Google Git
Sign in
android-kvm / buildroot / c1ad352d26de110c4784dadca428d4b740324ecf
commitc1ad352d26de110c4784dadca428d4b740324ecf[log] [tgz]
authorPeter Korsgaard <peter@korsgaard.com>Fri Feb 22 14:40:38 2019 +0100
committerPeter Korsgaard <peter@korsgaard.com>Sat Feb 23 19:36:58 2019 +0100
tree38624d354fd28a4a60433d1f2e8be4bce7e9bb4f
parent37f35c2bc970f149fa4dbfa60c85103a78a19004 [diff]
package/bind: security bump to version 9.11.5-P4

Fixes the following security issues:

- named could crash during recursive processing of DNAME records when
  deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
  [GL #387]

- When recursion is enabled but the allow-recursion and allow-query-cache
  ACLs are not specified, they should be limited to local networks, but they
  were inadvertently set to match the default allow-query, thus allowing
  remote queries.  This flaw is disclosed in CVE-2018-5738.  [GL #309]

- Code change #4964, intended to prevent double signatures when deleting an
  inactive zone DNSKEY in some situations, introduced a new problem during
  zone processing in which some delegation glue RRsets are incorrectly
  identified as needing RRSIGs, which are then created for them using the
  current active ZSK for the zone.  In some, but not all cases, the
  newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
  incompletely -- this can result in a broken chain, affecting validation of
  proof of nonexistence for records in the zone.  [GL #771]

- named could crash if it managed a DNSSEC security root with managed-keys
  and the authoritative zone rolled the key to an algorithm not supported by
  BIND 9.  This flaw is disclosed in CVE-2018-5745.  [GL #780]

- named leaked memory when processing a request with multiple Key Tag EDNS
  options present.  ISC would like to thank Toshifumi Sakaguchi for bringing
  this to our attention.  This flaw is disclosed in CVE-2018-5744.  [GL
  #772]

- Zone transfer controls for writable DLZ zones were not effective as the
  allowzonexfr method was not being called for such zones.  This flaw is
  disclosed in CVE-2019-6465.  [GL #790]

For more details, see the release notes:

http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

Change the upstream URL to HTTPS as the webserver uses HSTS:

>>> bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy

Update the hash of the license file to account for a change of copyright
year:

-Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 12f644e2c52336579df74ac59089dc2aa0469c2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2 files changed
tree: 38624d354fd28a4a60433d1f2e8be4bce7e9bb4f
  1. arch/
  2. board/
  3. boot/
  4. configs/
  5. docs/
  6. fs/
  7. linux/
  8. package/
  9. support/
  10. system/
  11. toolchain/
  12. utils/
  13. .defconfig
  14. .flake8
  15. .gitignore
  16. .gitlab-ci.yml
  17. .gitlab-ci.yml.in
  18. CHANGES
  19. Config.in
  20. Config.in.legacy
  21. COPYING
  22. DEVELOPERS
  23. Makefile
  24. Makefile.legacy
  25. README