bind: Update to version 9.11.3 and optionally support eddsa for dnssec
EdDSA support is optional and currently defaults to being disabled.
The following security issues are addressed with this update:
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143.
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141.
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140.
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. This bug is disclosed in CVE-2017-3145.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This commit is contained in:
Noah Meyerhans
parent
996773d366
commit
037f1def7d
2 changed files with 13 additions and 2 deletions
|
|
@ -34,4 +34,14 @@ config BIND_LIBXML2
|
|||
format. Building with libjson support will require the
|
||||
libxml2 package to be installed as well.
|
||||
|
||||
config BIND_ENABLE_EDDSA
|
||||
bool
|
||||
default n
|
||||
prompt "Include Edwards Curve DNSSEC signature support"
|
||||
help
|
||||
Enable BIND support for Edwards Curve DNSSEC signing algorithms
|
||||
described in RFC 8080.
|
||||
|
||||
Note that this requires OpenSSL 1.1, which is not currently
|
||||
the available in OpenWRT, so it is disabled by default.
|
||||
endif
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=bind
|
||||
PKG_VERSION:=9.11.2-P1
|
||||
PKG_VERSION:=9.11.3
|
||||
PKG_RELEASE:=1
|
||||
USERID:=bind=57:bind=57
|
||||
|
||||
|
|
@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
|||
PKG_SOURCE_URL:= \
|
||||
http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
|
||||
http://ftp.isc.org/isc/bind9/$(PKG_VERSION)
|
||||
PKG_HASH:=cec31548832fca3f85d95178d4019b7d702039e8595d4c93914feba337df1212
|
||||
PKG_HASH:=0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
|
||||
|
||||
PKG_FIXUP:=autoreconf
|
||||
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
|
||||
|
|
@ -125,6 +125,7 @@ CONFIGURE_ARGS += \
|
|||
--with-gost=no \
|
||||
--with-gssapi=no \
|
||||
--with-ecdsa=$(if $(CONFIG_OPENSSL_WITH_EC),yes,no) \
|
||||
--with-eddsa=$(if $(CONFIG_BIND_ENABLE_EDDSA),yes,no) \
|
||||
--with-readline=no \
|
||||
--sysconfdir=/etc/bind
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue