3 files changed, 2 insertions, 240 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
deleted file mode 100644
index 8f00231919..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
-CVE: CVE-2020-8616
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
-diff --git a/lib/dns/adb.c b/lib/dns/adb.c
-index 058495f6a5..6b8a9537f0 100644
--- a/lib/dns/adb.c
-+++ b/lib/dns/adb.c
-@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
-  */
- #define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
- #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
-                                != 0)
-#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
-                                != 0)
-#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-+#define FIND_AVOIDFETCHES(fn)  (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
-+#define FIND_STARTATZONE(fn)   (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
-+#define FIND_HINTOK(fn)                (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-+#define FIND_GLUEOK(fn)                (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-+#define FIND_HAS_ADDRS(fn)     (!ISC_LIST_EMPTY((fn)->list))
-+#define FIND_RETURNLAME(fn)    (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-+#define FIND_NOFETCH(fn)       (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
- 
- /*
-  * These are currently used on simple unsigned ints, so they are
-@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
-                 * Listen to negative cache hints, and don't start
-                 * another query.
-                 */
-               if (NCACHE_RESULT(result) || AUTH_NX(result))
-+               if (NCACHE_RESULT(result) || AUTH_NX(result)) {
-                        goto fetch;
-+               }
- 
-               if (!NAME_FETCH_V6(adbname))
-+               if (!NAME_FETCH_V6(adbname)) {
-                        wanted_fetches |= DNS_ADBFIND_INET6;
-+               }
-        }
- 
-  fetch:
-        if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
-            (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
-+       {
-                have_address = true;
-       else
-+       } else {
-                have_address = false;
-       if (wanted_fetches != 0 &&
-           ! (FIND_AVOIDFETCHES(find) && have_address)) {
-+       }
-+       if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
-+           !FIND_NOFETCH(find))
-+       {
-                /*
-                 * We're missing at least one address family.  Either the
-                 * caller hasn't instructed us to avoid fetches, or we don't
-@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
-                 * be acceptable so we have to launch fetches.
-                 */
- 
-               if (FIND_STARTATZONE(find))
-+               if (FIND_STARTATZONE(find)) {
-                        start_at_zone = true;
-+               }
- 
-                /*
-                 * Start V4.
-diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
-index 63a13c4e41..edf6e54935 100644
--- a/lib/dns/include/dns/adb.h
-+++ b/lib/dns/include/dns/adb.h
-@@ -207,6 +207,10 @@ struct dns_adbfind {
-  *      lame for this query.
-  */
- #define DNS_ADBFIND_OVERQUOTA          0x00000400
-+/*%
-+ *     Don't perform a fetch even if there are no address records available.
-+ */
-+#define DNS_ADBFIND_NOFETCH            0x00000800
- 
- /*%
-  * The answers to queries come back as a list of these.
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 7c44478a26..0a40859d08 100644
--- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -172,6 +172,14 @@
- #define DEFAULT_MAX_QUERIES 75
- #endif
- 
-+/*
-+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
-+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
-+ * stop trying to fetch, in order to avoid wasting resources.
-+ */
-+#define NS_FAIL_LIMIT 4
-+#define NS_RR_LIMIT   5
-+
- /* Number of hash buckets for zone counters */
- #ifndef RES_DOMAIN_BUCKETS
- #define RES_DOMAIN_BUCKETS     523
-@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
- static void
- findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
-         unsigned int options, unsigned int flags, isc_stdtime_t now,
-        bool *overquota, bool *need_alternate)
-{
-+        bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
-        dns_adbaddrinfo_t *ai;
-        dns_adbfind_t *find;
-        dns_resolver_t *res;
-@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
-                              find->result_v6 != DNS_R_NXDOMAIN) ||
-                             (res->dispatches6 == NULL &&
-                              find->result_v4 != DNS_R_NXDOMAIN)))
-+                       {
-                                *need_alternate = true;
-+                       }
-+                       if (no_addresses != NULL) {
-+                               (*no_addresses)++;
-+                       }
-                } else {
-                        if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
-                                if (overquota != NULL)
-@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
-        dns_rdata_ns_t ns;
-        bool need_alternate = false;
-        bool all_spilled = true;
-+       unsigned int no_addresses = 0;
- 
-        FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
- 
-@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
-                 * Extract the name from the NS record.
