<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/bind, branch 2019.02-op-build</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2019-02-22T16:58:55+00:00</updated>
<entry>
<title>package/bind: security bump to version 9.11.5-P4</title>
<updated>2019-02-22T16:58:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-02-22T13:40:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=12f644e2c52336579df74ac59089dc2aa0469c2b'/>
<id>urn:sha1:12f644e2c52336579df74ac59089dc2aa0469c2b</id>
<content type='text'>
Fixes the following security issues:

- named could crash during recursive processing of DNAME records when
  deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
  [GL #387]

- When recursion is enabled but the allow-recursion and allow-query-cache
  ACLs are not specified, they should be limited to local networks, but they
  were inadvertently set to match the default allow-query, thus allowing
  remote queries.  This flaw is disclosed in CVE-2018-5738.  [GL #309]

- Code change #4964, intended to prevent double signatures when deleting an
  inactive zone DNSKEY in some situations, introduced a new problem during
  zone processing in which some delegation glue RRsets are incorrectly
  identified as needing RRSIGs, which are then created for them using the
  current active ZSK for the zone.  In some, but not all cases, the
  newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
  incompletely -- this can result in a broken chain, affecting validation of
  proof of nonexistence for records in the zone.  [GL #771]

- named could crash if it managed a DNSSEC security root with managed-keys
  and the authoritative zone rolled the key to an algorithm not supported by
  BIND 9.  This flaw is disclosed in CVE-2018-5745.  [GL #780]

- named leaked memory when processing a request with multiple Key Tag EDNS
  options present.  ISC would like to thank Toshifumi Sakaguchi for bringing
  this to our attention.  This flaw is disclosed in CVE-2018-5744.  [GL
  #772]

- Zone transfer controls for writable DLZ zones were not effective as the
  allowzonexfr method was not being called for such zones.  This flaw is
  disclosed in CVE-2019-6465.  [GL #790]

For more details, see the release notes:

http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

Change the upstream URL to HTTPS as the webserver uses HSTS:

&gt;&gt;&gt; bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy

Update the hash of the license file to account for a change of copyright
year:

-Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>bind: security bump to version 9.11.5</title>
<updated>2018-11-07T22:04:06+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-11-07T14:38:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=955df7463b0747620b744e19a78cfc84e1c99965'/>
<id>urn:sha1:955df7463b0747620b744e19a78cfc84e1c99965</id>
<content type='text'>
Fixes the following security issues:

- CVE-2018-5738: Some versions of BIND can improperly permit recursive query
  service to unauthorized clients

- CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an
  INSIST assertion failure in named

For more details, see the release notes:

https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html

Drop patch 0003-Rename-ptrsize-to-ptr_size.patch as the uClibc-ng issue was
fixed upstream in commit 931fd627f6195 (mips: fix clashing symbols), which
is included in uclibc-1.0.12 (January 2016).

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>bind: security bump to version 9.11.4-P2</title>
<updated>2018-09-30T08:34:13+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-09-29T19:30:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=63eb34fa121c4e7448dd5ec25491ed742a7ca262'/>
<id>urn:sha1:63eb34fa121c4e7448dd5ec25491ed742a7ca262</id>
<content type='text'>
From the release notes
(http://ftp.isc.org/isc/bind9/9.11.4-P2/RELEASE-NOTES-bind-9.11.4-P2.txt):

 * There was a long-existing flaw in the documentation for ms-self,
   krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
   statements.  Though the policies worked as intended, operators who
   configured their servers according to the misleading documentation may
   have thought zone updates were more restricted than they were; users of
   these rule types are advised to review the documentation and correct
   their configurations if necessary.  New rule types matching the
   previously documented behavior will be introduced in a future maintenance
   release.  [GL !708]

 * named could crash during recursive processing of DNAME records when
   deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
   [GL #387]

