OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2016.08 2016-07-19T09:50:22+00:00 2016-07-19T09:50:22+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2016-07-19T09:29:06+00:00 urn:sha1:c5a55f79c0ca5fc1a649e69b15cadb1ce5a74c14 Security fixes: CVE-2016-2775 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-05-04T20:47:43+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-05-03T15:42:04+00:00 urn:sha1:80c0d7ce1c49854bbf1f2c5daf4a358548193a2c Fixes: CVE-2016-2088 - Duplicate EDNS COOKIE options in a response could trigger an assertion failure. Drop libressl support patch since it's upstream now. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-03-10T19:49:52+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-03-10T17:22:28+00:00 urn:sha1:67245dcbe14c2e98f44dcc717cfefedd6b7294d9 Fixes: CVE-2016-1285 - An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c CVE-2016-1286 - A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c CVE-2016-2088 - A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-02-06T09:45:15+00:00 Jan Heylen heyleke@gmail.com 2016-02-06T09:00:07+00:00 urn:sha1:e4749b826c04cda213768332f67ffb82f06105b2 Build sometimes breaks with: libtool: link: `unix/os.lo' is not a valid libtool object make[3]: *** [rndc-confgen] Error 1 make[3]: *** Waiting for unfinished jobs.... make[4]: Leaving directory `/scratch/peko/build/bind-9.6-ESV-R4/bin/rndc/unix' So disable parallel builds. This patch was removed with commit c36b5d89c5616f7ca0a7295cbb5c231606beb71e by Gustavo Zacarias <gustavo@zacarias.com.ar> but the problem still occurs, so disabling parallel builds again. Fixes: http://autobuild.buildroot.org/results/220/2201f04170ea8ef0961e907efce07c041a57c229/ Signed-off-by: Jan Heylen <heyleke@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-01-26T22:05:40+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-01-22T12:28:11+00:00 urn:sha1:0a7cea9b80cffc0c0c16f5b59980518362b7b154 Fixes: CVE-2015-8704 - apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record. CVE-2015-8705 - buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2015-12-30T18:22:51+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-12-30T16:51:04+00:00 urn:sha1:6e8f91f346c3fefd5e9115881813f96ae422b5a7 It conflicts with jsoncpp, bind probes for json/json.h first, but that header is installed by jsoncpp, which is completely different from json-c. Since it's not clear who's correct here (there might be some other json-c predecessor/version that installs there as well) and the same functionality (stats channel) is provided by libxml2 as well, just disable libjson support completely. Fixes: http://autobuild.buildroot.net/results/226/2262c9b46663ea7a45e128a5fd7ff30417c2c2a7/build-end.log (indirectly, it was probing aboslute directories while searching for it) Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-30T13:54:10+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-12-30T13:39:29+00:00 urn:sha1:07c1ad4647b6a8e60338fc01ddcb2d629de0ad14 Leave the LTS series for the latest stable version for libressl compatibility. Unfortunately this means threads are now required, but this shouldn't be a problem for a fully-featured resolver. Drop 0001-disable-tests.patch since it's no longer required, genrandom isn't run unless the tests are called upon. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-17T21:48:46+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-12-17T21:43:55+00:00 urn:sha1:c3e119e09307eff7ef702f7f860ecbc9b156715e Fixes: Named is potentially vulnerable to the OpenSSL vulnerabilty described in CVE-2015-3193. CVE-2015-8461 - Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. CVE-2015-8000 - Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-10-09T13:23:46+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-10-08T20:16:33+00:00 urn:sha1:e5fa81e745b2bc6f9beb6656b973ebb5a9dc5585 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-09-04T14:07:37+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2015-09-04T12:39:52+00:00 urn:sha1:38d1a66bda57cb4c47156021ee976c2583b55822 Fixes: CVE-2015-5722 - denial-of-service vector which can be exploited remotely against a BIND server that is performing validation on DNSSEC-signed records. CVE-2015-5986 - denial-of-service vector which can be used against a BIND server that is performing recursion and (under limited conditions) an authoritative-only nameserver. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>