Commit graph

109 commits

Author SHA1 Message Date
reed
b1d263c961 Updated to 9.4.3-P3 for security issue:
https://www.isc.org/node/474
2009-07-28 20:39:45 +00:00
obache
cdae1b23a7 Update HOMEPAGE url. 2009-07-24 12:30:00 +00:00
joerg
9bb0d96ea9 Remove @dirrm related logic. 2009-06-14 22:57:58 +00:00
tron
0554442edb Add URL for mirror on "ftp.belnet.be" to master site list. 2009-03-23 14:43:13 +00:00
adrianp
38800b746e --- 9.4.3-P2 released ---
2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
			algorithms. [RT #19479]
2009-03-22 15:31:44 +00:00
adrianp
fe15735863 Changes since 9.4.3:
2522.	[security]	Handle -1 from DSA_do_verify().

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]
2009-01-08 09:02:19 +00:00
adrianp
ea37c51ff5 Update to 9.4.3
Resolver could try unreachable servers multiple times.
Adb's handling of lame addresses was different for IPv4 and IPv6.
Remove NULL pointer dereference in dns_journal_print().
libbind: Out of bounds reference in dns_ho.c:addrsort.
Set initial timeout to 800ms.
TSIG context leak

For all the details see:
 http://oldwww.isc.org/sw/bind/view/?release=9.4.3#RELEASE
2009-01-04 00:16:03 +00:00
adrianp
b32fceaac6 Changes since 9.4.2-P1:
--- 9.4.2-P2 released ---

2406.   [bug]           Some operating systems have FD_SETSIZE set to a
			low value by default, which can cause resource
			exhaustion when many simultaneous connections are
			open.  Linux in particular makes it difficult to
			increase this value.  To use more sockets with
			select(), set ISC_SOCKET_FDSETSIZE.  Example:
			STD_CDEFINES="-DISC_SOCKET_FDSETSIZE=4096" ./configure
			(This should not be necessary in most cases, and
			never for an authoritative-only server.) [RT #18328]

2404.	[port]		hpux: files unlimited support.

2403.	[bug]		TSIG context leak. [RT #18341]

2402.	[port]		Support Solaris 2.11 and over. [RT #18362]

2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
			(from accept() or fcntl() system calls). [RT #18358]

2399.	[bug]		Abort timeout queries to reduce the number of open
			UDP sockets. [RT #18367]

2398.	[bug]           Improve file descriptor management.  New,
			temporary, named.conf option reserved-sockets,
			default 512. [RT #18344]

2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
			[RT #18336]

2395.	[port]		Avoid warning and no effect from "files unlimited"
			on Linux when running as root. [RT #18335]

2394.	[bug]		Default configuration options set the limit for
			open files to 'unlimited' as described in the
			documentation. [RT #18331]

2392.	[bug]		remove 'grep -q' from acl test script, some platforms
			don't support it. [RT #18253]

2322.	[port]		MacOS: work around the limitation of setrlimit()
			for RLIMIT_NOFILE. [RT #17526]
2008-08-03 18:41:45 +00:00
adrianp
24256612d8 Update to 9.4.2-P1
Please see CHANGES for all the details but the driving factor of this update
is:
2375.   [security]      Fully randomize UDP query ports to improve
                        forgery resilience. [RT #17949]
2008-07-10 21:05:30 +00:00
adrianp
417ce0dd73 Fix two typos: inclue => include 2008-06-21 22:13:22 +00:00
joerg
3b0d97b0de Add DESTDIR support. 2008-06-20 01:09:05 +00:00
joerg
3d8ef5a52d Second round of explicit pax dependencies. As reminded by tnn@,
many packages used to use ${PAX}. Use the common way of directly calling
pax, it is created as tool after all.
2008-05-26 02:13:14 +00:00
tonnerre
7b9f66b40a Fix CVE-2008-0122 for libbind (as contained in bind). A misplaced boundary
check can be abused for implementation specific exploitation: depending on
the use of libbind, this can result in denial of service or even remote
code execution.
2008-05-11 00:00:57 +00:00
jlam
841dfa0e7a Convert to use PLIST_VARS instead of manually passing "@comment "
through PLIST_SUBST to the plist module.
2008-04-12 22:42:57 +00:00
tnn
ad6ceadd25 Per the process outlined in revbump(1), perform a recursive revbump
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
2008-01-18 05:06:18 +00:00
jlam
07dd3147c6 Convert packages that test and use USE_INET6 to use the options framework
and to support the "inet6" option instead.

Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files.  Replace:

	BUILD_DEFS+=	USE_INET6
with
	BUILD_DEFS+=	IPV6_READY

and teach the README-generation tools to look for that instead.

This nukes USE_INET6 from pkgsrc proper.  We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
2007-09-07 22:12:10 +00:00
reed
2da7fd65d2 Fix two typos. I didn't test this. Bump PKGREVISION as on
"dragonfly" this may change the build.
2007-08-08 18:32:45 +00:00
adrianp
e79c810421 Fix for bind package name pointed out by John Klos on tech-pkg@ 2007-08-01 21:09:57 +00:00
adrianp
0f8acfef46 Update to 9.4.1-P1
2206.	[security]
"allow-query-cache" and "allow-recursion" now
cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.

