diff options
author | Marc Schiffbauer <mschiff@gentoo.org> | 2016-03-24 00:29:50 +0100 |
---|---|---|
committer | Marc Schiffbauer <mschiff@gentoo.org> | 2016-03-24 01:24:33 +0100 |
commit | 56242b0f136e683c90c0fd1c704a39d1c2869366 (patch) | |
tree | b8c73594fdee6f8c46eb89d1e3d85510f4b3b054 /net-dns | |
parent | www-client/google-chrome-beta: automated update (diff) | |
download | gentoo-56242b0f136e683c90c0fd1c704a39d1c2869366.tar.gz gentoo-56242b0f136e683c90c0fd1c704a39d1c2869366.tar.bz2 gentoo-56242b0f136e683c90c0fd1c704a39d1c2869366.zip |
net-dns/opendnssec: revbump 1.3.18-r1 to fix bug #445172
Package-Manager: portage-2.2.28
Diffstat (limited to 'net-dns')
-rw-r--r-- | net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch | 12 | ||||
-rw-r--r-- | net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild | 204 |
2 files changed, 216 insertions, 0 deletions
diff --git a/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch new file mode 100644 index 000000000000..a0676dd091be --- /dev/null +++ b/net-dns/opendnssec/files/opendnssec-1.3.18-eppclient-curl-CVE-2012-5582.patch @@ -0,0 +1,12 @@ +diff -urN opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c opendnssec-1.3.18/plugins/eppclient/src/epp.c +--- opendnssec-1.3.18.orig/plugins/eppclient/src/epp.c 2014-07-21 11:16:10.000000000 +0200 ++++ opendnssec-1.3.18/plugins/eppclient/src/epp.c 2016-03-23 22:25:18.679354984 +0100 +@@ -390,7 +390,7 @@ + curl_easy_setopt(curl, CURLOPT_URL, url); + curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); +- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L); ++ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); + curl_easy_setopt(curl, CURLOPT_USE_SSL, CURLUSESSL_ALL); + curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlerr); + curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L); diff --git a/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild b/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild new file mode 100644 index 000000000000..0f38b649596e --- /dev/null +++ b/net-dns/opendnssec/opendnssec-1.3.18-r1.ebuild @@ -0,0 +1,204 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +MY_P="${P/_}" +PKCS11_IUSE="+softhsm opensc external-hsm" +inherit base autotools multilib user + +DESCRIPTION="An open-source turn-key solution for DNSSEC" +HOMEPAGE="http://www.opendnssec.org/" +SRC_URI="http://www.${PN}.org/files/source/${MY_P}.tar.gz" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="-auditor +curl debug doc eppclient mysql +signer +sqlite test ${PKCS11_IUSE}" + +RDEPEND=" + dev-lang/perl + dev-libs/libxml2 + dev-libs/libxslt + net-libs/ldns + curl? ( net-misc/curl ) + mysql? ( + virtual/mysql + dev-perl/DBD-mysql + ) + opensc? ( dev-libs/opensc ) + softhsm? ( dev-libs/softhsm ) + sqlite? ( + dev-db/sqlite:3 + dev-perl/DBD-SQLite + ) +" +DEPEND="${RDEPEND} + doc? ( app-doc/doxygen ) + test? ( + app-text/trang + ) +" +# test? dev-util/cunit # Requires running test DB + +REQUIRED_USE=" + ^^ ( mysql sqlite ) + ^^ ( softhsm opensc external-hsm ) + eppclient? ( curl ) +" + +PATCHES=( + "${FILESDIR}/${PN}-fix-localstatedir.patch" + "${FILESDIR}/${PN}-fix-run-dir.patch" + "${FILESDIR}/${PN}-1.3.14-drop-privileges.patch" + "${FILESDIR}/${PN}-1.3.14-use-system-trang.patch" + "${FILESDIR}/${PN}-1.3.18-eppclient-curl-CVE-2012-5582.patch" +) + +S="${WORKDIR}/${MY_P}" + +DOCS=( MIGRATION NEWS ) + +check_pkcs11_setup() { + # PKCS#11 HSM's are often only available with proprietary drivers not + # available in portage tree. + + if use softhsm; then + PKCS11_LIB=softhsm + if has_version ">=dev-libs/softhsm-1.3.1"; then + PKCS11_PATH=/usr/$(get_libdir)/softhsm/libsofthsm.so + else + PKCS11_PATH=/usr/$(get_libdir)/libsofthsm.so + fi + elog "Building with SoftHSM PKCS#11 library support." + fi + if use opensc; then + PKCS11_LIB=opensc + PKCS11_PATH=/usr/$(get_libdir)/opensc-pkcs11.so + elog "Building with OpenSC