Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.
To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.
To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.
Changes to Mk/*:
- Add runtime detection magic in bsd.port.mk
- Remove CONFIGURE_TARGET hack in various bsd.*.mk
- USE_GNOME=gnometarget is now an no-op
Changes to individual ports, other than removing the CONFIGURE_TARGET hack:
= pkg-plist changed (due to the ugly CONFIGURE_TARGET prefix in * executables)
- comms/gnuradio
- science/abinit
- science/elmer-fem
- science/elmer-matc
- science/elmer-meshgen2d
- science/elmerfront
- science/elmerpost
= use x86_64 as ARCH
- devel/g-wrap
= other changes
- print/magicfilter
GNU_CONFIGURE -> HAS_CONFIGURE since it's not generated by autoconf
Total # of ports modified: 1,027
Total # of ports affected: ~7,000 (set GNU_CONFIGURE to yes)
PR: 126524 (obsoletes 52917)
Submitted by: rafan
Tested on: two pointyhat 7-amd64 exp runs (by pav)
Approved by: portmgr (pav)
ZKT is a tool to manage keys and signatures for DNSSEC-zones.
The Zone Key Tool consists of two commands:
- dnssec-zkt to create and list dnssec zone keys and
- dnssec-signer to sign a zone and manage the lifetime of
the zone signing keys
See: http://www.hznet.de/dns/zkt/
PR: ports/126296
Submitted by: Frank Behrens <frank+ports@ilse.behrens.de>
DNS Server Cache. By sending many queries to a DNS server along with fake
replies, an attacker can successfuly writes a fake new entry in the DNS
cache.
WWW: http://www.securebits.org/dnsmre.html
PR: ports/126189
Submitted by: Tomoyuki Sakurai <cherry at trombik.org>
- Pet portlint
- Remove support for FreeBSD < 5
- Remove file leftover from repocopy
- Bump portepoch
NOTE: Version numbering changed back to 2.9.x instead of 3.x
PR: ports/126270
Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
- performance improvement over the P1 releases, namely
+ significantly remedying the port allocation issues
+ allowing TCP queries and zone transfers while issuing as many
outstanding UDP queries as possible
+ additional security of port randomization at the same level as P1
- also includes fixes for several bugs in the 9.5.0 base code
- Change default OpenLDAP version to 2.4
- Remove OpenLDAP 2.2 support, the port has been gone for some time now
- Add -DDEPRECATED to CFLAGS for all OpenLDAP using ports
PR: ports/123602, ports/124115, ports/125605
Submitted by: delphij, Jens Rehsack <rehsack@web.de>,
Yuri Pankov <yuri.pankov@gmail.com>
- Remove USE_GTK, it's no longer used
PR: ports/123528
Submitted by: mezz
- Use PATCH_WRKSRC instead of WRKSRC in do-patch target
PR: ports/124169
Submitted by: Max Brazhnikov <makc@issp.ac.ru>
- Remove USE_XPM, it's been replaced by USE_XORG+=xpm
PR: ports/124506
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
- Minor fixups for bsd.port.mk
PR: ports/122675
Submitted by: linimon
- Remove stale comment about USE_GETOPT_LONG
PR: ports/124521
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
- Correct comment about default fetch arguments
PR: ports/125334
Submitted by: Gary Palmer <freebsd-gnats@in-addr.com>
of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447http://www.kb.cert.org/vuls/id/800113http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support, including working threads in this version
BIND 9.5 has a number of new features over previous versions, including:
GSS-TSIG support (RFC 3645), DHCID support
Experimental http server and statistics support for named via xml
More detailed statistics counters, compatible with the ones supported in BIND 8
Faster ACL processing
Efficient LRU cache cleaning mechanism.
NSID support (RFC 5001).
Rink Springer also asked me if he could maintain his own ports. Change
maitainership of games/sudsol, net/freedbd and net/kissd to Rink.
Approved by: philip (mentor), rink
<joe@joeholden.co.uk>
(reason: 553 5.3.5 system config error)
----- Transcript of session follows -----
553 5.3.5 127.0.0.1. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error
The affected ports are the ones with gettext as a run-dependency
according to ports/INDEX-7 (5007 of them) and the ones with USE_GETTEXT
in Makefile (29 of them).