2203.	[security]
Query id generation was cryptographically weak.

2202.	[security]
The default acls for allow-query-cache and
allow-recursion were not being applied.

2193.	[port]
win32: BINDInstall.exe is now linked statically.

2192.	[port]
win32: use vcredist_x86.exe to install Visual
Studio's redistributable dlls if building with
Visual Studio 2005 or later.
2007-07-28 11:41:56 +00:00
jlam
4390d56940 Make it easier to build and install packages "unprivileged", where
the owner of all installed files is a non-root user.  This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.

(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
    unprivileged.mk.  These two variables are lists of other bmake
    variables that define package-specific users and groups.  Packages
    that have user-settable variables for users and groups, e.g. apache
    and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
    etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
    so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
    and ${UNPRIVILEGED_GROUP}.

(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 20:54:31 +00:00
joerg
7f540c297e Automatically include pthread variables. Bump revision as it might
change some of the binaries.
2007-06-12 14:08:37 +00:00
cjs
753b5b5e37 Update BIND to 9.4.1:
CVE-2007-2241: A sequence of queries can cause a recursive nameserver
to exit. While it is unlikely these will occur in normal operation, an
attack can use them to cause the affected versions to exit. This attack
is a denial of service, and does not allow an attacker to gain control
of affected systems.
2007-05-02 08:12:37 +00:00
cjs
bfde5f2e6c Upgrade BIND to 9.4.0.
I won't attempt to summarize 221 lines of changes in README here.
2007-04-15 18:56:49 +00:00
tron
c22c17a3c2 Fix permission problems:
- "share/doc/bind9" shouldn't be group-writable.
- "share/doc/bind9/arm/Bv9ARM.pdf" shouldn't be executable.

Bump package revision because of these fixes.
2007-01-30 15:04:33 +00:00
adrianp
b4f9d6caab Update to 9.3.4
Lots of changes, see http://www.isc.org/sw/bind/view/?release=9.3.4#RELEASE
for all the details:

In brief:
2126.	[security]	Serialise validation of type ANY responses.

2124.	[security]	It was possible to dereference a freed fetch
context.

2089.	[security]	Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
prior to these have known security flaws which
are (potentially) exploitable in named.

2088.	[security]	Change the default RSA exponent from 3 to 65537.

2066.   [security]      Handle SIG queries gracefully.

1941.   [bug]           ncache_adderesult() should set eresult even if no
rdataset is passed to it.
2007-01-28 01:31:52 +00:00
hubertf
201f5f484c Disable threading on sparc and sparc64
sparc64 tested successfully by Volkmar Seifert <vs@nifelheim.info>

OK'd by (and sparc included per suggestion of) martin@
2006-11-23 22:19:38 +00:00
seb
eb92db42b9 Don't install doc/*/Makefile{,.in} as these do not pass the CHECK_WRKREF
check. Also don't install utility perl scripts for building the
docs. Use pax to install all the doc files in one go.

Bump PKGREVISION to 3 for the PLIST changes.
2006-11-05 15:49:22 +00:00
adrianp
d1991b97c2 Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1
* Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)

- Recursive servers
Queries for SIG records will trigger an assertion failure if more
than one RRset is returned. However exposure can be minimized by
restricting which sources can ask for recursion.

- Authoritative servers
If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
for the SIG records where there are multiple RRsets, then the
named program will trigger an assertion failure when it tries
to construct the response.

* INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)

It is possible to trigger an INSIST failure by sending enough
recursive queries such that the response to the query arrives after
all the clients waiting for the response have left the recursion
queue. However exposure can be minimized by restricting which sources
can ask for recursion.
2006-09-05 20:45:32 +00:00
rillig
da089ed616 Added the relevant variables to BUILD_DEFS. 2006-09-03 22:58:26 +00:00
seb
a4632cd538 Bump PKGREVISION to 1.
Fix build on NetBSD/sparc64 3.x: sync CPP symbols usage between
struct addrinfo definition and its usage in getaddrinfo().

While here define struct addrinfo's pad members the same way as in
NetBSD's /usr/include/netbsd.h and sync code in
lib/bind/irs/getaddrinfo.c:getaddrinfo().

