summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorakuster <akuster808@gmail.com>2020-07-09 00:07:57 +0300
committerAnuj Mittal <anuj.mittal@intel.com>2020-07-17 09:36:48 +0800
commit74aacd292387f9a2c36381080ade5537af1d3d9e (patch)
tree1509610f707cd212c45fb4b26ae4b332c472390b
parent3f723af6059fbfed6dac0c281f212b9a02c3e026 (diff)
downloadopenembedded-core-74aacd292387f9a2c36381080ade5537af1d3d9e.tar.gz
bind: update to 9.11.19
Bug fix only updates. suitable for Stable branch updates where applicable. Drop CVE patches included in update LIC_FILES_CHKSUM update copyright year to 2020 Full changes found at : https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_11/CHANGES (From OE-Core rev: c672d2b6c98607f1fda917f4a3189a53712e8fc2) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit a6ba66cf5e754cdcd41f01d233fbef7b94a10225) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch206
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch29
-rw-r--r--meta/recipes-connectivity/bind/bind_9.11.19.bb (renamed from meta/recipes-connectivity/bind/bind_9.11.13.bb)5
3 files changed, 2 insertions, 238 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
deleted file mode 100644
index 8f00231919..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch]
-CVE: CVE-2020-8616
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
-diff --git a/lib/dns/adb.c b/lib/dns/adb.c
-index 058495f6a5..6b8a9537f0 100644
---- a/lib/dns/adb.c
-+++ b/lib/dns/adb.c
-@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
- */
- #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
- #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
--#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
-- != 0)
--#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
-- != 0)
--#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
--#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
--#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
--#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
-+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
-+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
-+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
-
- /*
- * These are currently used on simple unsigned ints, so they are
-@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
- * Listen to negative cache hints, and don't start
- * another query.
- */
-- if (NCACHE_RESULT(result) || AUTH_NX(result))
-+ if (NCACHE_RESULT(result) || AUTH_NX(result)) {
- goto fetch;
-+ }
-
-- if (!NAME_FETCH_V6(adbname))
-+ if (!NAME_FETCH_V6(adbname)) {
- wanted_fetches |= DNS_ADBFIND_INET6;
-+ }
- }
-
- fetch:
- if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
- (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
-+ {
- have_address = true;
-- else
-+ } else {
- have_address = false;
-- if (wanted_fetches != 0 &&
-- ! (FIND_AVOIDFETCHES(find) && have_address)) {
-+ }
-+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
-+ !FIND_NOFETCH(find))
-+ {
- /*
- * We're missing at least one address family. Either the
- * caller hasn't instructed us to avoid fetches, or we don't
-@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
- * be acceptable so we have to launch fetches.
- */
-
-- if (FIND_STARTATZONE(find))
-+ if (FIND_STARTATZONE(find)) {
- start_at_zone = true;
-+ }
-
- /*
- * Start V4.
-diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
-index 63a13c4e41..edf6e54935 100644
---- a/lib/dns/include/dns/adb.h
-+++ b/lib/dns/include/dns/adb.h
-@@ -207,6 +207,10 @@ struct dns_adbfind {
- * lame for this query.
- */
- #define DNS_ADBFIND_OVERQUOTA 0x00000400
-+/*%
-+ * Don't perform a fetch even if there are no address records available.
-+ */
-+#define DNS_ADBFIND_NOFETCH 0x00000800
-
- /*%
- * The answers to queries come back as a list of these.
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 7c44478a26..0a40859d08 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -172,6 +172,14 @@
- #define DEFAULT_MAX_QUERIES 75
- #endif
-
-+/*
-+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
-+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
-+ * stop trying to fetch, in order to avoid wasting resources.
