| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes multiple security issues:
CVE-2022-38178 - Fix memory leak in EdDSA verify processing
CVE-2022-3080 - Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query
CVE-2022-2906 - Fix memory leaks in the DH code when using OpenSSL 3.0.0
and later versions. The openssldh_compare(),
openssldh_paramcompare(), and openssldh_todns()
functions were affected
CVE-2022-2881 - When an HTTP connection was reused to get
statistics from the stats channel, and zlib
compression was in use, each successive
response sent larger and larger blocks of memory,
potentially reading past the end of the allocated
buffer
CVE-2022-2795 - Prevent excessive resource use while processing large
delegations
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
| |
Fixes:
- CVE-2022-1183
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |\
| |
| | |
bind: add subpackaging for ddns-confgen
|
| | |
| |
| |
| |
| |
| |
| | |
ddns-confgen is a useful tool for generating partial zones for
transfer/update in dynamic DNS (ddns) scenarios.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes multiple security issues:
* CVE-2022-0667 -- An assertion could occur in resume_dslookup() if the
fetch had been shut down earlier
* CVE-2022-0635 -- Lookups involving a DNAME could trigger an INSIST when
"synth-from-dnssec" was enabled
* CVE-2022-0396 -- A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the CLOSE_WAIT
state blocking indefinitely when out-of-order processing was
disabled.
* CVE-2021-25220 -- The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside the
configured bailiwick
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| | |
| |
| |
| | |
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Unless we're using "mktemp -u ..." (not recommended), it will
create the temp file as part of its safety checking. Thus you
should only create the name (file) if you're going to use it,
and always remove it if you have created it.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
DoH is enabled by default, but disabling it removes the need to link
against libnghttp2, which may be desirable more constrained
environments.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |/
|
|
| |
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
| |
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
| |
Side-effect of dropping capabilities(7) with last commit is now we
need the `/var/run/named/` directory created for us at startup.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |\
| |
| | |
bind: detect new interfaces when they come up
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Reload the service when interfaces flap; note that libcap support
is required to open new sockets on interfaces coming up during
a reload, otherwise a full restart would be needed.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |\ \
| | |
| | | |
bind: Bump to 9.17.19
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The following CVE updates are included:
* CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could previously be
abused by an attacker to significantly degrade resolver performance.
* CVE-2021-25218: An assertion failure occurred when named attempted
to send a UDP packet that exceeded the MTU size, if Response Rate
Limiting (RRL) was enabled.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
This has been replaced with the "trust-anchors" keyword, per
section 8.21.1 New Features of the Bind 9 Administrator Reference
Manual:
• In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new trust-anchors statement should now be used for both types of key.
When used with the keyword initial-key, trust-anchors has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011.
When used with the new keyword static-key, trust-anchors has the same behavior as trusted-keys, i.e., it configures a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |
|
|
| |
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following security issues:
* CVE-2021-25215 - named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query.
* CVE-2021-25214 - Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a
RUNTIME_CHECK assertion failure when the zone was
subsequently refreshed. This has been fixed by adding an
owner name check for all SOA records which are included
in a zone transfer.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
| |
Backport upstream OpenSSL deprecated API patch.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
|
| |
|
|
|
|
| |
Add build dependency on libnghttp2 for DNS-over-HTTPS support
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Drop obsolete patches
- 001-no-tests.patch
- 002-fix-cross-compilation.patch
Move several user-executable binaries from /usr/sbin to /usr/bin per
upstream.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Start named before dhcpd so that dhcpd can prime the local zones at startup.
Restore the empty domain zone for rfc1918 addresses that previously existed.
Create an additional subsidiary named.conf.local file (initially empty)
in /tmp/bind/ that can be seeded with dynamic zones and primed with
"rndc reload", and add it to the watched list of config files for procd.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |
|
|
|
|
|
|
| |
Enable the control port on named that rncd uses to talk to it. Use
rndc to allow for lightweight reloads of some (per-zone) or all of
the database without an interruption of service.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
- DNS Flag Day 2020
(default EDNS buffer size changed from 4096 to 1232 bytes)
-- Added patch, which should be part of the next release
It fixes an issue while cross-compilation (I linked it in the commit
message with issue link)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
| |
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several security issures are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
This update fixes the following CVE's:
- CVE-2020-8618
- CVE-2020-8619
More info on bug fixes and feature changes in:
https://downloads.isc.org/isc/bind9/9.16.4/doc/arm/html/notes.html
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
|
| |
|
|
|
|
|
| |
Add alternative to busybox nslookup. Busybox throws an error when
the host does not have an AAAA record.
Signed-off-by: Ian Cooper <iancooper@hotmail.com>
|
| |
|
|
|
|
|
|
| |
Fixes:
CVE-2020-8616
CVE-2020-8617
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
| |
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
|
| |
|
|
|
|
|
|
| |
Add libuv dependency
Fix optional libxml and c-json dependency handling
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
| |
The configure script prefers the latter whereas the code prefers the
latter. Hack around it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
| |
Fixes CVE-2019-6477
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
|
| |
|
|
|
|
| |
Fixes CVE-2019-6475 and CVE-2019-6476
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
| |
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
|
|
| |
Add PKG_LICENSE_FILES
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
| |
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
|
|
| |
Fixed CVE-2019-6471
ChangeLog: https://ftp.isc.org/isc/bind9/9.14.3/CHANGES
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
BIND now requires POSIX thread and IPv6 support to build
Add filter-AAAA plugin
Remove unrecognized options
Remove patch that no longer needed
- 002-autoconf-ar-fix.patch
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed CVEs:
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
Add PKG_CPE_ID
Size optimizations
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
|
|
|
| |
Refresh patches
Remove --enable-static and --enable-dynamic because they're enabled by default
Enable parallel compilation
Fix compile without IPv6
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
| |
For changes in 9.11.5-P1 see https://ftp.isc.org/isc/bind9/9.11.5-P1/CHANGES
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
| |
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
|
| |
|
|
| |
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
|
| |
|
|
|
|
|
|
|
| |
A multi-year DNSSEC root key update is in progress, as described at
https://www.isc.org/downloads/bind/bind-keys/. This change refreshes the
bind.keys file, ensuring that the new key, in place as of 2018-10-11,
will be recognized and trusted.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
| |
delv is a tool for sending DNS queries and validating the results, using the
same internal resolver and validator logic as named.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
|
|
|
| |
This includes the fix for CVE-2018-5738: When recursion is enabled but the
allow-recursion and allow-query-cache ACLs are not specified, they should be
limited to local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
| |
|
|
|
|
| |
It seems to not be needed anymore. Tested on mvebu and ar71xx.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
By default, libatomic is conditionally enabled on some platforms, but it's not
strictly necessary. We'll disable it here globally rather than introduce an
unnecessary dependency.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|