New upstream release includes fixes for the following security issues:
* CVE-2017-3140: With certain RPZ configurations, a response with TTL 0 could
cause named to go into an infinite query loop
* CVE-2017-3142: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
* CVE-2017-3143: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This change fixes multiple denial-of-service vulnerabilities:
* CVE-2016-9131: A malformed response to an ANY query can cause an
assertion failure during recursion
* CVE-2016-9147: An error handling a query response containing
inconsistent DNSSEC information could cause an assertion failure
* CVE-2016-9444: An unusually-formed DS record response could cause
an assertion failure
* CVE-2016-9778: An error handling certain queries using the
nxdomain-redirect feature could cause a REQUIRE assertion failure
in db.c
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
If libjson-c is detected during bind-libs configure phase, bind-libs
will be built with libjson support. This results in a missing dependency
error during install phase. Solve this by disabling libjson support.
Update nginx to version 1.10.3.
Add new configuration options to enable the following optional
modules (disabled by default):
- http_auth_request_module
- http_v2_module
- http_realip_module
- http_secure_link_module
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
In this bump as agreed with Thomas we are dropping out all the nginx 3rd party
addons. In case you would like to see your 3rd party addon included please send
a pull request and make sure it works with newest version.
Signed-off-by: Luka Perkov <luka@openwrt.org>
This fixes the following CVEs:
- in intl: CVE-2016-7416
- in mysqlnd: CVE-2016-7412
- in phar: CVE-2016-7414
- in spl: CVE-2016-7417
- in standard: CVS-2016-7411
- in wddx: CVE-2016-7413, CVE-2016-7418
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
This fixes the following CVEs:
- in GD: CVE-2015-8874, CVE-2016-5766, CVE-2016-5767
- in mbstring: CVE-2016-5768
- in mcrypt: CVE-2016-5769
- in SPL: CVE-2016-5770, CVE-2016-5771
- in WDDX: CVE-2016-5772
- in zip: CVE-2016-5773
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
This fixes the following CVEs:
- in BCMath: CVE-2016-4537, CVE-2016-4538
- in EXIF: CVE-2016-4542, CVE-2016-4543, CVE-2016-4544
- in GD: CVE-2016-3074
- in Intl: CVE-2016-4540, CVE-2016-4541
- in XML: CVE-2016-4539
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
