summaryrefslogtreecommitdiffstats
path: root/package/bind/bind.hash
Commit message (Collapse)AuthorAgeFilesLines
* package/bind: security bump to version 9.11.5-P4Peter Korsgaard2019-02-221-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: - named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387] - When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query, thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] - Code change #4964, intended to prevent double signatures when deleting an inactive zone DNSKEY in some situations, introduced a new problem during zone processing in which some delegation glue RRsets are incorrectly identified as needing RRSIGs, which are then created for them using the current active ZSK for the zone. In some, but not all cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but incompletely -- this can result in a broken chain, affecting validation of proof of nonexistence for records in the zone. [GL #771] - named could crash if it managed a DNSSEC security root with managed-keys and the authoritative zone rolled the key to an algorithm not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] - named leaked memory when processing a request with multiple Key Tag EDNS options present. ISC would like to thank Toshifumi Sakaguchi for bringing this to our attention. This flaw is disclosed in CVE-2018-5744. [GL #772] - Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. This flaw is disclosed in CVE-2019-6465. [GL #790] For more details, see the release notes: http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html Change the upstream URL to HTTPS as the webserver uses HSTS: >>> bind 9.11.5-P4 Downloading URL transformed to HTTPS due to an HSTS policy Update the hash of the license file to account for a change of copyright year: -Copyright (C) 1996-2018 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC") Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.11.5Peter Korsgaard2018-11-071-2/+2
| | | | | | | | | | | | | | | | | | | | Fixes the following security issues: - CVE-2018-5738: Some versions of BIND can improperly permit recursive query service to unauthorized clients - CVE-2018-5740: A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named For more details, see the release notes: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html Drop patch 0003-Rename-ptrsize-to-ptr_size.patch as the uClibc-ng issue was fixed upstream in commit 931fd627f6195 (mips: fix clashing symbols), which is included in uclibc-1.0.12 (January 2016). Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.11.4-P2Peter Korsgaard2018-09-301-1/+1
| | | | | | | | | | | | | | | | | | | | | >From the release notes (http://ftp.isc.org/isc/bind9/9.11.4-P2/RELEASE-NOTES-bind-9.11.4-P2.txt): * There was a long-existing flaw in the documentation for ms-self, krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy statements. Though the policies worked as intended, operators who configured their servers according to the misleading documentation may have thought zone updates were more restricted than they were; users of these rule types are advised to review the documentation and correct their configurations if necessary. New rule types matching the previously documented behavior will be introduced in a future maintenance release. [GL !708] * named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: security bump to version 9.11.4-P1Bernd Kuhls2018-08-191-2/+2
| | | | | | | Fixes CVE-2018-5740: https://ftp.isc.org/isc/bind9/9.11.4-P1/CHANGES Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to 9.11.4Baruch Siach2018-07-171-3/+4
| | | | | | | | | | | | | | Fixes CVE-2018-5738: When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query, thus allowing remote queries. Update license file hash; copyright year update. Add reference to tarball signature key. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.11.2-P1Peter Korsgaard2018-01-171-2/+2
| | | | | | | | | | | | | | Fixes the following security issue: CVE-2017-3145: Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named. For more details, see the advisory: https://lists.isc.org/pipermail/bind-announce/2018-January/001072.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: bump to version 9.11.2Peter Korsgaard2017-09-221-2/+2
| | | | | | | | | | | | Adds support for the new ICANN DNSSEC root key for the upcoming KSK rollover (Oct 11): https://www.icann.org/resources/pages/ksk-rollover For more details, see the release notes: https://kb.isc.org/article/AA-01522 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump version to bugfix release 9.11.1-P3Peter Korsgaard2017-07-241-2/+3
| | | | | | | | | | | | BIND 9.11.1-P3 addresses a TSIG regression introduced in the 9.11.1-P2 security bump: https://lists.isc.org/pipermail/bind-announce/2017-July/001057.html Also add a hash for the license file while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.11.1-P2Peter Korsgaard2017-07-021-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: * providing an AXFR of a zone to an unauthorized recipient * accepting bogus NOTIFY packets https://kb.isc.org/article/AA-01504/74/CVE-2017-3142 CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic updates An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. https://kb.isc.org/article/AA-01503/74/CVE-2017-3143 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.11-P1Peter Korsgaard2017-06-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | Fixes the following security issues: CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules. https://kb.isc.org/article/AA-01495/74/CVE-2017-3140 CVE-2017-3141 is a Windows privilege escalation vector affecting 9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The BIND Windows installer failed to properly quote the service paths, possibly allowing a local user to achieve privilege escalation, if allowed by file system permissions. https://kb.isc.org/article/AA-01496/74/CVE-2017-3141 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: bump version to 9.11.1Vicente Olivert Riera2017-04-201-2/+2
| | | | | Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: bump version to 9.11.0-P5 (security)Vicente Olivert Riera2017-04-131-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Security Fixes: - rndc "" could trigger an assertion failure in named. This flaw is disclosed in (CVE-2017-3138). [RT #44924] - Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734] - dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in CVE-2017-3136. [RT #44653] - If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434] - A coding error in the nxdomain-redirect feature could lead to an assertion failure if the redirection namespace was served from a local authoritative data source such as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837] - named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632] - named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548] - named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522] - It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465] Full release notes: ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html Also, remove --enable-rrl configure option from bind.mk as it doesn't exist anymore. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.11.0-P3Peter Korsgaard2017-02-131-2/+2
| | | | | | | | Fixes CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash: https://kb.isc.org/article/AA-01453 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.11.0-P2Peter Korsgaard2017-01-131-2/+2
| | | | | | | | | | | | | | | | | | Bugfixes: - CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion - CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure - CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure - CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.11.0-P1Gustavo Zacarias2016-11-021-2/+2
| | | | | | | | | | Fixes: CVE-2016-8864 - denial-of-service vector which can potentially be exploited against BIND 9 servers. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> [Thomas: fix hash URL in .hash file, noticed by Vicente.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: bump version to 9.11.0Vicente Olivert Riera2016-10-151-2/+2
| | | | | | | | | | | | | | | | | - With the release of BIND 9.11.0, ISC is changing the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0). See release notes: http://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html - Explicitly enable/disable zlib support, otherwise the configure script will fail like this: checking for zlib library... yes checking for library containing deflate... no configure: error: found zlib include but not library. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump version to 9.10.4-P3Vicente Olivert Riera2016-09-281-2/+2
| | | | | Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump version to 9.10.4-P2Vicente Olivert Riera2016-07-191-2/+2
| | | | | | | Security fixes: CVE-2016-2775 Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.10.4Gustavo Zacarias2016-05-041-2/+2
| | | | | | | | | | | Fixes: CVE-2016-2088 - Duplicate EDNS COOKIE options in a response could trigger an assertion failure. Drop libressl support patch since it's upstream now. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.10.3-P4Gustavo Zacarias2016-03-101-2/+2
| | | | | | | | | | | | | Fixes: CVE-2016-1285 - An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c CVE-2016-1286 - A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c CVE-2016-2088 - A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.10.3-P3Gustavo Zacarias2016-01-261-2/+2
| | | | | | | | | | | | | | | | | | Fixes: CVE-2015-8704 - apl_42.c in ISC BIND 9.x before 9.9.8-P3 and 9.9.x and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record. CVE-2015-8705 - buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump to version 9.10.3-P2Gustavo Zacarias2015-12-301-2/+2
| | | | | | | | | | | | | Leave the LTS series for the latest stable version for libressl compatibility. Unfortunately this means threads are now required, but this shouldn't be a problem for a fully-featured resolver. Drop 0001-disable-tests.patch since it's no longer required, genrandom isn't run unless the tests are called upon. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.9.8-P2Gustavo Zacarias2015-12-171-2/+2
| | | | | | | | | | | | | | | | | Fixes: Named is potentially vulnerable to the OpenSSL vulnerabilty described in CVE-2015-3193. CVE-2015-8461 - Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. CVE-2015-8000 - Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: bump to version 9.9.8Gustavo Zacarias2015-10-091-2/+2
| | | | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.9.7-P3Gustavo Zacarias2015-09-041-2/+2
| | | | | | | | | | | | | | | Fixes: CVE-2015-5722 - denial-of-service vector which can be exploited remotely against a BIND server that is performing validation on DNSSEC-signed records. CVE-2015-5986 - denial-of-service vector which can be used against a BIND server that is performing recursion and (under limited conditions) an authoritative-only nameserver. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.9.7-P2Gustavo Zacarias2015-07-291-2/+2
| | | | | | | | Fixes CVE-2015-5477 - An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.9.7-P1Gustavo Zacarias2015-07-081-2/+2
| | | | | | | | | | Fixes: CVE-2015-4620 - On servers configured to perform DNSSEC validation an assertion failure could be triggered on answers from a specially configured server. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump to version 9.9.7Gustavo Zacarias2015-03-031-2/+2
| | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: security bump to version 9.9.6-P2Gustavo Zacarias2015-02-191-2/+2
| | | | | | | | | Fixes CVE-2015-1349 - Revoking a managed trust anchor and supplying an untrusted replacement could cause namedto crash with an assertion failure. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* bind: security bump to version 9.9.6-P1Gustavo Zacarias2014-12-091-2/+2
| | | | | | | | | Fixes CVE-2014-8500 - A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump to version 9.9.6Gustavo Zacarias2014-10-011-0/+2
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OpenPOWER on IntegriCloud