From 037f1def7d0da79868e0e303996d9fb14efb54ac Mon Sep 17 00:00:00 2001
From: Noah Meyerhans
Date: Wed, 13 Jun 2018 17:25:38 -0700
Subject: [PATCH] bind: Update to version 9.11.3 and optionally support eddsa for dnssec
EdDSA support is optional and currently defaults to being disabled.
The following security issues are addressed with this update:
* An error in TSIG handling could permit unauthorized zone transfers or zone updates. These flaws are disclosed in CVE-2017-3142 and CVE-2017-3143.
* The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. This flaw is disclosed in CVE-2017-3141.
* With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop. This flaw is disclosed in CVE-2017-3140.
* Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. This bug is disclosed in CVE-2017-3145.
Signed-off-by: Noah Meyerhans
---
 net/bind/Config.in | 10 ++++++++++
 net/bind/Makefile | 5 +++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/net/bind/Config.in b/net/bind/Config.in
index ed3734642d..8973821f86 100644
--- a/net/bind/Config.in
+++ b/net/bind/Config.in
@@ -34,4 +34,14 @@ config BIND_LIBXML2
 format. Building with libjson support will require the libxml2 package to be installed as well.
+config BIND_ENABLE_EDDSA
+ bool
+ default n
+ prompt "Include Edwards Curve DNSSEC signature support"
+ help
+ Enable BIND support for Edwards Curve DNSSEC signing algorithms
+ described in RFC 8080.
+
+ Note that this requires OpenSSL 1.1, which is not currently
+ the available in OpenWRT, so it is disabled by default.
 endif
diff --git a/net/bind/Makefile b/net/bind/Makefile
index 1005eae3ac..f81846282f 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
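Review bot: The help text of the new BIND_ENABLE_EDDSA option has a typo on its last added line, `the available in OpenWRT` should read `available in OpenWrt`, and the same text documents that enabling the option cannot currently yield a working build. Nothing in the hunk stops a user from selecting the symbol, so a tree with it enabled will only fail later at configure time; consider saying so explicitly in the help text, or gating the prompt with a `depends on` line once a symbol for the required OpenSSL version exists, so the option cannot be selected where it cannot work. `bool` followed by `default n` is redundant since a bool symbol already defaults to n, though harmless.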
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=bind
-PKG_VERSION:=9.11.2-P1
+PKG_VERSION:=9.11.3
 PKG_RELEASE:=1
 USERID:=bind=57:bind=57
@@ -20,7 +20,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:= \
 http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
 http://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=cec31548832fca3f85d95178d4019b7d702039e8595d4c93914feba337df1212
+PKG_HASH:=0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
@@ -125,6 +125,7 @@ CONFIGURE_ARGS += \
 --with-gost=no \
 --with-gssapi=no \
 --with-ecdsa=$(if $(CONFIG_OPENSSL_WITH_EC),yes,no) \
+ --with-eddsa=$(if $(CONFIG_BIND_ENABLE_EDDSA),yes,no) \
 --with-readline=no \
 --sysconfdir=/etc/bind
--
2.30.2
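Review bot: The new `--with-eddsa` argument in the third hunk reads CONFIG_BIND_ENABLE_EDDSA, but the commit does not add that symbol to the package's `PKG_CONFIG_DEPENDS`, so toggling the option after a first build may not trigger a reconfigure of the already-built tree; if that list exists elsewhere in the Makefile it should gain `CONFIG_BIND_ENABLE_EDDSA`, and if it does not, one should be added alongside the other `PKG_*` variables. The `CONFIGURE_ARGS +=` block starts before this hunk. A short comment next to the added line, e.g. `# EdDSA (RFC 8080) needs OpenSSL 1.1; see BIND_ENABLE_EDDSA in Config.in`, would tell the next maintainer why the flag defaults to off. The version and hash hunks are a plain bump and need no change.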