-                 */
-                result = dns_rdata_tostruct(&rdata, &ns, NULL);
-               if (result != ISC_R_SUCCESS)
-+               if (result != ISC_R_SUCCESS) {
-                        continue;
-+               }
- 
-               findname(fctx, &ns.name, 0, stdoptions, 0, now,
-                        &overquota, &need_alternate);
-+               if (no_addresses > NS_FAIL_LIMIT &&
-+                   dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
-+               {
-+                       stdoptions |= DNS_ADBFIND_NOFETCH;
-+               }
-+               findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
-+                        &need_alternate, &no_addresses);
- 
-               if (!overquota)
-+               if (!overquota) {
-                        all_spilled = false;
-+               }
- 
-                dns_rdata_reset(&rdata);
-                dns_rdata_freestruct(&ns);
-        }
-       if (result != ISC_R_NOMORE)
-+       if (result != ISC_R_NOMORE) {
-                return (result);
-+       }
- 
-        /*
-         * Do we need to use 6 to 4?
-@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
-                        if (!a->isaddress) {
-                                findname(fctx, &a->_u._n.name, a->_u._n.port,
-                                         stdoptions, FCTX_ADDRINFO_FORWARDER,
-                                        now, NULL, NULL);
-+                                        now, NULL, NULL, NULL);
-                                continue;
-                        }
-                        if (isc_sockaddr_pf(&a->_u.addr) != family)
-@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
-                }
-        }
- 
-       if (dns_name_countlabels(&fctx->domain) > 2) {
-               result = isc_counter_increment(fctx->qc);
-               if (result != ISC_R_SUCCESS) {
-                       isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-                                     DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-                                     "exceeded max queries resolving '%s'",
-                                     fctx->info);
-                       fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-                       return;
-               }
-+       result = isc_counter_increment(fctx->qc);
-+       if (result != ISC_R_SUCCESS) {
-+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-+                             DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-+                             "exceeded max queries resolving '%s'",
-+                             fctx->info);
-+               fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-+               return;
-        }
- 
-        bucketnum = fctx->bucketnum;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
deleted file mode 100644
index d8769c45cc..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
-CVE: CVE-2020-8617
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
-diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index b597a18d49..6357a3a486 100644
--- a/lib/dns/tsig.c
-+++ b/lib/dns/tsig.c
-@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
-                        goto cleanup_context;
-                }
-                msg->verified_sig = 1;
-       } else if (tsig.error != dns_tsigerror_badsig &&
-                  tsig.error != dns_tsigerror_badkey) {
-+       } else if (!response || (tsig.error != dns_tsigerror_badsig &&
-+                                tsig.error != dns_tsigerror_badkey))
-+       {
-                tsig_log(msg->tsigkey, 2, "signature was empty");
-                return (DNS_R_TSIGVERIFYFAILURE);
-        }
-@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
-                }
-        }
- 
-       if (tsig.error != dns_rcode_noerror) {
-+       if (response && tsig.error != dns_rcode_noerror) {
-                msg->tsigstatus = tsig.error;
-                if (tsig.error == dns_tsigerror_badtime)
-                        ret = DNS_R_CLOCKSKEW;
diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index 8f2d702dcb..276173e09f 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
 SECTION = "console/network"
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
 DEPENDS = "openssl libcap zlib"
@@ -18,12 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
           file://0001-avoid-start-failure-with-bind-user.patch \
-           file://CVE-2020-8616.patch \
-           file://CVE-2020-8617.patch \
           "
-SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"
+SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
-SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d"
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch deleted file mode 100644 index 8f00231919..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch +++ /dev/null
@@ -1,206 +0,0 @@
1	Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
2	CVE: CVE-2020-8616
3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
4	---
5	diff --git a/lib/dns/adb.c b/lib/dns/adb.c
6	index 058495f6a5..6b8a9537f0 100644
7	--- a/lib/dns/adb.c
8	+++ b/lib/dns/adb.c
9	@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t entry, const char fmt, ...)
