kumquat-buildroot/package/bind/bind.mk

140 lines
3.8 KiB
Makefile
Raw Normal View History

################################################################################
2006-01-25 21:56:55 +01:00
#
# bind
#
################################################################################
BIND_VERSION = 9.16.26
BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
package/bind: security bump to version 9.11.5-P4 Fixes the following security issues: - named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387] - When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query, thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] - Code change #4964, intended to prevent double signatures when deleting an inactive zone DNSKEY in some situations, introduced a new problem during zone processing in which some delegation glue RRsets are incorrectly identified as needing RRSIGs, which are then created for them using the current active ZSK for the zone. In some, but not all cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but incompletely -- this can result in a broken chain, affecting validation of proof of nonexistence for records in the zone. [GL #771] - named could crash if it managed a DNSSEC security root with managed-keys and the authoritative zone rolled the key to an algorithm not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] - named leaked memory when processing a request with multiple Key Tag EDNS options present. ISC would like to thank Toshifumi Sakaguchi for bringing this to our attention. This flaw is disclosed in CVE-2018-5744. [GL #772] - Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. This flaw is disclosed in CVE-2019-6465. [GL #790] For more details, see the release notes: http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html Change the upstream URL to HTTPS as the webserver uses HSTS: >>> bind 9.11.5-P4 Downloading URL transformed to HTTPS due to an HSTS policy Update the hash of the license file to account for a change of copyright year: -Copyright (C) 1996-2018 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC") Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-22 14:40:38 +01:00
BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
# bind does not support parallel builds.
BIND_MAKE = $(MAKE1)
BIND_INSTALL_STAGING = YES
BIND_LICENSE = MPL-2.0
BIND_LICENSE_FILES = COPYRIGHT
BIND_CPE_ID_VENDOR = isc
BIND_SELINUX_MODULES = bind
# Only applies to RHEL6.x with DNSSEC validation on
BIND_IGNORE_CVES = CVE-2017-3139
# Library CVE and not used by bind but used by ISC DHCP
BIND_IGNORE_CVES += CVE-2019-6470
BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
BIND_TARGET_SERVER_SBIN += isc-hmac-fixup named-journalprint nsec3hash
BIND_TARGET_SERVER_SBIN += lwresd named named-checkconf named-checkzone
BIND_TARGET_SERVER_SBIN += named-compilezone rndc rndc-confgen dnssec-dsfromkey
BIND_TARGET_SERVER_SBIN += dnssec-keyfromlabel dnssec-signzone tsig-keygen
BIND_TARGET_TOOLS_BIN = dig host nslookup nsupdate
BIND_CONF_ENV = \
BUILD_CC="$(TARGET_CC)" \
BUILD_CFLAGS="$(TARGET_CFLAGS)"
BIND_CONF_OPTS = \
$(if $(BR2_TOOLCHAIN_HAS_THREADS),--enable-threads,--disable-threads) \
--without-lmdb \
--with-json-c=no \
--with-randomdev=/dev/urandom \
--enable-epoll \
--enable-filter-aaaa \
--disable-backtrace
BIND_DEPENDENCIES = libuv
ifeq ($(BR2_PACKAGE_ZLIB),y)
BIND_CONF_OPTS += --with-zlib
BIND_DEPENDENCIES += zlib
BIND_DEPENDENCIES += host-pkgconf zlib
else
BIND_CONF_OPTS += --without-zlib
endif
ifeq ($(BR2_PACKAGE_LIBCAP),y)
BIND_CONF_OPTS += --enable-linux-caps
BIND_DEPENDENCIES += libcap
else
BIND_CONF_OPTS += --disable-linux-caps
endif
ifeq ($(BR2_PACKAGE_LIBKRB5),y)
BIND_CONF_OPTS += --with-gssapi=$(STAGING_DIR)/usr/bin/krb5-config
BIND_DEPENDENCIES += libkrb5
else
BIND_CONF_OPTS += --with-gssapi=no
endif
ifeq ($(BR2_PACKAGE_LIBXML2),y)
BIND_CONF_OPTS += --with-libxml2=$(STAGING_DIR)/usr
BIND_DEPENDENCIES += libxml2
else
BIND_CONF_OPTS += --with-libxml2=no
endif
BIND_DEPENDENCIES += host-pkgconf openssl
BIND_CONF_OPTS += \
--with-openssl=$(STAGING_DIR)/usr \
--with-ecdsa=yes \
--with-eddsa=no \
--with-aes=yes
BIND_CONF_ENV += LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
# GOST cipher support requires openssl extra engines
ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
BIND_CONF_OPTS += --with-gost=yes
else
BIND_CONF_OPTS += --with-gost=no
endif
2006-01-25 21:56:55 +01:00
# Used by dnssec-keymgr
ifeq ($(BR2_PACKAGE_PYTHON_PLY),y)
BIND_DEPENDENCIES += host-python-ply
BIND_CONF_OPTS += --with-python=$(HOST_DIR)/usr/bin/python
else
BIND_CONF_OPTS += --with-python=no
endif
ifeq ($(BR2_PACKAGE_READLINE),y)
BIND_DEPENDENCIES += readline
else
BIND_CONF_OPTS += --with-readline=no
endif
ifeq ($(BR2_STATIC_LIBS),y)
BIND_CONF_OPTS += \
--without-dlopen \
--without-libtool
else
BIND_CONF_OPTS += \
--with-dlopen \
--with-libtool
endif
define BIND_TARGET_REMOVE_SERVER
rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SERVER_SBIN))
endef
define BIND_TARGET_REMOVE_TOOLS
rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_TOOLS_BIN))
endef
ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
define BIND_INSTALL_INIT_SYSV
$(INSTALL) -m 0755 -D $(BIND_PKGDIR)/S81named \
$(TARGET_DIR)/etc/init.d/S81named
endef
define BIND_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 644 $(BIND_PKGDIR)/named.service \
$(TARGET_DIR)/usr/lib/systemd/system/named.service
endef
else
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
endif
ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
endif
2006-01-25 21:56:55 +01:00
define BIND_USERS
named -1 named -1 * /etc/bind - - BIND daemon
endef
$(eval $(autotools-package))