Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

bind: Update to version 9.11.3 and optionally support eddsa for dnssec

Browse source 
EdDSA support is optional and currently defaults to being disabled.

The following security issues are addressed with this update:

  * An error in TSIG handling could permit unauthorized zone transfers
    or zone updates. These flaws are disclosed in CVE-2017-3142 and
    CVE-2017-3143.
  * The BIND installer on Windows used an unquoted service path, which
    can enable privilege escalation. This flaw is disclosed in
    CVE-2017-3141.
  * With certain RPZ configurations, a response with TTL 0 could cause
    named to go into an infinite query loop. This flaw is disclosed in
    CVE-2017-3140.
  * Addresses could be referenced after being freed during resolver
    processing, causing an assertion failure. The chances of this
    happening were remote, but the introduction of a delay in
    resolution increased them. This bug is disclosed in CVE-2017-3145.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This commit is contained in:
Noah Meyerhans 2018-06-13 17:25:38 -07:00
parent 996773d366
commit 037f1def7d
2 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
net/bind/Config.in
View file

@ -34,4 +34,14 @@ config BIND_LIBXML2
format. Building with libjson support will require the format. Building with libjson support will require the
libxml2 package to be installed as well. libxml2 package to be installed as well.
config BIND_ENABLE_EDDSA
bool
default n
prompt "Include Edwards Curve DNSSEC signature support"
help
Enable BIND support for Edwards Curve DNSSEC signing algorithms
described in RFC 8080.
Note that this requires OpenSSL 1.1, which is not currently
the available in OpenWRT, so it is disabled by default.
endif endif

5
net/bind/Makefile
View file

@ -9,7 +9,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=bind PKG_NAME:=bind
PKG_VERSION:=9.11.2-P1 PKG_VERSION:=9.11.3
PKG_RELEASE:=1 PKG_RELEASE:=1
USERID:=bind=57:bind=57 USERID:=bind=57:bind=57
@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \
http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
http://ftp.isc.org/isc/bind9/$(PKG_VERSION) http://ftp.isc.org/isc/bind9/$(PKG_VERSION)
PKG_HASH:=cec31548832fca3f85d95178d4019b7d702039e8595d4c93914feba337df1212 PKG_HASH:=0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
PKG_FIXUP:=autoreconf PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
@ -125,6 +125,7 @@ CONFIGURE_ARGS += \
--with-gost=no \ --with-gost=no \
--with-gssapi=no \ --with-gssapi=no \
--with-ecdsa=$(if $(CONFIG_OPENSSL_WITH_EC),yes,no) \ --with-ecdsa=$(if $(CONFIG_OPENSSL_WITH_EC),yes,no) \
--with-eddsa=$(if $(CONFIG_BIND_ENABLE_EDDSA),yes,no) \
--with-readline=no \ --with-readline=no \
--sysconfdir=/etc/bind --sysconfdir=/etc/bind