Threads dependency has been added in 2015 with commit
07c1ad4647 however bind can be built
without threads thanks to --disable-threads
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Static build has been disabled in 2014 with commit
6045904752 however bind can be built
statically thanks to --without-dlopen so enable it back
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
A check for python-ply has been added as this is a dependency of the
dnssec-keymgr script so install host-python-ply to avoid a build failure
if python-ply is not installed on host
Fixes:
- http://autobuild.buildroot.org/results/96815b1300547c976443bf74b762febdfcc8d3ba
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743
- CVE-2019-6467: An error in the nxdomain redirect feature can cause
BIND to exit with an INSIST assertion failure in query.c
https://kb.isc.org/docs/cve-2019-6467
- CVE-2019-6468: BIND Supported Preview Edition can exit with an
assertion failure if nxdomain-redirect is used
https://kb.isc.org/docs/cve-2019-6468
Add an upstream patch to fix building on architectures where bind does not
implement isc_atomic_*.
Upstream moved to a 2019 signing key, so update comment in .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
bind can't be built statically since commit
6045904752
So drop uneeded LIBS="-lz" which was added by commit
80ebf12906 to fix static build with
openssl
Also, drop ac_cv_func_EVP_{sha256,sha384,sha512} that was also added to
fix tests in static build by commit
26aefa672c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- named could crash during recursive processing of DNAME records when
deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740.
[GL #387]
- When recursion is enabled but the allow-recursion and allow-query-cache
ACLs are not specified, they should be limited to local networks, but they
were inadvertently set to match the default allow-query, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- Code change #4964, intended to prevent double signatures when deleting an
inactive zone DNSKEY in some situations, introduced a new problem during
zone processing in which some delegation glue RRsets are incorrectly
identified as needing RRSIGs, which are then created for them using the
current active ZSK for the zone. In some, but not all cases, the
newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
incompletely -- this can result in a broken chain, affecting validation of
proof of nonexistence for records in the zone. [GL #771]
- named could crash if it managed a DNSSEC security root with managed-keys
and the authoritative zone rolled the key to an algorithm not supported by
BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
- named leaked memory when processing a request with multiple Key Tag EDNS
options present. ISC would like to thank Toshifumi Sakaguchi for bringing
this to our attention. This flaw is disclosed in CVE-2018-5744. [GL
#772]
- Zone transfer controls for writable DLZ zones were not effective as the
allowzonexfr method was not being called for such zones. This flaw is
disclosed in CVE-2019-6465. [GL #790]
For more details, see the release notes:
http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html
Change the upstream URL to HTTPS as the webserver uses HSTS:
>>> bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy
Update the hash of the license file to account for a change of copyright
year:
-Copyright (C) 1996-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC")
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2018-5738: Some versions of BIND can improperly permit recursive query
service to unauthorized clients
- CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an
INSIST assertion failure in named
For more details, see the release notes:
https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Drop patch 0003-Rename-ptrsize-to-ptr_size.patch as the uClibc-ng issue was
fixed upstream in commit 931fd627f6195 (mips: fix clashing symbols), which
is included in uclibc-1.0.12 (January 2016).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the release notes
(http://ftp.isc.org/isc/bind9/9.11.4-P2/RELEASE-NOTES-bind-9.11.4-P2.txt):
* There was a long-existing flaw in the documentation for ms-self,
krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
statements. Though the policies worked as intended, operators who
configured their servers according to the misleading documentation may
have thought zone updates were more restricted than they were; users of
these rule types are advised to review the documentation and correct
their configurations if necessary. New rule types matching the
previously documented behavior will be introduced in a future maintenance
release. [GL !708]
* named could crash during recursive processing of DNAME records when
deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740.
[GL #387]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The bind configure.in now checks for "${with_zlib}/include/zlib.h".
Remove the redundant "include/".
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2018-5738: When recursion is enabled but the allow-recursion
and allow-query-cache ACLs are not specified, they should be limited to
local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.
Update license file hash; copyright year update.
Add reference to tarball signature key.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use the BIND_PKGDIR variable instead of package/bind.
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
CVE-2017-3145: Improper sequencing during cleanup can lead to a
use-after-free error, triggering an assertion failure and crash in
named.
For more details, see the advisory:
https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This reverts commit 7c0ecd4d75, as it is
in fact a duplicate of commit
bb95fef1e0.
Reported-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Bind autoconf scripts look for lmdb.h in /usr/include (even when
cross-compiling). When liblmdb-dev is installed, this causes the
following error:
...
checking for lmdb library... yes
checking for library containing mdb_env_create... no
configure: error: found lmdb include but not library.
Fix this by disabling explicitly lmdb support.
Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
BIND 9.11.1-P3 addresses a TSIG regression introduced in the 9.11.1-P2
security bump:
https://lists.isc.org/pipermail/bind-announce/2017-July/001057.html
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the following security issues:
CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone
transfers
An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name may be able to
circumvent TSIG authentication of AXFR requests via a carefully constructed
request packet. A server that relies solely on TSIG keys for protection with
no other ACL protection could be manipulated into:
* providing an AXFR of a zone to an unauthorized recipient
* accepting bogus NOTIFY packets
https://kb.isc.org/article/AA-01504/74/CVE-2017-3142
CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic
updates
An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name for the zone and service
being targeted may be able to manipulate BIND into accepting an unauthorized
dynamic update.
https://kb.isc.org/article/AA-01503/74/CVE-2017-3143
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the following security issues:
CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10,
9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with
Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.
https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
CVE-2017-3141 is a Windows privilege escalation vector affecting
9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10,
9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The
BIND Windows installer failed to properly quote the service paths,
possibly allowing a local user to achieve privilege escalation, if
allowed by file system permissions.
https://kb.isc.org/article/AA-01496/74/CVE-2017-3141
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Security Fixes:
- rndc "" could trigger an assertion failure in named. This flaw is
disclosed in (CVE-2017-3138). [RT #44924]
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
- dns64 with break-dnssec yes; can result in an assertion failure. This
flaw is disclosed in CVE-2017-3136. [RT #44653]
- If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server
crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
- A coding error in the nxdomain-redirect feature could lead to an
assertion failure if the redirection namespace was served from a
local authoritative data source such as a local zone or a DLZ instead
of via recursive lookup. This flaw is disclosed in CVE-2016-9778.
