Commit Graph

107 Commits

Author SHA1 Message Date
Carlos Santos
f3d53bd049 package/bind: remove /usr/sbin/tsig-keygen if server is not selected
Otherwise it is left as a dangling symlink to ddns-confgen, which is
also removed.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-11 14:56:42 +02:00
Fabrice Fontaine
8935dae1d4 package/bind: remove threads dependency
Threads dependency has been added in 2015 with commit
07c1ad4647 however bind can be built
without threads thanks to --disable-threads

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-05-09 21:25:15 +02:00
Fabrice Fontaine
05cbc9a184 package/bind: enable static build
Static build has been disabled in 2014 with commit
6045904752 however bind can be built
statically thanks to --without-dlopen so enable it back

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-05-09 21:23:57 +02:00
Fabrice Fontaine
89e70a7077 package/bind: fix python build
A check for python-ply has been added as this is a dependency of the
dnssec-keymgr script so install host-python-ply to avoid a build failure
if python-ply is not installed on host

Fixes:
 - http://autobuild.buildroot.org/results/96815b1300547c976443bf74b762febdfcc8d3ba

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-29 09:28:29 +02:00
Peter Korsgaard
fc8ace0938 package/bind: security bump to version 9.11.6-P1
Fixes the following security issues:

 - CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
   https://kb.isc.org/docs/cve-2018-5743

 - CVE-2019-6467: An error in the nxdomain redirect feature can cause
   BIND to exit with an INSIST assertion failure in query.c
   https://kb.isc.org/docs/cve-2019-6467

 - CVE-2019-6468: BIND Supported Preview Edition can exit with an
   assertion failure if nxdomain-redirect is used
   https://kb.isc.org/docs/cve-2019-6468

Add an upstream patch to fix building on architectures where bind does not
implement isc_atomic_*.

Upstream moved to a 2019 signing key, so update comment in .hash file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-26 16:15:37 +02:00
Fabrice Fontaine
459dd99f02 package/bind: drop unneeded static openssl workarounds
bind can't be built statically since commit
6045904752

So drop uneeded LIBS="-lz" which was added by commit
80ebf12906 to fix static build with
openssl

Also, drop ac_cv_func_EVP_{sha256,sha384,sha512} that was also added to
fix tests in static build by commit
26aefa672c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-13 21:15:42 +02:00
Peter Korsgaard
12f644e2c5 package/bind: security bump to version 9.11.5-P4
Fixes the following security issues:

- named could crash during recursive processing of DNAME records when
  deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
  [GL #387]

- When recursion is enabled but the allow-recursion and allow-query-cache
  ACLs are not specified, they should be limited to local networks, but they
  were inadvertently set to match the default allow-query, thus allowing
  remote queries.  This flaw is disclosed in CVE-2018-5738.  [GL #309]

- Code change #4964, intended to prevent double signatures when deleting an
  inactive zone DNSKEY in some situations, introduced a new problem during
  zone processing in which some delegation glue RRsets are incorrectly
  identified as needing RRSIGs, which are then created for them using the
  current active ZSK for the zone.  In some, but not all cases, the
  newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
  incompletely -- this can result in a broken chain, affecting validation of
  proof of nonexistence for records in the zone.  [GL #771]

- named could crash if it managed a DNSSEC security root with managed-keys
  and the authoritative zone rolled the key to an algorithm not supported by
  BIND 9.  This flaw is disclosed in CVE-2018-5745.  [GL #780]

- named leaked memory when processing a request with multiple Key Tag EDNS
  options present.  ISC would like to thank Toshifumi Sakaguchi for bringing
  this to our attention.  This flaw is disclosed in CVE-2018-5744.  [GL
  #772]

- Zone transfer controls for writable DLZ zones were not effective as the
  allowzonexfr method was not being called for such zones.  This flaw is
  disclosed in CVE-2019-6465.  [GL #790]

For more details, see the release notes:

http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

Change the upstream URL to HTTPS as the webserver uses HSTS:

>>> bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy

Update the hash of the license file to account for a change of copyright
year:

-Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-22 17:58:55 +01:00
Peter Korsgaard
955df7463b bind: security bump to version 9.11.5
Fixes the following security issues:

- CVE-2018-5738: Some versions of BIND can improperly permit recursive query
  service to unauthorized clients

- CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an
  INSIST assertion failure in named

