This includes the fix for CVE-2018-5738: When recursion is enabled but the
allow-recursion and allow-query-cache ACLs are not specified, they should be
limited to local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

It seems to not be needed anymore. Tested on mvebu and ar71xx.
Signed-off-by: Rosen Penev <rosenp@gmail.com>

By default, libatomic is conditionally enabled on some platforms, but it's not
strictly necessary. We'll disable it here globally rather than introduce an
unnecessary dependency.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

EdDSA support is optional and currently defaults to being disabled.
The following security issues are addressed with this update:
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143.
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141.
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140.
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. This bug is disclosed in CVE-2017-3145.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

New upstream release fixes the following security issues:
* CVE-2017-3145: BIND was improperly sequencing cleanup operations on
upstream recursion fetch contexts, leading in some cases to a use-after-free
error that can trigger an assertion failure and crash in named.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

At least one of libjson|libxml2 is required for bind
statistics to function.
Selecting libjson|libxml2 will result in an additional
dependency required to build and install bind-libs.
Signed-off-by: Hal Martin <hal.martin@gmail.com>

When building on hosts with lmdb installed, bind configure phase fails:
configure: error: found lmdb include but not library.
Solve this by disabling lmdb. Fixes #4748.
Fixes: eab56b6bee5d ("bind: version update to 9.11.2")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Also refresh patches and dependencies.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

New upstream release includes fixes for the following security issues:
* CVE-2017-3140: With certain RPZ configurations, a response with TTL 0 could
cause named to go into an infinite query loop
* CVE-2017-3142: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
* CVE-2017-3143: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

<net/bind>
Maintainer: @nmeyerhans
Compile tested: x86_64, OpenWRT 50107
Run tested: x86 / 64, OpenWRT 50107
Description:
Added dnssec-settime into bind-dnssec and bind-tools
Signed-off-by: Sami Olmari <sami+git@olmari.fi>

This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

This change fixes multiple denial-of-service vulnerabilities:
* CVE-2016-9131: A malformed response to an ANY query can cause an
assertion failure during recursion
* CVE-2016-9147: An error handling a query response containing
inconsistent DNSSEC information could cause an assertion failure
* CVE-2016-9444: An unusually-formed DS record response could cause
an assertion failure
* CVE-2016-9778: An error handling certain queries using the
nxdomain-redirect feature could cause a REQUIRE assertion failure
in db.c
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

If libjson-c is detected during bind-libs configure phase, bind-libs
will be built with libjson support. This results in a missing dependency
error during install phase. Solve this by disabling libjson support.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Standard assignment is immediate expansion without any extraneous spacing, RFC822 compliant email addresses without any quotation marks and long git hashes
Signed-off-by: Stephen Walker <stephendwalker+github@gmail.com>

Signed-off-by: DonkZZ <donk@evhr.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Fixes:
* CVE-2015-8704
* CVE-2015-3193
* CVE-2015-8000
* CVE-2015-8461
Signed-off-by: Noah Meyerhans <frodo@morgul.net>

bind: Enable ECDSA support

Enables bind to do ECDSA DNSSEC validation. Depends on OpenSSL support
for ECDSA. Increases size of bind-libs package by about 2kB.
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

Update maintainer and license metadata in Makefile.
Signed-off-by: Noah Meyerhans <noahm@debian.org>

Signed-off-by: Noah Meyerhans <noahm@debian.org>