buildroot/package/bind/bind.mk, branch 2017.02.2

bind: bump version to 9.11.0-P5 (security)

2017-04-24T14:22:20+00:00

Security Fixes: - rndc "" could trigger an assertion failure in named. This flaw is disclosed in (CVE-2017-3138). [RT #44924] - Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734] - dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in CVE-2017-3136. [RT #44653] - If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434] - A coding error in the nxdomain-redirect feature could lead to an assertion failure if the redirection namespace was served from a local authoritative data source such as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] - named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632] - named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548] - named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522] - It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465] Full release notes: ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html Also, remove --enable-rrl configure option from bind.mk as it doesn't exist anymore. Signed-off-by: Vicente Olivert Riera Signed-off-by: Thomas Petazzoni (cherry picked from commit 1727ea972bb8202ba15247e53bc54b47fa76c69e) Signed-off-by: Peter Korsgaard

bind: security bump to version 9.11.0-P3

2017-02-13T17:01:14+00:00

Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash: https://kb.isc.org/article/AA-01453 Signed-off-by: Peter Korsgaard

bind: security bump to version 9.11.0-P2

2017-01-13T15:15:42+00:00

Bugfixes: - CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion - CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure - CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure - CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c Signed-off-by: Peter Korsgaard

bind: security bump to version 9.11.0-P1

2016-11-02T16:26:58+00:00

Fixes: CVE-2016-8864 - denial-of-service vector which can potentially be exploited against BIND 9 servers. Signed-off-by: Gustavo Zacarias [Thomas: fix hash URL in .hash file, noticed by Vicente.] Signed-off-by: Thomas Petazzoni

bind: don't lookup zlib.h in host headers

2016-10-19T09:23:00+00:00

configure.in looks in host headers for zlib.h, unless given a headers directory as --with-zlib parameter. Note: a bug in the zlib.h header lookup logic causes configure.in to add -l$(STAGING_DIR)/usr/include/include, and -L$(STAGING_DIR)/usr/include/lib. But this does not affect us. Fixes: http://autobuild.buildroot.net/results/e96/e96a36c4da3c3be4b79a27af75a70bb8955c31a9/ http://autobuild.buildroot.net/results/e0b/e0bd7df5c19c7c65ce0009b7c2b4d4104a5c3109/ http://autobuild.buildroot.net/results/e99/e993940067f7ae841132765f91bfee7248ab125f/ Signed-off-by: Baruch Siach Signed-off-by: Peter Korsgaard

bind: bump version to 9.11.0

2016-10-15T09:46:33+00:00

- With the release of BIND 9.11.0, ISC is changing the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0). See release notes: http://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html - Explicitly enable/disable zlib support, otherwise the configure script will fail like this: checking for zlib library... yes checking for library containing deflate... no configure: error: found zlib include but not library. Signed-off-by: Vicente Olivert Riera Signed-off-by: Peter Korsgaard

bind: bump version to 9.10.4-P3

2016-09-28T11:39:18+00:00

Signed-off-by: Vicente Olivert Riera Signed-off-by: Peter Korsgaard

bind: bump version to 9.10.4-P2

2016-07-19T09:50:22+00:00

Security fixes: CVE-2016-2775 Signed-off-by: Vicente Olivert Riera Signed-off-by: Thomas Petazzoni

bind: security bump to version 9.10.4

2016-05-04T20:47:43+00:00

Fixes: CVE-2016-2088 - Duplicate EDNS COOKIE options in a response could trigger an assertion failure. Drop libressl support patch since it's upstream now. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard

bind: security bump to version 9.10.3-P4

2016-03-10T19:49:52+00:00

Fixes: CVE-2016-1285 - An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c CVE-2016-1286 - A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c CVE-2016-2088 - A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard