Commit Graph

162 Commits

Author SHA1 Message Date
Petr Vorel
8d11c2dbb8 package/bind: bump version to 9.16.31
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-08-03 00:23:07 +02:00
Yann E. MORIN
d9ff62c4cd pacakge: drop remnants of $(HOST_DIR)/usr
It's been ages (5 years at the next release) that we've not installed
host packages in $(HOST_DIR)/usr, but we still have a few packages that
reference it or install things in there.

Drop all of those in one fell swoop.

The run-time test still succeeds, and the following defconfig, which
should exercise all touched packages [*], does build:

    BR2_x86_i686=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_INIT_NONE=y
    BR2_SYSTEM_BIN_SH_NONE=y
    # BR2_PACKAGE_BUSYBOX is not set
    BR2_PACKAGE_GAWK=y
    BR2_PACKAGE_GETTEXT=y
    BR2_PACKAGE_ABOOTIMG=y
    BR2_PACKAGE_DBUS_PYTHON=y
    BR2_PACKAGE_OLA=y
    BR2_PACKAGE_JIMTCL=y
    BR2_PACKAGE_LUA=y
    # BR2_PACKAGE_LUA_32BITS is not set
    BR2_PACKAGE_ARGPARSE=y
    BR2_PACKAGE_PERL=y
    BR2_PACKAGE_PHP=y
    BR2_PACKAGE_PHP_APCU=y
    BR2_PACKAGE_PHP_LUA=y
    BR2_PACKAGE_PHP_PAM=y
    BR2_PACKAGE_PHP_PECL_DBUS=y
    BR2_PACKAGE_PYTHON3=y
    BR2_PACKAGE_PYTHON_CRYPTOGRAPHY=y
    BR2_PACKAGE_PYTHON_PLY=y
    BR2_PACKAGE_PYTHON_PYBIND=y
    BR2_PACKAGE_LIBVA=y
    BR2_PACKAGE_BIND=y
    BR2_PACKAGE_BIND_SERVER=y
    BR2_PACKAGE_BIND_TOOLS=y
    BR2_PACKAGE_APPARMOR=y
    BR2_PACKAGE_APPARMOR_BINUTILS=y
    BR2_PACKAGE_APPARMOR_UTILS=y
    BR2_PACKAGE_APPARMOR_UTILS_EXTRA=y
    BR2_PACKAGE_APPARMOR_PROFILES=y
    BR2_PACKAGE_REFPOLICY=y
    BR2_PACKAGE_URANDOM_SCRIPTS=y
    BR2_PACKAGE_BASH=y
    # embiggen-disk to exercise go
    BR2_PACKAGE_EMBIGGEN_DISK=y
    BR2_TARGET_GRUB2=y
    BR2_TARGET_GRUB2_I386_PC=y
    BR2_TARGET_GRUB2_I386_EFI=y

[*] exceptions:
  - zfs was not tested: it needs a kernel to be built;
  - compiler-rt was not tsted: it needs llvm to be built, that takes
    ages, and other packages already reference the correct location for
    llvm-config, so it was assumed that is OK.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Cc: Anisse Astier <anisse@astier.eu>
Cc: Antoine Tenart <atenart@kernel.org>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Asaf Kahlon <asafka7@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Cc: Christian Stewart <christian@paral.in>
Cc: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Cc: Francois Perrad <francois.perrad@gadz.org>
Cc: Guillaume William Brs <guillaume.bressaix@gmail.com>
Cc: Hervé Codina <herve.codina@bootlin.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Cc: Julien Boibessot <julien.boibessot@armadeus.com>
Cc: Julien Olivain <ju.o@free.fr>
Cc: Matt Weber <matthew.weber@collins.com>
Cc: Nicolas Carrier <nicolas.carrier@orolia.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vadim Kochan <vadim4j@gmail.com>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>

