Age | Commit message (Collapse) | Author |
|
includes:
CVE-2018-5738
drop patch for CVE-2018-5740 now included in update
see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Add RECIPE_NO_UPDATE_REASON for lts
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The generated key file should try to have bind group so that if
the named daemon is started via '-u bind' option, which is the
default in OE core, we will not get startup failure because of
'permission denied' error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
- Tweak var-DST_OPENSSL_LIBS assignment in configure.in, it is
helpful to fix build path issue in isc-config.sh
- `named/lwresd -V' and start log hide build options which expose
build path directories.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
LIC_FILES_CHKSUM changed do to updated year
removed:
dont-test-on-host.patch, no longer implemented
drop use-python3-and-fix-install-lib-path.patch, they added the ability to pass in lib dir loctions
drop bind-confgen-build-unix.o-once.patch, fix included in update
Refresh other patches:
add python3 flag for PACKAGECONFIG to pull in python
add new config option --with-eddsa=no (needs openssl support not released)
Python support is disaled by default now.
Acked-by: Martin Hundebøll <mnhu@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upgrade bind from 9.10.3-P3 to 9.10.5-P3
* Update md5sum of LIC_FILES_CHKSUM that it update year in file COPYRIGHT
* Remvoe mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that there are backported from upstream
* Use python3 for build and make sure install .py files to right directory
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Build without threads for bind is inherited from legacy openembedded.
All libc's support proper threading on Linux now, so enable threads
support for bind.
It is also need to disable static library build which cause package dhcp
fail to build after enable bind threads support.
Options devpoll and epoll are configured to choose most preferable
multiplex method for unix socket. The priorities are: epoll > poll >
select. When set '--enable-epoll', it just defines a var and include
header file that is available for cross compile. So use epoll for bind.
Add PACKAGECONFIG 'urandom' that could use /dev/urandom as random device.
Update file/directory ownerships to fix daemon start failure.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2016-6170: ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and
9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of
service (secondary DNS server crash) via a large AXFR response, and
possibly allows IXFR servers to cause a denial of service (IXFR client
crash) via a large IXFR response and allows remote authenticated users
to cause a denial of service (primary DNS server crash) via a large
UPDATE message.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-6170
Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before
9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause
a denial of service (assertion failure and daemon exit) via a DNAME
record in the answer section of a response to a recursive query,
related to db.c and resolver.c.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8864
Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Add two CVE patches from upstream
git: https://www.isc.org/git/
1.CVE-2016-2775.patch
2.CVE-2016-2776.patch
Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Enforce the correct tag names across all of oe-core for consistency.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Duplicate EDNS COOKIE options in a response could trigger an
assertion failure: Fix with a backport.
bind as built with the oe-core recipe is not at risk: Only servers
which are built with DNS cookie support (--enable-sit) are vulnerable
to denial of service.
Fixes [YOCTO #9438]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fixes following vulnerabilities:
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure
[YOCTO #9400]
External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
References to the Upstream commits and Security Advisories:
===========================================================
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=70037e040e587329cec82123e12b9f4f7c945f67
CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=a3d327bf1ceaaeabb20223d8de85166e940b9f12
CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=7602be276a73a6eb5431c5acd9718e68a55e8b61
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Upgrade bind from 9.10.2-P4 to 9.10.3-P2.
* update context of 0001-build-use-pkg-config-to-find-libxml2.patch
* add PACKAGECONFIGs readline and libedit. They provide same library, so
should not be set at same time.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
gen.c uses 512 as the path length which is a little short when build in
deep dir, and cause "too long" error, use PATH_MAX if defined.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix the building path is long, when building bind, we would meet the following
error.
".../long/path/to/bind/9.10.2-P3-r0/bind-9.10.2-P3/lib/dns" too long
This is because the in gen.c, DIRNAMESIZE is limited to 256. But in OE, the
path length limit is more than 400. So we change it to 512.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Bind can fail configure by detecting headers w/o libs, or
it can fail the host contamination check. More details
are within the commit log in the contained patch.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Refresh the libxml2 detection patch to directly call pkg-config instead of
attempting to use xml2-config, which will always return an error in OE.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1. Remove two unneeded CVE patches, 9.10.2 fixed the CVE-2015-1349 also
2. Remove bind-subdirs-run-serially.patch and cross-build-fix.patch,
similar fixes are merged into 9.10.2
3. update the dont-test-on-host.patch
4. update the Copyright file checksum, since the date in it has been changed.
5. replace the hardcode lib dir with $base_libdir in bind-add-crosscripts*.patch
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
They are backport patches, and verified that the patches are in the
source.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixed:
unix/os.o: file not recognized: File truncated
collect2: error: ld returned 1 exit status
This is because os.o was built twice:
* The implicity rule (depends on unix/os.o)
* The "make all" in unix subdir (depends on unix/os.o)
Depend on subdirs which is unix only rather than unix/os.o will fix the
problem.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
Signed-off-by: Ting Liu <ting.liu@freescale.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
* Firstly configure scritp was testing files from bin folder.
In our case we don't copy bin folder to sysroot for target
recipes. So added extra check to validate .pc file from lib
folder via a patch to configure.in file.
* Secondly linxml2 dependency was missing. So added PACKAGECONFIG
for libxml2.
Signed-off-by: Noor Ahsan <noor_ahsan@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
[From upstream commit: 603a0e2637b35a2da820bc807f69bcf09c682dce]
[YOCTO #7098]
External References:
===================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add in conf.patch /etc/bind/db.255 file so that we don't get the following error.
zone 255.in-addr.arpa/IN: loading from master file /etc/bind/db.255 failed: file not found
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Use /etc/default/bind9 as the environment file in named.service.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
We refer what ubuntu/redhat did, gave bind a user/group
Here is the example in ubuntu 14.04:
$ ps -eo user,group,cmd | grep "named"
...
bind bind /usr/sbin/named -u bind
...
$vim bind9_1%3a9.9.5.dfsg-3_amd64.deb/postinst
...
# lets give them a bind user/group in all cases.
getent group bind >/dev/null 2>&1 || addgroup --system bind
getent passwd bind >/dev/null 2>&1 ||
adduser --system --home /var/cache/bind --no-create-home \
--disabled-password --ingroup bind bind
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch adds support for read-only rootfs to the bind service.
Basically it just bind mounts several directories so that the bind
service could start correctly without reporting any error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add systemd support for bind.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove CVE patches that are in bind
Updated COPYRIGHT includes date changes the NetBSD Copyright
Modifies the Base BSD License to 3-Clause (removes advertising clause)w
Add patch to disable running tests on host
Add python-core to RDEPENDS for dnssec-checkds and dnssec-coverage and fix path to python
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|