10	*/
11	#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
12	#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
13	-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
14	- != 0)
15	-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
16	- != 0)
17	-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
18	-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
19	-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
20	-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
21	+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
22	+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
23	+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
24	+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
25	+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
26	+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
27	+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
28
29	/*
30	* These are currently used on simple unsigned ints, so they are
31	@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t adb, isc_task_t task, isc_taskaction_t action,
32	* Listen to negative cache hints, and don't start
33	* another query.
34	*/
35	- if (NCACHE_RESULT(result) \|\| AUTH_NX(result))
36	+ if (NCACHE_RESULT(result) \|\| AUTH_NX(result)) {
37	goto fetch;
38	+ }
39
40	- if (!NAME_FETCH_V6(adbname))
41	+ if (!NAME_FETCH_V6(adbname)) {
42	wanted_fetches \|= DNS_ADBFIND_INET6;
43	+ }
44	}
45
46	fetch:
47	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) \|\|
48	(WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
49	+ {
50	have_address = true;
51	- else
52	+ } else {
53	have_address = false;
54	- if (wanted_fetches != 0 &&
55	- ! (FIND_AVOIDFETCHES(find) && have_address)) {
56	+ }
57	+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
58	+ !FIND_NOFETCH(find))
59	+ {
60	/*
61	* We're missing at least one address family. Either the
62	* caller hasn't instructed us to avoid fetches, or we don't
63	@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t adb, isc_task_t task, isc_taskaction_t action,
64	* be acceptable so we have to launch fetches.
65	*/
66
67	- if (FIND_STARTATZONE(find))
68	+ if (FIND_STARTATZONE(find)) {
69	start_at_zone = true;
70	+ }
71
72	/*
73	* Start V4.
74	diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
75	index 63a13c4e41..edf6e54935 100644
76	--- a/lib/dns/include/dns/adb.h
77	+++ b/lib/dns/include/dns/adb.h
78	@@ -207,6 +207,10 @@ struct dns_adbfind {
79	* lame for this query.
80	*/
81	#define DNS_ADBFIND_OVERQUOTA 0x00000400
82	+/*%
83	+ * Don't perform a fetch even if there are no address records available.
84	+ */
85	+#define DNS_ADBFIND_NOFETCH 0x00000800
86
87	/*%
88	* The answers to queries come back as a list of these.
89	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
90	index 7c44478a26..0a40859d08 100644
91	--- a/lib/dns/resolver.c
92	+++ b/lib/dns/resolver.c
93	@@ -172,6 +172,14 @@
94	#define DEFAULT_MAX_QUERIES 75
95	#endif
96
97	+/*
98	+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
99	+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
100	+ * stop trying to fetch, in order to avoid wasting resources.
101	+ */
102	+#define NS_FAIL_LIMIT 4
103	+#define NS_RR_LIMIT 5
104	+
105	/* Number of hash buckets for zone counters */
106	#ifndef RES_DOMAIN_BUCKETS
107	#define RES_DOMAIN_BUCKETS 523
108	@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
109	static void
110	findname(fetchctx_t fctx, dns_name_t name, in_port_t port,
111	unsigned int options, unsigned int flags, isc_stdtime_t now,
112	- bool overquota, bool need_alternate)
113	-{
114	+ bool overquota, bool need_alternate, unsigned int *no_addresses) {
115	dns_adbaddrinfo_t *ai;
116	dns_adbfind_t *find;
117	dns_resolver_t *res;
118	@@ -3219,7 +3226,12 @@ findname(fetchctx_t fctx, dns_name_t name, in_port_t port,
119	find->result_v6 != DNS_R_NXDOMAIN) \|\|
120	(res->dispatches6 == NULL &&
121	find->result_v4 != DNS_R_NXDOMAIN)))
122	+ {
123	*need_alternate = true;
124	+ }
125	+ if (no_addresses != NULL) {
126	+ (*no_addresses)++;
127	+ }
128	} else {
129	if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
130	if (overquota != NULL)
131	@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
132	dns_rdata_ns_t ns;
133	bool need_alternate = false;
134	bool all_spilled = true;
135	+ unsigned int no_addresses = 0;
136
137	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
138
139	@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
140	* Extract the name from the NS record.