---
Changes v1 -> v2:
  - fix new instance that have crept in  (Romain)
2022-07-24 11:30:40 +02:00
Fabrice Fontaine
fbdcd55134 package/bind: add json-c optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-07-24 10:58:26 +02:00
Fabrice Fontaine
75a287a4fa package/bind: add libidn2 optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-07-24 10:58:26 +02:00
Fabrice Fontaine
25eea4424f package/bind: add libmaxminddb optional dependency
Add libmaxminddb optional dependency (which is enabled by default), two
options must be used to enable/disable this dependency:
 [pairwise: --enable-geoip --with-maxminddb=auto, --enable-geoip --with-maxminddb=yes, --disable-geoip]

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-20 23:25:41 +02:00
Fabrice Fontaine
3acd6452fb package/bind: disable cmocka
Disable cmocka (wich is enabled by default)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-20 23:25:30 +02:00
Fabrice Fontaine
9e6e84f0c6 package/bind: drop unrecognized options
--enable-threads, --with-randomdev, --enable-filter-aaaa, --with-ecdsa,
--with-eddsa, --with-aes, --with-gost are all unrecognized since bump to
version 9.16.26 in commit 8adeaec8af:

configure: WARNING: unrecognized options: --disable-gtk-doc, --disable-gtk-doc-html, --disable-doc, --disable-docs, --disable-documentation, --with-xmlto, --with-fop, --disable-dependency-tracking, --enable-ipv6, --enable-nls, --enable-threads, --with-randomdev, --enable-filter-aaaa, --with-ecdsa, --with-eddsa, --with-aes, --with-gost

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-20 23:25:24 +02:00
Danomi Manchego
0d566b8cc7 package/bind: fix indentation of options in menuconfig
Move kconfig comment below the "if BR2_PACKAGE_BIND...endif" block so
that the two sub-options are presented in menuconfig as subordinate to
"bind" package selection rather than equal to it as if they were
unrelated.

Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2022-07-06 23:45:44 +02:00
Peter Korsgaard
1fe5029122 package/bind: security bump to version 9.16.27
Fixes the following security issues:

- The rules for acceptance of records into the cache have been tightened to
  prevent the possibility of poisoning if forwarders send records outside
  the configured bailiwick.  (CVE-2021-25220)

- TCP connections with keep-response-order enabled could leave the TCP
  sockets in the CLOSE_WAIT state when the client did not properly shut down
  the connection.  (CVE-2022-0396)

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-04-11 09:15:59 +02:00
Fabrice Fontaine
33413b7e53 package/bind: fix libxml2 build
Fix the following build failure with libxml2 raised since bump to
version 9.16.26 in commit 8adeaec8af:

configure: error: Specifying libxml2 installation path is not supported, adjust PKG_CONFIG_PATH instead

Fixes:
 - http://autobuild.buildroot.org/results/648d29e4cfa6a40bb6e54793c044e9c834f03a1b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-03-21 22:15:16 +01:00
Fabrice Fontaine
4b127b0c1b package/bind: reorder openssl variables
openssl is mandatory since bump to version 9.16.26 in commit
8adeaec8af so move openssl variables in
the beginning of bind.mk instead of keeping them in the middle of the
file. Moreover, drop "BIND_DEPENDENCIES += host-pkgconf zlib" as
host-pkgconf is already mandatory

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-03-21 22:13:59 +01:00
Petr Vorel
8adeaec8af package/bind: bump to version 9.16.26
BIND 9.11 EOL in March, 2022. BIND 9.16 is current Stable/ESV version.

Changes:
* libuv (new dependency)
* openssl is now mandatory
* zlib must be detected with PKG_CONFIG_PATH (specifying zlib
  installation path is not supported)
* bind9-config and isc-config.sh removed
* updated COPYRIGHT hash

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2022-03-12 20:44:08 +01:00
Fabrice Fontaine
130a28d446 package/bind: add gssapi support
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-11-14 14:15:55 +01:00
Peter Korsgaard
4e4bf1cf09 package/bind: security bump to version 9.11.36
Fixes the following security issues:

- CVE-2021-25219: Lame cache can be abused to severely degrade resolver
  performance