This had been reported to bind9-bugs at isc dot org.
2006-08-28 16:00:45 +00:00
taca
201bdcfe0f Update bind to 9.3.2.
Changes are huge, so please see http://www.isc.org/sw/bind/bind9.3.php.
2006-08-17 14:14:18 +00:00
abs
4006cd4b65 The contents of include/bind vary widely between systems as bind9
dutifully installs whatever it thinks might be missing or just
substandard on the current system.
As the Makefile already adds the contents of share/doc/bind9
dynamically to the PLIST, do the same for include/bind.
Fixes the PLIST on RedHat EL 2 & 3, and does not break it on NetBSD/3
No PKGREVISION bump as no change to anything but generated PLIST
2006-06-20 13:37:22 +00:00
tron
554028c3b7 Remove as maintainer of this package. I'm no longer using it on any
system I administrate.
2006-04-25 16:19:40 +00:00
jlam
802ce74fcb Modify packages that set PKG_USERS and PKG_GROUPS to follow the new
syntax as specified in pkgsrc/mk/install/bsd.pkginstall.mk:1.47.
2006-04-23 00:12:35 +00:00
jlam
dc9594e09d Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
2005-12-29 06:21:30 +00:00
rillig
579e977969 Ran "pkglint --autofix", which corrected some of the quoting issues in
CONFIGURE_ARGS.
2005-12-05 23:55:01 +00:00
rillig
b71a1d488b Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 20:49:47 +00:00
rillig
7a95adad42 The real user name in PKG_USERS does not need to be escaped with double
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
2005-08-23 11:48:47 +00:00
tron
e0542143c9 Don't set "DIST_SUBDIR". BIND 9.x archives include the version number. 2005-06-01 22:23:19 +00:00
tron
043f4868f3 Update "bind" package to version 9.3.1. Changes since version 9.3.0:
BIND 9.3.1 is a maintenance release, containing fixes for a number of
bugs in 9.3.0.
libbind: corresponds to that from BIND 8.4.6-REL.
2005-06-01 22:02:55 +00:00
tv
f816d81489 Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. 2005-04-11 21:44:48 +00:00
tron
476627d1bb - Incorporate change root non-root support from NetBSD's "/etc/rc.d/named"
into "named9.sh".
- Create a user and a group "named" for running the name server.
- Add a message file which encourages to run the name server in a
  change root non-root configuration.
This addresses PR pkg/14876 by Greg A. Woods.

Bump package revision because of the above changes.
2005-03-18 01:14:32 +00:00
tron
4fa2df93ca - Rename rc script "named" to "named9" to avoid conflicts with NetBSD's
builtin script.
- Don't set "pidfile" in "named9.sh" because it breaks change rooted
  configurations.
- Disable inlining in "lib/dns/rbt.c" on PowerPC systems because certain
  GCC versions create broken code for that file.
Bump package revision because of the above changes.
2005-03-16 13:56:24 +00:00
tron
1600729e58 - Reorder assignment to fix "pkglint" warnings.
- Use RCD_SCRIPTS mechanism to install startup scripts as suggested by
  Greg A. Woods in PR pkg/19099.
2005-03-15 16:07:01 +00:00
tron
adb876c663 Apply ISC patch to fix a potential DoS in BIND 9.3.0 reported in VU#938617.
Bump package version number to 9.3.0pl1 because of this.
2005-01-26 09:32:31 +00:00
minskim
e07031c753 Use VARBASE. 2004-12-29 15:21:50 +00:00
jklos
957de1a8e6 BIND 9.3.0 dies right after launch on VAX and m68k when threading is
enabled. Until this is fixed, we'll turn off threading for VAX and m68k.
PowerPC has some other issue, and i386 and SPARC appear to work fine with
threading.
2004-12-18 21:01:46 +00:00
tron
a4caaa600c Update "bind9" package to version 9.3.0. Changes since version 9.2.3:
- DNSSEC is now DS based (RFC 3658).
  See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
- DNSSEC lookaside validation.
- check-names is now implemented.
- rrset-order is more complete.
- IPv4/IPv6 transition support, dual-stack-servers.
- IXFR deltas can now be generated when loading master files,
  ixfr-from-differences.
- It is now possible to specify the size of a journal, max-journal-size.
- It is now possible to define a named set of master servers to be
  used in masters clause, masters.
- The advertised EDNS UDP size can now be set, edns-udp-size.
  allow-v6-synthesis has been obsoleted.
	NOTE:
	* Zones containing MD and MF will now be rejected.
	* dig, nslookup name. now report "Not Implemented" as
	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
	  that are looking for NOTIMPL.
- libbind: corresponds to that from BIND 8.4.5.
2004-10-03 09:20:41 +00:00
tv
c487cb967a Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
2004-10-03 00:12:51 +00:00
jlam
ca70938428 Replace RPATH_FLAG with LINKER_RPATH_FLAG and COMPILER_RPATH_FLAG,
which are the full option names used to set rpath directives for the
linker and the compiler, respectively.  In places where we are invoking
the linker, use "${LINKER_RPATH_FLAG} <path>", where the space is
inserted in case the flag is a word, e.g. -rpath.  The default values
of *_RPATH_FLAG are set by the compiler/*.mk files, depending on the
compiler that you use.  They may be overridden on a ${OPSYS}-specific
basis by setting _OPSYS_LINKER_RPATH_FLAG and _OPSYS_COMPILER_RPATH_FLAG,
respectively.  Garbage-collect _OPSYS_RPATH_NAME and _COMPILER_LD_FLAG.
2004-08-27 06:29:06 +00:00