From fae7df9e66e127bb7fbb84743d6d88ad695b0be9 Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Wed, 9 Mar 2016 12:54:51 -0800 Subject: [PATCH 01/15] bind: Update to 9.9.8-P4 to resolve CVE-2016-1285 and CVE-2016-1286 Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 5764fb2b5..6367b0008 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.9.8-P3 +PKG_VERSION:=9.9.8-P4 PKG_RELEASE:=1 USERID:=bind=57:bind=57 @@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_MD5SUM:=30b9bf88a78eee783d3fef5257445788 +PKG_MD5SUM:=5e401f6cf024f596044d733ceb0d6415 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 From 3497b7239dbe9081a1985073750c747dda9c1694 Mon Sep 17 00:00:00 2001 From: DonkZZ Date: Sun, 20 Mar 2016 14:29:36 +0100 Subject: [PATCH 02/15] net/bind: Little cleaning in named.init The variable "config_file" appears twice. Signed-off-by: DonkZZ donk@evhr.net --- net/bind/files/named.init | 1 - 1 file changed, 1 deletion(-) diff --git a/net/bind/files/named.init b/net/bind/files/named.init index 2ef7797ba..b7876d9e1 100644 --- a/net/bind/files/named.init +++ b/net/bind/files/named.init @@ -13,7 +13,6 @@ pid_file=/var/run/named/named.pid logdir=/var/log/named/ cachedir=/var/cache/bind libdir=/var/lib/bind -config_file=/etc/bind/named.conf fix_perms() { for dir in $libdir $logdir $cachedir; do From 41a87a5ce5fb55e6c7c67cd6379adc3f72d7516f Mon Sep 17 00:00:00 2001 From: DonkZZ Date: Sun, 20 Mar 2016 14:38:15 +0100 Subject: [PATCH 03/15] net/bind: Update db.root The contents of the file "db.root" is very old (12 years). Here's a new version downloaded from ftp://ftp.internic.net/domain/ 
Signed-off-by: DonkZZ --- net/bind/files/bind/db.root | 135 ++++++++++++++++++++++++------------ 1 file changed, 90 insertions(+), 45 deletions(-) diff --git a/net/bind/files/bind/db.root b/net/bind/files/bind/db.root index 0eb52af7a..f0b79d2af 100644 --- a/net/bind/files/bind/db.root +++ b/net/bind/files/bind/db.root 
@@ -1,45 +1,90 @@ - -; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net. -;; global options: printcmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18944 -;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 - -;; QUESTION SECTION: -;. IN NS - -;; ANSWER SECTION: -. 518400 IN NS A.ROOT-SERVERS.NET. -. 518400 IN NS B.ROOT-SERVERS.NET. -. 518400 IN NS C.ROOT-SERVERS.NET. -. 518400 IN NS D.ROOT-SERVERS.NET. -. 518400 IN NS E.ROOT-SERVERS.NET. -. 518400 IN NS F.ROOT-SERVERS.NET. -. 518400 IN NS G.ROOT-SERVERS.NET. -. 518400 IN NS H.ROOT-SERVERS.NET. -. 518400 IN NS I.ROOT-SERVERS.NET. -. 518400 IN NS J.ROOT-SERVERS.NET. -. 518400 IN NS K.ROOT-SERVERS.NET. -. 518400 IN NS L.ROOT-SERVERS.NET. -. 518400 IN NS M.ROOT-SERVERS.NET. - -;; ADDITIONAL SECTION: -A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 -B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201 -C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12 -D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90 -E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 -F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241 -G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 -H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 -I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17 -J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30 -K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129 -L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42 -M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33 - -;; Query time: 81 msec -;; SERVER: 198.41.0.4#53(a.root-servers.net.) -;; WHEN: Sun Feb 1 11:27:14 2004 -;; MSG SIZE rcvd: 436 - +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). 
+; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: February 17, 2016 +; related version of root zone: 2016021701 +; +; formerly NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 
3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file From 61df1559b850e93f3ca134e80191fa7a180d4452 Mon Sep 17 00:00:00 2001 From: Zoltan HERPAI Date: Thu, 9 Nov 2017 20:59:27 +0100 Subject: [PATCH 04/15] net/bind: PKG_RELEASE increased Signed-off-by: DonkZZ --- net/bind/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 6367b0008..2b1753ce9 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind PKG_VERSION:=9.9.8-P4 -PKG_RELEASE:=1 +PKG_RELEASE:=3 USERID:=bind=57:bind=57 PKG_MAINTAINER := Noah Meyerhans From c2b892b145976ef315547062d49d0994153421eb Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Tue, 27 Sep 2016 22:22:05 -0700 Subject: [PATCH 05/15] bind: Update to 9.9.9-p3 for CVE-2016-2776 Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 2b1753ce9..e780530fc 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.9.8-P4 -PKG_RELEASE:=3 +PKG_VERSION:=9.9.9-P3 +PKG_RELEASE:=1 USERID:=bind=57:bind=57 PKG_MAINTAINER := Noah Meyerhans @@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_MD5SUM:=5e401f6cf024f596044d733ceb0d6415 +PKG_MD5SUM:=98d46cebb3fac3c6f282e8467424821b PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 From 374eea23e28a6b6785682df82b012c6bbf138f7b Mon Sep 17 00:00:00 2001 
From: Noah Meyerhans Date: Thu, 29 Sep 2016 20:32:49 -0700 Subject: [PATCH 06/15] bind: Set PKG_USE_MIPS16:=0 --- net/bind/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index e780530fc..13dc86dba 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -1,6 +1,6 @@ # # Copyright (C) 2006-2012 OpenWrt.org -# 2014 Noah Meyerhans +# 2014-2016 Noah Meyerhans # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -26,6 +26,7 @@ PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 PKG_INSTALL:=1 +PKG_USE_MIPS16:=0 include $(INCLUDE_DIR)/package.mk From 6f06eb2e701dd071ebb795367ecbb4cd5f5c0ec2 Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Tue, 1 Nov 2016 22:29:58 -0700 Subject: [PATCH 07/15] bind: update to 9.10.4-p4 Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 4 ++-- net/bind/patches/001-no-tests.patch | 20 ++++++++++---------- net/bind/patches/002-autoconf-ar-fix.patch | 8 +++++--- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 13dc86dba..71886db91 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.9.9-P3 +PKG_VERSION:=9.10.4-P4 PKG_RELEASE:=1 USERID:=bind=57:bind=57 @@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_MD5SUM:=98d46cebb3fac3c6f282e8467424821b +PKG_MD5SUM:=e110904a1d54f83f01d4be8bcd842927 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 diff --git a/net/bind/patches/001-no-tests.patch b/net/bind/patches/001-no-tests.patch index c969c5e96..321924b0c 100644 --- a/net/bind/patches/001-no-tests.patch +++ b/net/bind/patches/001-no-tests.patch 
@@ -1,26 +1,26 @@ -Index: bind-9.9.4/bin/Makefile.in +Index: bind-9.10.4-P3/bin/Makefile.in =================================================================== ---- bind-9.9.4.orig/bin/Makefile.in -+++ bind-9.9.4/bin/Makefile.in +--- bind-9.10.4-P3.orig/bin/Makefile.in ++++ bind-9.10.4-P3/bin/Makefile.in @@ -19,7 +19,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ --SUBDIRS = named rndc dig dnssec tools tests nsupdate \ -+SUBDIRS = named rndc dig dnssec tools nsupdate \ +-SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ ++SUBDIRS = named rndc dig delv dnssec tools nsupdate \ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = -Index: bind-9.9.4/lib/Makefile.in +Index: bind-9.10.4-P3/lib/Makefile.in =================================================================== ---- bind-9.9.4.orig/lib/Makefile.in -+++ bind-9.9.4/lib/Makefile.in +--- bind-9.10.4-P3.orig/lib/Makefile.in ++++ bind-9.10.4-P3/lib/Makefile.in @@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ # Attempt to disable parallel processing. .NOTPARALLEL: .NO_PARALLEL: --SUBDIRS = isc isccc dns isccfg bind9 lwres tests -+SUBDIRS = isc isccc dns isccfg bind9 lwres +-SUBDIRS = isc isccc dns isccfg bind9 lwres irs tests samples ++SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples TARGETS = @BIND9_MAKE_RULES@ diff --git a/net/bind/patches/002-autoconf-ar-fix.patch b/net/bind/patches/002-autoconf-ar-fix.patch index 501fa7d3b..c36026034 100644 --- a/net/bind/patches/002-autoconf-ar-fix.patch +++ b/net/bind/patches/002-autoconf-ar-fix.patch @@ -1,6 +1,8 @@ ---- a/configure.in -+++ b/configure.in -@@ -93,26 +93,11 @@ esac +Index: bind-9.10.4-P3/configure.in +=================================================================== +--- bind-9.10.4-P3.orig/configure.in ++++ bind-9.10.4-P3/configure.in +@@ -167,26 +167,11 @@ esac # AC_CONFIG_FILES([make/rules make/includes]) From cc6555e1d9a1137451d472fbc7c4d92ea598f150 Mon Sep 17 00:00:00 2001 
From: Noah Meyerhans Date: Thu, 17 Nov 2016 06:19:55 -0800 Subject: [PATCH 08/15] bind: set sysconfdir to /etc/bind Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 71886db91..11ccd0415 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind PKG_VERSION:=9.10.4-P4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 USERID:=bind=57:bind=57 PKG_MAINTAINER := Noah Meyerhans @@ -103,6 +103,7 @@ CONFIGURE_ARGS += \ --with-gssapi=no \ --with-ecdsa=no \ --with-readline=no + --sysconfdir=/etc/bind CONFIGURE_VARS += \ BUILD_CC="$(TARGET_CC)" \ From bd048aabb85d0862a038a16da8c8993620a78825 Mon Sep 17 00:00:00 2001 From: Stijn Tintel Date: Tue, 29 Nov 2016 12:26:05 +0100 Subject: [PATCH 09/15] bind: disable libjson support If libjson-c is detected during bind-libs configure phase, bind-libs will be built with libjson support. This results in a missing dependency error during install phase. Solve this by disabling libjson support. --- net/bind/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bind/Makefile b/net/bind/Makefile index 11ccd0415..87887b4c5 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -96,6 +96,7 @@ CONFIGURE_ARGS += \ --disable-threads \ --disable-linux-caps \ --with-openssl="$(STAGING_DIR)/usr" \ + --with-libjson=no \ --with-libtool \ --with-libxml2=no \ --enable-epoll=yes \ From 556c80b16f834987ea2833a5a4cc6243d375eb84 Mon Sep 17 00:00:00 2001 
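Review bot: In the CONFIGURE_ARGS hunk of PATCH 08/15, the added `--sysconfdir=/etc/bind` follows `--with-readline=no`, an unchanged context line shown without a trailing backslash, so the new option sits outside the `CONFIGURE_ARGS +=` continuation and configure would never receive it. Whitespace on this page is collapsed, so confirm against the file. If the reading holds, named and its tools keep the compiled-in default sysconfdir, while named.init in PATCH 02/15 uses `/etc/bind/named.conf`, so configuration and key files could be looked up in a directory the package does not manage. The fix is to change the preceding line to `--with-readline=no \` and leave `--sysconfdir=/etc/bind` as the final entry. The CONFIGURE_ARGS block starts above the hunk.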
From: Noah Meyerhans Date: Wed, 11 Jan 2017 22:01:53 -0800 Subject: [PATCH 10/15] bind: update to bind-9.10.4-P5 This change fixes multiple denial-of-service vulnerabilities: * CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion * CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure * CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure * CVE-2016-9778: An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 87887b4c5..4a1c544ee 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.10.4-P4 -PKG_RELEASE:=2 +PKG_VERSION:=9.10.4-P5 +PKG_RELEASE:=1 USERID:=bind=57:bind=57 PKG_MAINTAINER := Noah Meyerhans @@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_MD5SUM:=e110904a1d54f83f01d4be8bcd842927 +PKG_MD5SUM:=c53a3e34e7aabb16820b036ae9afd3c9 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 From f648f3766fe34eb9339e5b36bc2e1060dadf024c Mon Sep 17 00:00:00 2001 
From: Noah Meyerhans Date: Wed, 10 May 2017 22:06:46 -0700 Subject: [PATCH 11/15] bind: Update to bind-9.10.5 This change includes fixes for several security issues: * CVE-2017-3138: rndc "" could trigger an assertion failure in named. * CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. * CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion failure. * CVE-2017-3135: If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. * CVE-2016-9444: named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. * CVE-2016-9131: named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. * CVE-2016-9131: named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. * CVE-2016-8864: It was possible to trigger assertions when processing responses containing answers of type DNAME. * CVE-2016-6170: Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties. * CVE-2016-2776: It was possible to trigger an assertion when rendering a message using a specially crafted request. * CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could trigger an infinite recursion bug in lwresd or named with lwres configured if, when combined with a search list entry from resolv.conf, the resulting name is too long. Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 4a1c544ee..a0ce812e3 100644 --- a/net/bind/Makefile 
+++ b/net/bind/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.10.4-P5 +PKG_VERSION:=9.10.5 PKG_RELEASE:=1 USERID:=bind=57:bind=57 @@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_MD5SUM:=c53a3e34e7aabb16820b036ae9afd3c9 +PKG_MD5SUM:=8359e000eaec76efd6dfa186c12c3b93 PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 From e2cd2f2b3c2eb276aafdbac53be346eef4a55ccd Mon Sep 17 00:00:00 2001 From: Sami Olmari Date: Tue, 6 Jun 2017 01:47:05 +0300 Subject: [PATCH 12/15] bind: Include dnssec-settime in bind-dnssec/tool Maintainer: @nmeyerhans Compile tested: x86_64, OpenWRT 50107 Run tested: x86 / 64, OpenWRT 50107 Description: Added dnssec-settime into bind-dnssec and bind-tools Signed-off-by: Sami Olmari --- net/bind/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index a0ce812e3..0a8c6de77 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -74,7 +74,7 @@ endef define Package/bind-dnssec $(call Package/bind/Default) - TITLE+= administration tools (dnssec-keygen and dnssec-signzone only) + TITLE+= administration tools (dnssec-keygen, dnssec-settime and dnssec-signzone only) endef define Package/bind-host @@ -161,6 +161,7 @@ define Package/bind-tools/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/host $(1)/usr/bin/ $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-keygen $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-settime $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-signzone $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named-checkconf $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named-checkzone $(1)/usr/sbin/ 
@@ -183,6 +184,7 @@ endef define Package/bind-dnssec/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-keygen $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-settime $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-signzone $(1)/usr/sbin/ endef From ed10cd0c390983c99b7ac2c0d13d73ef223783ba Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Sun, 16 Jul 2017 08:53:59 -0700 Subject: [PATCH 13/15] bind: Update to 9.10.5-P3 New upstream release includes fixes for the following security issues: * CVE-2017-3140: With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop * CVE-2017-3142: An error in TSIG handling could permit unauthorized zone transfers or zone updates. * CVE-2017-3143: An error in TSIG handling could permit unauthorized zone transfers or zone updates. Signed-off-by: Noah Meyerhans --- net/bind/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 0a8c6de77..50e253b5a 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.10.5 +PKG_VERSION:=9.10.5-P3 PKG_RELEASE:=1 USERID:=bind=57:bind=57 @@ -18,9 +18,9 @@ PKG_LICENSE := BSD-3-Clause PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ - ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \ - http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_MD5SUM:=8359e000eaec76efd6dfa186c12c3b93 + http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \ + http://ftp.isc.org/isc/bind9/$(PKG_VERSION) +PKG_HASH:=8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 From bc8a2ff329fdc2095e0f4310e58de262db511645 Mon Sep 17 00:00:00 2001 
From: Philip Prindeville Date: Mon, 7 Aug 2017 12:01:56 -0600 Subject: [PATCH 14/15] bind: version update to 9.11.2 Also refresh patches and dependencies. Signed-off-by: Philip Prindeville --- net/bind/Makefile | 6 +++--- net/bind/patches/001-no-tests.patch | 6 +++--- net/bind/patches/002-autoconf-ar-fix.patch | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 50e253b5a..6186b9940 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=bind -PKG_VERSION:=9.10.5-P3 +PKG_VERSION:=9.11.2 PKG_RELEASE:=1 USERID:=bind=57:bind=57 @@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_HASH:=8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a +PKG_HASH:=7f46ad8620f7c3b0ac375d7a5211b15677708fda84ce25d7aeb7222fe2e3c77a PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4 @@ -42,7 +42,7 @@ endef define Package/bind-libs SECTION:=libs CATEGORY:=Libraries - DEPENDS:=+libopenssl + DEPENDS:=+libopenssl +zlib TITLE:=bind shared libraries URL:=https://www.isc.org/software/bind endef diff --git a/net/bind/patches/001-no-tests.patch b/net/bind/patches/001-no-tests.patch index 321924b0c..2d0c152f7 100644 --- a/net/bind/patches/001-no-tests.patch +++ b/net/bind/patches/001-no-tests.patch 
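Review bot: `DEPENDS:=+libopenssl +zlib` in the Package/bind-libs hunk adds a runtime dependency, but none of this commit's three Makefile hunks touches CONFIGURE_ARGS. zlib therefore appears to be pulled in by configure autodetection, the same mechanism PATCH 09/15 had to switch off for libjson. Making the choice explicit keeps the linked-library set deliberate and the build reproducible. Either add `--with-zlib=no \` to CONFIGURE_ARGS if HTTP compression (as far as I can tell the only use of zlib in this release) is not wanted on the target, or keep the dependency and pass `--with-zlib` explicitly. The Package/bind-libs define continues outside the hunk.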
@@ -2,20 +2,20 @@ Index: bind-9.10.4-P3/bin/Makefile.in =================================================================== --- bind-9.10.4-P3.orig/bin/Makefile.in +++ bind-9.10.4-P3/bin/Makefile.in -@@ -19,7 +19,7 @@ srcdir = @srcdir@ +@@ -10,7 +10,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ +SUBDIRS = named rndc dig delv dnssec tools nsupdate \ - check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ + check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = Index: bind-9.10.4-P3/lib/Makefile.in =================================================================== --- bind-9.10.4-P3.orig/lib/Makefile.in +++ bind-9.10.4-P3/lib/Makefile.in -@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ +@@ -14,7 +14,7 @@ top_srcdir = @top_srcdir@ # Attempt to disable parallel processing. .NOTPARALLEL: .NO_PARALLEL: diff --git a/net/bind/patches/002-autoconf-ar-fix.patch b/net/bind/patches/002-autoconf-ar-fix.patch index c36026034..878554fae 100644 --- a/net/bind/patches/002-autoconf-ar-fix.patch +++ b/net/bind/patches/002-autoconf-ar-fix.patch @@ -2,7 +2,7 @@ Index: bind-9.10.4-P3/configure.in =================================================================== --- bind-9.10.4-P3.orig/configure.in +++ bind-9.10.4-P3/configure.in -@@ -167,26 +167,11 @@ esac +@@ -157,26 +157,11 @@ esac # AC_CONFIG_FILES([make/rules make/includes]) From 2f28404a936e9fa1ccbd07e8c50b77635c51cf7b Mon Sep 17 00:00:00 2001 From: Zoltan HERPAI Date: Wed, 6 Dec 2017 21:23:07 +0100 Subject: [PATCH 15/15] bind: bring back PKG_MD5SUM for CC Signed-off-by: Zoltan HERPAI --- net/bind/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bind/Makefile b/net/bind/Makefile index 6186b9940..8f4ed4bd5 100644 --- a/net/bind/Makefile +++ b/net/bind/Makefile 
@@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \ http://ftp.isc.org/isc/bind9/$(PKG_VERSION) -PKG_HASH:=7f46ad8620f7c3b0ac375d7a5211b15677708fda84ce25d7aeb7222fe2e3c77a +PKG_MD5SUM:=efca7e5a63a07efba264da9be2fbb57f PKG_FIXUP:=autoreconf PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
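Review bot: Replacing `PKG_HASH` (SHA-256) with `PKG_MD5SUM` leaves MD5 as the only integrity check on a tarball that both `PKG_SOURCE_URL` entries in this hunk fetch over plain http. MD5 is not collision-resistant, so this is a weaker pin than the line it removes. If the target branch cannot parse PKG_HASH (the subject hints at that, but the commit does not say so), record the reason next to the value, for example `# MD5 only because this branch predates PKG_HASH; tarball checked against the upstream signature`. Also confirm that `efca7e5a63a07efba264da9be2fbb57f` is the MD5 of the same 9.11.2 tarball the removed SHA-256 pinned. An https source URL would add transport protection if the mirrors offer one.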