[RT #43837]
- named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
- named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
- named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
- It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
Full release notes:
ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html
Also, remove --enable-rrl configure option from bind.mk as it doesn't
exist anymore.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for MPLv1.0/MPLv1.1/MPLv2.0 is MPL-1.0/MPL-1.1/
MPL-2.0.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/MPLv([1-2]\.[0-1])/MPL-\1/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash:
https://kb.isc.org/article/AA-01453
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfixes:
- CVE-2016-9131: A malformed response to an ANY query can cause an
assertion failure during recursion
- CVE-2016-9147: An error handling a query response containing inconsistent
DNSSEC information could cause an assertion failure
- CVE-2016-9444: An unusually-formed DS record response could cause an
assertion failure
- CVE-2016-9778: An error handling certain queries using the
nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-8864 - denial-of-service vector which can potentially be
exploited against BIND 9 servers.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
[Thomas: fix hash URL in .hash file, noticed by Vicente.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- With the release of BIND 9.11.0, ISC is changing the open source
license for BIND from the ISC license to the Mozilla Public License
(MPL 2.0). See release notes:
http://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html
- Explicitly enable/disable zlib support, otherwise the configure script
will fail like this:
checking for zlib library... yes
checking for library containing deflate... no
configure: error: found zlib include but not library.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-2088 - Duplicate EDNS COOKIE options in a response could
trigger an assertion failure.
Drop libressl support patch since it's upstream now.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-1285 - An error parsing input received by the rndc control
channel can cause an assertion failure in sexpr.c or alist.c
CVE-2016-1286 - A problem parsing resource record signatures for DNAME
resource records can lead to an assertion failure in resolver.c or db.c
CVE-2016-2088 - A response containing multiple DNS cookies causes
servers with cookie support enabled to exit with an assertion failure.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build sometimes breaks with:
libtool: link: `unix/os.lo' is not a valid libtool object
make[3]: *** [rndc-confgen] Error 1
make[3]: *** Waiting for unfinished jobs....
make[4]: Leaving directory `/scratch/peko/build/bind-9.6-ESV-R4/bin/rndc/unix'
So disable parallel builds.
This patch was removed with commit
c36b5d89c5 by Gustavo Zacarias
<gustavo@zacarias.com.ar> but the problem still occurs, so disabling
parallel builds again.
Fixes:
http://autobuild.buildroot.org/results/220/2201f04170ea8ef0961e907efce07c041a57c229/
Signed-off-by: Jan Heylen <heyleke@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-8704 - apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and
9.10.x before 9.10.3-P3 allows remote authenticated users to cause a
denial of service (INSIST assertion failure and daemon exit) via a
malformed Address Prefix List (APL) record.
CVE-2015-8705 - buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3,
when debug logging is enabled, allows remote attackers to cause a denial
of service (REQUIRE assertion failure and daemon exit, or daemon crash)
or possibly have unspecified other impact via (1) OPT data or (2) an ECS
option.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It conflicts with jsoncpp, bind probes for json/json.h first, but that
header is installed by jsoncpp, which is completely different from
json-c.
Since it's not clear who's correct here (there might be some other
json-c predecessor/version that installs there as well) and the same
functionality (stats channel) is provided by libxml2 as well, just
disable libjson support completely.
Fixes:
http://autobuild.buildroot.net/results/226/2262c9b46663ea7a45e128a5fd7ff30417c2c2a7/build-end.log
(indirectly, it was probing aboslute directories while searching for it)
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Leave the LTS series for the latest stable version for libressl
compatibility.
Unfortunately this means threads are now required, but this shouldn't be
a problem for a fully-featured resolver.
Drop 0001-disable-tests.patch since it's no longer required, genrandom
isn't run unless the tests are called upon.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
Named is potentially vulnerable to the OpenSSL vulnerabilty described in
CVE-2015-3193.
CVE-2015-8461 - Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a lookup.
CVE-2015-8000 - Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted, triggering a REQUIRE
failure when those records were subsequently cached.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-5722 - denial-of-service vector which can be exploited remotely
against a BIND server that is performing validation on DNSSEC-signed
records.
CVE-2015-5986 - denial-of-service vector which can be used against a
BIND server that is performing recursion and (under limited conditions)
an authoritative-only nameserver.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2015-5477 - An error in handling TKEY queries can cause named
to exit with a REQUIRE assertion failure.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-4620 - On servers configured to perform DNSSEC validation an
assertion failure could be triggered on answers from a specially
configured server.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This allows usage of the filter-aaaa-on-v4 configuration option.
This option disables responding with AAAA records when the request
is made over ipv4. This may be useful on networks with
ipv6 inside, but no ISP ipv6 (when combined with only
listening on ipv4).
See https://kb.isc.org/article/AA-00576/
Filter-AAAA-option-in-BIND-9-.html
for more information.
Signed-off-by: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit doesn't touch infra packages.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2015-1349 - Revoking a managed trust anchor and supplying an
untrusted replacement could cause namedto crash with an assertion
failure.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The unit file is taken from debian, but tested working.
We'll call it named.service to match the sysV initscript.
Signed-off-by: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
