Commit 46b10b01 authored by Gustavo Zacarias, committed by Peter Korsgaard

bind: security bump to version 9.9.5



Fixes CVE-2014-0591 (a crafted query against an NSEC3-signed zone can
crash BIND).
The 9.9.x series is the new ESV version; 9.6.x has been retired.
Also cleanup the initscript while at it.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
parent f20f48e5
+2 −3
@@ -2,8 +2,7 @@ config BR2_PACKAGE_BIND
	bool "bind"
	depends on BR2_INET_IPV6
	depends on BR2_LARGEFILE
	# fork()
	depends on BR2_USE_MMU
	depends on BR2_USE_MMU # fork()
	help
	  BIND (Berkeley Internet Name Domain) is an implementation of
	  the Domain Name System (DNS) protocols and provides an openly
@@ -35,7 +34,7 @@ config BR2_PACKAGE_BIND_SERVER
config BR2_PACKAGE_BIND_TOOLS
	bool "Install tools"
	help
	  Install tools (host, nslookup, dig, nsupdate)
	  Install tools (dig, host, nslookup, nsupdate)

endif

+14 −31
#!/bin/sh
#
# System-V init to control the bind DNS Daemon
#

NAME=named
DAEMON=/usr/sbin/$NAME
CONFIG=/etc/bind/named.conf
DAEMON=/usr/sbin/named

# this file contains a few tunable parameters
test -r /etc/default/named && . /etc/default/named

test -f $DAEMON || exit 0

set -e
[ -x $DAEMON ] || exit 0
[ -f $CONFIG ] || exit 0

case "$1" in
	start)
		test -z "$CHROOT" || ARGS="$ARGS -t $CHROOT"
		test -z "$SETUID" || ARGS="$ARGS -u $SETUID"
		if [ ! -f $CHROOT/etc/rndc.key ]; then
		    echo "Initializing $NAME control key: rndc-confgen"
		    set +e

		if [ ! -f /etc/rndc.key ]; then
		    echo -n "Initializing bind control key: "
                    # if rndc.key is a symlink, the target must exist
		    touch $CHROOT/etc/rndc.key
		    touch etc/rndc.key

		    rndc-confgen -a -r /dev/urandom $ARGS || true
		    set -e
		    touch /etc/rndc.key
		    rndc-confgen -a -r /dev/urandom 2>/dev/null && echo "OK" || echo "FAIL"
		fi
		test -z "$CONF" || ARGS="$ARGS -c $CONF"
		echo -n "Starting domain name daemon: $NAME"
		trap 'echo failed' 0
		start-stop-daemon -S -x $DAEMON -- $ARGS
		trap - 0
		echo "."
		echo -n "Starting domain name daemon: "
		start-stop-daemon -S -x $DAEMON -- -c $CONFIG -u named
		[ $? == 0 ] && echo "OK" || echo "FAIL"
		;;
	stop)
		echo -n "Stopping domain name daemon: $NAME"
		echo -n "Stopping domain name daemon: "
		rndc stop || start-stop-daemon -K -x $DAEMON
		echo "."
		[ $? == 0 ] && echo "OK" || echo "FAIL"
		;;
	restart)
		$0 stop || true
		sleep 2
		sleep 1
		$0 start
		;;
	reload|force-reload)
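Review bot: In the new start branch, `touch /etc/rndc.key` runs before `rndc-confgen`, so when key generation fails (the FAIL path on the following line) an empty /etc/rndc.key is left behind and every later boot skips generation because `[ ! -f /etc/rndc.key ]` is then satisfied; named may start without a usable control key, and `rndc stop` in the stop branch silently falls back to `start-stop-daemon -K`, hiding the problem. Guarding on content rather than existence, `if [ ! -s /etc/rndc.key ]; then`, makes a failed run retry on the next start. Separately, `[ $? == 0 ]` is not POSIX test syntax (`==` is accepted by busybox but not by every /bin/sh); `[ $? = 0 ]` is portable. With `set -e` and the `trap 'echo failed' 0` gone, the script now exits 0 even when start-stop-daemon fails, so `restart` cannot tell that `$0 start` did not bring the daemon up. The /etc/default/named hook, and with it the `-t $CHROOT` and `-u $SETUID` tunables, is dropped without mention in the commit message; worth confirming that losing the chroot option is intended.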
+19 −7
@@ -2,15 +2,27 @@ Disable tests to avoid cross-compilation issues (tries to run genrandom).

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

diff -Nura bind-9.6-ESV-R9-P1.orig/bin/Makefile.in bind-9.6-ESV-R9-P1/bin/Makefile.in
--- bind-9.6-ESV-R9-P1.orig/bin/Makefile.in	2013-06-04 15:30:48.000000000 -0300
+++ bind-9.6-ESV-R9-P1/bin/Makefile.in	2013-07-19 15:32:19.018287733 -0300
diff -Nura bind-9.9.4-P2.orig/bin/Makefile.in bind-9.9.4-P2/bin/Makefile.in
--- bind-9.9.4-P2.orig/bin/Makefile.in	2013-12-19 21:28:28.000000000 -0300
+++ bind-9.9.4-P2/bin/Makefile.in	2014-01-17 11:41:25.378784210 -0300
@@ -19,7 +19,7 @@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig dnssec tests nsupdate check
+SUBDIRS =	named rndc dig dnssec nsupdate check
-SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
+SUBDIRS =	named rndc dig dnssec tools nsupdate \
 		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
 TARGETS =
 
diff -Nura bind-9.9.4-P2.orig/lib/Makefile.in bind-9.9.4-P2/lib/Makefile.in
--- bind-9.9.4-P2.orig/lib/Makefile.in	2013-12-19 21:28:28.000000000 -0300
+++ bind-9.9.4-P2/lib/Makefile.in	2014-01-17 11:41:30.489954861 -0300
@@ -23,7 +23,7 @@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
-SUBDIRS =	isc isccc dns isccfg bind9 lwres tests
+SUBDIRS =	isc isccc dns isccfg bind9 lwres
 TARGETS =
 
 @BIND9_MAKE_RULES@
+51 −25
@@ -4,26 +4,36 @@
#
################################################################################

BIND_VERSION = 9.6-ESV-R10
BIND_VERSION = 9.9.5
BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
BIND_MAKE = $(MAKE1)
BIND_INSTALL_STAGING = YES
BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
BIND_LICENSE = ISC
BIND_LICENSE_FILES = COPYRIGHT
BIND_TARGET_SBINS = lwresd named named-checkconf named-checkzone
BIND_TARGET_SBINS += named-compilezone rndc rndc-confgen dnssec-dsfromkey
BIND_TARGET_SBINS += dnssec-keyfromlabel dnssec-keygen dnssec-signzone
BIND_TARGET_BINS = dig host nslookup nsupdate
BIND_TARGET_LIBS = libbind9.* libdns.* libisc.* libisccc.* libisccfg.* liblwres.*
BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
BIND_TARGET_SERVER_SBIN += isc-hmac-fixup named-journalprint nsec3hash
BIND_TARGET_SERVER_SBIN += lwresd named named-checkconf named-checkzone
BIND_TARGET_SERVER_SBIN += named-compilezone rndc rndc-confgen dnssec-dsfromkey
BIND_TARGET_SERVER_SBIN += dnssec-keyfromlabel dnssec-signzone
BIND_TARGET_TOOLS_BIN = dig host nslookup nsupdate
BIND_CONF_ENV =	BUILD_CC="$(TARGET_CC)" \
		BUILD_CFLAGS="$(TARGET_CFLAGS)"
BIND_CONF_OPT =	--sysconfdir=/etc \
		--localstatedir=/var \
BIND_CONF_OPT = --localstatedir=/var \
		--with-randomdev=/dev/urandom \
		--enable-epoll --with-libtool
		--enable-epoll --with-libtool \
		--with-gssapi=no --enable-rrl

ifeq ($(BR2_PACKAGE_LIBCAP),y)
	BIND_CONF_OPT += --enable-linux-caps
	BIND_DEPENDENCIES += libcap
else
	BIND_CONF_OPT += --disable-linux-caps
endif

ifeq ($(BR2_PACKAGE_LIBXML2),y)
	BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr
	BIND_CONF_OPT += --with-libxml2=$(STAGING_DIR)/usr --enable-newstats
	BIND_DEPENDENCIES += libxml2
else
	BIND_CONF_OPT += --with-libxml2=no
@@ -31,36 +41,52 @@ endif

ifeq ($(BR2_PACKAGE_OPENSSL),y)
	BIND_DEPENDENCIES += openssl
	BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz"
	BIND_CONF_OPT += --with-openssl=$(STAGING_DIR)/usr LIBS="-lz" \
		--with-ecdsa=yes
# GOST cipher support requires openssl extra engines
ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
	BIND_CONF_OPT += --with-gost=yes
else
	BIND_CONF_OPT += --with-gost=no
endif
else
	BIND_CONF_OPT += --with-openssl=no
endif

define BIND_INSTALL_INIT_SYSV
	$(INSTALL) -m 0755 -D package/bind/S81named \
		$(TARGET_DIR)/etc/init.d/S81named
endef

define BIND_TARGET_INSTALL_FIXES
	rm -f $(TARGET_DIR)/usr/bin/isc-config.sh
endef
# Used by dnssec-checkds and dnssec-coverage
ifeq ($(BR2_PACKAGE_PYTHON)$(BR2_PACKAGE_PYTHON3),)
	BIND_CONF_OPT += --with-python=no
endif

BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_INSTALL_FIXES
ifeq ($(BR2_PACKAGE_READLINE),y)
	BIND_DEPENDENCIES += readline
else
	BIND_CONF_OPT += --with-readline=no
endif

define BIND_TARGET_REMOVE_SERVER
	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SBINS))
	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SERVER_SBIN))
endef

define BIND_TARGET_REMOVE_TOOLS
	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_BINS))
	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_TOOLS_BIN))
endef

ifneq ($(BR2_PACKAGE_BIND_SERVER),y)
ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
define BIND_INSTALL_INIT_SYSV
        $(INSTALL) -m 0755 -D package/bind/S81named \
                $(TARGET_DIR)/etc/init.d/S81named
endef
else
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
endif

ifneq ($(BR2_PACKAGE_BIND_TOOLS),y)
ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
endif

define BIND_USERS
named -1 named -1 * /etc/bind - - BIND daemon
endef

$(eval $(autotools-package))
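Review bot: The new `define BIND_INSTALL_INIT_SYSV` body near the end of the second hunk is indented with spaces, while every other define in this file (`BIND_TARGET_REMOVE_SERVER`, `BIND_TARGET_REMOVE_TOOLS`, and the define it replaces) uses a tab; the two `$(INSTALL)` lines should be re-indented with tabs to match. The tools guard just below it switches to `ifeq ($(BR2_PACKAGE_BIND_TOOLS),)` while the server guard a few lines above tests `ifeq ($(BR2_PACKAGE_BIND_SERVER),y)` with an `else`; using the same form for both keeps the two removal hooks visibly parallel. The added `--with-gssapi=no --enable-rrl` configure options carry no explanation, unlike the GOST block which has one; a comment such as `# RRL: response rate limiting, mitigates use of the server as a reflector in amplification abuse` and a note on why GSS-API (GSS-TSIG) is disabled would help the next maintainer decide whether either should become a Kconfig option.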