From ccb1e8923e6e0269e2443c37362b2b27c121d956 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans
Date: Thu, 29 Apr 2021 09:05:26 -0700
Subject: [PATCH] bind: bump to 9.17.12

Fixes the following security issues:
* CVE-2021-25215 - named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.
* CVE-2021-25214 - Insufficient IXFR checks could result in named serving a zone without an SOA record at the apex, leading to a RUNTIME_CHECK assertion failure when the zone was subsequently refreshed. This has been fixed by adding an owner name check for all SOA records which are included in a zone transfer.
Signed-off-by: Noah Meyerhans
---
 net/bind/Makefile | 4 +-
 net/bind/patches/010-openssl-deprecated.patch | 45 -------------------
 2 files changed, 2 insertions(+), 47 deletions(-)
 delete mode 100644 net/bind/patches/010-openssl-deprecated.patch
diff --git a/net/bind/Makefile b/net/bind/Makefile
index f29ac6d6f..b487da3db 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bind
-PKG_VERSION:=9.17.11
+PKG_VERSION:=9.17.12
 PKG_RELEASE:=$(AUTORELEASE)
 USERID:=bind=57:bind=57
 
@@ -22,7 +22,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:= \
 https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
 https://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=00de7bad9291121f3b93e70a6959b540b002f742774823c358c7a416c2e2ed4b
+PKG_HASH:=e77951eaa4aaa92b30e6f3ff6c915081a21c8cc70000e7f25a7a285eed0acbe7
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
 
diff --git a/net/bind/patches/010-openssl-deprecated.patch b/net/bind/patches/010-openssl-deprecated.patch
deleted file mode 100644
index 2b88bd5d0..000000000
--- a/net/bind/patches/010-openssl-deprecated.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From a9f883cbc28b865d312918368772627cf9610a2f Mon Sep 17 00:00:00 2001
-From: Mark Andrews
-Date: Tue, 16 Mar 2021 21:58:55 +0000
-Subject: [PATCH] Stop using deprecated calls in lib/isc/tls.c
-
-from Rosen Penev @neheb
----
- lib/isc/tls.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/lib/isc/tls.c
-+++ b/lib/isc/tls.c
-@@ -12,10 +12,12 @@
- #include
- #include
-
-+#include
- #include
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -274,11 +276,19 @@ isc_tlsctx_createserver(const char *keyf
- rsa = NULL;
- ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
-
-+#if OPENSSL_VERSION_NUMBER < 0x10101000L
- X509_gmtime_adj(X509_get_notBefore(cert), 0);
-+#else
-+ X509_gmtime_adj(X509_getm_notBefore(cert), 0);
-+#endif
- /*
- * We set the vailidy for 10 years.
- */
-+#if OPENSSL_VERSION_NUMBER < 0x10101000L
- X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600);
-+#else
-+ X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
-+#endif
-
- X509_set_pubkey(cert, pkey);
-