PR: ports/124340
Submitted by: edwin@
Approved by: portmgr (pav)
According to http://cr.yp.to/distributors.html djbdns is
put into the public domain, therefore the port doesn't need
to be RESTRICTED.
PR: ports/122864
Submitted by: Björn Jonare <rksah@bredband.net>
Approved by: maintainer timeout
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.
Goals:
* A validating recursive DNS resolver.
* Code diversity in the DNS resolver monoculture.
* Drop-in replacement for BIND apart from config.
* DNSSEC support.
* Fully RFC compliant.
* High performance
o even with validation.
* Used as
o stub resolver.
o full caching name server.
o resolver library.
* Elegant design of validator, resolver, cache modules.
o provide the ability to pick and choose modules.
* Robust.
* In C, open source: The BSD license.
* Smallest as possible component that does the job.
* Stub-zones can be configured (local data or AS112 zones).
Non-goals:
* An authoritative name server.
* Too many Features.
WWW: http://unbound.net
- Remove USE_XLIB/USE_X_PREFIX/USE_XPM in favor of USE_XORG
- Remove X11BASE support in favor of LOCALBASE or PREFIX
- Use USE_LDCONFIG instead of INSTALLS_SHLIB
- Remove unneeded USE_GCC 3.4+
Thanks to all Helpers:
Dmitry Marakasov, Chess Griffin, beech@, dinoex, rafan, gahr,
ehaupt, nox, itetcu, flz, pav
PR: 116263
Tested on: pointyhat
Approved by: portmgr (pav)
Fix rt.cpan.org #30316 Security issue with Net::DNS Resolver.
Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers
to cause a denial of service (program "croak") via a crafted DNS
response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet
parsing routines are now enclosed in eval blocks to trap exception
and avoid premature termination of user program.
Used ideas from:
PR: ports/120702
Submitted by: Felippe de Meirelles Motta <lippemail@gmail.com>
where the portname does not match the projects hostname.
PR: ports/121453 (related)
Submitted by: Edwin Groothuis <edwin@mavetju.org>
Reviewed by: pav@
took the IPv6 address even if you used the -4 option.
- Fix false lame server issues with domains which have the
higher domain in it (command.com for example).
responses.
It is designed to be used in conjunction with an existing recursive DNS resolver
in order to protect networks against DNS rebinding attacks.
interrogation success for a list of IP addresses against a list of DNSBL's.
The module is used to implement the reproting script dnsblstat.
WWW: http://search.cpan.org/dist/Net-DNSBL-Statistics/
PR: ports/119424
Submitted by: Jin-Shan Tseng <tjs at cdpa.nsysu.edu.tw>
Actually, the maintainer submits the rc script which uses 'name=noip2'.
After some discussion with him, I changed it to use noip in order to
match its port name, but forget to properly set $command.
Pointy hat to: rafan
Reported by: Andrea Venturoli <ml at netfence.it>
Approved by: maintainer (implicit)
PLIST_SUB, so deleting them will not change the package. Therefore
no PORTREVISION bump.
PR: ports/119458
Submitted by: Philippe Audeoud <jadawin@tuxaco.net>
directly frobbing packets or calling Net::DNS::RR->new_from_data()
(which you should not be doing anyway) then you should read the changelog
carefully and review/test your code before committing to this version.
2. Remove support for old Perl.
* updated noip2.c: added SkipHeaders() instead of the magic 6 line pass
* Changed to ip1.dynupdate.no-ip.com for ip retrieval
* added fclose() for stdin, stdout & stderr to child
* made Force_Update work on 30 day intervals
* added version number into shared mem and -S display
PR: 118989
Submitted by: Kay Abendroth <kay.abendroth@raxion.net> (maintainer)
http://www.isc.org/index.pl?/sw/bind/bind8-eol.php
Therefore, per the previous announcement, remove the ports for BIND 8.
This includes the chinese/bind8 slave port, and mail/smc-milter which
has a dependency on libbind_r.a from BIND 8.x. The latter has been
unmaintained since 2005, and is 3 versions behind.