PKCS#11 library support." + fi + if use external-hsm; then + if [[ -n ${PKCS11_SCA6000} ]]; then + PKCS11_LIB=sca6000 + PKCS11_PATH=${PKCS11_SCA6000} + elif [[ -n ${PKCS11_ETOKEN} ]]; then + PKCS11_LIB=etoken + PKCS11_PATH=${PKCS11_ETOKEN} + elif [[ -n ${PKCS11_NCIPHER} ]]; then + PKCS11_LIB=ncipher + PKCS11_PATH=${PKCS11_NCIPHER} + elif [[ -n ${PKCS11_AEPKEYPER} ]]; then + PKCS11_LIB=aepkeyper + PKCS11_PATH=${PKCS11_AEPKEYPER} + else + ewarn "You enabled USE flag 'external-hsm' but did not specify a path to a PKCS#11" + ewarn "library. To set a path, set one of the following environment variables:" + ewarn " for Sun Crypto Accelerator 6000, set: PKCS11_SCA6000=<path>" + ewarn " for Aladdin eToken, set: PKCS11_ETOKEN=<path>" + ewarn " for Thales/nCipher netHSM, set: PKCS11_NCIPHER=<path>" + ewarn " for AEP Keyper, set: PKCS11_AEPKEYPER=<path>" + ewarn "Example:" + ewarn " PKCS11_ETOKEN=\"/opt/etoken/lib/libeTPkcs11.so\" emerge -pv opendnssec" + ewarn "or store the variable into /etc/make.conf" + die "USE flag 'external-hsm' set but no PKCS#11 library path specified." + fi + elog "Building with external PKCS#11 library support ($PKCS11_LIB): ${PKCS11_PATH}" + fi +} + +pkg_pretend() { + local i + + for i in eppclient mysql; do + if use ${i}; then + ewarn + ewarn "Usage of ${i} is considered experimental." + ewarn "Do not report bugs against this feature." + ewarn + fi + done + + check_pkcs11_setup +} + +pkg_setup() { + enewgroup opendnssec + enewuser opendnssec -1 -1 -1 opendnssec + + # pretend does not preserve variables so we need to run this once more + check_pkcs11_setup +} + +src_prepare() { + base_src_prepare + eautoreconf +} + +src_configure() { + # $(use_with test cunit "${EPREFIX}/usr/") \ + econf \ + --without-cunit \ + --localstatedir="${EPREFIX}/var/" \ + --disable-static \ + --with-database-backend=$(use mysql && echo "mysql")$(use sqlite && echo "sqlite3") \ + --with-pkcs11-${PKCS11_LIB}=${PKCS11_PATH} \ + --disable-auditor \ + $(use_with curl) \ + $(use_enable debug timeshift) \ + $(use_enable eppclient) \ + $(use_enable signer) +} + +src_compile() { + default + use doc && emake docs +} + +src_install() { + default + + # remove useless .la files + find "${ED}" -name '*.la' -delete + + # Remove subversion tags from config files to avoid useless config updates + sed -i \ + -e '/<!-- \$Id:/ d' \ + "${ED}"/etc/opendnssec/* || die + + # install update scripts + insinto /usr/share/opendnssec + use sqlite && doins enforcer/utils/migrate_keyshare_sqlite3.pl + use mysql && doins enforcer/utils/migrate_keyshare_mysql.pl + + # fix permissions + fowners root:opendnssec /etc/opendnssec + fowners root:opendnssec /etc/opendnssec/{conf,kasp,zonelist,zonefetch}.xml + use eppclient && fowners root:opendnssec /etc/opendnssec/eppclientd.conf + + fowners opendnssec:opendnssec /var/lib/opendnssec/{,signconf,unsigned,signed,tmp} + + # install conf/init script + newinitd "${FILESDIR}"/opendnssec.initd-1.3.x opendnssec + newconfd "${FILESDIR}"/opendnssec.confd-1.3.x opendnssec + use auditor || sed -i 's/^CHECKCONFIG_BIN=.*/CHECKCONFIG_BIN=/' "${D}"/etc/conf.d/opendnssec +} + +pkg_postinst() { + if use softhsm; then + elog "Please make sure that you create your softhsm database in a location writeable" + elog "by the opendnssec user. You can set its location in /etc/softhsm.conf." + elog "Suggested configuration is:" + elog " echo \"0:/var/lib/opendnssec/softhsm_slot0.db\" >> /etc/softhsm.conf" + elog " softhsm --init-token --slot 0 --label OpenDNSSEC" + elog " chown opendnssec:opendnssec /var/lib/opendnssec/softhsm_slot0.db" + fi + if use auditor; then + ewarn + ewarn "Please note that auditor support has been disabled in this version since it" + ewarn "it depends on ruby 1.8 which has been removed from the portage tree." + ewarn "USE=auditor is only provided for this warning but will not install the" + ewarn "auditor anymore." + ewarn + fi +} |