuilt with libsepol-2.5-9
* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
- Fix typos in sedispol
* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
- Set flex as default lexer
- Fix checkmodule output message
* Wed May 11 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
- Rebuilt with libsepol-2.5-6
* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
- Build policy on systems not supporting DCCP protocol
- Fail if module name different than output base filename
* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2
- Add support for portcon dccp protocol
* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
- Update to upstream release 2016-02-23
* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-0.1.rc1
- Update to upstream rc1 release 2016-01-07
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jul 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-1.1
- Update to 2.4 release
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> - 2.3-3
- fix license handling
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
- Update to upstream
* Add Android support for building dispol.
* Report source file and line information for neverallow failures.
* Prevent incompatible option combinations for checkmodule.
* Drop -lselinux from LDLIBS for test programs; not used.
* Add debug feature to display constraints/validatetrans from Richard Haines.
* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
- Update to upstream
* Fix hyphen usage in man pages from Laurent Bigonville.
* handle-unknown / -U required argument fix from Laurent Bigonville.
* Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
* Support space and : in filenames from Dan Walsh.
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.12-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Jul 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
- Fix a segmentation fault if the --handle-unknown option was set without
arguments.
- Thanks to Alexandre Rebert and his team at Carnegie Mellon University
for detecting this crash.
* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
- ":" should be allowed for file trans names
* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
- Space should be allowed for file trans names
* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
- Update to upstream
* Fix errors found by coverity
* implement default type policy syntax
* Free allocated memory when clean up / exit.
* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.11-3
- Update to latest patches from eparis/Upstream
- checkpolicy: libsepol: implement default type policy syntax
-
- We currently have a mechanism in which the default user, role, and range
- can be picked up from the source or the target object. This implements
- the same thing for types. The kernel will override this with type
- transition rules and similar. This is just the default if nothing
- specific is given.
* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
- Rebuild with fixed libsepol
* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
- Update to upstream
* fd leak reading policy
* check return code on ebitmap_set_bit
* Mon Jul 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
- Rebuild to grab latest libsepol
* Tue Jul 24 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
- Rebuild to grab latest libsepol
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
- Update to upstream
* sepolgen: We need to support files that have a + in them
* Android/MacOS X build support
* Mon Apr 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-4
- Rebuild to get latest libsepol which fixes the file_name transition problems
* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
- Recompile with libsepol that has support for ptrace_child
* Tue Apr 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
- Allow checkpolicy to use + in a file name
* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
- Update to upstream
* implement new default labeling behaviors for usr, role, range
* Fix dead links to www.nsa.gov/selinux
* Mon Jan 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
- Fix man page to link to www.nsa.giv/research/selinux
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
-Update to upstream
* add ignoredirs config for genhomedircon
* Fallback_user_level can be NULL if you are not using MLS
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-3
- default_rules should be optional
* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
- Rebuild with latest libsepol
* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
- Upgrade to upstream
* dis* fixed signed vs unsigned errors
* dismod: fix unused parameter errors
* test: Makefile: include -W and -Werror
* allow ~ in filename transition rules
- Allow policy to specify the source of target for generating the default user,role
- or mls label for a new target.
* Mon Nov 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
- Allow ~ in a filename
* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
- Upgrade to upstream
* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
* drop libsepol dynamic link in checkpolicy
* Tue Sep 20 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
- Fix checkpolicy to ignore '"' in filename trans rules
* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
-Update to upstream
* Separate tunable from boolean during compile.
* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-0
-Update to upstream
* checkpolicy: fix spacing in output message
* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-0
* add missing ; to attribute_role_def
*Redo filename/filesystem syntax to support filename trans
* Wed Aug 3 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
-Update to upstream
* .gitignore changes
* dispol output of role trans
* man page update: build a module with an older policy version
* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.1-0
-Update to upstream
* Minor updates to filename trans rule output in dis{mod,pol}
* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
-Update to upstream
* Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.26-1
-Update to upstream
* Wrap file names in filename transitions with quotes by Steve Lawrence.
* Allow filesystem names to start with a digit by James Carter.
* Add support for using the last path compnent in type transitions by Eric
* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
* Fixes for new role_transition class field by Eric Paris.
* Fri Apr 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
- Add "-" as a file type
* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
-Update to upstream
* Add new class field in role_transition by Harry Ciao.
* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-5
- Fix type_transition to allow all files
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-4
- Patches from Eric Paris
We just use random numbers to make menu selections. Use #defines and
names that make some sense instead.
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:
type_transition unconfined_t etc_t:file system_conf_t eric;
This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.
The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.23-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Jan 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-2
- Add James Carters Patch
*This patch is needed because some filesystem names (such as 9p) start
with a digit.
* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.23-1
- Latest update from NSA
* Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock
* Wed Dec 8 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-2
- Rebuild to make sure it will build in Fedora
* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
- Latest update from NSA
* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
- Allow policy version to be one number
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
- Fix checkmodule man page and usage statements
* Sun Nov 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
- Latest update from NSA
* Add support for building Xen policies from Paul Nuzzi.
* Add long options to checkpolicy and checkmodule by Guido
Trentalancia <guido@trentalancia.com>
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.19-1
- Latest update from NSA
* Fix alias field in module format, caused by boundary format change
from Caleb Case.
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.18-1
- Latest update from NSA
* Properly escape regex symbols in the lexer from Stephen Smalley.
* Add bounds support from KaiGai Kohei.
* Tue Oct 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-4
* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-3
- Rebuild with new libsepol
* Wed May 28 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.16-2
- fix license tag
* Wed May 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-1
- Latest update from NSA
* Update checkpolicy for user and role mapping support from Joshua Brindle.
* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.15-1
- Latest update from NSA
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
Resolves bug 444451.
* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-2
- Allow modules with 4 sections or more
* Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
- Latest update from NSA
* Add permissive domain support from Eric Paris.
* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.13-1
- Latest update from NSA
* Split out non-grammar parts of policy_parse.yacc into
policy_define.c and policy_define.h from Todd C. Miller.
* Initialize struct policy_file before using it, from Todd C. Miller.
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.10-1
- Latest update from NSA
* Use yyerror2() where appropriate from Todd C. Miller.
- Build against latest libsepol
* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-2
- Start shipping sedismod and sedispol
* Mon Feb 4 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-1
- Latest update from NSA
* Update dispol for libsepol avtab changes from Stephen Smalley.
* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.8-1
- Latest update from NSA
* Deprecate role dominance in parser.
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-2
- Update to use libsepol-static library
* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-1
- Latest update from NSA
* Added support for policy capabilities from Todd Miller.
* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.6-1
- Latest update from NSA
* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
* Merged handle unknown policydb flag support from Eric Paris.
Adds new command line options -U {allow, reject, deny} for selecting
the flag when a base module or kernel policy is built.
* Tue Aug 28 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.0.3-3
- Rebuild for selinux ppc32 issue.
* Mon Jun 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-2
- Rebuild with the latest libsepol
* Sun Jun 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-1
- Latest update from NSA
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
- Latest update from NSA
* Merged checkmodule man page fix from Dan Walsh.
* Fri Mar 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-3
- Rebuild with new libsepol
* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-2
- Rebuild with new libsepol
* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
- Latest update from NSA
* Merged patch to allow dots in class identifiers from Caleb Case.
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
- Latest update from NSA
* Merged patch to use new libsepol error codes by Karl MacMillan.
* Updated version for stable branch.
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-2
- Rebuild for new libraries
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-1
- Latest update from NSA
* Collapse user identifiers and identifiers together.
* Tue Oct 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.32-1
- Latest update from NSA
* Updated version for release.
* Thu Sep 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.12-1
- Latest update from NSA
* Merged user and range_transition support for modules from
Darrel Goeddel
* Wed Sep 6 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.11-1
- Latest update from NSA
* merged range_transition enhancements and user module format
changes from Darrel Goeddel
* Merged symtab datum patch from Karl MacMillan.
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.30.9-1.1
- rebuild
* Tue Jul 4 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.8-1
- Latest upgrade from NSA
* Lindent.
* Merged patch to remove TE rule conflict checking from the parser
from Joshua Brindle. This can only be done properly by the
expander.
* Merged patch to make checkpolicy/checkmodule handling of
duplicate/conflicting TE rules the same as the expander
from Joshua Brindle.
* Merged optionals in base take 2 patch set from Joshua Brindle.
* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.5-1
- Latest upgrade from NSA
* Merged compiler cleanup patch from Karl MacMillan.
* Merged fix warnings patch from Karl MacMillan.
* Wed Apr 5 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.4-1
- Latest upgrade from NSA
* Changed require_class to reject permissions that have not been
declared if building a base module.
* Tue Mar 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.3-1
- Latest upgrade from NSA
* Fixed checkmodule to call link_modules prior to expand_module
to handle optionals.
* Fixed require_class to avoid shadowing permissions already defined
in an inherited common definition.
* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-2
- Rebuild with new libsepol
* Thu Mar 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-1
- Latest upgrade from NSA
* Moved processing of role and user require statements to 2nd pass.
* Fri Mar 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.30-1
- Latest upgrade from NSA
* Updated version for release.
* Fixed bug in role dominance (define_role_dom).
* Fri Feb 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.4-1
- Latest upgrade from NSA
* Added a check for failure to declare each sensitivity in
a level definition.
* Changed to clone level data for aliased sensitivities to
avoid double free upon sens_destroy. Bug reported by Kevin
Carr of Tresys Technology.
* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.2-1
- Latest upgrade from NSA
* Merged optionals in base patch from Joshua Brindle.
* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.1-1.2
- Need to build againi
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.29.1-1.1
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.1-1
- Latest upgrade from NSA
* Merged sepol_av_to_string patch from Joshua Brindle.
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.28-5.1
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
- Rebuild to get latest libsepol
* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
- Rebuild to get latest libsepol
* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.28-4
- Rebuild to get latest libsepol
* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.28-3
- Rebuild to get latest libsepol
* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 1.28-2
- Rebuild to get latest libsepol
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 1.28-1
- Latest upgrade from NSA
* Sun Dec 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.20-1
- Latest upgrade from NSA
* Merged checkmodule man page from Dan Walsh, and edited it.
* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
- Latest upgrade from NSA
* Added error checking of all ebitmap_set_bit calls for out of
memory conditions.
* Merged removal of compatibility handling of netlink classes
(requirement that policies with newer versions include the
netlink class definitions, remapping of fine-grained netlink
classes in newer source policies to single netlink class when
generating older policies) from George Coker.
* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-7
- Rebuild to get latest libsepol
* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-1
- Latest upgrade from NSA
* Merged dismod fix from Joshua Brindle.
* Thu Oct 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.16-1
- Latest upgrade from NSA
* Removed obsolete cond_check_type_rules() function and call and
cond_optimize_lists() call from checkpolicy.c; these are handled
during parsing and expansion now.
* Updated calls to expand_module for interface change.
* Changed checkmodule to verify that expand_module succeeds
when building base modules.
* Merged module compiler fixes from Joshua Brindle.
* Removed direct calls to hierarchy_check_constraints() and
check_assertions() from checkpolicy since they are now called
internally by expand_module().
* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.11-1
- Latest upgrade from NSA
* Updated for changes to sepol policydb_index_others interface.
* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.10-1
- Latest upgrade from NSA
* Updated for changes to sepol expand_module and link_modules interfaces.
* Sat Oct 15 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
- Rebuild to get latest libsepol
* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-1
- Latest upgrade from NSA
* Merged support for require blocks inside conditionals from
Joshua Brindle (Tresys).
* Wed Oct 12 2005 Karsten Hopp <karsten@redhat.de> 1.27.8-2
- add buildrequirement for libselinux-devel for dispol
* Mon Oct 10 2005 Dan Walsh <dwalsh@redhat.com> 1.27.8-1
- Latest upgrade from NSA
* Updated for changes to libsepol.
* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-2
- Rebuild to get latest libsepol
* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-1
- Latest upgrade from NSA
* Merged several bug fixes from Joshua Brindle (Tresys).
* Tue Oct 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.6-1
- Latest upgrade from NSA
* Merged MLS in modules patch from Joshua Brindle (Tresys).
* Mon Oct 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-2
- Rebuild to get latest libsepol
* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-1
- Latest upgrade from NSA
* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
* Tue Sep 27 2005 Dan Walsh <dwalsh@redhat.com> 1.27.4-1
- Latest upgrade from NSA
* Merged bugfix for dup role transition error messages from
Karl MacMillan (Tresys).
* Fri Sep 23 2005 Dan Walsh <dwalsh@redhat.com> 1.27.3-1
- Latest upgrade from NSA
* Merged policyver/modulever patches from Joshua Brindle (Tresys).
* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-2
- Rebuild to get latest libsepol
* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-1
- Latest upgrade from NSA
* Fixed parse_categories handling of undefined category.
* Tue Sep 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
- Rebuild to get latest libsepol
* Sat Sep 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-1
- Latest upgrade from NSA
* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
- Rebuild to get latest libsepol
* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-1
- Latest upgrade from NSA
* Updated version for release.
- Rebuild to get latest libsepol
* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-3
- Rebuild to get latest libsepol
* Mon Aug 29 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-2
- Rebuild to get latest libsepol
* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-1
- Update to NSA Release
* Fixed handling of validatetrans constraint expressions.
Bug reported by Dan Walsh for checkpolicy -M.
* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-2
- Fix mls crash
* Fri Aug 19 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-1
- Update to NSA Release
* Merged use-after-free fix from Serge Hallyn (IBM).
Bug found by Coverity.
* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.10-1
- Update to NSA Release
* Fixed further memory leaks found by valgrind.
* Changed checkpolicy to destroy the policydbs prior to exit
to allow leak detection.
* Fixed several memory leaks found by valgrind.
* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-3
- Rebuild to get latest libsepol changes
* Sat Aug 13 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-2
- Rebuild to get latest libsepol changes
* Thu Aug 11 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-1
- Update to NSA Release
* Updated checkpolicy and dispol for the new avtab format.
Converted users of ebitmaps to new inline operators.
Note: The binary policy format version has been incremented to
version 20 as a result of these changes. To build a policy
for a kernel that does not yet include these changes, use
the -c 19 option to checkpolicy.
* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
* Wed Aug 10 2005 Dan Walsh <dwalsh@redhat.com> 1.25.5-1
- Update to NSA Release
* Fixed call to hierarchy checking code to pass the right policydb.
* Merged patch to update dismod for the relocation of the
module read/write code from libsemanage to libsepol, and
to enable build of test subdirectory from Jason Tang (Tresys).
* Thu Jul 28 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-1
- Update to NSA Release
* Merged hierarchy check fix from Joshua Brindle (Tresys).
* Thu Jul 7 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-1
- Update to NSA Release
* Merged loadable module support from Tresys Technology.
* Merged patch to prohibit the use of * and ~ in type sets
(other than in neverallow statements) and in role sets
from Joshua Brindle (Tresys).
* Updated version for release.
* Fri May 20 2005 Dan Walsh <dwalsh@redhat.com> 1.23-4-1
- Update to NSA Release
* Merged cleanup patch from Dan Walsh.
* Thu May 19 2005 Dan Walsh <dwalsh@redhat.com> 1.23-3-1
- Update to NSA Release
* Added sepol_ prefix to Flask types to avoid namespace
collision with libselinux.
* Sat May 7 2005 Dan Walsh <dwalsh@redhat.com> 1.23-2-1
- Update to NSA Release
* Merged identifier fix from Joshua Brindle (Tresys).
* Thu Apr 14 2005 Dan Walsh <dwalsh@redhat.com> 1.23,1-1
* Merged hierarchical type/role patch from Tresys Technology.
* Merged MLS fixes from Darrel Goeddel of TCS.
* Thu Mar 10 2005 Dan Walsh <dwalsh@redhat.com> 1.22-1
- Update to NSA Release
* Tue Mar 1 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-2
- Rebuild for FC4
* Thu Feb 17 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-1
* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
* Moved genpolusers utility to libsepol.
* Merged range_transition support from Darrel Goeddel (TCS).
* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.2-1
- Latest from NSA
* Changed relabel Makefile target to use restorecon.
* Mon Feb 7 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
- Latest from NSA
* Merged enhanced MLS support from Darrel Goeddel (TCS).
* Fri Jan 7 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-1
- Update for version increase at NSA
* Mon Dec 20 2004 Dan Walsh <dwalsh@redhat.com> 1.19.2-1
- Latest from NSA
* Merged typeattribute statement patch from Darrel Goeddel of TCS.
* Changed genpolusers to handle multiple user config files.
* Merged nodecon ordering patch from Chad Hanson of TCS.
* Thu Nov 11 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-1
- Latest from NSA
* Merged nodecon ordering patch from Chad Hanson of TCS.
* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-1
- Latest from NSA
* MLS build fix.
* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.5-1
- Latest from NSA
* Fixed Makefile dependencies (Chris PeBenito).
* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.4-1
- Latest from NSA
* Fixed Makefile dependencies (Chris PeBenito).
* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
- Latest from NSA
* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
- Latest from NSA
* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.16.3-1
- Fix NSA package to not include y.tab files.
* Tue Aug 24 2004 Dan Walsh <dwalsh@redhat.com> 1.16.2-1
- Latest from NSA
- Allow port ranges to overlap
* Sun Aug 22 2004 Dan Walsh <dwalsh@redhat.com> 1.16.1-1
- Latest from NSA
* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
- Latest from NSA
* Fri Aug 13 2004 Dan Walsh <dwalsh@redhat.com> 1.15.5-1
- Latest from NSA
* Wed Aug 11 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
- Latest from NSA
* Sat Aug 7 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
- Latest from NSA
* Wed Aug 4 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
- Latest from NSA
* Sat Jul 31 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-1
- Latest from NSA
* Tue Jul 27 2004 Dan Walsh <dwalsh@redhat.com> 1.14.2-1
- Latest from NSA
* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
- Latest from NSA
* Fri Jun 18 2004 Dan Walsh <dwalsh@redhat.com> 1.12.2-1
- Latest from NSA
* Thu Jun 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12.1-1
- Update to latest from NSA
* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
- Update to latest from NSA
* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.10-5
- Add nlclass patch
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Jun 4 2004 Dan Walsh <dwalsh@redhat.com> 1.10-3
- Add BuildRequires flex
* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-2
- Add BuildRequires byacc
* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-1
- Upgrade to the latest from NSA
* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
- Upgrade to the latest from NSA
* Tue Feb 24 2004 Dan Walsh <dwalsh@redhat.com> 1.6-1
- Upgrade to the latest from NSA
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-6
- Add typealias patch
* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-5
- Update excludetypes with negset-final patch
* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-4
- Add excludetypes patch
* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-3
- Add Colin Walter's lineno patch
* Wed Jan 7 2004 Dan Walsh <dwalsh@redhat.com> 1.4-2
- Remove check for roles transition
* Sat Dec 6 2003 Dan Walsh <dwalsh@redhat.com> 1.4-1
- upgrade to 1.4
* Wed Oct 1 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
- upgrade to 1.2
* Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.1-2
- upgrade to 1.1
* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
- Initial version


@ -4,7 +4,7 @@
Name: chrony
Version: 3.5.1
Release: 4%{?dist}
Release: 5%{?dist}
Summary: An NTP client/server
Vendor: Microsoft Corporation
Distribution: Mariner
@ -91,6 +91,8 @@ cat >> chrony.conf << EOF
# Setting larger 'maxdistance' to tolerate time.windows.com delay
maxdistance 16.0
# Disable listening on UDP port (leaving only Unix socket interface).
cmdport 0
EOF
touch -r examples/chrony.conf.example2 examples/chrony-wait.service chrony.conf
@ -201,6 +203,9 @@ systemctl start chronyd.service
%dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony
%changelog
* Wed Jun 23 2021 Mateusz Malisz <mamalisz@microsoft.com> - 3.5.1-5
- Make chronyd not listen on UDP port by default.
* Tue Apr 13 2021 Rachel Menge <rachelmenge@microsoft.com> - 3.5.1-4
- Bump release to rebuild with new nettle (3.7.2)
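Review bot: The comment written into chrony.conf in the second hunk says "Disable listening on UDP port" without naming the port. `cmdport 0` turns off only the UDP command socket that chronyc uses; the NTP server port is controlled separately by `port` and `allow`. I would word it as `# Disable the UDP command port used by chronyc; the Unix domain socket stays available for local administration.` and use "command port" in the new %changelog entry too, so the change is not read as chronyd having no network listener at all. The heredoc that receives these lines begins outside the hunk.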


@ -35,7 +35,7 @@ rm -rf %{buildroot}/usr/doc
%{_mandir}/man1/chrpath.1*
%changelog
* Sat May 09 00:20:45 PST 2020 Nick Samson <nisamson@microsoft.com> - 0.16-4
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 0.16-4
- Added %%license line automatically
* Tue Apr 07 2020 Paul Monson <paulmon@microsoft.com> 0.16-3


@ -0,0 +1,263 @@
From cb8b6a8b8ea983844584d8ada4d9aa4c88c997fb Mon Sep 17 00:00:00 2001
From: Alastair Houghton <alastair@alastairs-place.net>
Date: Tue, 29 Dec 2020 14:02:39 +0000
Subject: [PATCH] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user
namespaces
In certain scenarios (e.g. kerberos multimount), when a process does
syscalls, the kernel sometimes has to query information or trigger
some actions in userspace. To do so it calls the cifs.upcall binary
with information on the process that triggered the syscall in the
first place.
ls(pid=10) ====> open("foo") ====> kernel
that user doesn't have an SMB
session, lets create one using his
kerberos credential cache
call cifs.upcall and ask for krb info
for whoever owns pid=10
|
cifs.upcall --pid 10 <=================+
...gather info...
return binary blob used
when establishing SMB session
===================> kernel
open SMB session, handle
open() syscall
ls <=================================== return open() result to ls
On a system using containers, the kernel is still calling the host
cifs.upcall and using the host configuration (for network, pid, etc).
This patch changes the behaviour of cifs.upcall so that it uses the
calling process namespaces (ls in the example) when doing its
job.
Note that the kernel still calls the binary in the host, but the
binary will place itself the contexts of the calling process
namespaces.
This code makes use of (but shouldn't require) the following kernel
config options and syscall flags:
approx. year |
introduced | config/flags
---------------+----------------
2008 | CONFIG_NAMESPACES=y
2007 | CONFIG_UTS_NS=y
2020 | CONFIG_TIME_NS=y
2006 | CONFIG_IPC_NS=y
2007 | CONFIG_USER_NS
2008 | CONFIG_PID_NS=y
2007 | CONFIG_NET_NS=y
2007 | CONFIG_CGROUPS
2016 | CLONE_NEWCGROUP setns() flag
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
---
cifs.upcall.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 172 insertions(+)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 89563fd..9718d00 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -51,6 +51,7 @@
#include <grp.h>
#include <stdbool.h>
#include <errno.h>
+#include <sched.h>
#include "data_blob.h"
#include "spnego.h"
@@ -227,6 +228,164 @@ err_cache:
return credtime;
}
+static struct namespace_file {
+ int nstype;
+ const char *name;
+ int fd;
+} namespace_files[] = {
+
+#ifdef CLONE_NEWCGROUP
+ { CLONE_NEWCGROUP, "cgroup", -1 },
+#endif
+
+#ifdef CLONE_NEWIPC
+ { CLONE_NEWIPC, "ipc", -1 },
+#endif
+
+#ifdef CLONE_NEWUTS
+ { CLONE_NEWUTS, "uts", -1 },
+#endif
+
+#ifdef CLONE_NEWNET
+ { CLONE_NEWNET, "net", -1 },
+#endif
+
+#ifdef CLONE_NEWPID
+ { CLONE_NEWPID, "pid", -1 },
+#endif
+
+#ifdef CLONE_NEWTIME
+ { CLONE_NEWTIME, "time", -1 },
+#endif
+
+#ifdef CLONE_NEWNS
+ { CLONE_NEWNS, "mnt", -1 },
+#endif
+
+#ifdef CLONE_NEWUSER
+ { CLONE_NEWUSER, "user", -1 },
+#endif
+};
+
+#define NS_PATH_FMT "/proc/%d/ns/%s"
+#define NS_PATH_MAXLEN (6 + 10 + 4 + 6 + 1)
+
+/**
+ * in_same_user_ns - return true if two processes are in the same user
+ * namespace.
+ * @pid_a: the pid of the first process
+ * @pid_b: the pid of the second process
+ *
+ * Works by comparing the inode numbers for /proc/<pid>/user.
+ */
+static int
+in_same_user_ns(pid_t pid_a, pid_t pid_b)
+{
+ char path[NS_PATH_MAXLEN];
+ ino_t a_ino, b_ino;
+ struct stat st;
+
+ snprintf(path, sizeof(path), NS_PATH_FMT, pid_a, "user");
+ if (stat(path, &st) != 0)
+ return 0;
+ a_ino = st.st_ino;
+
+ snprintf(path, sizeof(path), NS_PATH_FMT, pid_b, "user");
+ if (stat(path, &st) != 0)
+ return 0;
+ b_ino = st.st_ino;
+
+ return a_ino == b_ino;
+}
+
+/**
+ * switch_to_process_ns - change the namespace to the one for the specified
+ * process.
+ * @pid: initiating pid value from the upcall string
+ *
+ * Uses setns() to switch process namespace.
+ * This ensures that we have the same access and configuration as the
+ * process that triggered the lookup.
+ */
+static int
+switch_to_process_ns(pid_t pid)
+{
+ int count = sizeof(namespace_files) / sizeof(struct namespace_file);
+ int n, err = 0;
+ int rc = 0;
+
+ /* First, open all the namespace fds. We do this first because
+ the namespace changes might prohibit us from opening them. */
+ for (n = 0; n < count; ++n) {
+ char nspath[NS_PATH_MAXLEN];
+ int ret, fd;
+
+#ifdef CLONE_NEWUSER
+ if (namespace_files[n].nstype == CLONE_NEWUSER
+ && in_same_user_ns(getpid(), pid)) {
+ /* Switching to the same user namespace is forbidden,
+ because switching to a user namespace grants all
+ capabilities in that namespace regardless of uid. */
+ namespace_files[n].fd = -1;
+ continue;
+ }
+#endif
+
+ ret = snprintf(nspath, NS_PATH_MAXLEN, NS_PATH_FMT,
+ pid, namespace_files[n].name);
+ if (ret >= NS_PATH_MAXLEN) {
+ syslog(LOG_DEBUG, "%s: unterminated path!\n", __func__);
+ err = ENAMETOOLONG;
+ rc = -1;
+ goto out;
+ }
+
+ fd = open(nspath, O_RDONLY);
+ if (fd < 0 && errno != ENOENT) {
+ /*
+ * don't stop on non-existing ns
+ * but stop for other errors
+ */
+ err = errno;
+ rc = -1;
+ goto out;
+ }
+
+ namespace_files[n].fd = fd;
+ }
+
+ /* Next, call setns for each of them */
+ for (n = 0; n < count; ++n) {
+ /* skip non-existing ns */
+ if (namespace_files[n].fd < 0)
+ continue;
+
+ rc = setns(namespace_files[n].fd, namespace_files[n].nstype);
+
+ if (rc < 0) {
+ syslog(LOG_DEBUG, "%s: setns() failed for %s\n",
+ __func__, namespace_files[n].name);
+ err = errno;
+ goto out;
+ }
+ }
+
+out:
+ /* Finally, close all the fds */
+ for (n = 0; n < count; ++n) {
+ if (namespace_files[n].fd != -1) {
+ close(namespace_files[n].fd);
+ namespace_files[n].fd = -1;
+ }
+ }
+
+ if (rc != 0) {
+ errno = err;
+ }
+
+ return rc;
+}
+
#define ENV_PATH_FMT "/proc/%d/environ"
#define ENV_PATH_MAXLEN (6 + 10 + 8 + 1)
@@ -1052,6 +1211,19 @@ int main(const int argc, char *const argv[])
env_cachename =
get_cachename_from_process_env(env_probe ? arg.pid : 0);
+ /*
+ * Change to the process's namespace. This means that things will work
+ * acceptably in containers, because we'll be looking at the correct
+ * filesystem and have the correct network configuration.
+ */
+ rc = switch_to_process_ns(arg.pid);
+ if (rc == -1) {
+ syslog(LOG_ERR, "unable to switch to process namespace: %s",
+ strerror(errno));
+ rc = 1;
+ goto out;
+ }
+
rc = setuid(uid);
if (rc == -1) {
syslog(LOG_ERR, "setuid: %s", strerror(errno));
--
2.17.1
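Review bot: In switch_to_process_ns() the setns() failure branch calls syslog() before `err = errno;`, so the value that is saved, restored by `errno = err;` and then printed by main() through strerror(errno) may be whatever syslog() left behind rather than the setns() error. Save it first, with `err = errno;` placed directly after `if (rc < 0) {` and the syslog() call after it. That message is logged at LOG_DEBUG without the error text, and passing `strerror(err)` to it would make a refused namespace switch easier to diagnose. Separately, in_same_user_ns() compares only st_ino, and its doc comment names /proc/<pid>/user while the code stats /proc/<pid>/ns/user; comparing st_dev as well is the usual form of this check.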


@ -1,18 +1,16 @@
Summary: cifs client utils
Name: cifs-utils
Version: 6.8
Release: 4%{?dist}
License: GPLv3
URL: http://wiki.samba.org/index.php/LinuxCIFS_utils
Group: Applications/Nfs-utils-client
Source0: https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-%{version}.tar.bz2
Patch0: CVE-2020-14342.patch
Patch1: CVE-2020-14342-fix.patch
Summary: cifs client utils
Name: cifs-utils
Version: 6.8
Release: 5%{?dist}
License: GPLv3
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/Nfs-utils-client
URL: https://wiki.samba.org/index.php/LinuxCIFS_utils
Source0: https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-%{version}.tar.bz2
Patch0: CVE-2020-14342.patch
Patch1: CVE-2020-14342-fix.patch
Patch2: CVE-2021-20208.patch
BuildRequires: libcap-ng-devel
BuildRequires: libtalloc-devel
Requires: libcap-ng
@ -20,11 +18,10 @@ Requires: libcap-ng
%description
Cifs-utils, a package of utilities for doing and managing mounts of the Linux CIFS filesystem.
%package devel
Summary: The libraries and header files needed for Cifs-Utils development.
Group: Development/Libraries
Requires: cifs-utils = %{version}-%{release}
Summary: The libraries and header files needed for Cifs-Utils development.
Group: Development/Libraries
Requires: cifs-utils = %{version}-%{release}
%description devel
Provides header files needed for Cifs-Utils development.
@ -52,17 +49,28 @@ make %{?_smp_mflags} check
%{_includedir}/cifsidmap.h
%changelog
* Wed Sep 30 2020 Henry Beberman <henry.beberman@microsoft.com> 6.8-4
- Add patch for CVE-2020-14342
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 6.8-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 6.8-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Fri Sep 07 2017 Ajay Kaher <akaher@vmware.com> 6.8-1
- Upgraded to version 6.8
* Thu Apr 06 2017 Anish Swaminathan <anishs@vmware.com> 6.7-1
- Upgraded to version 6.7
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 6.4-2
- GA - Bump release of all rpms
* Mon Jan 25 2016 Divya Thaluru <dthaluru@vmware.com> 6.4-1
- Initial build. First version
* Mon May 03 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 6.8-5
- Adding a patch fo CVE-2021-20208.
- Updated "URL" tag to use HTTPS.
- License verified.
* Wed Sep 30 2020 Henry Beberman <henry.beberman@microsoft.com> - 6.8-4
- Add patch for CVE-2020-14342
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 6.8-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 6.8-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Fri Sep 07 2017 Ajay Kaher <akaher@vmware.com> - 6.8-1
- Upgraded to version 6.8
* Thu Apr 06 2017 Anish Swaminathan <anishs@vmware.com> - 6.7-1
- Upgraded to version 6.7
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 6.4-2
- GA - Bump release of all rpms
* Mon Jan 25 2016 Divya Thaluru <dthaluru@vmware.com> - 6.4-1
- Initial build. First version
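Review bot: `Patch2: CVE-2021-20208.patch` is declared in the first hunk, but none of the hunks shown touches %prep, so nothing visible here confirms that the patch is applied. If %prep uses explicit `%patch0 -p1` / `%patch1 -p1` lines rather than `%autosetup -p1`, it needs a matching `%patch2 -p1`, otherwise the package is released as 6.8-5 with the CVE fix listed but not built in. The %prep section is outside the hunks, so this should be checked against the full spec. A comment above the %prep patch lines naming the CVE each one addresses would make that easy to audit.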


@ -86,26 +86,26 @@ rm -rf %{buildroot}/*
* Tue Apr 27 2021 Henry Li <lihl@microsoft.com> - 8.0.1-4
- Enable eh/rtti, which are required by lldb.
* Fri Jun 12 2020 Henry Beberman <henry.beberman@microsoft.com> 8.0.1-3
- Temporarily disable generation of debug symbols.
* Fri Jun 12 2020 Henry Beberman <henry.beberman@microsoft.com> 8.0.1-3
- Temporarily disable generation of debug symbols.
* Sat May 09 00:21:24 PST 2020 Nick Samson <nisamson@microsoft.com> - 8.0.1-2
- Added %%license line automatically
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 8.0.1-2
- Added %%license line automatically
* Tue Mar 17 2020 Henry Beberman <henry.beberman@microsoft.com> 8.0.1-1
- Update to 8.0.1. Fix Source0 URL. License verified.
* Tue Mar 17 2020 Henry Beberman <henry.beberman@microsoft.com> 8.0.1-1
- Update to 8.0.1. Fix Source0 URL. License verified.
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 6.0.1-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 6.0.1-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Thu Aug 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 6.0.1-1
- Update to version 6.0.1 to get it to build with gcc 7.3
* Thu Aug 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 6.0.1-1
- Update to version 6.0.1 to get it to build with gcc 7.3
* Wed Jun 28 2017 Chang Lee <changlee@vmware.com> 4.0.0-2
- Updated %check
* Wed Jun 28 2017 Chang Lee <changlee@vmware.com> 4.0.0-2
- Updated %check
* Fri Apr 7 2017 Alexey Makhalov <amakhalov@vmware.com> 4.0.0-1
- Version update
* Fri Apr 7 2017 Alexey Makhalov <amakhalov@vmware.com> 4.0.0-1
- Version update
* Wed Jan 11 2017 Xiaolin Li <xiaolinl@vmware.com> 3.9.1-1
- Initial build.
* Wed Jan 11 2017 Xiaolin Li <xiaolinl@vmware.com> 3.9.1-1
- Initial build.


@ -1,14 +1,13 @@
Summary: Shell script to auto detect free size on disk and grow partition.
Name: cloud-utils-growpart
Version: 0.32
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv3
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment
URL: https://launchpad.net/cloud-utils
Source0: https://launchpad.net/cloud-utils/trunk/%{version}/+download/cloud-utils-%{version}.tar.gz
Patch0: growpart-remove-flock-disk-locking.patch
Requires: gawk
Requires: gptfdisk
Requires: util-linux
@ -21,7 +20,6 @@ This is generally used by cloud-init for disk space manangement on cloud images.
%prep
%setup -q -n cloud-utils-%{version}
%patch0 -p1
%build
@ -37,6 +35,9 @@ cp man/growpart.* $RPM_BUILD_ROOT/%{_mandir}/man1/
%doc %{_mandir}/man1/growpart.*
%changelog
* Thu Jun 03 2021 Chris Co <chrco@microsoft.com> - 0.32-3
- Remove patch now that unexpected timeout was root caused and fixed
* Tue Apr 27 2021 Chris Co <chrco@microsoft.com> - 0.32-2
- Add patch to handle unexpected timeout


@ -1,60 +0,0 @@
From 1baf9aed12e35e7c032499081ea1c9887e65626a Mon Sep 17 00:00:00 2001
From: Chris Co <chrco@microsoft.com>
Date: Wed, 28 Apr 2021 05:58:02 +0000
Subject: [PATCH] growpart: remove flock disk locking
Regression identified when using flock disk locking with 5.10 kernel and
systemd-239. During unlock_disk_and_settle(), udevadm settle will not
complete and eventually timeout after 2 minutes. When looking at the
systemd-udevd logs, the daemon crashes and produces the following stack
trace:
Stack trace of thread 1531:
#0 0x00007fd73d9be405 recvmsg (libpthread.so.0)
#1 0x00007fd73dab33b8 udev_monitor_receive_device (libsystemd-shared-239.so)
#2 0x0000600347316201 on_uevent (systemd-udevd)
#3 0x0000600347316667 on_inotify (systemd-udevd)
#4 0x00007fd73dbad6d7 source_dispatch (libsystemd-shared-239.so)
#5 0x00007fd73dbaf4e5 sd_event_dispatch (libsystemd-shared-239.so)
#6 0x00007fd73dbaf678 sd_event_run (libsystemd-shared-239.so)
#7 0x00007fd73dbaf89f sd_event_loop (libsystemd-shared-239.so)
#8 0x00006003473132df run (systemd-udevd)
#9 0x00007fd73d80e133 __libc_start_main (libc.so.6)
#10 0x0000600347313efe _start (systemd-udevd)
The failing behavior appears to be directly linked to the "exec FD"
actions. A quick way to replicate this issue in the repro environment:
exec 9<>$disk
exec 9>&-
udevadm settle
This patch comments out the initial lock_disk() call, which makes
unlock_disk_and_settle() return early because ${FLOCK_DISK_FD} is not
set to a valid FD, avoiding the file descriptor actions that lead to
the failing behavior.
Note that this change does re-introduce the possibility of udev race
conditions during the disk operations, effectively reverting this
behavior to pre-0.32 behavior.
Signed-off-by: Chris Co <chrco@microsoft.com>
---
bin/growpart | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/growpart b/bin/growpart
index 994b258..90fa016 100755
--- a/bin/growpart
+++ b/bin/growpart
@@ -954,7 +954,7 @@ get_resizer "$format" "$resizer" ||
fail "failed to get a resizer for format '$format'"
resizer=$_RET
-lock_disk $DISK
+#lock_disk $DISK
debug 1 "resizing $PART on $DISK using $resizer"
"$resizer"
ret=$?
--
2.17.1


@ -88,7 +88,7 @@ make %{?_smp_mflags} test
* Fri Jun 12 2020 Henry Beberman <henry.beberman@microsoft.com> 3.12.1-7
- Temporarily disable generation of debug symbols.
* Sat May 09 00:20:40 PST 2020 Nick Samson <nisamson@microsoft.com> - 3.12.1-6
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 3.12.1-6
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 3.12.1-5


@ -1,7 +1,7 @@
Summary: Container Network Interface (CNI) plugins
Name: cni
Version: 0.7.5
Release: 5%{?dist}
Release: 7%{?dist}
License: ASL 2.0
# cni moved to https://github.com/containernetworking/cni/issues/667#issuecomment-491693752
URL: https://github.com/containernetworking/plugins
@ -39,6 +39,10 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
%{_default_cni_plugins_dir}/*
%changelog
* Tue Jun 08 2021 Henry Beberman <henry.beberman@microsoft.com> 0.7.5-7
- Increment release to force republishing using golang 1.15.13.
* Mon Apr 26 2021 Nicolas Guibourge <nicolasg@microsoft.com> 0.7.5-6
- Increment release to force republishing using golang 1.15.11.
* Thu Dec 10 2020 Andrew Phelps <anphel@microsoft.com> 0.7.5-5
- Increment release to force republishing using golang 1.15.
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 0.7.5-4


@ -0,0 +1,7 @@
LoadPlugin apache
#<Plugin apache>
# URL "http://localhost/status?auto"
# User "www-user"
# Password "secret"
# CACert "/etc/ssl/ca.crt"
#</Plugin>
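Review bot: Once an operator uncomments `# Password "secret"`, this snippet holds a live credential, and nothing on this page shows what mode it is installed with (the collectd.spec diff is not rendered). It is worth confirming that the spec installs the collectd.d snippets with a restrictive mode such as `%attr(0640,root,root)`, and adding a line above the block like `# Set a real password only if this file is not world-readable.` The same applies to `mysql.conf` later in this commit. The sample `URL` is plain `http://`, which is fine on loopback but would send the Basic credentials in clear text if pointed at a remote host, so a one-line caveat there would help.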


@ -0,0 +1,26 @@
diff --git a/configure b/configure
index 5bc55f8..3bc1ea2 100755
--- a/configure
+++ b/configure
@@ -103142,7 +103142,7 @@ main ()
{
netsnmp_variable_list *key = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);;
- int val;
+ int val = 0;
u_char type = ASN_INTEGER;
snmp_set_var_value(key, &val, sizeof(val));
snmp_set_var_typed_value(key, type, &val, sizeof(val));
diff --git a/configure.ac b/configure.ac
index 2a3152c..5288fcd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3872,7 +3872,7 @@ if test "x$with_libnetsnmp" = "xyes"; then
]],
[[
netsnmp_variable_list *key = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);;
- int val;
+ int val = 0;
u_char type = ASN_INTEGER;
snmp_set_var_value(key, &val, sizeof(val));
snmp_set_var_typed_value(key, type, &val, sizeof(val));
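Review bot: This patch file has no header, so nothing records why `int val = 0;` is needed in the libnetsnmp probe or whether the change was sent upstream. A short preamble would make it maintainable, e.g. `Subject: configure: initialise val in the libnetsnmp check (<reason / upstream reference placeholder>)`. It edits both the generated `configure` and `configure.ac`, which stay in step only if the spec does not regenerate `configure`; the spec diff is not shown on this page, so that should be confirmed.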


@ -0,0 +1,30 @@
# Configuration for collectd.
Alias /collectd/ /usr/share/collectd/collection3/
<Directory "/usr/share/collectd/collection3/">
Require local
# Require all granted
DirectoryIndex bin/index.cgi
DirectoryIndexRedirect on
</Directory>
<Directory "/usr/share/collectd/collection3/etc/">
Require all denied
</Directory>
<Directory "/usr/share/collectd/collection3/lib/">
Require all denied
</Directory>
<Directory "/usr/share/collectd/collection3/share/">
Require local
# Require all granted
</Directory>
<Directory "/usr/share/collectd/collection3/bin/">
Options ExecCGI
AddHandler cgi-script .cgi
Require local
# Require all granted
</Directory>
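Review bot: `AddHandler cgi-script .cgi` in the `collection3/bin/` block matches the extension anywhere in a file name, so a file such as `index.cgi.bak` would also be run as CGI. A stricter binding is `<FilesMatch "\.cgi$">`, `SetHandler cgi-script`, `</FilesMatch>`. The `Require local` default is the right one. The commented `# Require all granted` alternatives would expose the CGI front-end without any authentication, so a comment next to them saying to pair that setting with an auth provider would help whoever uncomments it.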


@ -0,0 +1,30 @@
From ab946c74080ef9608a324f9fca85ae6c6d1eef69 Mon Sep 17 00:00:00 2001
From: Ruben Kerkhof <ruben@rubenkerkhof.com>
Date: Sat, 30 Jan 2016 17:18:05 +0100
Subject: [PATCH] Disable rrdtool, include /etc/collectd.d
---
src/collectd.conf.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/collectd.conf.in b/src/collectd.conf.in
index 07d66cd7595e..b91350ca16f4 100644
--- a/src/collectd.conf.in
+++ b/src/collectd.conf.in
@@ -168,7 +168,7 @@
#@BUILD_PLUGIN_REDIS_TRUE@LoadPlugin redis
#@BUILD_PLUGIN_ROUTEROS_TRUE@LoadPlugin routeros
#@BUILD_PLUGIN_RRDCACHED_TRUE@LoadPlugin rrdcached
-@LOAD_PLUGIN_RRDTOOL@LoadPlugin rrdtool
+#@LOAD_PLUGIN_RRDTOOL@LoadPlugin rrdtool
#@BUILD_PLUGIN_SENSORS_TRUE@LoadPlugin sensors
#@BUILD_PLUGIN_SERIAL_TRUE@LoadPlugin serial
#@BUILD_PLUGIN_SIGROK_TRUE@LoadPlugin sigrok
@@ -1497,3 +1497,4 @@
# </Type>
# </Host>
#</Plugin>
+Include "/etc/collectd.d"
--
2.5.0
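Review bot: `Include "/etc/collectd.d"` at the end of the second hunk loads every file in that directory, including `*.rpmsave`, `*.rpmnew` and editor backups. A stale or half-edited snippet, possibly with old credentials or a plugin that was meant to be disabled, would then be parsed as root at daemon start. Restricting it to `Include "/etc/collectd.d/*.conf"` keeps only the intended snippets. Separately, the first hunk's change to `#@LOAD_PLUGIN_RRDTOOL@LoadPlugin rrdtool` would read better with a note in the patch description that the plugin is now loaded from its own snippet, if that is what the `rrdtool.conf` listed in the signatures file does.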


@ -0,0 +1,13 @@
[Unit]
Description=Collectd statistics daemon
Documentation=man:collectd(1) man:collectd.conf(5)
After=local-fs.target network-online.target
Requires=local-fs.target network-online.target
[Service]
ExecStart=/usr/sbin/collectd
Restart=on-failure
Type=notify
[Install]
WantedBy=multi-user.target
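Review bot: The `[Service]` section starts `/usr/sbin/collectd` with no `User=` and no sandboxing directives, so the daemon and every plugin it loads run as unrestricted root. Several of the plugins packaged here parse network or third-party data (apache, mysql, nginx, snmp). Where the enabled plugins allow it, a baseline such as `NoNewPrivileges=yes`, `ProtectHome=yes`, `PrivateTmp=yes` would limit what a plugin bug can reach. If some plugins need more, a comment in the unit saying which directive to relax for which plugin is preferable to leaving the unit open. Also, `Requires=network-online.target` makes the collector fail to start when the network target fails; `Wants=` is the usual choice unless that hard dependency is intended.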


@ -0,0 +1,15 @@
{
"Signatures": {
"collectd-5.12.0.tar.bz2": "5bae043042c19c31f77eb8464e56a01a5454e0b39fa07cf7ad0f1bfc9c3a09d6",
"collectd-httpd.conf": "1167c286b7329331f648182d2639024aa9accd183306c0edb47a8a25ce85dec4",
"collectd.service": "8a2e52f27c31ff99e973132046acabe9d69406c985da0171c9178e7d35deaa4f",
"apache.conf": "725464f17b42367e902c6c87d465d295a4f1677925596f1a4e5424e8808eeffb",
"email.conf": "5612c78046e21e929dc571c49334dd36f1d02718fc5921c13ce0cacb90924d5f",
"mysql.conf": "246271021223c6a3e2071dde288808fa20488293f78644ac226e9dee4378e0b4",
"nginx.conf": "553189b9c9fbeda231a8c372d0e5e1e7c8fd82b05b9d5c49f7913af11327b429",
"sensors.conf": "0dd219e933d2fb275140e99a32c01ddb9e2fefae3500a0e120386748aa980022",
"snmp.conf": "e07805b4395ee048838d03be49d352da00d2d06616f157eaa17644f868e5c64e",
"rrdtool.conf": "f958c6910c382d75d200f1b6f0bb8ed881113eb457c77df141e72ec574fb4e23",
"onewire.conf": "9f8bc954f158b1e6f682665bb0a0e38c4b164aca6abd6e030f89f928b5caec2e"
}
}

1595
SPECS/collectd/collectd.spec Normal file



@ -0,0 +1,7 @@
LoadPlugin email
#<Plugin email>
# SocketFile "/usr/var/run/collectd-email"
# SocketGroup "collectd"
# SocketPerms "0770"
# MaxConns 5
#</Plugin>
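Review bot: The sample `# SocketFile "/usr/var/run/collectd-email"` looks like a prefix-expanded upstream default rather than a path that exists on this distribution. An operator who uncomments the block as-is would probably get a socket in an unexpected or missing directory. If the package is built with the state directory under `/var`, the example should read `# SocketFile "/var/run/collectd-email"`. A comment that `SocketGroup`/`SocketPerms "0770"` decide who may feed data into the plugin would also help, since the socket is the plugin's only access control.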


@ -0,0 +1,7 @@
LoadPlugin mysql
#<Plugin mysql>
# Host "database.serv.er"
# User "db_user"
# Password "secret"
# Database "db_name"
#</Plugin>
