deleted file mode 100644
@@ -1,35 +0,0 @@
-From a3af4a405baf5ff582e82aaba392dd9667d94bdc Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Mon, 27 Aug 2018 21:24:20 +0800
-Subject: [PATCH] `named/lwresd -V' and start log hide build options
-
-The build options expose build path directories, so hide them.
-[snip]
-$ named -V
-|built by make with *** (options are hidden)
-[snip]
-
-Upstream-Status: Inappropriate [oe-core specific]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-
-Refreshed for 9.16.0
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- bin/named/include/named/globals.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: bind-9.16.0/bin/named/include/named/globals.h
-===================================================================
---- bind-9.16.0.orig/bin/named/include/named/globals.h
-+++ bind-9.16.0/bin/named/include/named/globals.h
-@@ -69,7 +69,7 @@ EXTERN const char *named_g_version I
- EXTERN const char *named_g_product INIT(PRODUCT);
- EXTERN const char *named_g_description INIT(DESCRIPTION);
- EXTERN const char *named_g_srcid INIT(SRCID);
--EXTERN const char *named_g_configargs INIT(CONFIGARGS);
-+EXTERN const char *named_g_configargs INIT("*** (options are hidden)");
- EXTERN const char *named_g_builder INIT(BUILDER);
- EXTERN in_port_t named_g_port INIT(0);
- EXTERN isc_dscp_t named_g_dscp INIT(-1);
deleted file mode 100644
@@ -1,76 +0,0 @@
-From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Fri, 24 Sep 2021 09:35:11 +0200
-Subject: [PATCH] Disable lame-ttl cache
-
-The lame-ttl cache is implemented in ADB as per-server locked
-linked-list "indexed" with <qname,qtype>. This list has to be walked
-every time there's a new query or new record added into the lame cache.
-Determined attacker can use this to degrade performance of the resolver.
-
-Resolver testing has shown that disabling the lame cache has little
-impact on the resolver performance and it's a minimal viable defense
-against this kind of attack.
-
-CVE: CVE-2021-25219
-
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- bin/named/config.c | 2 +-
- bin/named/server.c | 7 +++++--
- doc/arm/reference.rst | 6 +++---
- 3 files changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/bin/named/config.c b/bin/named/config.c
-index fa8473db7c..b6453b814e 100644
---- a/bin/named/config.c
-+++ b/bin/named/config.c
-@@ -151,7 +151,7 @@ options {\n\
- fetches-per-server 0;\n\
- fetches-per-zone 0;\n\
- glue-cache yes;\n\
-- lame-ttl 600;\n"
-+ lame-ttl 0;\n"
- #ifdef HAVE_LMDB
- " lmdb-mapsize 32M;\n"
- #endif /* ifdef HAVE_LMDB */
-diff --git a/bin/named/server.c b/bin/named/server.c
-index 638703e8c2..35ad6a0b7f 100644
---- a/bin/named/server.c
-+++ b/bin/named/server.c
-@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
- result = named_config_get(maps, "lame-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- lame_ttl = cfg_obj_asduration(obj);
-- if (lame_ttl > 1800) {
-- lame_ttl = 1800;
-+ if (lame_ttl > 0) {
-+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
-+ "disabling lame cache despite lame-ttl > 0 as it "
-+ "may cause performance issues");
-+ lame_ttl = 0;
- }
- dns_resolver_setlamettl(view->resolver, lame_ttl);
-
-diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
-index 3bc4439745..fea854f3d1 100644
---- a/doc/arm/reference.rst
-+++ b/doc/arm/reference.rst
-@@ -3358,9 +3358,9 @@ Tuning
- ^^^^^^
-
- ``lame-ttl``
-- This sets the number of seconds to cache a lame server indication. 0
-- disables caching. (This is **NOT** recommended.) The default is
-- ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
-+ This is always set to 0. More information is available in the
-+ `security advisory for CVE-2021-25219
-+ <https://kb.isc.org/docs/cve-2021-25219>`_.
-
- ``servfail-ttl``
- This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
-2.17.1
-
deleted file mode 100644
@@ -1,65 +0,0 @@
-From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Mon, 15 Nov 2021 16:26:52 +0800
-Subject: [PATCH] Enable lame response detection even with disabled lame cache
-
-Previously, when lame cache would be disabled by setting lame-ttl to 0,
-it would also disable lame answer detection. In this commit, we enable
-the lame response detection even when the lame cache is disabled. This
-enables stopping answer processing early rather than going through the
-whole answer processing flow.
-
-CVE: CVE-2021-25219
-
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- lib/dns/resolver.c | 23 ++++++++++++-----------
- 1 file changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 50fadc0..9291bd4 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
- */
- static isc_result_t
- rctx_lameserver(respctx_t *rctx) {
-- isc_result_t result;
-+ isc_result_t result = ISC_R_SUCCESS;
- fetchctx_t *fctx = rctx->fctx;
- resquery_t *query = rctx->query;
-
-- if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
-- !is_lame(fctx, query->rmessage))
-- {
-+ if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
- return (ISC_R_SUCCESS);
- }
-
- inc_stats(fctx->res, dns_resstatscounter_lame);
- log_lame(fctx, query->addrinfo);
-- result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
-- fctx->type, rctx->now + fctx->res->lame_ttl);
-- if (result != ISC_R_SUCCESS) {
-- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
-- "could not mark server as lame: %s",
-- isc_result_totext(result));
-+ if (fctx->res->lame_ttl != 0) {
-+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
-+ &fctx->name, fctx->type,
-+ rctx->now + fctx->res->lame_ttl);
-+ if (result != ISC_R_SUCCESS) {
-+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
-+ "could not mark server as lame: %s",
-+ isc_result_totext(result));
-+ }
- }
- rctx->broken_server = DNS_R_LAME;
- rctx->next_server = true;
-2.17.1
-
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/0001-avoid-start-failure-with-bind-user.patch
rename to meta/recipes-connectivity/bind/bind-9.16.28/0001-avoid-start-failure-with-bind-user.patch
new file mode 100644
@@ -0,0 +1,40 @@
+From ed30068de0349af0296f16523a623574ed3f803b Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 25 Apr 2022 15:55:14 +0800
+Subject: [PATCH] `named/lwresd -V' and start log hide build options
+
+The build options expose build path directories, so hide them.
+[snip]
+$ named -V
+|built by make with *** (options are hidden)
+[snip]
+
+Upstream-Status: Inappropriate [oe-core specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
+Refreshed for 9.16.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Rebased to 9.16.28
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ bin/named/include/named/globals.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
+index 82b632e..b33a27b 100644
+--- a/bin/named/include/named/globals.h
++++ b/bin/named/include/named/globals.h
+@@ -71,7 +71,7 @@ EXTERN const char *named_g_version INIT(VERSION);
+ EXTERN const char *named_g_product INIT(PRODUCT);
+ EXTERN const char *named_g_description INIT(DESCRIPTION);
+ EXTERN const char *named_g_srcid INIT(SRCID);
+-EXTERN const char *named_g_configargs INIT(CONFIGARGS);
++EXTERN const char *named_g_configargs INIT("*** (options are hidden)");
+ EXTERN const char *named_g_builder INIT(BUILDER);
+ EXTERN in_port_t named_g_port INIT(0);
+ EXTERN isc_dscp_t named_g_dscp INIT(-1);
+--
+2.25.1
+
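Review bot: The new initializer for `named_g_configargs` hides every configure option, not only the ones that carry build paths, so `named -V` and the start-up log can no longer tell an operator or incident responder which features this binary was built with. The patch description should say so, for example `Note: feature options are hidden from 'named -V' as well; check the recipe's configure settings to see what was enabled.` Whether `CONFIGARGS` is still referenced elsewhere in the tree cannot be seen from this hunk, so it is worth confirming that no other installed file still embeds the build paths.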
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to meta/recipes-connectivity/bind/bind-9.16.28/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/bind9
rename to meta/recipes-connectivity/bind/bind-9.16.28/bind9
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/conf.patch
rename to meta/recipes-connectivity/bind/bind-9.16.28/conf.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/generate-rndc-key.sh
rename to meta/recipes-connectivity/bind/bind-9.16.28/generate-rndc-key.sh
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/init.d-add-support-for-read-only-rootfs.patch
rename to meta/recipes-connectivity/bind/bind-9.16.28/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/make-etc-initd-bind-stop-work.patch
rename to meta/recipes-connectivity/bind/bind-9.16.28/make-etc-initd-bind-stop-work.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.16.16/named.service
rename to meta/recipes-connectivity/bind/bind-9.16.28/named.service
similarity index 93%
rename from meta/recipes-connectivity/bind/bind_9.16.16.bb
rename to meta/recipes-connectivity/bind/bind_9.16.28.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
SECTION = "console/network"
LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=ef10b4de6371115dcecdc38ca2af4561"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=4e7b3c52170a348459a4ff3f5ce95e37"
DEPENDS = "openssl libcap zlib libuv"
@@ -18,11 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
- file://CVE-2021-25219-1.patch \
- file://CVE-2021-25219-2.patch \
"
-SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b"
+SRC_URI[sha256sum] = "332e34dcbd723a2569efbaf4e79b62e6d56c9abd5bb8411df01533f984d1a370"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.16 follow the ESV versions divisible by 4
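Review bot: Dropping `file://CVE-2021-25219-1.patch` and `file://CVE-2021-25219-2.patch` from SRC_URI is only safe if the 9.16.28 tarball already contains both upstream commits named in their Upstream-Status lines (8fe18c0566c41228a568157287f5a44f96d37662 and e4931584a34bdd0a0d18e4d918fb853bf5296787). Nothing visible in this diff records that check. After confirming it against the upstream tag, I would state it in the commit message, for example `Drop CVE-2021-25219 backports, both commits are included in 9.16.28`. The new `SRC_URI[sha256sum]` should likewise come from a tarball verified against the signature ISC publishes alongside it, not from whatever the first fetch returned.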
@@ -64,8 +62,6 @@ SYSTEMD_SERVICE_${PN} = "named.service"
do_install_append() {
- rmdir "${D}${localstatedir}/run"
- rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
install -d -o bind "${D}${localstatedir}/cache/bind"
install -d "${D}${sysconfdir}/bind"
install -d "${D}${sysconfdir}/init.d"