bind: bump to 9.17.12

Fixes the following security issues:

* CVE-2021-25215 - named crashed when a DNAME record placed in the ANSWER
                   section during DNAME chasing turned out to be the final
                   answer to a client query.
* CVE-2021-25214 - Insufficient IXFR checks could result in named serving a
                   zone without an SOA record at the apex, leading to a
                   RUNTIME_CHECK assertion failure when the zone was
                   subsequently refreshed. This has been fixed by adding an
                   owner name check for all SOA records which are included
                   in a zone transfer.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>

diff --git a/net/bind/Makefile b/net/bind/Makefile
index f29ac6d6fee482972a9522052f75bd6d6bfa7688..b487da3db019effa436615d93684cdb062afc578 100644 (file)
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bind
-PKG_VERSION:=9.17.11
+PKG_VERSION:=9.17.12
 PKG_RELEASE:=$(AUTORELEASE)
 USERID:=bind=57:bind=57
 
@@ -22,7 +22,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:= \
        https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
        https://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=00de7bad9291121f3b93e70a6959b540b002f742774823c358c7a416c2e2ed4b
+PKG_HASH:=e77951eaa4aaa92b30e6f3ff6c915081a21c8cc70000e7f25a7a285eed0acbe7
 
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=aclocal.m4 libtool.m4

diff --git a/net/bind/patches/010-openssl-deprecated.patch b/net/bind/patches/010-openssl-deprecated.patch
deleted file mode 100644 (file)
index 2b88bd5..0000000
--- a/net/bind/patches/010-openssl-deprecated.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From a9f883cbc28b865d312918368772627cf9610a2f Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 16 Mar 2021 21:58:55 +0000
-Subject: [PATCH] Stop using deprecated calls in lib/isc/tls.c
-
-from Rosen Penev @neheb
----
- lib/isc/tls.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/lib/isc/tls.c
-+++ b/lib/isc/tls.c
-@@ -12,10 +12,12 @@
- #include <inttypes.h>
- #include <nghttp2/nghttp2.h>
- 
-+#include <openssl/bn.h>
- #include <openssl/conf.h>
- #include <openssl/err.h>
- #include <openssl/opensslv.h>
- #include <openssl/rand.h>
-+#include <openssl/rsa.h>
- 
- #include <isc/atomic.h>
- #include <isc/log.h>
-@@ -274,11 +276,19 @@ isc_tlsctx_createserver(const char *keyf
-               rsa = NULL;
-               ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10101000L
-               X509_gmtime_adj(X509_get_notBefore(cert), 0);
-+#else
-+              X509_gmtime_adj(X509_getm_notBefore(cert), 0);
-+#endif
-               /*
-                * We set the vailidy for 10 years.
-                */
-+#if OPENSSL_VERSION_NUMBER < 0x10101000L
-               X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600);
-+#else
-+              X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
-+#endif
- 
-               X509_set_pubkey(cert, pkey);
-