From bcb19d0721d82efd2e5a33eb10aada8d010296d6 Mon Sep 17 00:00:00 2001 
From: taca
Date: Sat, 21 Sep 2013 15:59:00 +0000
Subject: [PATCH] Update bind98 to 9.8.6 (BIND 9.8.6).

(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.)

Security Fixes

  * Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
  * Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]

Feature Changes

  * rndc status now also shows the build-id. [RT #20422]
  * Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
  * "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777]
  * Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
  * Improved the 'rndc' man page. [RT #33506]
  * 'named -g' now no longer works with an invalid logging configuration. [RT #33473]
  * The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen-queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029]
  * Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
  * Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]

Bug Fixes

  * Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
  * Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
  * Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
  * Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
  * Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
  * Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
  * Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
  * named was failing to answer queries during "rndc reload" [RT #34098]
  * Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
  * The build of BIND now installs isc/stat.h so that it's available to <isc/file.h> when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056]
  * Better handle failures building XML for stats channel responses. [RT #33706]
  * Fixed a memory leak in GSS-API processing. [RT #33574]
  * Fixed an acache-related race condition that could cause a crash. [RT #33602]
  * rndc now properly fails when given an invalid '-c' argument. [RT #33571]
  * Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
  * Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
  * Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names.
[RT #33419] --- net/bind98/Makefile | 4 +-- net/bind98/PLIST | 4 ++- net/bind98/distinfo | 20 ++++++------- net/bind98/options.mk | 4 +-- net/bind98/patches/patch-bin_dig_dighost.c | 30 +++++++++---------- net/bind98/patches/patch-configure | 8 ++--- .../patches/patch-lib_lwres_getnameinfo.c | 6 ++-- 7 files changed, 39 insertions(+), 37 deletions(-) diff --git a/net/bind98/Makefile b/net/bind98/Makefile index de4c353e909a..6f17d2a96731 100644 --- a/net/bind98/Makefile +++ b/net/bind98/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.32 2013/07/27 03:20:53 taca Exp $ +# $NetBSD: Makefile,v 1.33 2013/09/21 15:59:00 taca Exp $ DISTNAME= bind-${BIND_VERSION} PKGNAME= ${DISTNAME:S/-P/pl/} @@ -14,7 +14,7 @@ CONFLICTS+= host-[0-9]* MAKE_JOBS_SAFE= no -BIND_VERSION= 9.8.5-P2 +BIND_VERSION= 9.8.6 .include "../../mk/bsd.prefs.mk" diff --git a/net/bind98/PLIST b/net/bind98/PLIST index 2356b562fede..be78825b425b 100644 --- a/net/bind98/PLIST +++ b/net/bind98/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.4 2013/06/06 02:56:36 taca Exp $ +@comment $NetBSD: PLIST,v 1.5 2013/09/21 15:59:00 taca Exp $ bin/dig bin/host bin/isc-config.sh @@ -144,11 +144,13 @@ include/isc/resource.h include/isc/result.h include/isc/resultclass.h include/isc/rwlock.h +include/isc/safe.h include/isc/serial.h include/isc/sha1.h include/isc/sha2.h include/isc/sockaddr.h include/isc/socket.h +include/isc/stat.h include/isc/stdio.h include/isc/stdlib.h include/isc/stdtime.h diff --git a/net/bind98/distinfo b/net/bind98/distinfo index 0423c8c20ced..feadd25ed13f 100644 --- a/net/bind98/distinfo +++ b/net/bind98/distinfo 
@@ -1,15 +1,15 @@ -$NetBSD: distinfo,v 1.23 2013/07/27 03:20:53 taca Exp $ +$NetBSD: distinfo,v 1.24 2013/09/21 15:59:00 taca Exp $ -SHA1 (bind-9.8.5-P2.tar.gz) = 2cab91cfe21487f90225c3c3b0e8656706642f29 -RMD160 (bind-9.8.5-P2.tar.gz) = 8bab1002fc23fc71898d187b7f79eaa55f0b143c -Size (bind-9.8.5-P2.tar.gz) = 7262961 bytes -SHA1 (rl-9.8.5-P1.patch) = 4a8a4e17ed835b4c99dbb236b8bb65d6ab28a00c -RMD160 (rl-9.8.5-P1.patch) = 758f2f6970a452c9e2ea5afb21cf52e297a32b82 -Size (rl-9.8.5-P1.patch) = 103398 bytes -SHA1 (patch-bin_dig_dighost.c) = 3f37033cc64e1153268ab437fab533d2920bb18c +SHA1 (bind-9.8.6.tar.gz) = d596d488e5bb09cc695364f1d16adef4af673e86 +RMD160 (bind-9.8.6.tar.gz) = 22e93866dd7aef576dd2746483644575b7976e15 +Size (bind-9.8.6.tar.gz) = 7275769 bytes +SHA1 (rl-9.8.6rc1.patch) = cacea695ab57cc44f0b79bef1e42ba4f787ca96f +RMD160 (rl-9.8.6rc1.patch) = 13ac5bb0c5b0129b560026861dd4be5d17801055 +Size (rl-9.8.6rc1.patch) = 103557 bytes +SHA1 (patch-bin_dig_dighost.c) = f76d4a3a3e521a9ff691e12b9f7c63299b15c74d SHA1 (patch-bin_tests_system_Makefile.in) = 650ac962464e23f6c4278e7025f55f282789f9c9 SHA1 (patch-config.threads.in) = 045531d8378a88c654ab98ba6ea65786c8cf4e2b -SHA1 (patch-configure) = 08f878fd3a5d3d17e0cf55d01344ddc84991967f +SHA1 (patch-configure) = 5d16cc851b425805e97c4a14770529ced57a5374 SHA1 (patch-lib_dns_rbt.c) = 29fb5c24ff3558f1621e93ea16419e32dbc695b7 SHA1 (patch-lib_lwres_getaddrinfo.c) = 9585a26a376d32f80ac8266eb7967c00b433f14d -SHA1 (patch-lib_lwres_getnameinfo.c) = c26dcff4637b7beb16b66c32b304d0f187390eed +SHA1 (patch-lib_lwres_getnameinfo.c) = 1224033e3c1ca14f1508542e5d41c899060d4d9c diff --git a/net/bind98/options.mk b/net/bind98/options.mk index e290da839e09..6e7480c1e978 100644 --- a/net/bind98/options.mk +++ b/net/bind98/options.mk 
@@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.6 2013/06/06 02:56:36 taca Exp $ +# $NetBSD: options.mk,v 1.7 2013/09/21 15:59:00 taca Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.bind98 PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server @@ -55,7 +55,7 @@ CONFIGURE_ARGS+= --with-dlz-filesystem .endif .if !empty(PKG_OPTIONS:Mrrl) -PATCHFILES=rl-9.8.5-P1.patch +PATCHFILES=rl-9.8.6rc1.patch PATCH_SITES=http://ss.vix.su/~vjs/ .endif diff --git a/net/bind98/patches/patch-bin_dig_dighost.c b/net/bind98/patches/patch-bin_dig_dighost.c index 6f4f57d1067c..dbe76bef3bb5 100644 --- a/net/bind98/patches/patch-bin_dig_dighost.c +++ b/net/bind98/patches/patch-bin_dig_dighost.c @@ -1,10 +1,10 @@ -$NetBSD: patch-bin_dig_dighost.c,v 1.1 2011/11/17 00:48:09 taca Exp $ +$NetBSD: patch-bin_dig_dighost.c,v 1.2 2013/09/21 15:59:01 taca Exp $ Avoid to use true as variable name. ---- bin/dig/dighost.c.orig 2011-03-11 06:46:58.000000000 +0000 +--- bin/dig/dighost.c.orig 2013-09-05 05:19:53.000000000 +0000 +++ bin/dig/dighost.c -@@ -4345,7 +4345,7 @@ prepare_lookup(dns_name_t *name) +@@ -4313,7 +4313,7 @@ prepare_lookup(dns_name_t *name) isc_result_t result; isc_region_t r; dns_rdataset_t *rdataset = NULL; @@ -13,7 +13,7 @@ Avoid to use true as variable name. #endif memset(namestr, 0, DNS_NAME_FORMATSIZE); -@@ -4359,7 +4359,7 @@ prepare_lookup(dns_name_t *name) +@@ -4327,7 +4327,7 @@ prepare_lookup(dns_name_t *name) result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_aaaa, @@ -22,7 +22,7 @@ Avoid to use true as variable name. if (result == ISC_R_SUCCESS) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; -@@ -4388,7 +4388,7 @@ prepare_lookup(dns_name_t *name) +@@ -4356,7 +4356,7 @@ prepare_lookup(dns_name_t *name) rdataset = NULL; result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, 
@@ -31,7 +31,7 @@ Avoid to use true as variable name. if (result == ISC_R_SUCCESS) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; -@@ -4507,11 +4507,11 @@ isc_result_t +@@ -4475,11 +4475,11 @@ isc_result_t initialization(dns_name_t *name) { isc_result_t result; @@ -45,7 +45,7 @@ Avoid to use true as variable name. if (result != ISC_R_SUCCESS) { printf("\n;; NS RRset is missing to continue validation:" " FAILED\n\n"); -@@ -4864,7 +4864,7 @@ sigchase_td(dns_message_t *msg) +@@ -4827,7 +4827,7 @@ sigchase_td(dns_message_t *msg) isc_result_t result; dns_name_t *name = NULL; isc_boolean_t have_answer = ISC_FALSE; @@ -54,7 +54,7 @@ Avoid to use true as variable name. if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) == ISC_R_SUCCESS) { -@@ -4873,7 +4873,7 @@ sigchase_td(dns_message_t *msg) +@@ -4836,7 +4836,7 @@ sigchase_td(dns_message_t *msg) initialization(name); return; } @@ -63,7 +63,7 @@ Avoid to use true as variable name. } else { if (!current_lookup->trace_root_sigchase) { result = dns_message_firstname(msg, -@@ -4991,7 +4991,7 @@ sigchase_td(dns_message_t *msg) +@@ -4954,7 +4954,7 @@ sigchase_td(dns_message_t *msg) dns_rdatatype_rrsig, current_lookup ->rdtype_sigchase, @@ -72,7 +72,7 @@ Avoid to use true as variable name. if (result == ISC_R_FAILURE) { printf("\n;; RRset is missing to continue" " validation SHOULD NOT APPEND:" -@@ -5004,7 +5004,7 @@ sigchase_td(dns_message_t *msg) +@@ -4967,7 +4967,7 @@ sigchase_td(dns_message_t *msg) &chase_authority_name, dns_rdatatype_rrsig, dns_rdatatype_any, @@ -81,7 +81,7 @@ Avoid to use true as variable name. if (result == ISC_R_FAILURE) { printf("\n;; RRSIG is missing to continue" " validation SHOULD NOT APPEND:" -@@ -5080,7 +5080,7 @@ sigchase_td(dns_message_t *msg) +@@ -5043,7 +5043,7 @@ sigchase_td(dns_message_t *msg) &chase_authority_name, dns_rdatatype_rrsig, dns_rdatatype_ds, 
@@ -90,7 +90,7 @@ Avoid to use true as variable name. if (result != ISC_R_SUCCESS) { printf("\n;; DSset is missing to continue validation:" " FAILED\n\n"); -@@ -5168,7 +5168,7 @@ sigchase_td(dns_message_t *msg) +@@ -5131,7 +5131,7 @@ sigchase_td(dns_message_t *msg) result = advanced_rrsearch(&chase_rdataset, &chase_name, current_lookup->rdtype_sigchase, dns_rdatatype_any , @@ -99,7 +99,7 @@ Avoid to use true as variable name. if (result == ISC_R_FAILURE) { printf("\n;; RRsig of RRset is missing to continue validation" " SHOULD NOT APPEND: FAILED\n\n"); -@@ -5211,7 +5211,7 @@ getneededrr(dns_message_t *msg) +@@ -5174,7 +5174,7 @@ getneededrr(dns_message_t *msg) dns_name_t *name = NULL; dns_rdata_t sigrdata = DNS_RDATA_INIT; dns_rdata_sig_t siginfo; @@ -108,7 +108,7 @@ Avoid to use true as variable name. if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) != ISC_R_SUCCESS) { -@@ -5227,7 +5227,7 @@ getneededrr(dns_message_t *msg) +@@ -5190,7 +5190,7 @@ getneededrr(dns_message_t *msg) if (chase_rdataset == NULL) { result = advanced_rrsearch(&chase_rdataset, name, dns_rdatatype_any, @@ -117,7 +117,7 @@ Avoid to use true as variable name. if (result != ISC_R_SUCCESS) { printf("\n;; No Answers: Validation FAILED\n\n"); return (ISC_R_NOTFOUND); -@@ -5347,7 +5347,7 @@ getneededrr(dns_message_t *msg) +@@ -5310,7 +5310,7 @@ getneededrr(dns_message_t *msg) result = advanced_rrsearch(&chase_sigdsrdataset, &chase_signame, dns_rdatatype_rrsig, diff --git a/net/bind98/patches/patch-configure b/net/bind98/patches/patch-configure index 82baaa21a327..281fc0379046 100644 --- a/net/bind98/patches/patch-configure +++ b/net/bind98/patches/patch-configure 
@@ -1,8 +1,8 @@ -$NetBSD: patch-configure,v 1.3 2012/04/05 00:39:34 taca Exp $ +$NetBSD: patch-configure,v 1.4 2013/09/21 15:59:01 taca Exp $ ---- configure.orig 2012-03-22 19:20:00.000000000 +0000 +--- configure.orig 2013-09-05 05:19:53.000000000 +0000 +++ configure -@@ -22159,6 +22159,8 @@ case $host in +@@ -14682,6 +14682,8 @@ case $host in use_threads=false ;; *-freebsd*) use_threads=false ;; @@ -11,7 +11,7 @@ $NetBSD: patch-configure,v 1.3 2012/04/05 00:39:34 taca Exp $ *-bsdi[234]*) # Thread signals do not work reliably on some versions of BSD/OS. use_threads=false ;; -@@ -27099,7 +27101,7 @@ $as_echo "no" >&6; } +@@ -19672,7 +19674,7 @@ $as_echo "no" >&6; } fi if test -n "-L$use_dlz_postgres_lib -lpq" then diff --git a/net/bind98/patches/patch-lib_lwres_getnameinfo.c b/net/bind98/patches/patch-lib_lwres_getnameinfo.c index 96b19630abf5..d9c79216454d 100644 --- a/net/bind98/patches/patch-lib_lwres_getnameinfo.c +++ b/net/bind98/patches/patch-lib_lwres_getnameinfo.c @@ -1,6 +1,6 @@ -$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1.1.1 2011/03/04 03:52:15 taca Exp $ +$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.2 2013/09/21 15:59:01 taca Exp $ ---- lib/lwres/getnameinfo.c.orig 2007-06-19 23:47:22.000000000 +0000 +--- lib/lwres/getnameinfo.c.orig 2013-09-05 05:19:53.000000000 +0000 +++ lib/lwres/getnameinfo.c @@ -121,6 +121,10 @@ #include @@ -13,7 +13,7 @@ $NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1.1.1 2011/03/04 03:52:15 taca Exp $ #include "assert_p.h" #define SUCCESS 0 -@@ -271,13 +275,9 @@ lwres_getnameinfo(const struct sockaddr +@@ -272,13 +276,9 @@ lwres_getnameinfo(const struct sockaddr ((const struct sockaddr_in6 *)sa)->sin6_scope_id) { char *p = numaddr + strlen(numaddr); const char *stringscope = NULL;
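Review bot: include/isc/safe.h is added to the PLIST without being mentioned in the commit message, which only accounts for include/isc/stat.h ([RT #33056], the dnsperf build issue). A one-line mention that 9.8.6 installs a new isc/safe.h header would help packagers of dependent software; also worth confirming that no other newly installed header or man page was missed, since a PLIST mismatch fails the package build rather than the install.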
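Review bot: in distinfo the rate-limiting patch entry changes from rl-9.8.5-P1.patch to rl-9.8.6rc1.patch while BIND_VERSION becomes the final 9.8.6 release; please state in the message that the rc1 patch was verified to apply cleanly to the release tarball (the Size only grows from 103398 to 103557 bytes, which looks like a straight re-diff, but the rc1 name will mislead whoever does the next update). The new SHA1/RMD160/Size triplets are what protects the fetch, so they must land in the same commit as the options.mk rename, which they do here.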
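Review bot: in options.mk PATCH_SITES stays http://ss.vix.su/~vjs/, so the rrl patch is fetched over plain HTTP from a third-party host and its integrity rests entirely on the distinfo checksums; the commit message should say so, and should note that the patch is only pulled when the rrl option is selected (.if !empty(PKG_OPTIONS:Mrrl)), so the default build is unaffected by the new PATCHFILES value.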
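Review bot: in patch-bin_dig_dighost.c only the @@ offsets and the .orig timestamp change (prepare_lookup and initialization hunks shift by 32 lines, the sigchase_td and getneededrr hunks by 37), so the substantive edit, renaming the variable called true in the sigchase code, is unchanged and this is a clean regeneration. Minor style point: the description "Avoid to use true as variable name." would read better as "Avoid using true as a variable name." the next time the file is touched.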
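Review bot: in patch-configure the first hunk's anchor moves from line 22159 to 14682 and the second from 27099 to 19672, a shift of roughly 7400 lines, which means configure was substantially regenerated between 9.8.5-P2 and 9.8.6. The context lines ("*-freebsd*) use_threads=false ;;" and the "-L$use_dlz_postgres_lib -lpq" test) still match, but a re-offset patch can land in the wrong place when a similar block exists elsewhere in a regenerated script; a short note that the two local changes (the added OS case in the threads selection and the DLZ PostgreSQL library test) were checked in the resulting configure would make this reviewable.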