openembedded-core.git/meta/recipes-connectivity/bind, branch pyro Mirror of openembedded-core bind: Security fix CVE-2016-6170 2017-04-28T10:26:07+00:00 Yi Zhao yi.zhao@windriver.com 2017-04-13T05:48:13+00:00 14abd767349bc868ca59838f1af3aaf17dfe4350 CVE-2016-6170: ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message. External References: https://nvd.nist.gov/vuln/detail/CVE-2016-6170 Patch from: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
CVE-2016-6170: ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and
9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of
service (secondary DNS server crash) via a large AXFR response, and
possibly allows IXFR servers to cause a denial of service (IXFR client
crash) via a large IXFR response and allows remote authenticated users
to cause a denial of service (primary DNS server crash) via a large
UPDATE message.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-6170

Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: Security fix CVE-2016-8864 2017-04-28T10:26:07+00:00 Yi Zhao yi.zhao@windriver.com 2017-04-13T05:48:12+00:00 c06f3a5993c7d63d91840c2a4d5b621e946ef78f CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. External References: https://nvd.nist.gov/vuln/detail/CVE-2016-8864 Patch from: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before
9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause
a denial of service (assertion failure and daemon exit) via a DNAME
record in the answer section of a response to a recursive query,
related to db.c and resolver.c.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8864

Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: fix two CVEs 2016-10-15T08:58:56+00:00 Zheng Ruoqin zhengrq.fnst@cn.fujitsu.com 2016-10-14T14:11:04+00:00 5f4588d675e400f13bb6001df04790c867a95230 Add two CVE patches from upstream git: https://www.isc.org/git/ 1.CVE-2016-2775.patch 2.CVE-2016-2776.patch Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Add two CVE patches from upstream
git: https://www.isc.org/git/

1.CVE-2016-2775.patch
2.CVE-2016-2776.patch

Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
meta: update patch metadata 2016-07-08T08:55:40+00:00 Ross Burton ross.burton@intel.com 2016-06-27T19:59:19+00:00 606a43dc38a00cc243f933722db657aea4129f8e Enforce the correct tag names across all of oe-core for consistency. Signed-off-by: Ross Burton <ross.burton@intel.com> 
Enforce the correct tag names across all of oe-core for consistency.

Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: switch Python dependency to Python 3.x 2016-06-02T10:45:24+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2016-06-02T09:25:38+00:00 a10fd8722fb7c5f2c5a206203d0c7f4237a86466 Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bind: CVE-2016-2088 2016-04-18T15:27:45+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2016-04-15T12:03:17+00:00 da38a9840b32e80464e2938395db5c9167729f7e Duplicate EDNS COOKIE options in a response could trigger an assertion failure: Fix with a backport. bind as built with the oe-core recipe is not at risk: Only servers which are built with DNS cookie support (--enable-sit) are vulnerable to denial of service. Fixes [YOCTO #9438] Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Duplicate EDNS COOKIE options in a response could trigger an
assertion failure: Fix with a backport.

bind as built with the oe-core recipe is not at risk: Only servers
which are built with DNS cookie support (--enable-sit) are vulnerable
to denial of service.

Fixes [YOCTO #9438]

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: CVE-2016-1285 CVE-2016-1286 2016-04-14T09:58:27+00:00 Sona Sarmadi sona.sarmadi@enea.com 2016-04-13T06:32:15+00:00 080d1a313e4982dd05846b375ebf936c46934d80 Fixes following vulnerabilities: CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure CVE-2016-1286 bind: malformed signature records for DNAME records can trigger assertion failure [YOCTO #9400] External References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286 References to the Upstream commits and Security Advisories: =========================================================== CVE-2016-1285: https://kb.isc.org/article/AA-01352 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=70037e040e587329cec82123e12b9f4f7c945f67 CVE-2016-1286_1: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=a3d327bf1ceaaeabb20223d8de85166e940b9f12 CVE-2016-1286_2: https://kb.isc.org/article/AA-01353 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch; h=7602be276a73a6eb5431c5acd9718e68a55e8b61 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Fixes following vulnerabilities:
CVE-2016-1285 bind: malformed packet sent to rndc can trigger assertion failure
CVE-2016-1286 bind: malformed signature records for DNAME records can
trigger assertion failure

[YOCTO #9400]

External References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1285
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286

References to the Upstream commits and Security Advisories:
===========================================================
CVE-2016-1285: https://kb.isc.org/article/AA-01352
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=70037e040e587329cec82123e12b9f4f7c945f67

CVE-2016-1286_1: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=a3d327bf1ceaaeabb20223d8de85166e940b9f12

CVE-2016-1286_2: https://kb.isc.org/article/AA-01353
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;
h=7602be276a73a6eb5431c5acd9718e68a55e8b61

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: /var/cache/bind 2016-03-24T21:44:27+00:00 Joe Slater jslater@windriver.com 2016-03-22T20:36:19+00:00 6c76c9e5bb4f4bf6adfac7ccece03d7dcdea7f3d Change the ownership of /var/cache/bind to bind rather than root. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Change the ownership of /var/cache/bind to bind rather than root.

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: update to 9.10.3-P3 2016-01-26T22:31:09+00:00 Derek Straka derek@asterius.io 2016-01-24T13:13:04+00:00 58d47cdf91076cf055046ce9ec5f3e2e21dae1c0 Addresses CVE-2015-8704 and CVE-2015-8705 CVE-2015-8704 Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record CVE-2015-8705: When debug loggin is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option [YOCTO 8966] References: https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705 Signed-off-by: Ross Burton <ross.burton@intel.com> 
Addresses CVE-2015-8704 and CVE-2015-8705

CVE-2015-8704
Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record

CVE-2015-8705:
When debug loggin is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option

[YOCTO 8966]

References:
https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705

Signed-off-by: Ross Burton <ross.burton@intel.com>
bind: 9.10.2-P4 -> 9.10.3-P2 2015-12-27T11:26:59+00:00 Kai Kang kai.kang@windriver.com 2015-12-22T01:04:54+00:00 b49751e7febd262b754043e4e523e6690bfbbfaa Upgrade bind from 9.10.2-P4 to 9.10.3-P2. * update context of 0001-build-use-pkg-config-to-find-libxml2.patch * add PACKAGECONFIGs readline and libedit. They provide same library, so should not be set at same time. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Upgrade bind from 9.10.2-P4 to 9.10.3-P2.

* update context of 0001-build-use-pkg-config-to-find-libxml2.patch
* add PACKAGECONFIGs readline and libedit. They provide same library, so
  should not be set at same time.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>