For details, see the advisory:
https://kb.isc.org/docs/cve-2021-25219

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-11-02 20:09:43 +01:00
Petr Vorel
6977ee6e0e package/bind: bump version to 9.11.35
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-09-18 17:28:47 +02:00
Fabrice Fontaine
c7fd40c7d8 package/bind: add SELinux module
Support for bind is added by the services/bind module in the SELinux
refpolicy.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-21 21:07:42 +02:00
Peter Korsgaard
862609b389 package/bind: security bump to version 9.11.31
Fixes the following security issues:

- A malformed incoming IXFR transfer could trigger an assertion failure in
  named, causing it to quit abnormally.  (CVE-2021-25214)

- named crashed when a DNAME record placed in the ANSWER section during
  DNAME chasing turned out to be the final answer to a client query.
  (CVE-2021-25215)

- When a server's configuration set the tkey-gssapi-keytab or
  tkey-gssapi-credential option, a specially crafted GSS-TSIG query could
  cause a buffer overflow in the ISC implementation of SPNEGO (a protocol
  enabling negotiation of the security mechanism used for GSSAPI
  authentication).  This flaw could be exploited to crash named binaries
  compiled for 64-bit platforms, and could enable remote code execution when
  named was compiled for 32-bit platforms.  (CVE-2021-25216)

For more details, see the release notes:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.31.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-01 14:57:33 +02:00
Matt Weber
23fb8dd2d0 package/bind: ignore CVE-2019-6470
There had existed in one of the ISC BIND libraries a bug in a
function that was used by dhcpd when operating in DHCPv6 mode.
There was also a bug in dhcpd relating to the use of this function
per its documentation, but the bug in the library function
prevented this from causing any harm. All releases of dhcpd from
ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known
to not present issues like this.

Affects: Builds of dhcpd versions prior to version 4.4.1 when
using BIND versions 9.11.2 or later.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6470

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:25:29 +02:00
Matt Weber
357dd51bbd package/bind: ignore CVE-2017-3139
This CVE is only relevant to the configuration of a specific
RHEL release (6.x).

https://bugzilla.redhat.com/show_bug.cgi?id=1447743

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-24 11:25:26 +02:00
Peter Korsgaard
6376decbda package/bind: security bump to version 9.11.28
Fixes the following security issue:

- CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was
  configured, a specially crafted GSS-TSIG query could cause a buffer
  overflow in the ISC implementation of SPNEGO (a protocol enabling
  negotiation of the security mechanism to use for GSSAPI authentication).
  This flaw could be exploited to crash named.  Theoretically, it also
  enabled remote code execution, but achieving the latter is very difficult
  in real-world conditions

For details, see the advisory:
https://kb.isc.org/docs/cve-2020-8625

In addition, 9.11.26-27 fixed a number of issues, see the release notes for
details:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html

Drop now upstreamed patches, update the GPG key for the 2021-2022 variant
and update the COPYRIGHT hash for a change of year:

-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-22 14:35:10 +01:00
Matt Weber
63332c33aa package: provide CPE ID details for numerous packages
This patch adds CPE ID information for a significant number of
packages.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-04 21:43:54 +01:00
Peter Seiderer
700674b45c package/bind: disable backtrace support
Disable backtrace support, fixes linking failure for uclibc/musl based
toolchains.

Fixes:

  - http://autobuild.buildroot.net/results/7a1a140314bc8d134f9eeb95ef2e46e7fb0ce9fd/

  .../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../isc/.libs/libisc.so: undefined reference to `_Unwind_GetIP'

  - http://autobuild.buildroot.net/results/f0db5fe7fc6860b7270c784989c451e2e7aa2afb/

  .../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../isc/.libs/libisc.so: undefined reference to `_Unwind_GetIP'

  - http://autobuild.buildroot.net/results/cb963298885df37f1e5c4d3ab3989773c01c54fc/

  .../arm-buildroot-linux-musleabihf/bin/ld: ../isc/.libs/libisc.so: undefined reference to `_Unwind_GetIP'

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-01-03 21:49:47 +01:00
Peter Seiderer
e4af234d3c package/bind: fix compile/linking failure
Fixes:

  - http://autobuild.buildroot.net/results/966a3de94aa97fa8e9895eede29c9cbfb4bd7301