-+ */
-+#define NS_FAIL_LIMIT 4
-+#define NS_RR_LIMIT 5
-+
- /* Number of hash buckets for zone counters */
- #ifndef RES_DOMAIN_BUCKETS
- #define RES_DOMAIN_BUCKETS 523
-@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
- static void
- findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
- unsigned int options, unsigned int flags, isc_stdtime_t now,
-- bool *overquota, bool *need_alternate)
--{
-+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
- dns_adbaddrinfo_t *ai;
- dns_adbfind_t *find;
- dns_resolver_t *res;
-@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
- find->result_v6 != DNS_R_NXDOMAIN) ||
- (res->dispatches6 == NULL &&
- find->result_v4 != DNS_R_NXDOMAIN)))
-+ {
- *need_alternate = true;
-+ }
-+ if (no_addresses != NULL) {
-+ (*no_addresses)++;
-+ }
- } else {
- if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
- if (overquota != NULL)
-@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- dns_rdata_ns_t ns;
- bool need_alternate = false;
- bool all_spilled = true;
-+ unsigned int no_addresses = 0;
-
- FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
-
-@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- * Extract the name from the NS record.
- */
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
-- if (result != ISC_R_SUCCESS)
-+ if (result != ISC_R_SUCCESS) {
- continue;
-+ }
-
-- findname(fctx, &ns.name, 0, stdoptions, 0, now,
-- &overquota, &need_alternate);
-+ if (no_addresses > NS_FAIL_LIMIT &&
-+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
-+ {
-+ stdoptions |= DNS_ADBFIND_NOFETCH;
-+ }
-+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
-+ &need_alternate, &no_addresses);
-
-- if (!overquota)
-+ if (!overquota) {
- all_spilled = false;
-+ }
-
- dns_rdata_reset(&rdata);
- dns_rdata_freestruct(&ns);
- }
-- if (result != ISC_R_NOMORE)
-+ if (result != ISC_R_NOMORE) {
- return (result);
-+ }
-
- /*
- * Do we need to use 6 to 4?
-@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- if (!a->isaddress) {
- findname(fctx, &a->_u._n.name, a->_u._n.port,
- stdoptions, FCTX_ADDRINFO_FORWARDER,
-- now, NULL, NULL);
-+ now, NULL, NULL, NULL);
- continue;
- }
- if (isc_sockaddr_pf(&a->_u.addr) != family)
-@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
- }
- }
-
-- if (dns_name_countlabels(&fctx->domain) > 2) {
-- result = isc_counter_increment(fctx->qc);
-- if (result != ISC_R_SUCCESS) {
-- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-- "exceeded max queries resolving '%s'",
-- fctx->info);
-- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-- return;
-- }
-+ result = isc_counter_increment(fctx->qc);
-+ if (result != ISC_R_SUCCESS) {
-+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
-+ "exceeded max queries resolving '%s'",
-+ fctx->info);
-+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-+ return;
- }
-
- bucketnum = fctx->bucketnum;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
deleted file mode 100644
index d8769c45cc..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
-CVE: CVE-2020-8617
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
-diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index b597a18d49..6357a3a486 100644
---- a/lib/dns/tsig.c
-+++ b/lib/dns/tsig.c
-@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- goto cleanup_context;
- }
- msg->verified_sig = 1;
-- } else if (tsig.error != dns_tsigerror_badsig &&
-- tsig.error != dns_tsigerror_badkey) {
-+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
-+ tsig.error != dns_tsigerror_badkey))
-+ {
- tsig_log(msg->tsigkey, 2, "signature was empty");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
-@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- }
- }
-
-- if (tsig.error != dns_rcode_noerror) {
-+ if (response && tsig.error != dns_rcode_noerror) {
- msg->tsigstatus = tsig.error;
- if (tsig.error == dns_tsigerror_badtime)
- ret = DNS_R_CLOCKSKEW;
diff --git a/meta/recipes-connectivity/bind/bind_9.11.13.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index 79275bb1ca..a77be8678f 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
DEPENDS = "openssl libcap zlib"
@@ -20,8 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057"
-SRC_URI[sha256sum] = "fd3f3cc9fcfcdaa752db35eb24598afa1fdcc2509d3227fc90a8631b7b400f7d"
+SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4