For more details, see the release notes:

https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html

Drop patch 0003-Rename-ptrsize-to-ptr_size.patch as the uClibc-ng issue was
fixed upstream in commit 931fd627f6195 (mips: fix clashing symbols), which
is included in uclibc-1.0.12 (January 2016).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-07 23:04:06 +01:00
Peter Korsgaard
63eb34fa12 bind: security bump to version 9.11.4-P2
>From the release notes
(http://ftp.isc.org/isc/bind9/9.11.4-P2/RELEASE-NOTES-bind-9.11.4-P2.txt):

 * There was a long-existing flaw in the documentation for ms-self,
   krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
   statements.  Though the policies worked as intended, operators who
   configured their servers according to the misleading documentation may
   have thought zone updates were more restricted than they were; users of
   these rule types are advised to review the documentation and correct
   their configurations if necessary.  New rule types matching the
   previously documented behavior will be introduced in a future maintenance
   release.  [GL !708]

 * named could crash during recursive processing of DNAME records when
   deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
   [GL #387]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-09-30 10:34:13 +02:00
Bernd Kuhls
21d0077a2d package/bind: security bump to version 9.11.4-P1
Fixes CVE-2018-5740: https://ftp.isc.org/isc/bind9/9.11.4-P1/CHANGES

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-08-19 21:20:35 +02:00
Baruch Siach
ba3c7e806d bind: fix build with zlib
The bind configure.in now checks for "${with_zlib}/include/zlib.h".
Remove the redundant "include/".

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-19 09:04:57 +02:00
Baruch Siach
5a92bb63bf bind: fix build with openssl
The bind configure.in uses AC_TRY_RUN that is not compatible with cross
compile. Disable eddsa unconditionally since it requires a newer OpenSSL
version than we currently have. Enable aes; this is always supported in
current OpenSSL versions.

Fixes:
http://autobuild.buildroot.net/results/3ed/3edb1659954b00401b68ffc7e1c8b3c29581c0e4/
http://autobuild.buildroot.net/results/025/025e377b51b39ba34647636ad0d0661a3cb95572/
http://autobuild.buildroot.net/results/725/7250564e780e43e793ae6c8c526985e5519681f4/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-19 09:04:45 +02:00
Baruch Siach
b36577a266 bind: security bump to 9.11.4
Fixes CVE-2018-5738: When recursion is enabled but the allow-recursion
and allow-query-cache ACLs are not specified, they should be limited to
local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.

Update license file hash; copyright year update.

Add reference to tarball signature key.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-17 21:49:55 +02:00
Christopher McCrory
716cfa6744 bind: use BIND_PKGDIR vairable
Use the BIND_PKGDIR variable instead of package/bind.

Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-02-27 22:22:14 +01:00
Peter Korsgaard
d72a2b9247 bind: security bump to version 9.11.2-P1
Fixes the following security issue:

CVE-2017-3145: Improper sequencing during cleanup can lead to a
use-after-free error, triggering an assertion failure and crash in
named.

For more details, see the advisory:
https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-17 14:07:41 +01:00
Peter Korsgaard
771bb2d58d bind: use http:// instead of ftp:// for site
To avoid issues with firewalls blocking ftp.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-22 23:28:10 +02:00
Peter Korsgaard
f3e3b36159 bind: bump to version 9.11.2
Adds support for the new ICANN DNSSEC root key for the upcoming KSK rollover
(Oct 11):

https://www.icann.org/resources/pages/ksk-rollover

For more details, see the release notes:
https://kb.isc.org/article/AA-01522

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-22 23:28:06 +02:00
Thomas Petazzoni
6b268180c1 Revert "bind: fix compilation when lmdb.h is present on host"
This reverts commit 7c0ecd4d75, as it is
in fact a duplicate of commit
bb95fef1e0.

Reported-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-09-10 17:16:15 +02:00
Robin Jarry
7c0ecd4d75 bind: fix compilation when lmdb.h is present on host
Bind autoconf scripts look for lmdb.h in /usr/include (even when
cross-compiling). When liblmdb-dev is installed, this causes the
following error:

    ...
    checking for lmdb library... yes
    checking for library containing mdb_env_create... no
    configure: error: found lmdb include but not library.

Fix this by disabling explicitly lmdb support.

Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-09-09 22:25:02 +02:00
Peter Seiderer
bb95fef1e0 bind: fix configure in case lmdb devel files are present on the host
Fix configure failure in case lmdb devel files are present on the host
by adding --without-lmdb option (reported [1] and fix tested [2],[3] by
grunpferd@netscape.net).

