| author | Tomas Hozza <thozza@redhat.com> | 2013-07-28 20:08:02 +0200 |
|---|---|---|
| committer | Tomas Hozza <thozza@redhat.com> | 2013-07-28 20:08:02 +0200 |
| commit | 8d916c392676382eda55094a60362a759f3f4b9b (patch) | |
| tree | 655c67d5c7b2156bd7716c47ae5acaa519e9c7f0 | |
| parent | 1eae3000c8eb1e2853b7563da43a9e2cb951a5fc (diff) | |
update to 9.9.3-P2 (fix for CVE-2013-4854)
- update RRL patch to 9.9.3-P2-rl.13207.22
Signed-off-by: Tomas Hozza <thozza@redhat.com>
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | bind.spec | 10 | ||||
| -rw-r--r-- | rl-9.9.3-P2.patch (renamed from rl-9.9.3-P1.patch) | 11 | ||||
| -rw-r--r-- | sources | 2 |
4 files changed, 16 insertions, 8 deletions
@@ -35,3 +35,4 @@ bind-9.7.2b1.tar.gz /bind-9.9.3rc2.tar.gz /bind-9.9.3.tar.gz /bind-9.9.3-P1.tar.gz +/bind-9.9.3-P2.tar.gz @@ -2,7 +2,7 @@ # Red Hat BIND package .spec file # -%global PATCHVER P1 +%global PATCHVER P2 #%%global PREVER rc2 #%%global VERSION %{version}%{PREVER} #%%global VERSION %{version} @@ -26,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.3 -Release: 4.%{?PATCHVER}%{?dist} +Release: 5.%{?PATCHVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -79,7 +79,7 @@ Patch131:bind-9.9.1-P2-multlib-conflict.patch Patch132:bind99-stat.patch Patch133:bind99-rh640538.patch Patch134:bind97-rh669163.patch -Patch136:rl-9.9.3-P1.patch +Patch136:rl-9.9.3-P2.patch Patch137:bind99-rrl.patch # Install dns/update.h header for bind-dyndb-ldap plugin Patch138:bind-9.9.3-include-update-h.patch @@ -779,6 +779,10 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Sun Jul 28 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-5.P2 +- update to 9.9.3-P2 (fix for CVE-2013-4854) +- update RRL patch to 9.9.3-P2-rl.13207.22 + * Thu Jul 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-4.P1 - Fix script for setting up chroot so it unmounts everything successfully diff --git a/rl-9.9.3-P1.patch b/rl-9.9.3-P2.patch index 493c4da..0b4388b 100644 --- a/rl-9.9.3-P1.patch +++ b/rl-9.9.3-P2.patch @@ -120,7 +120,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c * answer counter, preventing double-counting. */ if (counter == dns_nsstatscounter_authans) { -@@ -5865,6 +5865,128 @@ +@@ -5865,6 +5865,131 @@ resume: CTRACE("query_find: resume"); 
@@ -131,12 +131,15 @@ diff -r -u bin/named/query.c-orig bin/named/query.c + * Delay handling delegations for which we are certain to recurse and + * return here (DNS_R_DELEGATION, not a child of one of our + * own zones, and recursion enabled) ++ * Don't mess with responses rewritten by RPZ + * Count each response at most once. + */ + if (client->view->rrl != NULL && + ((fname != NULL && dns_name_isabsolute(fname)) || + (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) && + !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) && ++ (client->query.rpz_st == NULL || ++ (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&& + (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) { + dns_rdataset_t nc_rdataset; + isc_boolean_t wouldlog; @@ -249,7 +252,7 @@ diff -r -u bin/named/query.c-orig bin/named/query.c if (!ISC_LIST_EMPTY(client->view->rpz_zones) && (RECURSIONOK(client) || !client->view->rpz_recursive_only) && rpz_ck_dnssec(client, result, rdataset, sigrdataset) && -@@ -7318,12 +7440,14 @@ +@@ -7318,12 +7443,14 @@ } if (eresult != ISC_R_SUCCESS && @@ -3325,6 +3328,6 @@ diff -r -u version-orig version MAJORVER=9 MINORVER=9 -PATCHVER=3 -+PATCHVER=3-rl.156.01 ++PATCHVER=3-rl.13207.22 RELEASETYPE=-P - RELEASEVER=1 + RELEASEVER=2 @@ -1,2 +1,2 @@ -cf9cd9238d7bc15f1b4a5a5fff90f0d4 bind-9.9.3-P1.tar.gz +943f6de6bfdfd821aa444242c02c1322 bind-9.9.3-P2.tar.gz d64062a182bf71dbcae7b2e2fe2cd55b config-11.tar.bz2 |
