diff options
author | wangmy <wangmy@fujitsu.com> | 2022-05-24 16:33:42 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2022-07-26 05:34:59 -1000 |
commit | 1bbedc1c6f9b1d431a7d72b9e8e2871d0fe988f5 (patch) | |
tree | 73ae8ac33cf0ab9fd78040eb8636f18b00ab08db /meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch | |
parent | e22b7b2a30c4c688b9c4414824c93ae8a884496c (diff) | |
download | openembedded-core-contrib-1bbedc1c6f9b1d431a7d72b9e8e2871d0fe988f5.tar.gz |
bind: upgrade 9.18.2 -> 9.18.3
Changelog:
==========
[security]
Fix a crash in DNS-over-HTTPS (DoH) code caused by
premature TLS stream socket object deletion.
(CVE-2022-1183) [GL #3216]
[bug]
RPZ NSIP and NSDNAME rule processing didn't handle stub
and static-stub zones at or above the query name. This
has now been addressed. [GL #3232]
Fixed a deadlock that could occur if an rndc
connection arrived during the shutdown of network
interfaces. [GL #3272]
Refactor the fctx_done() function to set fctx to
NULL after detaching, so that reference counting
errors will be easier to avoid. [GL #2969]
udp_recv() in dispatch could trigger an INSIST when the
callback's result indicated success but the response
was canceled in the meantime. [GL #3300]
Work around a jemalloc quirk which could trigger an
out-of-memory condition in named over time. [GL #3287]
If there was a pending negative cache DS entry,
validations depending upon it could fail. [GL #3279]
dig returned a 0 exit status on UDP connection failure.
[GL #3235]
Fix an assertion failure when using dig with +nssearch
and +tcp options by starting the next query in the
send_done() callback (like in the UDP mode) instead
of doing that recursively in start_tcp(). Also
ensure that queries interrupted while connecting
are detached properly. [GL #3144]
Don't remove CDS/CDNSKEY DELETE records on zone sign
when using 'auto-dnssec maintain;'. [GL #2931]
[contrib]
Avoid name space collision in dlz modules by prefixing
functions with 'dlz_'. [GL !5778]
dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
[func]
Add new named command-line option -C to print built-in
defaults. [GL #1326]
Introduce the concept of broken catalog zones described
in the DNS catalog zones draft version 5 document.
[GL #3224]
Add DNS Extended Errors when stale answers are returned
from cache. [GL #2267]
Implement support for catalog zones change of ownership
(coo) mechanism described in the DNS catalog zones draft
version 5 document. [GL #3223]
Implement support for catalog zones options new syntax
based on catalog zones custom properties with "ext"
suffix described in the DNS catalog zones draft version
5 document. [GL #3222]
Implement reference counting for TLS contexts and
allow reloading of TLS certificates on reconfiguration
without destroying the underlying TCP listener sockets
for TLS-based DNS transports. [GL #3122]
Add support for remote TLS certificates
verification, both to BIND and dig, making it possible
to implement Strict and Mutual TLS authentication,
as described in RFC 9103, Section 9.3. [GL #3163]
[cleanup]
Remove use of exclusive mode in ns_interfacemgr in
favor of rwlocked access to localhost and localnets
members of dns_aclenv_t structure. [GL #3229]
Remove the task exclusive mode use in ns_clientmgr.
[GL #3230]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2ae8b85c71be2e9e332b1ef0a2d3083b30c63e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch new file mode 100644 index 0000000000..11db95ede1 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.18.3/init.d-add-support-for-read-only-rootfs.patch @@ -0,0 +1,65 @@ +Subject: init.d: add support for read-only rootfs + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + init.d | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/init.d b/init.d +index 0111ed4..24677c8 100644 +--- a/init.d ++++ b/init.d +@@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin + # Don't modify this line, change or create /etc/default/bind9. + OPTIONS="" + ++test -f /etc/default/rcS && . /etc/default/rcS + test -f /etc/default/bind9 && . /etc/default/bind9 + ++# This function is here because it's possible that /var and / are on different partitions. ++is_on_read_only_partition () { ++ DIRECTORY=$1 ++ dir=`readlink -f $DIRECTORY` ++ while true; do ++ if [ ! -d "$dir" ]; then ++ echo "ERROR: $dir is not a directory" ++ exit 1 ++ else ++ for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \ ++ END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do ++ [ "$flag" = "FOUND" ] && partition="read-write" ++ [ "$flag" = "ro" ] && { partition="read-only"; break; } ++ done ++ if [ "$dir" = "/" -o -n "$partition" ]; then ++ break ++ else ++ dir=`dirname $dir` ++ fi ++ fi ++ done ++ [ "$partition" = "read-only" ] && echo "yes" || echo "no" ++} ++ ++bind_mount () { ++ olddir=$1 ++ newdir=$2 ++ mkdir -p $olddir ++ cp -a $newdir/* $olddir ++ mount --bind $olddir $newdir ++} ++ ++# Deal with read-only rootfs ++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then ++ [ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs" ++ [ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind ++ [ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named ++fi ++ + test -x /usr/sbin/rndc || exit 0 + + case "$1" in +-- +1.7.9.5 + |