packages/unbound
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
unbound/unbound.spec
eaglegai 2eac5440cc fix CVE-2024-33655
2024-09-26 09:21:10 +00:00

363 lines
12 KiB
RPMSpec
Raw Blame History

%{!?delete_la: %global delete_la find $RPM_BUILD_ROOT -type f -name "*.la" -delete}
Name: unbound
Version: 1.11.0
Release: 15
Summary: Unbound is a validating, recursive, caching DNS resolver
License: BSD
Url: https://nlnetlabs.nl/projects/unbound/about/
Source: https://nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz
Source1: unbound.service
Source2: unbound.conf
Source3: root.key
Source4: unbound-keygen.service
Source5: tmpfiles-unbound.conf
Source6: example.com.key
Source7: example.com.conf
Source8: block-example.com.conf
Source9: https://data.iana.org/root-anchors/icannbundle.pem
Source10: root.anchor
Source11: unbound.sysconfig
Source12: unbound-anchor.timer
Source13: unbound-anchor.service
Patch0: CVE-2020-28935.patch
Patch1: backport-fix-610-undefine-shift-in-sldns_str2wire_hip_buf.patch
Patch2: backport-fix-for-611-integer-overflow-in-sldns_wire2str_pkt_s.patch
Patch3: backport-fix-q-doesnt-work-when-use-with-unbound-control-stats_shm.patch
Patch4: backport-0001-CVE-2022-30698-and-CVE-2022-30699.patch
Patch5: backport-0002-CVE-2022-30698-and-CVE-2022-30699.patch
Patch6: backport-CVE-2022-3204.patch
Patch7: backport-CVE-2023-50387_CVE-2023-50868.patch
Patch8: unbound-remove-buildin-key.patch
Patch9: backport-CVE-2024-43167.patch
Patch10: backport-001-CVE-2024-43168.patch
Patch11: backport-002-CVE-2024-43168.patch
Patch12: backport-003-CVE-2024-43168.patch
Patch13: backport-004-CVE-2024-43168.patch
Patch14: backport-CVE-2024-33655.patch
BuildRequires: make byacc flex swig pkgconfig systemd python-unversioned-command
BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
%{?systemd_requires}
Requires: %{name}-libs = %{version}-%{release}
%description
Unbound is a validating, recursive, caching DNS resolver. It is designed
to be fast and lean and incorporates modern features based on open standards.
To help increase online privacy, Unbound supports DNS-over-TLS which allows
clients to encrypt their communication. Unbound is available for most platforms
such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows.
Unbound is a totally free, open source software under the BSD license. It doesn't
make custom builds or provide specific features to paying customers only.
%package libs
Summary: Libraries for %{name}
%{?systemd_requires}
Requires: shadow-utils
%description libs
Libraries for %{name}.
%package devel
Summary: Libraries and header files
Requires: %{name}-libs = %{version}-%{release} openssl-devel pkgconfig
%description devel
Package devel includes libraries and header files for development with unbound.
%package -n python3-%{name}
Summary: The python3 module of unbound DNS resolver
Requires: %{name}-libs = %{version}-%{release}
%description -n python3-unbound
The python3 module of unbound DNS resolver.
%package help
Summary: Man pages for unbound
%description help
Package help includes includes man pages for unbound.
%prep
%autosetup -c -N -n %{name}-%{version}
pushd %{name}-%{version}
%autopatch -p1
cp -pr doc pythonmod libunbound ../
popd
%build
%global configure_args --with-libevent --with-pthreads --with-ssl \\\
--disable-rpath --disable-static \\\
--enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key
pushd %{name}-%{version}
%configure --with-pythonmodule --with-pyunbound PYTHON=%{__python3} \%{configure_args}
%make_build
%make_build streamtcp
popd
%install
pushd %{name}-%{version}
%make_install unbound-event-install
install -m 0755 streamtcp $RPM_BUILD_ROOT%{_sbindir}/unbound-streamtcp
install -d -m 0755 $RPM_BUILD_ROOT%{_unitdir} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
install -m 0644 testcode/streamtcp.1 $RPM_BUILD_ROOT%{_mandir}/man1/unbound-streamtcp.1
install -D -m 0644 contrib/libunbound.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/libunbound.pc
popd
install -d -m 0755 $RPM_BUILD_ROOT%{_tmpfilesdir} $RPM_BUILD_ROOT%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_tmpfilesdir}/unbound.conf
install -m 0644 %{SOURCE10} $RPM_BUILD_ROOT%{_sharedstatedir}/unbound/root.key
install -p -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/unbound.service
install -p -m 0755 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE11} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/unbound
install -p -m 0644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE13} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.service
%delete_la
for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
do
echo ".so man3/libunbound.3" > $RPM_BUILD_ROOT%{_mandir}/man3/$mpage ;
done
install -d $RPM_BUILD_ROOT%{_localstatedir}/run/unbound
