Peter Korsgaard f693ed7e42 package/bind: security bump to version 9.11.5-P4
Fixes the following security issues:

- named could crash during recursive processing of DNAME records when
  deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
  [GL #387]

- When recursion is enabled but the allow-recursion and allow-query-cache
  ACLs are not specified, they should be limited to local networks, but they
  were inadvertently set to match the default allow-query, thus allowing
  remote queries.  This flaw is disclosed in CVE-2018-5738.  [GL #309]

- Code change #4964, intended to prevent double signatures when deleting an
  inactive zone DNSKEY in some situations, introduced a new problem during
  zone processing in which some delegation glue RRsets are incorrectly
  identified as needing RRSIGs, which are then created for them using the
  current active ZSK for the zone.  In some, but not all cases, the
  newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
  incompletely -- this can result in a broken chain, affecting validation of
  proof of nonexistence for records in the zone.  [GL #771]

- named could crash if it managed a DNSSEC security root with managed-keys
  and the authoritative zone rolled the key to an algorithm not supported by
  BIND 9.  This flaw is disclosed in CVE-2018-5745.  [GL #780]

- named leaked memory when processing a request with multiple Key Tag EDNS
  options present.  ISC would like to thank Toshifumi Sakaguchi for bringing
  this to our attention.  This flaw is disclosed in CVE-2018-5744.  [GL
  #772]

- Zone transfer controls for writable DLZ zones were not effective as the
  allowzonexfr method was not being called for such zones.  This flaw is
  disclosed in CVE-2019-6465.  [GL #790]

For more details, see the release notes:

http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

Change the upstream URL to HTTPS as the webserver uses HSTS:

>>> bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy

Update the hash of the license file to account for a change of copyright
year:

-Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 12f644e2c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-23 19:36:26 +01:00
arch arch/arm: restrict more armv8a cores to aarch64 2019-01-18 15:54:19 +01:00
board qemu/aarch64-virt: Emulate cortex-a53 in qemu to match Buildroot config 2019-01-29 23:02:39 +01:00
boot boot/barebox: change download site to https 2019-01-24 16:51:45 +01:00
configs qemu/aarch64-virt: Emulate cortex-a53 in qemu to match Buildroot config 2019-01-29 23:02:39 +01:00
docs Makefile, manual, website: Bump copyright year 2019-01-24 12:26:30 +01:00
fs fs/tar: add support for xattrs (thus capabilities) 2018-11-26 17:24:45 +01:00
linux linux: don't check hashes for user-supplied patches 2019-02-22 12:45:42 +01:00
package package/bind: security bump to version 9.11.5-P4 2019-02-23 19:36:26 +01:00
support support/scripts/setlocalversion: ignore user settings for Mercurial 2019-02-18 17:12:55 +01:00
system skeleton: PAGER without blank and unset at end of for loop 2018-06-17 17:19:52 +02:00
toolchain toolchain/buildroot: fix default of C library choice 2018-05-28 16:12:14 +02:00
utils utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling 2019-02-21 13:54:04 +01:00
.defconfig arch: remove support for sh64 2016-09-08 22:15:15 +02:00
.flake8 .flake8: add config file for Python code style 2017-10-06 19:05:18 +02:00
.gitignore
.gitlab-ci.yml .gitlab-ci.yml: do runtime tests only on explicit trigger 2018-10-26 21:38:10 +02:00
.gitlab-ci.yml.in .gitlab-ci.yml: do runtime tests only on explicit trigger 2018-10-26 21:38:10 +02:00
CHANGES Update for 2018.02.10 2019-01-31 17:37:58 +01:00
Config.in Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6 2018-11-25 21:48:40 +01:00
Config.in.legacy package/transmission: remove BR2_PACKAGE_TRANSMISSION_REMOTE 2018-06-11 22:57:19 +02:00
COPYING COPYING: add exception about patch licensing 2016-02-26 19:50:13 +01:00
DEVELOPERS DEVELOPERS: update email address for Gary Bisson 2019-02-22 13:29:35 +01:00
Makefile Makefile: unexport 'PLATFORM' and 'OS' environment variables 2019-02-18 17:15:27 +01:00
Makefile.legacy Remove BR2_DEPRECATED 2016-10-15 23:14:45 +02:00
README README: add reference to submitting-patches 2016-02-01 19:16:08 +01:00

Buildroot is a simple, efficient and easy-to-use tool to generate embedded
Linux systems through cross-compilation.

The documentation can be found in docs/manual. You can generate a text
document with 'make manual-text' and read output/docs/manual/manual.text.
Online documentation can be found at http://buildroot.org/docs.html

To build and use the buildroot stuff, do the following:

1) run 'make menuconfig'
2) select the target architecture and the packages you wish to compile
3) run 'make'
4) wait while it compiles
5) find the kernel, bootloader, root filesystem, etc. in output/images

You do not need to be root to build or run buildroot.  Have fun!

Buildroot comes with a basic configuration for a number of boards. Run
'make list-defconfigs' to view the list of provided configurations.

Please feed suggestions, bug reports, insults, and bribes back to the
buildroot mailing list: buildroot@buildroot.org
You can also find us on #buildroot on Freenode IRC.

If you would like to contribute patches, please read
https://buildroot.org/manual.html#submitting-patches