nixpkgs/pkgs/servers/dns/bind/default.nix
Franz Pletz cfbac7bbad
bind: 9.11.1-P2 -> 9.11.2 for multiple CVEs
See: https://kb.isc.org/article/AA-01522

Fixes: CVE-2017-3140 CVE-2017-3141 CVE-2017-3142 CVE-2017-3143
2017-08-01 10:26:20 +02:00

68 lines
1.8 KiB
Nix

{ stdenv, lib, fetchurl, openssl, libtool, perl, libxml2
, enableSeccomp ? false, libseccomp ? null }:
assert enableSeccomp -> libseccomp != null;
let version = "9.11.2"; in
stdenv.mkDerivation rec {
name = "bind-${version}";
src = fetchurl {
url = "http://ftp.isc.org/isc/bind9/${version}/${name}.tar.gz";
sha256 = "0yn7wgi2y8mpmvbjbkl4va7p0xsnn48m4yjx6ynb1hzp423asikz";
};
outputs = [ "out" "lib" "dev" "man" "dnsutils" "host" ];
patches = [ ./dont-keep-configure-flags.patch ./remove-mkdir-var.patch ] ++
stdenv.lib.optional stdenv.isDarwin ./darwin-openssl-linking-fix.patch;
buildInputs = [ openssl libtool perl libxml2 ] ++
stdenv.lib.optional enableSeccomp libseccomp;
STD_CDEFINES = [ "-DDIG_SIGCHASE=1" ]; # support +sigchase
configureFlags = [
"--localstatedir=/var"
"--with-libtool"
"--with-libxml2=${libxml2.dev}"
"--with-openssl=${openssl.dev}"
"--without-atf"
"--without-dlopen"
"--without-docbook-xsl"
"--without-gssapi"
"--without-idn"
"--without-idnlib"
"--without-pkcs11"
"--without-purify"
"--without-python"
] ++ lib.optional enableSeccomp "--enable-seccomp";
postInstall = ''
moveToOutput bin/bind9-config $dev
moveToOutput bin/isc-config.sh $dev
moveToOutput bin/host $host
moveToOutput bin/dig $dnsutils
moveToOutput bin/nslookup $dnsutils
moveToOutput bin/nsupdate $dnsutils
for f in "$lib/lib/"*.la "$dev/bin/"{isc-config.sh,bind*-config}; do
sed -i "$f" -e 's|-L${openssl.dev}|-L${openssl.out}|g'
done
'';
meta = {
homepage = "http://www.isc.org/software/bind";
description = "Domain name server";
license = stdenv.lib.licenses.isc;
maintainers = with stdenv.lib.maintainers; [viric peti];
platforms = with stdenv.lib.platforms; unix;
outputsToInstall = [ "out" "dnsutils" "host" ];
};
}