Approved by: portmgr (linimon)
perl unconditonally, or conditionally. To be able to conditionalize the
inclusion of bsd.perl.mk, they now need to be defined before the inclusion
of bsd.port.pre.mk.
Hat: portmgr
I don't think this port has any specific to do with gcc-3.4
compiler; building with the gcc-4.2.0 (and the latest 4.2.1)
is fine here.
I also have added a few patch files, for hard-coded
/etc/inadyn.conf, although a sample config
/usr/local/etc/inadyn.conf.sample and an rc script to
automate daemonization also need to added. But are not
mandatory.
PR: ports/115699
Submitted by: Balwinder S Dheeman <bdheeman@yahoo.com>
- Bump PORTREVISION
[1] Notes:
powerdns-recursor 3.1.4 doesn't support multiline txt records, which
are used by various dns information systems. 3.1.5 does have support
for this. A backport of the code changes is relatively risk-free, and has been
requested by users and port maintainers.
http://www.nabble.com/recursor-unable-to-resolve-asn.routeviews.org-data-t4252567.html
PR: 116029
Submitted by: Sten Spans <sten@blinkenlights.nl> (Maintainer)
in the tooth BIND 8. As of today (27 August 2007) ISC has announced
that BIND 8 is officially End of Life (EOL) and therefore it's time
to say good-bye.
Please see http://www.isc.org/sw/bind/bind8-eol.php for details on the
reasoning behind the EOL status, the latest security issues, and a
migration guide to help you move toward BIND 9.4.x.
bind8 (BIND 8.3.7) is marked FORBIDDEN due to the predictable query ID
bug (see above) which will not be fixed for this version.
bind84 is marked DEPRECATED, and will be upgraded to 8.4.7-P1 when it
is available.
daemon.
multi_dnsbl is a DNS emulator daemon that increases the efficacy of DNSBL
look-ups in a mail system. multi_dnsbl may be used as a stand-alone DNSBL or as
a plug-in for a standard BIND 9 installation. multi_dnsbl shares a common
configuration file format with the Mail::SpamCannibal sc_BLcheck.pl script so
that DNSBL's can be maintained in a common configuration file for an entire
mail installation.
Because DNSBL usefulness is dependent on the nature and source of spam sent to
a specific site and because sometimes DNSBL's may provide intermittant service,
multi_dnsbl interrogates them sorted in the order of greatest successful hits.
DNSBL's that do not respond within the configured timeout period are not
interrogated at all after 6 consecutive failures, and thereafter will be
retried not more often than once every hour until they come back online. This
eliminates the need to place DNSBL's in a particular order in your MTA's config
file or periodically monitor the DNSBL statistics and/or update the MTA config
file.
WWW: http://search.cpan.org/~miker/Net-DNSBL-MultiDaemon-0.18/MultiDaemon.pm
PR: ports/115639
Submitted by: Andrew Greenwood <greenwood.andy at gmail.com>
- Add significantly better support in bsd.python.mk for working with
Python Eggs and the easy_install system
Tested by: pointyhat runs
Approved by: pav (portmgr)
Most work by: perky
Thanks to: pav
1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
supports them. This is determined by running ``configure --help'' in
do-configure target and set the shell variable _LATE_CONFIGURE_ARGS
which is then passed to CONFIGURE_ARGS.
- Remove --mandir and --infodir in ports' Makefile where applicable
Few ports use REINPLACE_CMD to achieve the same effect, remove them too.
- Correct some manual pages location from PREFIX/man to MANPREFIX/man
- Define INFO_PATH where necessary
- Document that .info files are installed in a subdirectory relative to
PREFIX/INFO_PATH and slightly change add-plist-info to use INFO_PATH and
subdirectory detection.
PR: ports/111470
Approved by: portmgr
Discussed with: stas (Mk/*), gerald (info related stuffs)
Tested by: pointyhat exp run
- maradns.sh and zoneserver.sh now use PID file
- change default MaraDNS UID from 99 to bind(53)
- change default maraDNS GID from 99 to bind(53)
- change default duende logger process UID from 66 to nobody(65534)
- create empty etc/logger directory
PR: ports/113235
Submitted by: Simun Mikecin <numisemis@yahoo.com>
Approved by: Alex Kapranoff <alex@kapranoff.ru> (maintainer)