install -d $RPM_BUILD_ROOT%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE8} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/local.d/
echo ".so man8/unbound-control.8" > $RPM_BUILD_ROOT/%{_mandir}/man8/unbound-control-setup.8
%pre libs
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
-c "Unbound DNS resolver" unbound
%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service
%post libs
%{?ldconfig}
%systemd_post unbound-anchor.timer
if [ "$1" -eq 1 ]; then
/bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
fi
%preun
%systemd_preun unbound.service
%systemd_preun unbound-keygen.service
%preun libs
%systemd_preun unbound-anchor.timer
%postun
%systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service
%postun libs
%{?ldconfig}
%systemd_postun_with_restart unbound-anchor.timer
%triggerun -- unbound < 1.4.12-4
/usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
/sbin/chkconfig --del unbound >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%check
pushd %{name}-%{version}
make check
popd
%files
%defattr(-,root,root)
%doc doc/CREDITS doc/FEATURES doc/README doc/LICENSE
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%{_sbindir}/*
%exclude %{_sbindir}/unbound-anchor
%files libs
%defattr(-,root,root)
%dir %attr(0755,root,root) %{_sysconfdir}/%{name}
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
%{_sysconfdir}/%{name}/icannbundle.pem
%{_sbindir}/unbound-anchor
%{_libdir}/libunbound.so.*
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%files -n python3-unbound
%defattr(-,root,root)
%doc pythonmod/examples/* libunbound/python/examples/* pythonmod/LICENSE
%{python3_sitearch}/*
%files devel
%defattr(-,root,root)
%{_libdir}/libunbound.so
%{_libdir}/pkgconfig/*.pc
%{_includedir}/*
%files help
%defattr(-,root,root)
%{_mandir}/man*
%changelog
* Thu Sep 26 2024 gaihuiying <eaglegai@163.com> - 1.11.0-15
- Type:CVE
- CVE:CVE-2024-33655
- SUG:NA
- DESC:fix CVE-2024-33655
* Mon Aug 26 2024 gaihuiying <eaglegai@163.com> - 1.11.0-14
- Type:cves
- CVE:CVE-2024-43168
- SUG:NA
- DESC:fix CVE-2024-43168 better
* Mon Aug 19 2024 gaihuiying <eaglegai@163.com> - 1.11.0-13
- Type:cves
- CVE:CVE-2024-43167 CVE-2024-43168
- SUG:NA
- DESC:fix CVE-2024-43167 CVE-2024-43168
* Tue Mar 05 2024 gaihuiying <eaglegai@163.com> - 1.11.0-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:change ExecReload to fix reload failure
* Fri Mar 01 2024 gaihuiying <eaglegai@163.com> - 1.11.0-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:synchronize a patch from SP1 to remove default buildin key
* Tue Feb 27 2024 gaihuiying <eaglegai@163.com> - 1.11.0-10
- Type:cves
- CVE:CVE-2024-1488
- SUG:NA
- DESC:fix CVE-2024-1488
* Fri Feb 23 2024 gaihuiying <eaglegai@163.com> - 1.11.0-9
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix CVE-2023-50387 CVE-2023-50868
* Thu Sep 22 2022 xingwei <xingwei14@h-partners.com> - 1.11.0-8
- Type:cves
- CVE:CVE-2022-3204
- SUG:NA
- DESC:fix CVE-2022-3204
* Mon Sep 05 2022 gaihuiying <eaglegai@163.com> - 1.11.0-7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:delete useless files
* Thu Aug 04 2022 yanglu<yanglu72@h-partners.com> - 1.11.0-6
- Type:cves
- CVE:CVE-2022-30698 CVE-2022-30699
- SUG:NA
- DESC:fix CVE-2022-30698 and CVE-2022-30699
* Wed Mar 23 2022 zengweifeng<zwfeng@huawei.com> - 1.11.0-5
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix -q doesn't work when use with 'unbound-control stats_shm'
* Mon Feb 07 2022 jiangheng<jiangheng12@huawei.com> - 1.11.0-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix integer overflow in sldns_wire2str_pkt_scan
* Tue Jan 25 2022 jiangheng<jiangheng12@huawei.com> - 1.11.0-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix Undefine-shift in sldns_str2wire_hip_buf
* Tue Feb 23 2021 zhouyihang <zhouyihang3@huawei.com> - 1.11.0-2
- Type:CVE
- ID:NA
- SUG:NA
- DESC:fix CVE-2020-28935
* Sat Aug 29 2020 xiaqirong <xiaqirong1@huawei.com> - 1.11.0-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update unbound version to 1.11.0
* Fri Jul 24 2020 zhangnaru <zhangnaru@huawei.com> - 1.7.3-15
- Type:cves
- ID:CVE-2020-12662 CVE-2020-12663
- SUG:NA
- DESC:fix CVE-2020-12662 CVE-2020-12663
* Wed Feb 19 2020 hexiujun <hexiujun1@huawei.com> - 1.7.3-14
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:unpack libs subpackage
* Sat Jan 11 2020 zhangrui<zhangrui182@huawei.com> - 1.7.3-13
- Type:cves
- ID:CVE-2019-18934
- SUG:restart
- DESC:fix CVE-2019-18934
* Tue Dec 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.7.3-12
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:change the jurisdiction for some path of files
* Wed Nov 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.7.3-11
- Type: enhancement
- ID: NA
- SUG: NA
- DESC:modify the contents of help package
* Wed Sep 25 2019 Zaiwang Li <lizaiwang1@huawei.com> - 1.7.3-10
- Init Package
Reference in New Issue View Git Blame Copy Permalink