  .../host/lib/gcc/arm-buildroot-linux-musleabihf/9.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: warning: libisccfg.so.163, needed by ../../lib/bind9/.libs/libbind9.so, not found (try using -rpath or -rpath-link)
  .../host/lib/gcc/arm-buildroot-linux-musleabihf/9.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: ../../lib/bind9/.libs/libbind9.so: undefined reference to `cfg_obj_line'

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: replace by upstream patches]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 14:24:08 +01:00
Fabrice Fontaine
a2be92afc2 package/bind: drop unrecognized option
Drop --enable-newstats option which is not recognized

Unrecognized options:
    --disable-gtk-doc, --disable-gtk-doc-html, --disable-doc, --disable-docs, --disable-documentation, --with-xmlto, --with-fop, --disable-dependency-tracking, --disable-nls, --enable-newstats

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 13:36:39 +01:00
Bernd Kuhls
39b582eba4 package/bind: bump version to 9.11.25
Release notes:
https://ftp.isc.org/isc/bind9/9.11.25/RELEASE-NOTES-bind-9.11.25.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 13:35:51 +01:00
Fabrice Fontaine
ac6dbae320 package/bind: fix license hash
Commit 9679d3f021 forgot to update hash of
COPYRIGHT which was updated to replace http by https:
400171aee8

Fixes:
 - http://autobuild.buildroot.org/results/db614a6fa1e17af2fa5c1d4a0d51cdf770893ca9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-01 22:39:48 +01:00
Petr Vorel
9679d3f021 package/bind: bump to version 9.11.24
Turn 0001-cross.patch into git patch.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-05 09:43:29 +01:00
Peter Korsgaard
4b126afd27 package/bind: security bump to version 9.11.22
Fixes the following security issues:

CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
https://kb.isc.org/docs/cve-2020-8622

CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely
triggerable assertion failure in pk11.c
https://kb.isc.org/docs/cve-2020-8623

CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
https://kb.isc.org/docs/cve-2020-8624

For more details, see the release notes:
https://downloads.isc.org/isc/bind9/9.11.22/RELEASE-NOTES-bind-9.11.22.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-23 15:30:56 +02:00
Stefan Sørensen
cc7740825a package/bind: security bump to version 9.11.20
Fixes the following security issue:
 * CVE-2020-8619: It was possible to trigger an INSIST failure when a
   zone with an interior wildcard label was queried in a certain
   pattern.

Release notes:
https://ftp.isc.org/isc/bind9/cur/9.11/RELEASE-NOTES-bind-9.11.20.txt

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-14 22:44:22 +02:00
Peter Korsgaard
89a5d21627 package/bind: security bump to version 9.11.19
Fixes the following security issues:

- (9.11.18) DNS rebinding protection was ineffective when BIND 9 is
  configured as a forwarding DNS server.  Found and responsibly reported by
  Tobias Klein.  [GL #1574]

- (9.11.19) To prevent exhaustion of server resources by a maliciously
  configured domain, the number of recursive queries that can be triggered
  by a request before aborting recursion has been further limited.  Root and
  top-level domain servers are no longer exempt from the
  max-recursion-queries limit.  Fetches for missing name server address
  records are limited to 4 for any domain.  This issue was disclosed in
  CVE-2020-8616.  [GL #1388]

- (9.11.19) Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure.  This was disclosed in CVE-2020-8617.  [GL #1703]

Also update the COPYRIGHT hash for a change of copyright year and adjust the
spacing for the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-25 21:57:30 +02:00
Jérémy Rosen
3e092163e5 package: rely on systemctl preset-all for buildroot-provided services
All the packages in this list have the following properties
* units are provided by buildroot in the package directory
* the SYSTEMD_INSTALL_INIT_HOOK is exactly equivalent to what the
  [Install] section of the unit does

The fix removes the soflinking in the .mk file

Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2019-12-18 18:27:41 +01:00
Mark Corbin
e2bbf689bd package/bind: update the upstream URL in Config.in
Update the upstream URL in the help text in Config.in. This
addresses the 'Invalid(404)' URL status in the package stats
web page output.