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/bind: security bump to version 9.11.4-P1</title>
<updated>2018-08-19T19:20:35+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2018-08-18T22:00:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=21d0077a2d1e6b8afba0812708d07a99e2738fc6'/>
<id>urn:sha1:21d0077a2d1e6b8afba0812708d07a99e2738fc6</id>
<content type='text'>
Fixes CVE-2018-5740: https://ftp.isc.org/isc/bind9/9.11.4-P1/CHANGES

Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>bind: fix build with zlib</title>
<updated>2018-07-19T07:04:57+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-07-18T18:53:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=ba3c7e806d3ebeb1fa66fe7ba0ee9a70447b49b0'/>
<id>urn:sha1:ba3c7e806d3ebeb1fa66fe7ba0ee9a70447b49b0</id>
<content type='text'>
The bind configure.in now checks for "${with_zlib}/include/zlib.h".
Remove the redundant "include/".

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>bind: fix build with openssl</title>
<updated>2018-07-19T07:04:45+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-07-18T18:53:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=5a92bb63bf0657f24694b8c8c24dff04f6e96dca'/>
<id>urn:sha1:5a92bb63bf0657f24694b8c8c24dff04f6e96dca</id>
<content type='text'>
The bind configure.in uses AC_TRY_RUN that is not compatible with cross
compile. Disable eddsa unconditionally since it requires a newer OpenSSL
version than we currently have. Enable aes; this is always supported in
current OpenSSL versions.

Fixes:
http://autobuild.buildroot.net/results/3ed/3edb1659954b00401b68ffc7e1c8b3c29581c0e4/
http://autobuild.buildroot.net/results/025/025e377b51b39ba34647636ad0d0661a3cb95572/
http://autobuild.buildroot.net/results/725/7250564e780e43e793ae6c8c526985e5519681f4/

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>bind: security bump to 9.11.4</title>
<updated>2018-07-17T19:49:55+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-07-17T11:32:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b36577a2669310c1b1a6722e012a1049e3793d1d'/>
<id>urn:sha1:b36577a2669310c1b1a6722e012a1049e3793d1d</id>
<content type='text'>
Fixes CVE-2018-5738: When recursion is enabled but the allow-recursion
and allow-query-cache ACLs are not specified, they should be limited to
local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.

Update license file hash; copyright year update.

Add reference to tarball signature key.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>bind: don't test if the binary exists in the init script</title>
<updated>2018-04-16T05:34:33+00:00</updated>
<author>
<name>Carlos Santos</name>
<email>casantos@datacom.ind.br</email>
</author>
<published>2018-04-16T02:29:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=f59d73426b5ead6c808ee83dd324049fb02c89aa'/>
<id>urn:sha1:f59d73426b5ead6c808ee83dd324049fb02c89aa</id>
<content type='text'>
The test doesn't make sense. It just exits without any error if the
binary doesn't exist, which is silly.

Signed-off-by: Carlos Santos &lt;casantos@datacom.ind.br&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>bind: use BIND_PKGDIR variable</title>
<updated>2018-02-27T21:22:14+00:00</updated>
<author>
<name>Christopher McCrory</name>
<email>chrismcc@gmail.com</email>
</author>
<published>2018-02-27T12:39:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=716cfa6744b542a25a969088c73ad66dffbf6fcf'/>
<id>urn:sha1:716cfa6744b542a25a969088c73ad66dffbf6fcf</id>
<content type='text'>
Use the BIND_PKGDIR variable instead of package/bind.

Signed-off-by: Christopher McCrory &lt;chrismcc@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>bind: security bump to version 9.11.2-P1</title>
<updated>2018-01-17T13:07:41+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-01-17T07:42:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=d72a2b9247d885c4fc5c2ca6066d3ae6a27a8653'/>
<id>urn:sha1:d72a2b9247d885c4fc5c2ca6066d3ae6a27a8653</id>
<content type='text'>
Fixes the following security issue:

CVE-2017-3145: Improper sequencing during cleanup can lead to a
use-after-free error, triggering an assertion failure and crash in
named.

For more details, see the advisory:
https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