Fixes:

  checking for lmdb library... yes
  checking for library containing mdb_env_create... no
  configure: error: found lmdb include but not library.

[1] http://lists.busybox.net/pipermail/buildroot/2017-August/199945.html
[2] http://lists.busybox.net/pipermail/buildroot/2017-August/199963.html
[3] http://lists.busybox.net/pipermail/buildroot/2017-August/199964.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-08-08 20:45:07 +02:00
Peter Korsgaard
c237f1d1c5 bind: bump version to bugfix release 9.11.1-P3
BIND 9.11.1-P3 addresses a TSIG regression introduced in the 9.11.1-P2
security bump:

https://lists.isc.org/pipermail/bind-announce/2017-July/001057.html

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-24 18:33:42 +02:00
Peter Korsgaard
a0c53973f8 bind: security bump to version 9.11.1-P2
Fixes the following security issues:

CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone
transfers

An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name may be able to
circumvent TSIG authentication of AXFR requests via a carefully constructed
request packet. A server that relies solely on TSIG keys for protection with
no other ACL protection could be manipulated into:

* providing an AXFR of a zone to an unauthorized recipient
* accepting bogus NOTIFY packets

https://kb.isc.org/article/AA-01504/74/CVE-2017-3142

CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic
updates

An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name for the zone and service
being targeted may be able to manipulate BIND into accepting an unauthorized
dynamic update.

https://kb.isc.org/article/AA-01503/74/CVE-2017-3143

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-02 23:48:41 +02:00
Peter Korsgaard
e14d89d5e0 bind: security bump to version 9.11-P1
Fixes the following security issues:

CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10,
9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with
Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.

https://kb.isc.org/article/AA-01495/74/CVE-2017-3140

CVE-2017-3141 is a Windows privilege escalation vector affecting
9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10,
9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1.  The
BIND Windows installer failed to properly quote the service paths,
possibly allowing a local user to achieve privilege escalation, if
allowed by file system permissions.

https://kb.isc.org/article/AA-01496/74/CVE-2017-3141

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-20 23:14:16 +02:00
Vicente Olivert Riera
b9e147dd5e bind: bump version to 9.11.1
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-20 21:47:07 +02:00
Vicente Olivert Riera
1727ea972b bind: bump version to 9.11.0-P5 (security)
Security Fixes:
 - rndc "" could trigger an assertion failure in named. This flaw is
   disclosed in (CVE-2017-3138). [RT #44924]
 - Some chaining (i.e., type CNAME or DNAME) responses to upstream
   queries could trigger assertion failures. This flaw is disclosed in
   CVE-2017-3137. [RT #44734]
 - dns64 with break-dnssec yes; can result in an assertion failure. This
   flaw is disclosed in CVE-2017-3136. [RT #44653]
 - If a server is configured with a response policy zone (RPZ) that
   rewrites an answer with local data, and is also configured for DNS64
   address mapping, a NULL pointer can be read triggering a server
   crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
 - A coding error in the nxdomain-redirect feature could lead to an
   assertion failure if the redirection namespace was served from a
   local authoritative data source such as a local zone or a DLZ instead
   of via recursive lookup. This flaw is disclosed in CVE-2016-9778.
   [RT #43837]
 - named could mishandle authority sections with missing RRSIGs,
   triggering an assertion failure. This flaw is disclosed in
   CVE-2016-9444. [RT #43632]
 - named mishandled some responses where covering RRSIG records were
   returned without the requested data, resulting in an assertion
   failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
 - named incorrectly tried to cache TKEY records which could trigger an
   assertion failure when there was a class mismatch. This flaw is
   disclosed in CVE-2016-9131. [RT #43522]
 - It was possible to trigger assertions when processing responses
   containing answers of type DNAME. This flaw is disclosed in
   CVE-2016-8864. [RT #43465]

Full release notes:

  ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html

Also, remove --enable-rrl configure option from bind.mk as it doesn't
exist anymore.

