
222 lines
5.7 KiB

bind: Update to bind-9.10.5

This change includes fixes for several security issues:

* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion failure.
* CVE-2017-3135: If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash.
* CVE-2016-9444: named could mishandle authority sections with missing RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could trigger an infinite recursion bug in lwresd or named with lwres configured if, when combined with a search list entry from resolv.conf, the resulting name is too long.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
8 years ago
#
# Copyright (C) 2006-2012 OpenWrt.org
#               2014-2017 Noah Meyerhans <frodo@morgul.net>
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=bind
PKG_VERSION:=9.10.5
PKG_RELEASE:=1
# Dedicated unprivileged account for named (user bind, uid 57; group bind, gid 57).
USERID:=bind=57:bind=57

PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
PKG_LICENSE := BSD-3-Clause

# Both mirrors are fetched over unauthenticated FTP/HTTP, so the checksum
# below is the only integrity check applied to the source tarball.
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
	ftp://ftp.isc.org/isc/bind9/$(PKG_VERSION) \
	http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION)
# MD5 is a weak digest; OpenWrt's PKG_HASH (SHA-256) is the stronger form.
PKG_MD5SUM:=8359e000eaec76efd6dfa186c12c3b93

PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4

PKG_INSTALL:=1
PKG_USE_MIPS16:=0

PKG_CONFIG_DEPENDS := \
	CONFIG_OPENSSL_WITH_EC \
	CONFIG_BIND_ENABLE_FILTER_AAAA

include $(INCLUDE_DIR)/package.mk

define Package/bind/Default
  SECTION:=net
  CATEGORY:=Network
  DEPENDS:=+bind-libs
  TITLE:=bind
  URL:=https://www.isc.org/software/bind
  SUBMENU:=IP Addresses and Names
endef

define Package/bind-libs
  SECTION:=libs
  CATEGORY:=Libraries
  DEPENDS:=+libopenssl
  TITLE:=bind shared libraries
  URL:=https://www.isc.org/software/bind
endef

define Package/bind-server
  $(call Package/bind/Default)
  TITLE+= DNS server
endef

define Package/bind-server/config
	source "$(SOURCE)/Config.in"
endef

define Package/bind-client
  $(call Package/bind/Default)
  TITLE+= dynamic DNS client
endef

define Package/bind-tools
  $(call Package/bind/Default)
  TITLE+= administration tools (all)
endef

define Package/bind-rndc
  $(call Package/bind/Default)
  TITLE+= administration tools (rndc and rndc-confgen only)
endef

define Package/bind-check
  $(call Package/bind/Default)
  TITLE+= administration tools (named-checkconf and named-checkzone only)
endef

define Package/bind-dnssec
  $(call Package/bind/Default)
  TITLE+= administration tools (dnssec-keygen, dnssec-settime and dnssec-signzone only)
endef

define Package/bind-host
  $(call Package/bind/Default)
  TITLE+= simple DNS client
endef

define Package/bind-dig
  $(call Package/bind/Default)
  TITLE+= DNS excavation tool
endef

export BUILD_CC="$(TARGET_CC)"

# Configure options: single-threaded build, no Linux capability support,
# OpenSSL from the staging directory, ECDSA only when OpenSSL has EC enabled.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--with-randomdev="/dev/urandom" \
	--disable-threads \
	--disable-linux-caps \
	--with-openssl="$(STAGING_DIR)/usr" \
	--with-libjson=no \
	--with-libtool \
	--with-libxml2=no \
	--enable-epoll=yes \
	--with-gost=no \
	--with-gssapi=no \
	--with-ecdsa=$(if $(CONFIG_OPENSSL_WITH_EC),yes,no) \
	--with-readline=no \
	--sysconfdir=/etc/bind

ifdef CONFIG_BIND_ENABLE_FILTER_AAAA
	CONFIGURE_ARGS += \
		--enable-filter-aaaa
endif

CONFIGURE_VARS += \
	BUILD_CC="$(TARGET_CC)"

# The lib/dns "gen" helper runs on the build machine, so it is compiled
# with the host compiler before the default cross build.
define Build/Compile
	$(MAKE) -C $(PKG_BUILD_DIR)/lib/dns \
		BUILD_CC="$(HOSTCC)" \
		CC="$(HOSTCC)" \
		CFLAGS="-O2" \
		LIBS="" \
		gen
	$(call Build/Compile/Default)
endef

define Package/bind-libs/install
	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib
endef

define Package/bind-server/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named $(1)/usr/sbin/
	$(INSTALL_DIR) $(1)/etc/bind
	$(CP) \
		./files/bind/db.0 \
		./files/bind/db.127 \
		./files/bind/db.255 \
		./files/bind/db.local \
		./files/bind/db.root \
		$(1)/etc/bind/
	$(CP) ./files/bind/named.conf.example $(1)/etc/bind/named.conf
	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/named.init $(1)/etc/init.d/named
	find $(1)/etc/bind/ -name ".svn" | xargs rm -rf
endef

# Files listed here are preserved across package upgrades.
define Package/bind-server/conffiles
/etc/bind/db.0
/etc/bind/db.127
/etc/bind/db.255
/etc/bind/db.local
/etc/bind/db.root
/etc/bind/named.conf
endef

define Package/bind-client/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/nsupdate $(1)/usr/bin/
endef

define Package/bind-tools/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dig $(1)/usr/bin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/host $(1)/usr/bin/
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-keygen $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-settime $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-signzone $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named-checkconf $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named-checkzone $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/rndc $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/rndc-confgen $(1)/usr/sbin/
endef

define Package/bind-rndc/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/rndc $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/rndc-confgen $(1)/usr/sbin/
endef

define Package/bind-check/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named-checkconf $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/named-checkzone $(1)/usr/sbin/
endef

define Package/bind-dnssec/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-keygen $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-settime $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-signzone $(1)/usr/sbin/
endef

define Package/bind-host/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/host $(1)/usr/bin/
endef

define Package/bind-dig/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dig $(1)/usr/bin/
endef

$(eval $(call BuildPackage,bind-libs))
$(eval $(call BuildPackage,bind-server))
$(eval $(call BuildPackage,bind-client))
$(eval $(call BuildPackage,bind-tools))
$(eval $(call BuildPackage,bind-rndc))
$(eval $(call BuildPackage,bind-check))
$(eval $(call BuildPackage,bind-dnssec))
$(eval $(call BuildPackage,bind-host))
$(eval $(call BuildPackage,bind-dig))