Bug #6547

closed

Can the BIND release be upgraded to BIND 9.10.3

Added by r a about 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version: -
Start date: 2016-01-09
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

Can the version of BIND supplied with OpenIndiana be upgraded to BIND 9.10.3? I have successfully built and tested BIND 9.10.3 on the latest release of OpenIndiana using the following configure options.
I enabled --enable-fetchlimit and --with-geoip for those wishing to use OpenIndiana in an Internet facing environment.

For a 64bit build

CC=gcc CXX=g++ F77=gfortran FC=gfortran CFLAGS='-m64 -O3' CXXFLAGS=-m64 FFLAGS=-m64 FCFLAGS=-m64 LDFLAGS=-m64 PKG_CONFIG_PATH=/usr/lib/pkgconfig ./configure --prefix=/usr --mandir=/usr/share/man --bindir=/usr/sbin --libdir=/usr/lib/dns --with-libtool --sbindir=/usr/sbin --sysconfdir=/etc --localstatedir=/var --with-openssl --enable-threads=yes --enable-devpoll=yes --disable-openssl-version-check --enable-fixed-rrset --with-pkcs11 --with-libxml2=/usr --enable-fetchlimit --enable-seccomp --with-geoip --enable-ipv6

Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] starting BIND 9.10.3-P2 <id:f9be8b2>
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] built with '--prefix=/usr' '--mandir=/usr/share/man' '--bindir=/usr/sbin' '--libdir=/usr/lib/dns' '--with-libtool' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--with-openssl' '--enable-threads=yes' '--enable-devpoll=yes' '--disable-openssl-version-check' '--enable-fixed-rrset' '--with-pkcs11' '--with-libxml2=/usr' '--enable-fetchlimit' '--enable-seccomp' '--with-geoip' '--enable-ipv6' 'CC=gcc' 'CFLAGS=-m64 O3' 'LDFLAGS=-m64'
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] ---------------------------------------------------

Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] corporation. Support and training for BIND 9 are
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] available at https://www.isc.org/support
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] ----------------------------------------------------
Jan 9 15:12:16 tesla named29776: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953

For a 32bit build

CC=gcc CXX=g++ F77=gfortran FC=gfortran CFLAGS='-m32 -O3' CXXFLAGS=-m32 FFLAGS=-m32 FCFLAGS=-m32 LDFLAGS=-m32 PKG_CONFIG_PATH=/usr/lib/pkgconfig ./configure --prefix=/usr --mandir=/usr/share/man --bindir=/usr/sbin --libdir=/usr/lib/dns --with-libtool --sbindir=/usr/sbin --sysconfdir=/etc --localstatedir=/var --with-openssl --enable-threads=yes --enable-devpoll=yes --disable-openssl-version-check --enable-fixed-rrset --with-pkcs11 --with-libxml2=/usr --enable-fetchlimit --enable-seccomp --with-geoip --enable-ipv6

Actions #1

Updated by Aurélien Larcher about 6 years ago

Hello,
could you clone oi-userland:

git clone https://github.com/OpenIndiana/oi-userland.git

cd path/to/oi-userland && gmake setup

then fix the related component Makefile:

https://github.com/OpenIndiana/oi-userland/blob/oi/hipster/components/bind/Makefile

to at least pass the gmake install target?
It does not install to your system but just in the component's directory and it should not take too much time.

If you have the opportunity you can even gmake sample-manifest and review changes compared to the existing bind.p5m and bindc.p5m manifests: directories, *.a and *.la should be removed from the list of generated files.

Could you also review if any CVE applies?

Best regards

Aurelien

Actions #2

Updated by r a about 6 years ago

Hi Aurelien

I have never cloned oi-userland before, so the entire process is outside my experience. I usually just set --prefix=/opt/gnu and use ln -s to replace the current binaries.

In terms of CVEs, BIND 9.10.3-P2 addresses the security issues described in CVE-2015-3193 (OpenSSL), CVE-2015-8000 and CVE-2015-8461.

Actions #3

Updated by Aurélien Larcher about 6 years ago

Hello,
you can just follow the steps I wrote; it does not take long to modify the component Makefile according to your configuration steps:

- change the version and make sure that the download link is correct.
- type gmake download, it will download and check the sha256 hash
- replace the hash in the Makefile with the one listed as actual
- type 'gmake prep' to download, verify, extract and patch
- change any configuration flags
- type 'gmake build'
- if everything is fine type 'gmake install'

If you feel uncomfortable dealing with git, just attach the new Makefile to this ticket.

Thank you for reviewing the CVEs :)
Best regards

Aurelien
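
Copying the hash that gmake download lists as actual pins whatever was fetched, so it is worth comparing the archive against the pinned value again before building, and against a digest obtained independently of the download. The script below is an added example, not part of this ticket or of oi-userland; it assumes the pin is a `sha256:<hex>` value on or after a `COMPONENT_ARCHIVE_HASH` line, and the sample files are constructed.

```shell
# Verify a source archive against the sha256 pinned in a component Makefile.
# Assumption: the pin follows COMPONENT_ARCHIVE_HASH as "sha256:<hex>",
# either on the same line or on a backslash-continued line.

# Print the pinned hex digest found in the Makefile given as $1.
pinned_hash() {
    awk '/^COMPONENT_ARCHIVE_HASH/ { found = 1 }
         found && match($0, /sha256:[0-9a-f]+/) {
             print substr($0, RSTART + 7, RLENGTH - 7); exit
         }' "$1"
}

# Print the sha256 hex digest of the file given as $1.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        digest -a sha256 "$1"    # illumos/Solaris digest(1)
    fi
}

# Return 0 if archive $2 matches the pin in Makefile $1, 1 on mismatch,
# 2 if the Makefile carries no 64-hex-digit pin or hashing fails.
verify_archive() {
    want=$(pinned_hash "$1")
    [ "${#want}" -eq 64 ] || { echo "no valid sha256 pin in $1" >&2; return 2; }
    got=$(file_hash "$2") || return 2
    if [ "$want" = "$got" ]; then
        echo "OK $2"
    else
        echo "MISMATCH $2: pinned $want, actual $got" >&2
        return 1
    fi
}

# Constructed demo: a stand-in archive and a Makefile fragment pinning it,
# then the same archive after modification.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed sample archive\n' > "$dir/src.tar.gz"
    printf 'COMPONENT_ARCHIVE_HASH= \\\n    sha256:%s\n' \
        "$(file_hash "$dir/src.tar.gz")" > "$dir/Makefile"
    verify_archive "$dir/Makefile" "$dir/src.tar.gz" && ok=0 || ok=$?
    printf 'tampered\n' >> "$dir/src.tar.gz"
    verify_archive "$dir/Makefile" "$dir/src.tar.gz" 2>/dev/null && bad=0 || bad=$?
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
demo
```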

Actions #4

Updated by Alexander Pyhalov about 6 years ago

  • Status changed from New to Resolved
  • Assignee set to Alexander Pyhalov
  • % Done changed from 0 to 100