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-13 21:31:56 +02:00
Rahul Bedarkar
f33fd75afc package: use SPDX short identifier for MPL family licenses
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for MPLv1.0/MPLv1.1/MPLv2.0 is MPL-1.0/MPL-1.1/
MPL-2.0.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/MPLv([1-2]\.[0-1])/MPL-\1/g'

Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-01 15:27:47 +02:00
Peter Korsgaard
b9141fc88b bind: security bump to version 9.11.0-P3
Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash:

https://kb.isc.org/article/AA-01453

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-13 18:01:14 +01:00
Peter Korsgaard
4bab93be70 bind: security bump to version 9.11.0-P2
Bugfixes:

 - CVE-2016-9131: A malformed response to an ANY query can cause an
   assertion failure during recursion

 - CVE-2016-9147: An error handling a query response containing inconsistent
   DNSSEC information could cause an assertion failure

 - CVE-2016-9444: An unusually-formed DS record response could cause an
   assertion failure

 - CVE-2016-9778: An error handling certain queries using the
   nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-01-13 16:15:42 +01:00
Gustavo Zacarias
4a9f2cb2ee bind: security bump to version 9.11.0-P1
Fixes:
CVE-2016-8864 - denial-of-service vector which can potentially be
exploited against BIND 9 servers.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
[Thomas: fix hash URL in .hash file, noticed by Vicente.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-11-02 17:26:58 +01:00
Baruch Siach
8ec6dae302 bind: don't lookup zlib.h in host headers
configure.in looks in host headers for zlib.h, unless given a headers
directory as --with-zlib parameter.

Note: a bug in the zlib.h header lookup logic causes configure.in to add
-l$(STAGING_DIR)/usr/include/include, and -L$(STAGING_DIR)/usr/include/lib.
But this does not affect us.

Fixes:
http://autobuild.buildroot.net/results/e96/e96a36c4da3c3be4b79a27af75a70bb8955c31a9/
http://autobuild.buildroot.net/results/e0b/e0bd7df5c19c7c65ce0009b7c2b4d4104a5c3109/
http://autobuild.buildroot.net/results/e99/e993940067f7ae841132765f91bfee7248ab125f/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-10-19 11:23:00 +02:00
Vicente Olivert Riera
e662416d84 bind: bump version to 9.11.0
- With the release of BIND 9.11.0, ISC is changing the open source
  license for BIND from the ISC license to the Mozilla Public License
  (MPL 2.0). See release notes:
  http://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html

- Explicitly enable/disable zlib support, otherwise the configure script
  will fail like this:

  checking for zlib library... yes
  checking for library containing deflate... no
  configure: error: found zlib include but not library.

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-10-15 11:46:33 +02:00
Vicente Olivert Riera
a808500f2a bind: bump version to 9.10.4-P3
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-28 13:39:18 +02:00
Vicente Olivert Riera
c5a55f79c0 bind: bump version to 9.10.4-P2
Security fixes: CVE-2016-2775

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-19 11:50:22 +02:00
Gustavo Zacarias
80c0d7ce1c bind: security bump to version 9.10.4
Fixes:
CVE-2016-2088 - Duplicate EDNS COOKIE options in a response could
trigger an assertion failure.

Drop libressl support patch since it's upstream now.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-05-04 22:47:43 +02:00
Gustavo Zacarias
67245dcbe1 bind: security bump to version 9.10.3-P4
Fixes:
CVE-2016-1285 - An error parsing input received by the rndc control
channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286 - A problem parsing resource record signatures for DNAME
resource records can lead to an assertion failure in resolver.c or db.c
CVE-2016-2088 - A response containing multiple DNS cookies causes
servers with cookie support enabled to exit with an assertion failure.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-10 20:49:52 +01:00
Jan Heylen
e4749b826c bind: fix intermittent build issues with high BR2_JLEVEL
Build sometimes breaks with:

libtool: link: `unix/os.lo' is not a valid libtool object
make[3]: *** [rndc-confgen] Error 1
make[3]: *** Waiting for unfinished jobs....
make[4]: Leaving directory `/scratch/peko/build/bind-9.6-ESV-R4/bin/rndc/unix'

So disable parallel builds.

This patch was removed with commit
c36b5d89c5 by Gustavo Zacarias
<gustavo@zacarias.com.ar> but the problem still occurs, so disabling
parallel builds again.

Fixes:
http://autobuild.buildroot.org/results/220/2201f04170ea8ef0961e907efce07c041a57c229/

Signed-off-by: Jan Heylen <heyleke@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-06 10:45:15 +01:00
Gustavo Zacarias
0a7cea9b80 bind: security bump to version 9.10.3-P3
Fixes:

CVE-2015-8704 - apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and
9.10.x before 9.10.3-P3 allows remote authenticated users to cause a
denial of service (INSIST assertion failure and daemon exit) via a
malformed Address Prefix List (APL) record.

