################################################################################
#
# bind
#
################################################################################
bind: security bump to version 9.11-P1
Fixes the following security issues:
CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10,
9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with
Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.
https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
CVE-2017-3141 is a Windows privilege escalation vector affecting
9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10,
9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The
BIND Windows installer failed to properly quote the service paths,
possibly allowing a local user to achieve privilege escalation, if
allowed by file system permissions.
https://kb.isc.org/article/AA-01496/74/CVE-2017-3141
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-20 22:55:34 +02:00
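# Upstream release being packaged. When bumping it, update the recorded
# tarball hash as well (assumed to be kept alongside this file -- not shown
# here) so the download is still verified against a known-good value.
BIND_VERSION = 9.11.1-P1
# Fetch over HTTPS instead of plain FTP: FTP offers no transport integrity
# or server authentication, which would leave the recorded hash as the only
# protection against a tampered source tarball.
BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)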
# License metadata recorded for the package.
BIND_LICENSE = MPL-2.0
BIND_LICENSE_FILES = COPYRIGHT
# Install into the staging tree as well, and list the *-config helper
# scripts that ship with bind.
BIND_INSTALL_STAGING = YES
BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
# bind does not support parallel builds, so build it through $(MAKE1).
BIND_MAKE = $(MAKE1)
# Programs under /usr/sbin that belong to the server part of bind.
# BIND_TARGET_REMOVE_SERVER deletes exactly this list from the target when
# the server is not selected, so a name missing here stays in the image.
BIND_TARGET_SERVER_SBIN = \
	arpaname ddns-confgen dnssec-checkds dnssec-coverage \
	dnssec-importkey dnssec-keygen dnssec-revoke \
	dnssec-settime dnssec-verify genrandom \
	isc-hmac-fixup named-journalprint nsec3hash \
	lwresd named named-checkconf named-checkzone \
	named-compilezone rndc rndc-confgen dnssec-dsfromkey \
	dnssec-keyfromlabel dnssec-signzone
# Client-side lookup/update tools under /usr/bin; removed by
# BIND_TARGET_REMOVE_TOOLS when the tools option is off.
BIND_TARGET_TOOLS_BIN = dig host nslookup nsupdate
# Environment passed to configure: BUILD_CC and BUILD_CFLAGS are set to the
# target compiler and the target CFLAGS.
BIND_CONF_ENV = BUILD_CC="$(TARGET_CC)"
BIND_CONF_ENV += BUILD_CFLAGS="$(TARGET_CFLAGS)"
# Baseline configure switches, used whatever optional packages are selected.
# JSON support (libjson) is compiled out.
BIND_CONF_OPTS = --with-libjson=no
# Entropy is read from /dev/urandom, which does not block.
# NOTE(review): on a freshly booted embedded target the kernel pool may not
# be seeded yet -- confirm that keys (rndc, DNSSEC) are not generated that
# early in boot.
BIND_CONF_OPTS += --with-randomdev=/dev/urandom
BIND_CONF_OPTS += --enable-epoll
BIND_CONF_OPTS += --with-libtool
# GSS-API is off, so GSS-TSIG authenticated dynamic updates are presumably
# unavailable in this build -- confirm if that feature is expected.
BIND_CONF_OPTS += --with-gssapi=no
BIND_CONF_OPTS += --enable-filter-aaaa
# zlib support follows the Buildroot zlib selection: depend on it and point
# configure at the staging headers, or switch it off explicitly.
ifeq ($(BR2_PACKAGE_ZLIB),y)
BIND_DEPENDENCIES += zlib
BIND_CONF_OPTS += --with-zlib=$(STAGING_DIR)/usr/include
else
BIND_CONF_OPTS += --without-zlib
endif
# Linux capability support is built only when libcap is selected.
# NOTE(review): capabilities are presumably what lets named give up root while
# keeping just the privileges it needs; with --disable-linux-caps confirm how
# the daemon is started and that it still ends up running unprivileged.
ifeq ($(BR2_PACKAGE_LIBCAP),y)
BIND_DEPENDENCIES += libcap
BIND_CONF_OPTS += --enable-linux-caps
else
BIND_CONF_OPTS += --disable-linux-caps
endif
# libxml2 selected: build against the staging copy and enable the new
# statistics format; otherwise libxml2 support is turned off.
# NOTE(review): statistics are only exposed if the runtime configuration
# declares a statistics channel -- if one is used, keep it restricted to
# trusted addresses.
ifeq ($(BR2_PACKAGE_LIBXML2),y)
BIND_DEPENDENCIES += libxml2
BIND_CONF_OPTS += --with-libxml2=$(STAGING_DIR)/usr --enable-newstats
else
BIND_CONF_OPTS += --with-libxml2=no
endif
# Crypto backend selection.
# With OpenSSL: depend on it, preset the EVP_sha256/384/512 configure results
# to "yes" (presumably because those checks cannot be run when
# cross-compiling), use the staging OpenSSL and enable ECDSA.
# NOTE(review): LIBS="-lz" links zlib although this branch does not add zlib
# to BIND_DEPENDENCIES itself -- confirm zlib is always present when OpenSSL
# is selected.
ifeq ($(BR2_PACKAGE_OPENSSL),y)
BIND_DEPENDENCIES += openssl
BIND_CONF_ENV += ac_cv_func_EVP_sha256=yes
BIND_CONF_ENV += ac_cv_func_EVP_sha384=yes
BIND_CONF_ENV += ac_cv_func_EVP_sha512=yes
BIND_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz"
BIND_CONF_OPTS += --with-ecdsa=yes
# GOST cipher support requires openssl extra engines
ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
BIND_CONF_OPTS += --with-gost=yes
else
BIND_CONF_OPTS += --with-gost=no
endif
else
# NOTE(review): with OpenSSL disabled no crypto library is configured here,
# so DNSSEC signing/validation and the dnssec-* tools are presumably not
# functional -- confirm this is acceptable for images built without OpenSSL.
BIND_CONF_OPTS += --with-openssl=no
endif
# Python is used by dnssec-checkds and dnssec-coverage. When neither
# BR2_PACKAGE_PYTHON nor BR2_PACKAGE_PYTHON3 is set, Python support is
# switched off at configure time.
ifeq ($(BR2_PACKAGE_PYTHON)$(BR2_PACKAGE_PYTHON3),)
BIND_CONF_OPTS += --with-python=no
endif
# readline is optional: when selected it only becomes a build dependency
# (no configure switch is added here); otherwise it is disabled explicitly.
ifeq ($(BR2_PACKAGE_READLINE),y)
BIND_DEPENDENCIES += readline
else
BIND_CONF_OPTS += --with-readline=no
endif
# Hook body: delete every program named in BIND_TARGET_SERVER_SBIN from the
# target's /usr/sbin.
# NOTE(review): each path is $(TARGET_DIR) plus a fixed suffix, so an empty
# TARGET_DIR would make this rm -rf act on the build host's /usr/sbin;
# Buildroot is expected to always set it -- confirm before reusing this
# pattern elsewhere.
define BIND_TARGET_REMOVE_SERVER
	rm -rf $(foreach prog,$(BIND_TARGET_SERVER_SBIN),$(TARGET_DIR)/usr/sbin/$(prog))
endef
# Hook body: delete every program named in BIND_TARGET_TOOLS_BIN from the
# target's /usr/bin.
# NOTE(review): each path is $(TARGET_DIR) plus a fixed suffix, so an empty
# TARGET_DIR would make this rm -rf act on the build host's /usr/bin;
# Buildroot is expected to always set it -- confirm before reusing this
# pattern elsewhere.
define BIND_TARGET_REMOVE_TOOLS
	rm -rf $(foreach prog,$(BIND_TARGET_TOOLS_BIN),$(TARGET_DIR)/usr/bin/$(prog))
endef
# Server selected: define how named is started at boot.
#  - SysV: install the S81named init script, executable (0755).
#  - systemd: install named.service (644) and enable it by linking it into
#    multi-user.target.wants.
# Server not selected: register the hook that removes the server programs
# after installation, so the daemon and its helpers are not shipped in the
# image.
ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
define BIND_INSTALL_INIT_SYSV
	$(INSTALL) -D -m 0755 package/bind/S81named \
		$(TARGET_DIR)/etc/init.d/S81named
endef
define BIND_INSTALL_INIT_SYSTEMD
	$(INSTALL) -m 644 -D package/bind/named.service \
		$(TARGET_DIR)/usr/lib/systemd/system/named.service
	mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
	ln -sf /usr/lib/systemd/system/named.service \
		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/named.service
endef
else
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
endif
# Tools option unset: register the hook that removes the programs listed in
# BIND_TARGET_TOOLS_BIN from the target after installation.
ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
endif
# Account for the daemon, in Buildroot's users-table format:
#   name uid group gid password home shell groups comment
# uid/gid -1 ask for automatically assigned ids, "*" as password means the
# account cannot be used to log in, and "-" leaves shell and extra groups
# unset.
# NOTE(review): /etc/bind is given as the home directory, which presumably
# makes it owned by the named user -- i.e. the daemon can write to its own
# configuration directory; confirm that is intended.
define BIND_USERS
	named -1 named -1 * /etc/bind - - BIND daemon
endef
# Expand Buildroot's autotools-package infrastructure; it consumes the
# BIND_* variables and hook definitions set in this file.
$(eval $(autotools-package))