Signed-off-by: Mark Corbin <mark@dibsco.co.uk>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-11-25 21:51:53 +01:00
Peter Korsgaard
0432e5713a package/bind: security bump to version 9.11.13
Fixes the following security vulnerabilities:

- CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

For details, see the release notes:
https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bind-9.11.13.html

(9.11.11..12 were not released)

Upstream moved to a 2019-2020 signing key, so update comment in hash file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-25 15:14:55 +01:00
Fabrice Fontaine
395ad387e0 package/bind: security bump to version 9.11.10
- Remove all patches except first one (already in version)
- Update first patch
- Fix CVE-2019-6471: A race condition when discarding malformed packets
  can cause BIND to exit with an assertion failure

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-19 22:41:04 +02:00
Carlos Santos
f3d53bd049 package/bind: remove /usr/sbin/tsig-keygen if server is not selected
Otherwise it is left as a dangling symlink to ddns-confgen, which is
also removed.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-11 14:56:42 +02:00
Fabrice Fontaine
39cd8cc9be package/bind: don't enable server by default
Don't enable server by default as dhcp will now select bind to use the
bind libraries

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-05-09 21:25:32 +02:00
Fabrice Fontaine
8935dae1d4 package/bind: remove threads dependency
Threads dependency has been added in 2015 with commit
07c1ad4647 however bind can be built
without threads thanks to --disable-threads

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-05-09 21:25:15 +02:00
Fabrice Fontaine
05cbc9a184 package/bind: enable static build
Static build has been disabled in 2014 with commit
6045904752 however bind can be built
statically thanks to --without-dlopen so enable it back

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-05-09 21:23:57 +02:00
Fabrice Fontaine
89e70a7077 package/bind: fix python build
A check for python-ply has been added as this is a dependency of the
dnssec-keymgr script so install host-python-ply to avoid a build failure
if python-ply is not installed on host

Fixes:
 - http://autobuild.buildroot.org/results/96815b1300547c976443bf74b762febdfcc8d3ba

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-29 09:28:29 +02:00
Peter Korsgaard
fc8ace0938 package/bind: security bump to version 9.11.6-P1
Fixes the following security issues:

 - CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
   https://kb.isc.org/docs/cve-2018-5743

 - CVE-2019-6467: An error in the nxdomain redirect feature can cause
   BIND to exit with an INSIST assertion failure in query.c
   https://kb.isc.org/docs/cve-2019-6467

 - CVE-2019-6468: BIND Supported Preview Edition can exit with an
   assertion failure if nxdomain-redirect is used
   https://kb.isc.org/docs/cve-2019-6468

Add an upstream patch to fix building on architectures where bind does not
implement isc_atomic_*.

Upstream moved to a 2019 signing key, so update comment in .hash file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-26 16:15:37 +02:00
Fabrice Fontaine
459dd99f02 package/bind: drop unneeded static openssl workarounds
bind can't be built statically since commit
6045904752

So drop uneeded LIBS="-lz" which was added by commit
80ebf12906 to fix static build with
openssl

Also, drop ac_cv_func_EVP_{sha256,sha384,sha512} that was also added to
fix tests in static build by commit
26aefa672c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-13 21:15:42 +02:00
Peter Korsgaard
12f644e2c5 package/bind: security bump to version 9.11.5-P4
Fixes the following security issues:

- named could crash during recursive processing of DNAME records when
  deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
  [GL #387]

- When recursion is enabled but the allow-recursion and allow-query-cache
  ACLs are not specified, they should be limited to local networks, but they
  were inadvertently set to match the default allow-query, thus allowing
  remote queries.  This flaw is disclosed in CVE-2018-5738.  [GL #309]

- Code change #4964, intended to prevent double signatures when deleting an
  inactive zone DNSKEY in some situations, introduced a new problem during
  zone processing in which some delegation glue RRsets are incorrectly
  identified as needing RRSIGs, which are then created for them using the
  current active ZSK for the zone.  In some, but not all cases, the
  newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
  incompletely -- this can result in a broken chain, affecting validation of
  proof of nonexistence for records in the zone.  [GL #771]

