author | Patrick J Volkerding <volkerdi@slackware.com> | 2023-11-07 19:57:12 +0000
committer | Eric Hameleers <alien@slackware.com> | 2023-11-07 21:28:19 +0100
commit | 69753b9a1da83d78dab7943e3fcdb428ee74a254
tree | 9c58cf752080a6715fe80639e22491bbb8be31d2 /source
parent | 16aecb6aa38eaab548b9aece32c6aa72f59e80b2
Tue Nov 7 19:57:12 UTC 2023
ap/sudo-1.9.15-x86_64-1.txz: Upgraded.
The sudoers plugin has been modified to make it more resilient to ROWHAMMER
attacks on authentication and policy matching.
The sudoers plugin now constructs the user time stamp file path name using
the user-ID instead of the user name. This avoids a potential problem with
user names that contain a path separator ('/') being interpreted as part of
the path name.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-42465
https://www.cve.org/CVERecord?id=CVE-2023-42456
(* Security fix *)
ap/vim-9.0.2092-x86_64-1.txz: Upgraded.
l/libuv-1.47.0-x86_64-1.txz: Upgraded.
l/xapian-core-1.4.24-x86_64-1.txz: Upgraded.
n/bind-9.18.19-x86_64-2.txz: Rebuilt.
Don't go automatically chowning files in /var/named, since some users may
have special requirements. But in case anyone finds that behavior useful,
you may set NAMED_CHOWN=YES in /etc/default/named to turn it back on.
Unless anyone has a good objection to it, this change is considered pending
for the next BIND upgrades in -stable.
Thanks to Mig21.
xap/vim-gvim-9.0.2092-x86_64-1.txz: Upgraded.
Diffstat
-rwxr-xr-x | source/n/bind/bind.SlackBuild | 20
-rw-r--r-- | source/n/bind/caching-example/named.ca | 92
-rw-r--r-- | source/n/bind/caching-example/named.root | 6
-rw-r--r-- | source/n/bind/default.named | 14
-rw-r--r-- | source/n/bind/rc.bind | 12
5 files changed, 127 insertions, 17 deletions
diff --git a/source/n/bind/bind.SlackBuild b/source/n/bind/bind.SlackBuild index 856c86504..e32294b1f 100755 --- a/source/n/bind/bind.SlackBuild +++ b/source/n/bind/bind.SlackBuild @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA +# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021, 2023 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=bind VERSION=${VERSION:-$(echo ${PKGNAM}-[0-9]*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then 
@@ -163,13 +163,18 @@ fi # Add sample config files for a simple caching nameserver: mkdir -p $PKG/var/named/caching-example -cat $CWD/caching-example/named.conf > $PKG/etc/named.conf.new -cat $CWD/caching-example/localhost.zone > $PKG/var/named/caching-example/localhost.zone -cat $CWD/caching-example/named.local > $PKG/var/named/caching-example/named.local -cat $CWD/caching-example/named.root > $PKG/var/named/caching-example/named.root +cp -a $CWD/caching-example/named.conf $PKG/etc/named.conf.new +cp -a $CWD/caching-example/localhost.zone $PKG/var/named/caching-example/localhost.zone +cp -a $CWD/caching-example/named.local $PKG/var/named/caching-example/named.local +cp -a $CWD/caching-example/named.root $PKG/var/named/caching-example/named.root # This name is deprecated, but having it here doesn't hurt in case # an old configuration file wants it: -cat $CWD/caching-example/named.root > $PKG/var/named/caching-example/named.ca +cp -a $CWD/caching-example/named.root $PKG/var/named/caching-example/named.ca +chown root:root $PKG/etc/named.conf.new +chmod 644 $PKG/var/named/caching-example/* + +# Make sure that everything in /var/named is owned by named:named: +chown -R named:named $PKG/var/named mkdir -p $PKG/install zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh @@ -177,4 +182,3 @@ cat $CWD/slack-desc > $PKG/install/slack-desc cd $PKG /sbin/makepkg -l y -c n $TMP/${PKGNAM}-$(echo $VERSION | tr - _)-$ARCH-$BUILD.txz - diff --git a/source/n/bind/caching-example/named.ca b/source/n/bind/caching-example/named.ca new file mode 100644 index 000000000..6db8239a2 --- /dev/null +++ b/source/n/bind/caching-example/named.ca 
@@ -0,0 +1,92 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . <file>" +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: October 24, 2023 +; related version of root zone: 2023102402 +; +; FORMERLY NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 
3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file
\ No newline at end of file diff --git a/source/n/bind/caching-example/named.root b/source/n/bind/caching-example/named.root index dba9ed9ea..6db8239a2 100644 --- a/source/n/bind/caching-example/named.root +++ b/source/n/bind/caching-example/named.root @@ -8,9 +8,9 @@ ; file /domain/named.cache ; on server FTP.INTERNIC.NET ; -OR- RS.INTERNIC.NET -; -; last update: July 30, 2019 -; related version of root zone: 2019073000 +; +; last update: October 24, 2023 +; related version of root zone: 2023102402 ; ; FORMERLY NS.INTERNIC.NET ; diff --git a/source/n/bind/default.named b/source/n/bind/default.named index 50e18664b..5c59298df 100644 --- a/source/n/bind/default.named +++ b/source/n/bind/default.named @@ -1,7 +1,7 @@ # User to run named as: NAMED_USER=named -# Group to use for chowning named related files and directories. +# Group to use for named related files and directories. # By default, named will also run as the primary group of $NAMED_USER, # which will usually be the same as what's listed below, but not # necessarily if something other than the default of "named" is used. @@ -10,3 +10,15 @@ NAMED_GROUP=named # Options to run named with. At least -u $NAMED_USER is required, but # additional options may be added if needed. NAMED_OPTIONS="-u $NAMED_USER" + +# If this is set to YES, then before starting named the startup script +# will make sure that /etc/rndc.key (if it exists) and the enitre contents +# of /var/named are chowned to $NAMED_USER:$NAMED_GROUP. If some of these +# files are improperly owned, named will refuse to start or may now work +# properly. This is also a useful setting when upgrading from an older BIND +# package that would run as root. +# +# If NAMED_CHOWN is set to anything else (or is unset), then these files +# will not be chowned automatically and the admin will handle any required +# file ownerships. +NAMED_CHOWN=NO diff --git a/source/n/bind/rc.bind b/source/n/bind/rc.bind index 169db8126..1b0b4d6fb 100644 --- a/source/n/bind/rc.bind 
+++ b/source/n/bind/rc.bind @@ -42,11 +42,13 @@ bind_start() { mkdir -p /var/run/named # Make sure that /var/run/named has correct ownership: chown -R ${NAMED_USER}:${NAMED_GROUP} /var/run/named - # Make sure that /var/named has correct ownership: - chown -R ${NAMED_USER}:${NAMED_GROUP} /var/named - if [ -r /etc/rndc.key ]; then - # Make sure that /etc/rndc.key has correct ownership: - chown ${NAMED_USER}:${NAMED_GROUP} /etc/rndc.key + if [ "$NAMED_CHOWN" = "YES" ]; then + # Make sure that /var/named has correct ownership: + chown -R ${NAMED_USER}:${NAMED_GROUP} /var/named + if [ -r /etc/rndc.key ]; then + # Make sure that /etc/rndc.key has correct ownership: + chown ${NAMED_USER}:${NAMED_GROUP} /etc/rndc.key + fi fi # Start named: if [ -x /usr/sbin/named ]; then |
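Review bot: in the bind.SlackBuild hunk at `@@ -163,13 +163,18 @@`, the new `chown -R named:named $PKG/var/named` only succeeds if the named user and group exist on the build host, and the script does not check its exit status, so on a host without them the chown fails silently and the package ships /var/named owned by whoever ran the build. Consider using the numeric uid:gid that the package expects, or aborting the build when the lookup fails. In the same hunk, `cp -a` carries the source files' mode into $PKG; `chmod 644` is applied to `$PKG/var/named/caching-example/*` but `$PKG/etc/named.conf.new` only gets `chown root:root`, so a stray mode on the source named.conf would be packaged as-is; a matching `chmod 644 $PKG/etc/named.conf.new` would close that gap.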
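Review bot: the new file source/n/bind/caching-example/named.ca is never referenced by bind.SlackBuild, which still produces the packaged named.ca with `cp -a $CWD/caching-example/named.root $PKG/var/named/caching-example/named.ca`. The tree now carries two identical copies of the root hints (both at blob 6db8239a2) that will drift apart at the next hints update; either drop the new file or have the SlackBuild copy it instead of named.root. The new file also lacks a trailing newline (`\ No newline at end of file`), unlike named.root.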
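Review bot: typos in the new comment block of the default.named hunk at `@@ -10,3 +10,15 @@`: "enitre contents" should be "entire contents", and "named will refuse to start or may now work properly" should read "may not work properly". This comment is the only place an admin will see NAMED_CHOWN documented, so it is worth fixing before the change lands in -stable.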
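Review bot: in the rc.bind hunk, `if [ "$NAMED_CHOWN" = "YES" ]; then` is an exact, case-sensitive match and an unset variable takes the no-chown branch, so a system that keeps its pre-existing /etc/default/named (which has no NAMED_CHOWN line) changes behaviour on upgrade. That is the intended default per the ChangeLog, but a one-line comment above the test stating that unset or anything other than YES means no chown would make that explicit in the script itself. The `chown -R ${NAMED_USER}:${NAMED_GROUP} /var/run/named` a few lines above stays unconditional, which is consistent since the script creates that directory itself with `mkdir -p /var/run/named`.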