Upgrade to 9.6-ESV-R4-P1 and 9.7.3-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users. 2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used.
svn path=/head/; revision=274746
2011-05-27 23:47:39 +00:00 · 2011-05-27 23:47:39 +00:00 · 55533b257f · 2021-03-31 03:12:20 +00:00
commit 55533b257f
parent 612e91cca5
6 changed files with 39 additions and 11 deletions
--- a/dns/bind96/Makefile
+++ b/dns/bind96/Makefile
@ -12,7 +12,7 @@
 # release you can generally build it cleanly from the source - Doug

 PORTNAME=	bind96
-PORTVERSION=	9.6.3
+PORTVERSION=	9.6.3.1.ESV.R4.1
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	${MASTER_SITE_ISC} \
 		http://dougbarton.us/Downloads/%SUBDIR%/
@ -25,7 +25,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT=	The BIND DNS suite with updated DNSSEC and threads

 # ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION=	9.6.3
+ISCVERSION=	9.6-ESV-R4-P1

 MAKE_JOBS_UNSAFE=	yes

--- a/dns/bind96/distinfo
+++ b/dns/bind96/distinfo
@ -1,4 +1,4 @@
-SHA256 (bind-9.6.3.tar.gz) = 17d21c729bc50046ad30481a54b1610deb75a3b93e1584405f8e0b442d13081d
-SIZE (bind-9.6.3.tar.gz) = 7203094
-SHA256 (bind-9.6.3.tar.gz.asc) = 40edbf3b1332f8bddd2f348a9e52713724ab49be8267b7dc7e77499e0b08727b
-SIZE (bind-9.6.3.tar.gz.asc) = 481
+SHA256 (bind-9.6-ESV-R4-P1.tar.gz) = e1152921fd57d3cdad7ec42f608b33dadce23fbd83f8346f037034a1ec0674d9
+SIZE (bind-9.6-ESV-R4-P1.tar.gz) = 7160025
+SHA256 (bind-9.6-ESV-R4-P1.tar.gz.asc) = 5c86d28e656fbdd12f5564c339591af0af7561b4edab49b27d224d0cb40cb51b
+SIZE (bind-9.6-ESV-R4-P1.tar.gz.asc) = 481
--- a/dns/bind96/files/patch-binnsupdatensupdate.c
+++ b/dns/bind96/files/patch-binnsupdatensupdate.c
@ -0,0 +1,14 @@
+--- bin/nsupdate/nsupdate.c.orig	2010-12-08 20:30:57.000000000 -0800
+++ bin/nsupdate/nsupdate.c	2011-05-27 15:17:58.000000000 -0700
+@@ -617,8 +617,10 @@
+ 				keyfile, isc_result_totext(result));
+ 			return;
+ 		}
+-	} else
+	} else {
+ 		dst_key_attach(dstkey, &sig0key);
+		dst_key_free(&dstkey);
+	}
+ }
+ 
+ static void
--- a/dns/bind97/Makefile
+++ b/dns/bind97/Makefile
@ -20,7 +20,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT?=	The BIND DNS suite with updated DNSSEC and threads

 # ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION=	9.7.3
+ISCVERSION=	9.7.3-P1

 MAKE_JOBS_UNSAFE=	yes

--- a/dns/bind97/distinfo
+++ b/dns/bind97/distinfo
@ -1,4 +1,4 @@
-SHA256 (bind-9.7.3.tar.gz) = 7c584ca838da4adb6e94e4507b97b180248ca2b1e6aec1513336b58b344a29f7
-SIZE (bind-9.7.3.tar.gz) = 7653584
-SHA256 (bind-9.7.3.tar.gz.asc) = 96386b587a21f86f456fdddc17558f5d799e2428261a7c6348b273b6912ff34d
-SIZE (bind-9.7.3.tar.gz.asc) = 481
+SHA256 (bind-9.7.3-P1.tar.gz) = 5ff684039fda0df27b75a771b66dbe77fd612fb4ade5f4c15960fbb8d62bbbf1
+SIZE (bind-9.7.3-P1.tar.gz) = 7586464
+SHA256 (bind-9.7.3-P1.tar.gz.asc) = 81b766f8e11f17d56a83dbc6c4ab5e9564d62a255fd878dc55d3a03253d7cd3c
+SIZE (bind-9.7.3-P1.tar.gz.asc) = 481
--- a/dns/bind97/files/patch-binnsupdatensupdate.c
+++ b/dns/bind97/files/patch-binnsupdatensupdate.c
@ -0,0 +1,14 @@
+--- bin/nsupdate/nsupdate.c.orig	2010-12-08 20:31:30.000000000 -0800
+++ bin/nsupdate/nsupdate.c	2011-05-27 15:21:39.000000000 -0700
+@@ -694,8 +694,10 @@
+ 				keyfile, isc_result_totext(result));
+ 			return;
+ 		}
+-	} else
+	} else {
+ 		dst_key_attach(dstkey, &sig0key);
+		dst_key_free(&dstkey);
+	}
+ }
+ 
+ static void