OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2017.08 2017-08-08T18:45:07+00:00 2017-08-08T18:45:07+00:00 Peter Seiderer ps.report@gmx.net 2017-08-08T16:57:58+00:00 urn:sha1:bb95fef1e0bec4ebc0584001f337438b17c4744d Fix configure failure in case lmdb devel files are present on the host by adding --without-lmdb option (reported [1] and fix tested [2],[3] by grunpferd@netscape.net). Fixes: checking for lmdb library... yes checking for library containing mdb_env_create... no configure: error: found lmdb include but not library. [1] http://lists.busybox.net/pipermail/buildroot/2017-August/199945.html [2] http://lists.busybox.net/pipermail/buildroot/2017-August/199963.html [3] http://lists.busybox.net/pipermail/buildroot/2017-August/199964.html Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> 2017-07-24T16:33:42+00:00 Peter Korsgaard peter@korsgaard.com 2017-07-24T09:16:10+00:00 urn:sha1:c237f1d1c5447af3b967304d7929cf115ea1aa5d BIND 9.11.1-P3 addresses a TSIG regression introduced in the 9.11.1-P2 security bump: https://lists.isc.org/pipermail/bind-announce/2017-July/001057.html Also add a hash for the license file while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-07-02T21:48:41+00:00 Peter Korsgaard peter@korsgaard.com 2017-07-02T15:01:48+00:00 urn:sha1:a0c53973f87928ae51ca58926951c386c74fc023 Fixes the following security issues: CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: * providing an AXFR of a zone to an unauthorized recipient * accepting bogus NOTIFY packets https://kb.isc.org/article/AA-01504/74/CVE-2017-3142 CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic updates An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. https://kb.isc.org/article/AA-01503/74/CVE-2017-3143 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-06-20T21:14:16+00:00 Peter Korsgaard peter@korsgaard.com 2017-06-20T20:55:34+00:00 urn:sha1:e14d89d5e08c47e4e93074cd85cb412af9eafa5e Fixes the following security issues: CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules. https://kb.isc.org/article/AA-01495/74/CVE-2017-3140 CVE-2017-3141 is a Windows privilege escalation vector affecting 9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The BIND Windows installer failed to properly quote the service paths, possibly allowing a local user to achieve privilege escalation, if allowed by file system permissions. https://kb.isc.org/article/AA-01496/74/CVE-2017-3141 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-05-11T21:26:49+00:00 Adam Duskett Aduskett@gmail.com 2017-05-05T14:08:06+00:00 urn:sha1:4db9bbb475daf96e1d5638b8cbee096691672a55 The check-package script when ran gives warnings on text wrapping on all of these Config files. This patch cleans up all warnings related to the text wrapping for the Config files starting with the letter b in the package directory. The appropriate indentation is: <tab><2 spaces><62 chars> See http://nightly.buildroot.org/#writing-rules-config-in for more information. Signed-off-by: Adam Duskett <aduskett@codeblue.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-20T19:47:07+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-04-20T12:32:19+00:00 urn:sha1:b9e147dd5e2098ed4e3a772ca3ababb624e4aae6 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-13T19:31:56+00:00 Vicente Olivert Riera Vincent.Riera@imgtec.com 2017-04-13T13:32:09+00:00 urn:sha1:1727ea972bb8202ba15247e53bc54b47fa76c69e Security Fixes: - rndc "" could trigger an assertion failure in named. This flaw is disclosed in (CVE-2017-3138). [RT #44924] - Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734] - dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in CVE-2017-3136. [RT #44653] - If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434] - A coding error in the nxdomain-redirect feature could lead to an assertion failure if the redirection namespace was served from a local authoritative data source such as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] - named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632] - named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548] - named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522] - It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465] Full release notes: ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html Also, remove --enable-rrl configure option from bind.mk as it doesn't exist anymore. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-04-01T13:27:47+00:00 Rahul Bedarkar rahulbedarkar89@gmail.com 2017-03-30T13:43:42+00:00 urn:sha1:f33fd75afc1701ee1ded34454db7ce170adc4c9f We want to use SPDX identifier for license string as much as possible. SPDX short identifier for MPLv1.0/MPLv1.1/MPLv2.0 is MPL-1.0/MPL-1.1/ MPL-2.0. This change is done using following command. find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/MPLv([1-2]\.[0-1])/MPL-\1/g' Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-02-13T17:01:14+00:00 Peter Korsgaard peter@korsgaard.com 2017-02-12T21:59:58+00:00 urn:sha1:b9141fc88b24b6e0d565f84ee768f3199f31a6cd Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash: https://kb.isc.org/article/AA-01453 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-01-13T15:15:42+00:00 Peter Korsgaard peter@korsgaard.com 2017-01-12T08:00:00+00:00 urn:sha1:4bab93be70ba576668a9fa19d0ff92ce2b97c905 Bugfixes: - CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion - CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure - CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure - CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c Signed-off-by: Peter Korsgaard <peter@korsgaard.com>