141	*/
142	result = dns_rdata_tostruct(&rdata, &ns, NULL);
143	- if (result != ISC_R_SUCCESS)
144	+ if (result != ISC_R_SUCCESS) {
145	continue;
146	+ }
147
148	- findname(fctx, &ns.name, 0, stdoptions, 0, now,
149	- &overquota, &need_alternate);
150	+ if (no_addresses > NS_FAIL_LIMIT &&
151	+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
152	+ {
153	+ stdoptions \|= DNS_ADBFIND_NOFETCH;
154	+ }
155	+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
156	+ &need_alternate, &no_addresses);
157
158	- if (!overquota)
159	+ if (!overquota) {
160	all_spilled = false;
161	+ }
162
163	dns_rdata_reset(&rdata);
164	dns_rdata_freestruct(&ns);
165	}
166	- if (result != ISC_R_NOMORE)
167	+ if (result != ISC_R_NOMORE) {
168	return (result);
169	+ }
170
171	/*
172	* Do we need to use 6 to 4?
173	@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
174	if (!a->isaddress) {
175	findname(fctx, &a->_u._n.name, a->_u._n.port,
176	stdoptions, FCTX_ADDRINFO_FORWARDER,
177	- now, NULL, NULL);
178	+ now, NULL, NULL, NULL);
179	continue;
180	}
181	if (isc_sockaddr_pf(&a->_u.addr) != family)
182	@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
183	}
184	}
185
186	- if (dns_name_countlabels(&fctx->domain) > 2) {
187	- result = isc_counter_increment(fctx->qc);
188	- if (result != ISC_R_SUCCESS) {
189	- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
190	- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
191	- "exceeded max queries resolving '%s'",
192	- fctx->info);
193	- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
194	- return;
195	- }
196	+ result = isc_counter_increment(fctx->qc);
197	+ if (result != ISC_R_SUCCESS) {
198	+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
199	+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
200	+ "exceeded max queries resolving '%s'",
201	+ fctx->info);
202	+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
203	+ return;
204	}
205
206	bucketnum = fctx->bucketnum;


diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch deleted file mode 100644 index d8769c45cc..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch +++ /dev/null
@@ -1,29 +0,0 @@
1	Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
2	CVE: CVE-2020-8617
3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
4	---
5	diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
6	index b597a18d49..6357a3a486 100644
7	--- a/lib/dns/tsig.c
8	+++ b/lib/dns/tsig.c
9	@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t source, dns_message_t msg,
10	goto cleanup_context;
11	}
12	msg->verified_sig = 1;
13	- } else if (tsig.error != dns_tsigerror_badsig &&
14	- tsig.error != dns_tsigerror_badkey) {
15	+ } else if (!response \|\| (tsig.error != dns_tsigerror_badsig &&
16	+ tsig.error != dns_tsigerror_badkey))
17	+ {
18	tsig_log(msg->tsigkey, 2, "signature was empty");
19	return (DNS_R_TSIGVERIFYFAILURE);
20	}
21	@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t source, dns_message_t msg,
22	}
23	}
24
25	- if (tsig.error != dns_rcode_noerror) {
26	+ if (response && tsig.error != dns_rcode_noerror) {
27	msg->tsigstatus = tsig.error;
28	if (tsig.error == dns_tsigerror_badtime)
29	ret = DNS_R_CLOCKSKEW;


diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb index 8f2d702dcb..276173e09f 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.13.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
3	SECTION = "console/network"	3	SECTION = "console/network"
4		4
5	LICENSE = "ISC & BSD"	5	LICENSE = "ISC & BSD"
6	LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"	6	LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
7		7
8	DEPENDS = "openssl libcap zlib"	8	DEPENDS = "openssl libcap zlib"
9		9
@@ -18,12 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
18	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \	18	file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \	19	file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
20	file://0001-avoid-start-failure-with-bind-user.patch \	20	file://0001-avoid-start-failure-with-bind-user.patch \
21	file://CVE-2020-8616.patch \
22	file://CVE-2020-8617.patch \
23	"	21	"
24		22
25	SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"	23	SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
26	SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d"
27		24
28	UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"	25	UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
29	# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4	26	# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4