CVE-2015-8705 - buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3,
when debug logging is enabled, allows remote attackers to cause a denial
of service (REQUIRE assertion failure and daemon exit, or daemon crash)
or possibly have unspecified other impact via (1) OPT data or (2) an ECS
option.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-01-26 23:05:40 +01:00
Gustavo Zacarias
6e8f91f346 bind: disable libjson support
It conflicts with jsoncpp, bind probes for json/json.h first, but that
header is installed by jsoncpp, which is completely different from
json-c.
Since it's not clear who's correct here (there might be some other
json-c predecessor/version that installs there as well) and the same
functionality (stats channel) is provided by libxml2 as well, just
disable libjson support completely.

Fixes:
http://autobuild.buildroot.net/results/226/2262c9b46663ea7a45e128a5fd7ff30417c2c2a7/build-end.log
(indirectly, it was probing aboslute directories while searching for it)

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-30 19:22:51 +01:00
Gustavo Zacarias
07c1ad4647 bind: bump to version 9.10.3-P2
Leave the LTS series for the latest stable version for libressl
compatibility.
Unfortunately this means threads are now required, but this shouldn't be
a problem for a fully-featured resolver.

Drop 0001-disable-tests.patch since it's no longer required, genrandom
isn't run unless the tests are called upon.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-30 14:54:10 +01:00
Gustavo Zacarias
c3e119e093 bind: security bump to version 9.9.8-P2
Fixes:

Named is potentially vulnerable to the OpenSSL vulnerabilty described in
CVE-2015-3193.

CVE-2015-8461 - Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a lookup.

CVE-2015-8000 - Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted, triggering a REQUIRE
failure when those records were subsequently cached.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-12-17 22:48:46 +01:00
Gustavo Zacarias
e5fa81e745 bind: bump to version 9.9.8
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-10-09 15:23:46 +02:00
Gustavo Zacarias
38d1a66bda bind: security bump to version 9.9.7-P3
Fixes:
CVE-2015-5722 - denial-of-service vector which can be exploited remotely
against a BIND server that is performing validation on DNSSEC-signed
records.
CVE-2015-5986 - denial-of-service vector which can be used against a
BIND server that is performing recursion and (under limited conditions)
an authoritative-only nameserver.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-09-04 16:07:37 +02:00
Gustavo Zacarias
948a1d4000 bind: security bump to version 9.9.7-P2
Fixes CVE-2015-5477 - An error in handling TKEY queries can cause named
to exit with a REQUIRE assertion failure.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-29 13:01:42 +02:00
Gustavo Zacarias
f70f45a43c bind: security bump to version 9.9.7-P1
Fixes:
CVE-2015-4620 - On servers configured to perform DNSSEC validation an
assertion failure could be triggered on answers from a specially
configured server.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-07-08 23:46:06 +02:00
Nathaniel Roach
0b067e2737 package/bind: Enable filter-aaaa-on-v4 option
This allows usage of the filter-aaaa-on-v4 configuration option.
This option disables responding with AAAA records when the request
	is made over ipv4. This may be useful on networks with
	ipv6 inside, but no ISP ipv6 (when combined with only
	listening on ipv4).

See https://kb.isc.org/article/AA-00576/
	Filter-AAAA-option-in-BIND-9-.html
	for more information.

Signed-off-by: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-07-07 07:37:49 +02:00
Jerzy Grzegorek
bd8c733fb4 packages: indentation cleanup
This commit doesn't touch infra packages.

Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-03-31 13:57:41 +02:00
Gustavo Zacarias
cb10752548 bind: bump to version 9.9.7
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-03-03 08:36:01 +01:00
Gustavo Zacarias
7f484d8a1b bind: security bump to version 9.9.6-P2
Fixes CVE-2015-1349 - Revoking a managed trust anchor and supplying an
untrusted replacement could cause namedto crash with an assertion
failure.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-02-19 21:27:04 +01:00
Nathaniel Roach
c45c3ed8ad bind: Add systemd unit file and install it to run at startup.
The unit file is taken from debian, but tested working.
We'll call it named.service to match the sysV initscript.

Signed-off-by: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-12 22:22:20 +01:00
Jerzy Grzegorek
27dd32942e package: indentation cleanup
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-12-30 11:17:03 +01:00