From 9967746a35d9217d074a79e67b4f05779ba01e43 Mon Sep 17 00:00:00 2001 From: Derek Straka Date: Sun, 24 Jan 2016 08:13:04 -0500 Subject: bind: update to 9.10.3-P3 Addresses CVE-2015-8704 and CVE-2015-8705 CVE-2015-8704 Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record CVE-2015-8705: When debug loggin is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option [YOCTO 8966] References: https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705 (From OE-Core rev: 58d47cdf91076cf055046ce9ec5f3e2e21dae1c0) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- meta/recipes-connectivity/bind/bind_9.10.3-P2.bb | 106 ----------------------- meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 106 +++++++++++++++++++++++ 2 files changed, 106 insertions(+), 106 deletions(-) delete mode 100644 meta/recipes-connectivity/bind/bind_9.10.3-P2.bb create mode 100644 meta/recipes-connectivity/bind/bind_9.10.3-P3.bb (limited to 'meta/recipes-connectivity/bind') diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P2.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P2.bb deleted file mode 100644 index 875a0c8f80..0000000000 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P2.bb +++ /dev/null @@ -1,106 +0,0 @@ -SUMMARY = "ISC Internet Domain Name Server" -HOMEPAGE = "http://www.isc.org/sw/bind/" -SECTION = "console/network" - -LICENSE = "ISC & BSD" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f" - -DEPENDS = "openssl libcap" - -SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ - file://conf.patch \ - file://make-etc-initd-bind-stop-work.patch \ - file://mips1-not-support-opcode.diff \ - file://dont-test-on-host.patch \ - file://generate-rndc-key.sh \ - file://named.service \ - file://bind9 \ - file://init.d-add-support-for-read-only-rootfs.patch \ - file://bind-confgen-build-unix.o-once.patch \ - file://0001-build-use-pkg-config-to-find-libxml2.patch \ - file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ - file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \ - file://0001-lib-dns-gen.c-fix-too-long-error.patch \ - " - -SRC_URI[md5sum] = "672dd3c2796b12ac8440f55bcaecfa82" -SRC_URI[sha256sum] = "4a6c1911ac0d4b6be635b63de3429b6c168ea244043f12bbc8a4eb3368fd6ecd" - -ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" -EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \ - --disable-devpoll --disable-epoll --with-gost=no \ - --with-gssapi=no --with-ecdsa=yes \ - --sysconfdir=${sysconfdir}/bind \ - --with-openssl=${STAGING_LIBDIR}/.. \ - " -inherit autotools update-rc.d systemd useradd pkgconfig - -# PACKAGECONFIGs readline and libedit should NOT be set at same time -PACKAGECONFIG ?= "readline" -PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2" -PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline" -PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit" - -USERADD_PACKAGES = "${PN}" -USERADD_PARAM_${PN} = "--system --home /var/cache/bind --no-create-home \ - --user-group bind" - -INITSCRIPT_NAME = "bind" -INITSCRIPT_PARAMS = "defaults" - -SYSTEMD_SERVICE_${PN} = "named.service" - -PARALLEL_MAKE = "" - -RDEPENDS_${PN} = "python-core" -RDEPENDS_${PN}-dev = "" - -PACKAGE_BEFORE_PN += "${PN}-utils" -FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" -FILES_${PN}-dev += "${bindir}/isc-config.h" -FILES_${PN} += "${sbindir}/generate-rndc-key.sh" - -do_install_prepend() { - # clean host path in isc-config.sh before the hardlink created - # by "make install": - # bind9-config -> isc-config.sh - sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${B}/isc-config.sh -} - -do_install_append() { - rm "${D}${bindir}/nslookup" - rm "${D}${mandir}/man1/nslookup.1" - rmdir "${D}${localstatedir}/run" - rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" - install -d "${D}${localstatedir}/cache/bind" - install -d "${D}${sysconfdir}/bind" - install -d "${D}${sysconfdir}/init.d" - install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/" - install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind" - sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds - - # Install systemd related files - install -d ${D}${localstatedir}/cache/bind - install -d ${D}${sbindir} - install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir} - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - ${D}${systemd_unitdir}/system/named.service - - install -d ${D}${sysconfdir}/default - install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default -} - -CONFFILES_${PN} = " \ - ${sysconfdir}/bind/named.conf \ - ${sysconfdir}/bind/named.conf.local \ - ${sysconfdir}/bind/named.conf.options \ - ${sysconfdir}/bind/db.0 \ - ${sysconfdir}/bind/db.127 \ - ${sysconfdir}/bind/db.empty \ - ${sysconfdir}/bind/db.local \ - ${sysconfdir}/bind/db.root \ - " - diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb new file mode 100644 index 0000000000..da414c00da --- /dev/null +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb @@ -0,0 +1,106 @@ +SUMMARY = "ISC Internet Domain Name Server" +HOMEPAGE = "http://www.isc.org/sw/bind/" +SECTION = "console/network" + +LICENSE = "ISC & BSD" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f" + +DEPENDS = "openssl libcap" + +SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ + file://conf.patch \ + file://make-etc-initd-bind-stop-work.patch \ + file://mips1-not-support-opcode.diff \ + file://dont-test-on-host.patch \ + file://generate-rndc-key.sh \ + file://named.service \ + file://bind9 \ + file://init.d-add-support-for-read-only-rootfs.patch \ + file://bind-confgen-build-unix.o-once.patch \ + file://0001-build-use-pkg-config-to-find-libxml2.patch \ + file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ + file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \ + file://0001-lib-dns-gen.c-fix-too-long-error.patch \ + " + +SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" +SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83" + +ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" +EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \ + --disable-devpoll --disable-epoll --with-gost=no \ + --with-gssapi=no --with-ecdsa=yes \ + --sysconfdir=${sysconfdir}/bind \ + --with-openssl=${STAGING_LIBDIR}/.. \ + " +inherit autotools update-rc.d systemd useradd pkgconfig + +# PACKAGECONFIGs readline and libedit should NOT be set at same time +PACKAGECONFIG ?= "readline" +PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2" +PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline" +PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit" + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "--system --home /var/cache/bind --no-create-home \ + --user-group bind" + +INITSCRIPT_NAME = "bind" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_SERVICE_${PN} = "named.service" + +PARALLEL_MAKE = "" + +RDEPENDS_${PN} = "python-core" +RDEPENDS_${PN}-dev = "" + +PACKAGE_BEFORE_PN += "${PN}-utils" +FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" +FILES_${PN}-dev += "${bindir}/isc-config.h" +FILES_${PN} += "${sbindir}/generate-rndc-key.sh" + +do_install_prepend() { + # clean host path in isc-config.sh before the hardlink created + # by "make install": + # bind9-config -> isc-config.sh + sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${B}/isc-config.sh +} + +do_install_append() { + rm "${D}${bindir}/nslookup" + rm "${D}${mandir}/man1/nslookup.1" + rmdir "${D}${localstatedir}/run" + rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" + install -d "${D}${localstatedir}/cache/bind" + install -d "${D}${sysconfdir}/bind" + install -d "${D}${sysconfdir}/init.d" + install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/" + install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind" + sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds + + # Install systemd related files + install -d ${D}${localstatedir}/cache/bind + install -d ${D}${sbindir} + install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir} + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + ${D}${systemd_unitdir}/system/named.service + + install -d ${D}${sysconfdir}/default + install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default +} + +CONFFILES_${PN} = " \ + ${sysconfdir}/bind/named.conf \ + ${sysconfdir}/bind/named.conf.local \ + ${sysconfdir}/bind/named.conf.options \ + ${sysconfdir}/bind/db.0 \ + ${sysconfdir}/bind/db.127 \ + ${sysconfdir}/bind/db.empty \ + ${sysconfdir}/bind/db.local \ + ${sysconfdir}/bind/db.root \ + " + -- cgit v1.2.3-54-g00ecf