Notes for BIND 9.11.35
Security Fixes
named failed to check the opcode of responses when performing zone refreshes,
stub zone updates, and UPDATE forwarding. This could lead to an assertion
failure under certain conditions and has been addressed by rejecting responses
whose opcode does not match the expected value. [GL #2762]
(From OE-Core rev: ede9176c53d2de5559a15f48f2a0a3a31a331d1b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
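The check described in the 9.11.35 note above, as an added example in C; it is not BIND's code and not part of the commit. The function, enum and array names are hypothetical, and the sample headers are constructed. It rejects a response whose opcode differs from the one sent by returning an error rather than asserting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode values from RFC 1035 (QUERY) and RFC 2136 (UPDATE). */
enum { OP_QUERY = 0, OP_UPDATE = 5 };

typedef enum {
    RESP_OK = 0,
    RESP_TRUNCATED,       /* shorter than the 12-byte DNS header */
    RESP_NOT_RESPONSE,    /* QR bit is clear */
    RESP_ID_MISMATCH,
    RESP_OPCODE_MISMATCH
} resp_check;

/* Validate a response header against the request that was sent.
 * Mismatches are returned as errors, never asserted on. */
resp_check check_response(const uint8_t *msg, size_t len,
                          uint16_t sent_id, unsigned sent_opcode)
{
    if (msg == NULL || len < 12)
        return RESP_TRUNCATED;
    uint16_t id = (uint16_t)((msg[0] << 8) | msg[1]);
    unsigned qr = (msg[2] >> 7) & 0x1u;
    unsigned opcode = (msg[2] >> 3) & 0xFu;   /* bits 3..6 of flags byte */
    if (!qr)
        return RESP_NOT_RESPONSE;
    if (id != sent_id)
        return RESP_ID_MISMATCH;
    if (opcode != sent_opcode)
        return RESP_OPCODE_MISMATCH;
    return RESP_OK;
}

/* Constructed sample headers (ID 0x1a2b), not captured traffic. */
static const uint8_t soa_reply[12]    = {0x1a, 0x2b, 0x84, 0x00, 0, 1, 0, 1};
static const uint8_t update_reply[12] = {0x1a, 0x2b, 0xa8, 0x00};

int main(void)
{
    /* Zone refresh sent a QUERY: the UPDATE-opcode reply must be rejected. */
    printf("refresh/soa_reply:    %d\n",
           check_response(soa_reply, sizeof soa_reply, 0x1a2b, OP_QUERY));
    printf("refresh/update_reply: %d\n",
           check_response(update_reply, sizeof update_reply, 0x1a2b, OP_QUERY));
    /* UPDATE forwarding sent an UPDATE: the same reply is acceptable. */
    printf("forward/update_reply: %d\n",
           check_response(update_reply, sizeof update_reply, 0x1a2b, OP_UPDATE));
    return 0;
}
```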
Notes for BIND 9.11.34
This maintenance release of BIND 9.11 contains no significant changes,
although some minor updates have been made (for example, to fix build
issues on Solaris 11).
(From OE-Core rev: ec9d6b2dc3e64715286bd93c789887b3ea0d4e3c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Notes for BIND 9.11.33
This maintenance release of BIND 9.11 contains no significant changes,
although some minor updates have been made (for example, to eliminate
compiler warnings emitted by GCC 11).
(From OE-Core rev: ee9986b305250b5940e38c1aeac69ec0c958d923)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
updates include fixes for
CVE-2021-25214
CVE-2021-25215
CVE-2021-25216
CVE-2020-8625 fixed in 9.11.28, so drop that patch
(From OE-Core rev: d7e56f1910b7963d8b704107903ecf40e9472d3c)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
tmp
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing descriptions or homepage
[YOCTO #13471]
(From OE-Core rev: a2658937bcb987b061cd9866d726d9d66623e93c)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ecf8922e6bb12a2facc59bbe794b575101fce1dc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop backports.
Drop 0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch and
0001-lib-dns-gen.c-fix-too-long-error.patch as problem is fixed
upstream.
(From OE-Core rev: 6965ec5c491e71d5951dfb58fc060bd0b717e33d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind.
CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the
other 6 patches are for CVE-2018-5743. And backport one more patch to
fix compile error on arm caused by these 6 commits.
(From OE-Core rev: 3c39d4158677b97253df63f23b74c3a9dd5539f6)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Nothing in the target installation actually needs it.
(From OE-Core rev: 0357b2d2cdcbcef89a346126969ec3e1856bda95)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If the PACKAGECONFIG item, python3, is enabled, we get the following
QA issue when multilib is enabled.
ERROR: bind-9.11.5-P4-r0 do_package: QA Issue: bind: Files/directories were installed but not shipped in any package:
/usr/lib
/usr/lib/python3.7
/usr/lib/python3.7/site-packages
/usr/lib/python3.7/site-packages/isc-2.0-py3.7.egg-info
/usr/lib/python3.7/site-packages/isc
/usr/lib/python3.7/site-packages/isc/policy.py
[snip]
The thing is, when --with-python is specified with a path instead of 'yes',
the --with-python-install-dir is in fact ignored.
Fix this issue by specifying the correct arguments.
(From OE-Core rev: 2c36b3e5c7caae07ffe0cfb816d37fad52d69fc9)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nslookup was undeprecated 15 years ago,
and installing bind-utils should replace the busybox version.
(From OE-Core rev: 6d594e2a466a75f88fe8ab454e58ae20e3bdee05)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a client tool that is usually not used on the same
machine as the DNS server.
(From OE-Core rev: 3f114fb51ca315db0f7cb73b450a508a0477ab88)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Commit "c37207d0aca5 bind: update to ESV version 9.11.3" dropped
0001-build-use-pkg-config-to-find-libxml2.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.
Cc: Armin Kuster <akuster808@gmail.com>
(From OE-Core rev: 6d624b57397fce4ac98b98e8f47cd95336e44122)
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The generated key file should try to have bind group so that if
the named daemon is started via '-u bind' option, which is the
default in OE core, we will not get startup failure because of
'permission denied' error.
(From OE-Core rev: fc4c4f40dbcf558a48058d944eef21e588d64aa0)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It adds ${libdir} to linker options in scripts bind9-config and
isc-config.sh. And then causes install file conflicts when install bind
and lib32-bind both.
Inherit multilib_script.bbclass to fix this issue.
(From OE-Core rev: d3baeaf09d5d3e7548e5b2ea1b565880ea6ce994)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
with bind 9.11.2+ when the build host has lmdb installed, bind configure looks into
host headers and wrongly interprets that it should be enabling lmdb
disable lmdb to fix
| configure: error: found lmdb include but not library.
(From OE-Core rev: 8c00b32211f25e38c1601ec8de47e6d4729dd49e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
LIC_FILES_CHKSUM changed due to updated year
removed:
dont-test-on-host.patch, no longer implemented
drop use-python3-and-fix-install-lib-path.patch, they added the ability to pass in lib dir locations
drop bind-confgen-build-unix.o-once.patch, fix included in update
Refresh other patches:
add python3 flag for PACKAGECONFIG to pull in python
add new config option --with-eddsa=no (needs openssl support not released)
Python support is disabled by default now.
Acked-by: Martin Hundebøll <mnhu@prevas.dk>
(From OE-Core rev: c37207d0aca5ad1ec2b45813274931be458ee7ed)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In multiarch /usr/include and /usr/lib/<tuple>/ are not on the same level anymore. This change will pass a correct includedir, but a wrong libdir, but the linker picks it up anyway.
Tested on multiarch and regular build.
(From OE-Core rev: 9a02cd981eee8b1cd488373659a8a610962309e3)
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ftp protocol is dated and problematic. Since https is available, let's
use that instead, making new users' chances of successful builds higher.
(From OE-Core rev: f24a29fcba98ceff08c13b0f029be93995f1deed)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Security Fixes
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143. [RT #45383]
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141. [RT #45229]
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
For more info see https://lists.isc.org/pipermail/bind-announce/2017-July/001063.html
(From OE-Core rev: 96e9adb60320b2e2f0bb7a04d9ed49ddc53649bb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The scripts currently reference "python33", fix this so they reference
python3. The move to python3 likely broke these.
(From OE-Core rev: 1a734f037da37d14f780970a9532d1e2e3683bf8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade bind from 9.10.3-P3 to 9.10.5-P3
* Update md5sum of LIC_FILES_CHKSUM since the year was updated in file COPYRIGHT
* Remove mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that are backported from upstream
* Use python3 for build and make sure install .py files to right directory
(From OE-Core rev: 9ee6a0a6599d081767b63382a576e67aed12cf4d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Build without threads for bind is inherited from legacy openembedded.
All libc's support proper threading on Linux now, so enable threads
support for bind.
It is also necessary to disable the static library build, which causes package
dhcp to fail to build after enabling bind threads support.
Options devpoll and epoll are configured to choose most preferable
multiplex method for unix socket. The priorities are: epoll > poll >
select. When set '--enable-epoll', it just defines a var and include
header file that is available for cross compile. So use epoll for bind.
Add PACKAGECONFIG 'urandom' that could use /dev/urandom as random device.
Update file/directory ownerships to fix daemon start failure.
(From OE-Core rev: 598e5da5a2af2bd93ad890687dd32009e348fc85)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enforce the correct tag names across all of oe-core for consistency.
(From OE-Core rev: 606a43dc38a00cc243f933722db657aea4129f8e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Duplicate EDNS COOKIE options in a response could trigger an
assertion failure: Fix with a backport.
bind as built with the oe-core recipe is not at risk: Only servers
which are built with DNS cookie support (--enable-sit) are vulnerable
to denial of service.
Fixes [YOCTO #9438]
(From OE-Core rev: da38a9840b32e80464e2938395db5c9167729f7e)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade bind from 9.10.2-P4 to 9.10.3-P2.
* update context of 0001-build-use-pkg-config-to-find-libxml2.patch
* add PACKAGECONFIGs readline and libedit. They provide same library, so
should not be set at same time.
(From OE-Core rev: b49751e7febd262b754043e4e523e6690bfbbfaa)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gen.c uses 512 as the path length, which is a little short when building in
a deep dir and causes a "too long" error; use PATH_MAX if defined.
(From OE-Core rev: 10e017fd3de3ff1ab0c1b32ac7a9610a04f8ff13)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
(From OE-Core rev: bd220fe6ce8c3a0805f13a14706d3130ea872604)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>