From ed7e9fe9c2c97215596d12888a7adc4a572a243b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Thu, 12 Jul 2018 01:50:07 +0000 Subject: Thu Jul 12 01:50:07 UTC 2018 a/kernel-generic-4.14.55-x86_64-1.txz: Upgraded. a/kernel-huge-4.14.55-x86_64-1.txz: Upgraded. a/kernel-modules-4.14.55-x86_64-1.txz: Upgraded. d/kernel-headers-4.14.55-x86-1.txz: Upgraded. d/rust-1.27.1-x86_64-1.txz: Upgraded. k/kernel-source-4.14.55-noarch-1.txz: Upgraded. n/bind-9.13.2-x86_64-1.txz: Upgraded. This update fixes security issues: Fixed a bug where extraordinarily large zone transfers caused several problems, with possible outcomes including corrupted journal files or server exit due to assertion failure. Don't permit recursive query service to unauthorized clients. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738 (* Security fix *) n/curl-7.61.0-x86_64-1.txz: Upgraded. This update fixes a buffer overflow in SMTP send. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500 (* Security fix *) isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt. --- source/n/bind/bind.SlackBuild | 8 +- source/n/bind/bind.libidn.patch | 297 ---------------------------------------- source/n/curl/cacert.pem | 28 +--- 3 files changed, 5 insertions(+), 328 deletions(-) delete mode 100644 source/n/bind/bind.libidn.patch (limited to 'source/n') diff --git a/source/n/bind/bind.SlackBuild b/source/n/bind/bind.SlackBuild index a5e16245..8839e31a 100755 --- a/source/n/bind/bind.SlackBuild +++ b/source/n/bind/bind.SlackBuild @@ -23,8 +23,8 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=bind -VERSION=${VERSION:-9.11.3} -BUILD=${BUILD:-4} +VERSION=${VERSION:-9.13.2} +BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then 
@@ -72,9 +72,6 @@ cd ${PKGNAM}-$VERSION || exit 1 # upstream already, but an explicit #undef SO_BSDCOMPAT does not hurt: zcat $CWD/bind.so_bsdcompat.diff.gz | patch -p1 --verbose || exit -# Thanks to Fedora for libidn support patch: -zcat $CWD/bind.libidn.patch.gz | patch -p1 --verbose || exit 1 - # Make sure ownerships and permissions are sane: chown -R root:root . find . \ @@ -91,6 +88,7 @@ CFLAGS="$SLKCFLAGS" \ --sysconfdir=/etc \ --localstatedir=/var \ --with-libtool \ + --with-libidn2 \ --mandir=/usr/man \ --enable-shared \ --disable-static \ diff --git a/source/n/bind/bind.libidn.patch b/source/n/bind/bind.libidn.patch deleted file mode 100644 index 6e042be7..00000000 --- a/source/n/bind/bind.libidn.patch +++ /dev/null 
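Review bot: The `--with-libidn2` line added to the configure arguments has no comment explaining it, while the preceding hunk deletes the only comment that said how dig got IDN support (`# Thanks to Fedora for libidn support patch:`). The flag only makes sense for sources that ship their own libidn2 support, yet `VERSION=${VERSION:-9.13.2}` can still be overridden from the environment; with an older tarball configure would presumably only warn about an unknown option and the package would be built without IDN, silently. I would add a comment above the configure invocation (which starts and ends outside this hunk), such as `# IDN in dig comes from upstream's libidn2 support (libidn2 must be installed at build time); the old Fedora libidn patch is not needed for this series.` It is also worth confirming that libidn2 is recorded as a build and runtime requirement of this package.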
@@ -1,297 +0,0 @@ -diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in -index bd219c5..f71685b 100644 ---- a/bin/dig/Makefile.in -+++ b/bin/dig/Makefile.in -@@ -38,10 +38,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \ - ${ISCCFGDEPLIBS} ${LWRESDEPLIBS} - - LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -- ${ISCLIBS} @IDNLIBS@ @LIBS@ -+ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn - - NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn - - SUBDIRS = - -@@ -59,6 +59,8 @@ HTMLPAGES = dig.html host.html nslookup.html - - MANOBJS = ${MANPAGES} ${HTMLPAGES} - -+EXT_CFLAGS = -DWITH_LIBIDN -+ - @BIND9_MAKE_RULES@ - - dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} -diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index 7a7e8e4..b36047f 100644 ---- a/bin/dig/dig.docbook -+++ b/bin/dig/dig.docbook -@@ -1251,8 +1251,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr - dig appropriately converts character encoding of - domain name before sending a request to DNS server or displaying a - reply from the server. -- If you'd like to turn off the IDN support for some reason, defines -- the IDN_DISABLE environment variable. -+ If you'd like to turn off the IDN support for some reason, define -+ the CHARSET=ASCII environment variable. - The IDN support is disabled if the variable is set when - dig runs. 
- -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 1f8bcf2..f657c30 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -33,6 +33,11 @@ - #include - #endif - -+#ifdef WITH_LIBIDN -+#include -+#include -+#endif -+ - #include - #ifdef DIG_SIGCHASE - #include -@@ -158,6 +163,14 @@ static void idn_check_result(idn_result_t r, const char *msg); - int idnoptions = 0; - #endif - -+#ifdef WITH_LIBIDN -+static isc_result_t libidn_locale_to_utf8 (const char* from, char *to); -+static isc_result_t libidn_utf8_to_ascii (const char* from, char *to); -+static isc_result_t output_filter (isc_buffer_t *buffer, -+ unsigned int used_org, -+ isc_boolean_t absolute); -+#endif -+ - isc_socket_t *keep = NULL; - isc_sockaddr_t keepaddr; - -@@ -1448,8 +1461,15 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) { - - #ifdef WITH_IDN - initialize_idn(); -+ -+#endif -+#ifdef WITH_LIBIDN -+ result = dns_name_settotextfilter(output_filter); -+ check_result(result, "dns_name_settotextfilter"); -+#ifdef HAVE_SETLOCALE -+ setlocale (LC_ALL, ""); -+#endif - #endif -- - if (keyfile[0] != 0) - setup_file_key(); - else if (keysecret[0] != 0) -@@ -2231,8 +2251,11 @@ setup_lookup(dig_lookup_t *lookup) { - idn_result_t mr; - char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME]; - #endif -+#ifdef WITH_LIBIDN -+ char utf8_str[MXNAME], utf8_name[MXNAME], ascii_name[MXNAME]; -+#endif - --#ifdef WITH_IDN -+#if defined (WITH_IDN) || defined (WITH_LIBIDN) - result = dns_name_settotextfilter(lookup->idnout ? 
- output_filter : NULL); - check_result(result, "dns_name_settotextfilter"); -@@ -2274,6 +2297,14 @@ setup_lookup(dig_lookup_t *lookup) { - mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname, - utf8_textname, sizeof(utf8_textname)); - idn_check_result(mr, "convert textname to UTF-8"); -+#elif defined (WITH_LIBIDN) -+ result = libidn_locale_to_utf8 (lookup->textname, utf8_str); -+ check_result (result, "convert textname to UTF-8"); -+ len = strlen (utf8_str); -+ if (len < MXNAME) -+ (void) strcpy (utf8_name, utf8_str); -+ else -+ fatal ("Too long name"); - #endif - - /* -@@ -2286,15 +2317,11 @@ setup_lookup(dig_lookup_t *lookup) { - if (lookup->new_search) { - #ifdef WITH_IDN - if ((count_dots(utf8_textname) >= ndots) || !usesearch) { -- lookup->origin = NULL; /* Force abs lookup */ -- lookup->done_as_is = ISC_TRUE; -- lookup->need_search = usesearch; -- } else if (lookup->origin == NULL && usesearch) { -- lookup->origin = ISC_LIST_HEAD(search_list); -- lookup->need_search = ISC_FALSE; -- } -+#elif defined (WITH_LIBIDN) -+ if ((count_dots(utf8_name) >= ndots) || !usesearch) { - #else - if ((count_dots(lookup->textname) >= ndots) || !usesearch) { -+#endif - lookup->origin = NULL; /* Force abs lookup */ - lookup->done_as_is = ISC_TRUE; - lookup->need_search = usesearch; -@@ -2302,7 +2329,6 @@ setup_lookup(dig_lookup_t *lookup) { - lookup->origin = ISC_LIST_HEAD(search_list); - lookup->need_search = ISC_FALSE; - } --#endif - } - - #ifdef WITH_IDN -@@ -2319,6 +2345,20 @@ setup_lookup(dig_lookup_t *lookup) { - IDN_IDNCONV | IDN_LENCHECK, utf8_textname, - idn_textname, sizeof(idn_textname)); - idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); -+#elif defined (WITH_LIBIDN) -+ if (lookup->origin != NULL) { -+ result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str); -+ check_result (result, "convert origin to UTF-8"); -+ if (len > 0 && utf8_name[len - 1] != '.') { -+ utf8_name[len++] = '.'; -+ if (len + strlen (utf8_str) < MXNAME) -+ 
(void) strcpy (utf8_name + len, utf8_str); -+ else -+ fatal ("Too long name + origin"); -+ } -+ } -+ -+ result = libidn_utf8_to_ascii (utf8_name, ascii_name); - #else - if (lookup->origin != NULL) { - debug("trying origin %s", lookup->origin->origin); -@@ -2389,6 +2429,13 @@ setup_lookup(dig_lookup_t *lookup) { - result = dns_name_fromtext(lookup->name, &b, - dns_rootname, 0, - &lookup->namebuf); -+#elif defined (WITH_LIBIDN) -+ len = strlen (ascii_name); -+ isc_buffer_init(&b, ascii_name, len); -+ isc_buffer_add(&b, len); -+ result = dns_name_fromtext(lookup->name, &b, -+ dns_rootname, 0, -+ &lookup->namebuf); - #else - len = (unsigned int) strlen(lookup->textname); - isc_buffer_init(&b, lookup->textname, len); -@@ -4377,7 +4424,7 @@ destroy_libs(void) { - void * ptr; - dig_message_t *chase_msg; - #endif --#ifdef WITH_IDN -+#if defined (WITH_IDN) || defined (WITH_LIBIDN) - isc_result_t result; - #endif - -@@ -4418,6 +4465,10 @@ destroy_libs(void) { - result = dns_name_settotextfilter(NULL); - check_result(result, "dns_name_settotextfilter"); - #endif -+#ifdef WITH_LIBIDN -+ result = dns_name_settotextfilter (NULL); -+ check_result(result, "clearing dns_name_settotextfilter"); -+#endif - dns_name_destroy(); - - if (commctx != NULL) { -@@ -4603,6 +4654,97 @@ idn_check_result(idn_result_t r, const char *msg) { - } - } - #endif /* WITH_IDN */ -+#ifdef WITH_LIBIDN -+static isc_result_t -+libidn_locale_to_utf8 (const char *from, char *to) { -+ char *utf8_str; -+ -+ debug ("libidn_locale_to_utf8"); -+ utf8_str = stringprep_locale_to_utf8 (from); -+ if (utf8_str != NULL) { -+ (void) strcpy (to, utf8_str); -+ free (utf8_str); -+ return ISC_R_SUCCESS; -+ } -+ -+ debug ("libidn_locale_to_utf8: failure"); -+ return ISC_R_FAILURE; -+} -+static isc_result_t -+libidn_utf8_to_ascii (const char *from, char *to) { -+ char *ascii; -+ int iresult; -+ -+ debug ("libidn_utf8_to_ascii"); -+ iresult = idna_to_ascii_8z (from, &ascii, 0); -+ if (iresult != IDNA_SUCCESS) { -+ debug 
("idna_to_ascii_8z: %s", idna_strerror (iresult)); -+ return ISC_R_FAILURE; -+ } -+ -+ (void) strcpy (to, ascii); -+ free (ascii); -+ return ISC_R_SUCCESS; -+} -+ -+static isc_result_t -+output_filter (isc_buffer_t *buffer, unsigned int used_org, -+ isc_boolean_t absolute) { -+ -+ char tmp1[MXNAME], *tmp2; -+ size_t fromlen, tolen; -+ isc_boolean_t end_with_dot; -+ int iresult; -+ -+ debug ("output_filter"); -+ -+ fromlen = isc_buffer_usedlength (buffer) - used_org; -+ if (fromlen >= MXNAME) -+ return ISC_R_SUCCESS; -+ memcpy (tmp1, (char *) isc_buffer_base (buffer) + used_org, fromlen); -+ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE; -+ if (absolute && !end_with_dot) { -+ fromlen++; -+ if (fromlen >= MXNAME) -+ return ISC_R_SUCCESS; -+ tmp1[fromlen - 1] = '.'; -+ } -+ tmp1[fromlen] = '\0'; -+ -+ iresult = idna_to_unicode_8z8z (tmp1, &tmp2, 0); -+ if (iresult != IDNA_SUCCESS) { -+ debug ("output_filter: %s", idna_strerror (iresult)); -+ return ISC_R_SUCCESS; -+ } -+ -+ (void) strcpy (tmp1, tmp2); -+ free (tmp2); -+ -+ tmp2 = stringprep_utf8_to_locale (tmp1); -+ if (tmp2 == NULL) { -+ debug ("output_filter: stringprep_utf8_to_locale failed"); -+ return ISC_R_SUCCESS; -+ } -+ -+ (void) strcpy (tmp1, tmp2); -+ free (tmp2); -+ -+ tolen = strlen (tmp1); -+ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.') -+ tolen--; -+ -+ if (isc_buffer_length (buffer) < used_org + tolen) -+ return ISC_R_NOSPACE; -+ -+ debug ("%s", tmp1); -+ -+ isc_buffer_subtract (buffer, isc_buffer_usedlength (buffer) - used_org); -+ memcpy (isc_buffer_used (buffer), tmp1, tolen); -+ isc_buffer_add (buffer, tolen); -+ -+ return ISC_R_SUCCESS; -+} -+#endif /* WITH_LIBIDN*/ - - #ifdef DIG_SIGCHASE - void diff --git a/source/n/curl/cacert.pem b/source/n/curl/cacert.pem index 45654c0b..ee25bee1 100644 --- a/source/n/curl/cacert.pem +++ b/source/n/curl/cacert.pem 
@@ -1,7 +1,7 @@ ## ## Bundle of CA Root Certificates ## -## Certificate data from Mozilla as of: Wed Mar 7 04:12:06 2018 GMT +## Certificate data from Mozilla as of: Wed Jun 20 03:12:06 2018 GMT ## ## This is a bundle of X.509 certificates of public Certificate Authorities ## (CA). These were automatically extracted from Mozilla's root certificates @@ -14,7 +14,7 @@ ## Just configure this file as the SSLCACertificateFile. ## ## Conversion done with mk-ca-bundle.pl version 1.27. -## SHA256: 704f02707ec6b4c4a7597a8c6039b020def11e64f3ef0605a9c3543d48038a57 +## SHA256: c80f571d9f4ebca4a91e0ad3a546f263153d71afffc845c6f8f52ce9d1a2e8ec ## 
@@ -2635,30 +2635,6 @@ kbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+ZAAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3C ekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su -----END CERTIFICATE----- -TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 -==================================================== ------BEGIN CERTIFICATE----- -MIIEJzCCAw+gAwIBAgIHAI4X/iQggTANBgkqhkiG9w0BAQsFADCBsTELMAkGA1UEBhMCVFIxDzAN -BgNVBAcMBkFua2FyYTFNMEsGA1UECgxEVMOcUktUUlVTVCBCaWxnaSDEsGxldGnFn2ltIHZlIEJp -bGnFn2ltIEfDvHZlbmxpxJ9pIEhpem1ldGxlcmkgQS7Fni4xQjBABgNVBAMMOVTDnFJLVFJVU1Qg -RWxla3Ryb25payBTZXJ0aWZpa2EgSGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSBINTAeFw0xMzA0MzAw -ODA3MDFaFw0yMzA0MjgwODA3MDFaMIGxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMU0w -SwYDVQQKDERUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnE -n2kgSGl6bWV0bGVyaSBBLsWeLjFCMEAGA1UEAww5VMOcUktUUlVTVCBFbGVrdHJvbmlrIFNlcnRp -ZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIEg1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEApCUZ4WWe60ghUEoI5RHwWrom/4NZzkQqL/7hzmAD/I0Dpe3/a6i6zDQGn1k19uwsu537 -jVJp45wnEFPzpALFp/kRGml1bsMdi9GYjZOHp3GXDSHHmflS0yxjXVW86B8BSLlg/kJK9siArs1m -ep5Fimh34khon6La8eHBEJ/rPCmBp+EyCNSgBbGM+42WAA4+Jd9ThiI7/PS98wl+d+yG6w8z5UNP -9FR1bSmZLmZaQ9/LXMrI5Tjxfjs1nQ/0xVqhzPMggCTTV+wVunUlm+hkS7M0hO8EuPbJbKoCPrZV -4jI3X/xml1/N1p7HIL9Nxqw/dV8c7TKcfGkAaZHjIxhT6QIDAQABo0IwQDAdBgNVHQ4EFgQUVpkH -HtOsDGlktAxQR95DLL4gwPswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI -hvcNAQELBQADggEBAJ5FdnsXSDLyOIspve6WSk6BGLFRRyDN0GSxDsnZAdkJzsiZ3GglE9Rc8qPo -BP5yCccLqh0lVX6Wmle3usURehnmp349hQ71+S4pL+f5bFgWV1Al9j4uPqrtd3GqqpmWRgqujuwq -URawXs3qZwQcWDD1YIq9pr1N5Za0/EKJAWv2cMhQOQwt1WbZyNKzMrcbGW3LM/nfpeYVhDfwwvJl -lpKQd/Ct9JDpEXjXk4nAPQu6KfTomZ1yju2dL+6SfaHx/126M2CFYv4HAqGEVka+lgqaE9chTLd8 -B59OTj+RdPsnnRHM3eaxynFNExc5JsUpISuTKWqW+qtB4Uu2NQvAmxU= ------END CERTIFICATE----- - Certinomis - Root CA ==================== -----BEGIN CERTIFICATE----- -- cgit v1.2.3