- named could crash if it managed a DNSSEC security root with managed-keys
  and the authoritative zone rolled the key to an algorithm not supported by
  BIND 9.  This flaw is disclosed in CVE-2018-5745.  [GL #780]

- named leaked memory when processing a request with multiple Key Tag EDNS
  options present.  ISC would like to thank Toshifumi Sakaguchi for bringing
  this to our attention.  This flaw is disclosed in CVE-2018-5744.  [GL
  #772]

- Zone transfer controls for writable DLZ zones were not effective as the
  allowzonexfr method was not being called for such zones.  This flaw is
  disclosed in CVE-2019-6465.  [GL #790]

For more details, see the release notes:

http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

Change the upstream URL to HTTPS as the webserver uses HSTS:

>>> bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy

Update the hash of the license file to account for a change of copyright
year:

-Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-22 17:58:55 +01:00
Peter Korsgaard
955df7463b bind: security bump to version 9.11.5
Fixes the following security issues:

- CVE-2018-5738: Some versions of BIND can improperly permit recursive query
  service to unauthorized clients

- CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an
  INSIST assertion failure in named

For more details, see the release notes:

https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html

Drop patch 0003-Rename-ptrsize-to-ptr_size.patch as the uClibc-ng issue was
fixed upstream in commit 931fd627f6195 (mips: fix clashing symbols), which
is included in uclibc-1.0.12 (January 2016).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-07 23:04:06 +01:00
Peter Korsgaard
63eb34fa12 bind: security bump to version 9.11.4-P2
>From the release notes
(http://ftp.isc.org/isc/bind9/9.11.4-P2/RELEASE-NOTES-bind-9.11.4-P2.txt):

 * There was a long-existing flaw in the documentation for ms-self,
   krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
   statements.  Though the policies worked as intended, operators who
   configured their servers according to the misleading documentation may
   have thought zone updates were more restricted than they were; users of
   these rule types are advised to review the documentation and correct
   their configurations if necessary.  New rule types matching the
   previously documented behavior will be introduced in a future maintenance
   release.  [GL !708]

 * named could crash during recursive processing of DNAME records when
   deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
   [GL #387]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-09-30 10:34:13 +02:00
Bernd Kuhls
21d0077a2d package/bind: security bump to version 9.11.4-P1
Fixes CVE-2018-5740: https://ftp.isc.org/isc/bind9/9.11.4-P1/CHANGES

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-08-19 21:20:35 +02:00
Baruch Siach
ba3c7e806d bind: fix build with zlib
The bind configure.in now checks for "${with_zlib}/include/zlib.h".
Remove the redundant "include/".

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-19 09:04:57 +02:00
Baruch Siach
5a92bb63bf bind: fix build with openssl
The bind configure.in uses AC_TRY_RUN that is not compatible with cross
compile. Disable eddsa unconditionally since it requires a newer OpenSSL
version than we currently have. Enable aes; this is always supported in
current OpenSSL versions.

Fixes:
http://autobuild.buildroot.net/results/3ed/3edb1659954b00401b68ffc7e1c8b3c29581c0e4/
http://autobuild.buildroot.net/results/025/025e377b51b39ba34647636ad0d0661a3cb95572/
http://autobuild.buildroot.net/results/725/7250564e780e43e793ae6c8c526985e5519681f4/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-19 09:04:45 +02:00
Baruch Siach
b36577a266 bind: security bump to 9.11.4
Fixes CVE-2018-5738: When recursion is enabled but the allow-recursion
and allow-query-cache ACLs are not specified, they should be limited to
local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.

Update license file hash; copyright year update.

Add reference to tarball signature key.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-17 21:49:55 +02:00
Carlos Santos
f59d73426b bind: don't test if the binary exists in the init script
The test doesn't make sense. It just exits without any error if the
binary doesn't exist, which is silly.

Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-04-16 07:34:33 +02:00
Christopher McCrory
716cfa6744 bind: use BIND_PKGDIR vairable
Use the BIND_PKGDIR variable instead of package/bind.

Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-02-27 22:22:14 +01:00