head	1.4;
access;
symbols
	pkgsrc-2013Q2:1.4.0.10
	pkgsrc-2013Q2-base:1.4
	pkgsrc-2012Q4:1.4.0.8
	pkgsrc-2012Q4-base:1.4
	pkgsrc-2011Q4:1.4.0.6
	pkgsrc-2011Q4-base:1.4
	pkgsrc-2011Q2:1.4.0.4
	pkgsrc-2011Q2-base:1.4
	pkgsrc-2009Q4:1.4.0.2
	pkgsrc-2009Q4-base:1.4
	pkgsrc-2008Q4:1.3.0.10
	pkgsrc-2008Q4-base:1.3
	pkgsrc-2008Q3:1.3.0.8
	pkgsrc-2008Q3-base:1.3
	cube-native-xorg:1.3.0.6
	cube-native-xorg-base:1.3
	pkgsrc-2008Q2:1.3.0.4
	pkgsrc-2008Q2-base:1.3
	cwrapper:1.3.0.2
	pkgsrc-2008Q1:1.2.0.10
	pkgsrc-2008Q1-base:1.2
	pkgsrc-2007Q4:1.2.0.8
	pkgsrc-2007Q4-base:1.2
	pkgsrc-2007Q3:1.2.0.6
	pkgsrc-2007Q3-base:1.2
	pkgsrc-2007Q2:1.2.0.4
	pkgsrc-2007Q2-base:1.2
	pkgsrc-2007Q1:1.2.0.2
	pkgsrc-2007Q1-base:1.2
	pkgsrc-2006Q4:1.1.0.6
	pkgsrc-2006Q4-base:1.1
	pkgsrc-2006Q3:1.1.0.4
	pkgsrc-2006Q3-base:1.1
	pkgsrc-2006Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.4
date	2009.01.04.00.16.03;	author adrianp;	state dead;
branches;
next	1.3;

1.3
date	2008.05.11.00.00.59;	author tonnerre;	state Exp;
branches
	1.3.10.1;
next	1.2;

1.2
date	2007.01.28.01.31.52;	author adrianp;	state dead;
branches
	1.2.10.1;
next	1.1;

1.1
date	2006.09.05.20.45.32;	author adrianp;	state Exp;
branches
	1.1.2.1;
next	;

1.3.10.1
date	2009.01.19.11.44.16;	author tron;	state dead;
branches;
next	;

1.2.10.1
date	2008.05.11.09.42.59;	author ghen;	state Exp;
branches;
next	;

1.1.2.1
date	2006.09.05.20.45.32;	author ghen;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2006.09.07.11.20.44;	author ghen;	state Exp;
branches;
next	;


desc
@@


1.4
log
@Update to 9.4.3

Resolver could try unreachable servers multiple times.
Adb's handling of lame addresses was different for IPv4 and IPv6.
Remove NULL pointer dereference in dns_journal_print().
libbind: Out of bounds reference in dns_ho.c:addrsort.
Set initial timeout to 800ms.
TSIG context leak

For all the details see:
 http://oldwww.isc.org/sw/bind/view/?release=9.4.3#RELEASE
@
text
@$NetBSD: patch-ap,v 1.3 2008/05/11 00:00:59 tonnerre Exp $

--- lib/bind/inet/inet_network.c.orig	2005-04-27 07:00:54.000000000 +0200
+++ lib/bind/inet/inet_network.c
@@@@ -84,9 +84,9 @@@@ again:
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}
@


1.3
log
@Fix CVE-2008-0122 for libbind (as contained in bind). A misplaced boundary
check can be abused for implementation specific exploitation: depending on
the use of libbind, this can result in denial of service or even remote
code execution.
@
text
@d1 1
a1 1
$NetBSD$
@


1.3.10.1
log
@Pullup ticket #2645 - requested by mlelstv
bind9: security update

Revisions pulled up:
- net/bind9/Makefile				1.103-1.104
- net/bind9/PLIST				1.23
- net/bind9/distinfo				1.39-1.40
- net/bind9/patches/patch-ai			1.10
- net/bind9/patches/patch-ap			delete
---
Module Name:	pkgsrc
Committed By:	adrianp
Date:		Sun Jan	 4 00:16:03 UTC 2009

Modified Files:
	pkgsrc/net/bind9: Makefile PLIST distinfo
	pkgsrc/net/bind9/patches: patch-ai
Removed Files:
	pkgsrc/net/bind9/patches: patch-ap

Log Message:
Update to 9.4.3

Resolver could try unreachable servers multiple times.
Adb's handling of lame addresses was different for IPv4 and IPv6.
Remove NULL pointer dereference in dns_journal_print().
libbind: Out of bounds reference in dns_ho.c:addrsort.
Set initial timeout to 800ms.
TSIG context leak

For all the details see:
 http://oldwww.isc.org/sw/bind/view/?release=9.4.3#RELEASE
---
Module Name:	pkgsrc
Committed By:	adrianp
Date:		Thu Jan	 8 09:02:19 UTC 2009

Modified Files:
	pkgsrc/net/bind9: Makefile distinfo

Log Message:
Changes since 9.4.3:

2522.	[security]	Handle -1 from DSA_do_verify().

2498.	[bug]		Removed a bogus function argument used with
			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
			warning or crash named with the debug 1 level
			of logging. [RT #18917]


To generate a diff of this commit:
cvs rdiff -r1.103 -r1.104 pkgsrc/net/bind9/Makefile
cvs rdiff -r1.39 -r1.40 pkgsrc/net/bind9/distinfo
@
text
@d1 1
a1 1
$NetBSD: patch-ap,v 1.3 2008/05/11 00:00:59 tonnerre Exp $
@


1.2
log
@Update to 9.3.4
Lots of changes, see http://www.isc.org/sw/bind/view/?release=9.3.4#RELEASE
for all the details:

In brief:
2126.	[security]	Serialise validation of type ANY responses.

2124.	[security]	It was possible to dereference a freed fetch
context.

2089.	[security]	Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
prior to these have known security flaws which
are (potentially) exploitable in named.

2088.	[security]	Change the default RSA exponent from 3 to 65537.

2066.   [security]      Handle SIG queries gracefully.

1941.   [bug]           ncache_adderesult() should set eresult even if no
rdataset is passed to it.
@
text
@d1 1
a1 1
$NetBSD: patch-ap,v 1.1 2006/09/05 20:45:32 adrianp Exp $
d3 14
a16 20
--- bin/named/query.c.orig	2005-08-11 06:25:20.000000000 +0100
+++ bin/named/query.c
@@@@ -2393,7 +2393,7 @@@@ query_find(ns_client_t *client, dns_fetc
 		is_zone = ISC_FALSE;
 
 		qtype = event->qtype;
-		if (qtype == dns_rdatatype_rrsig)
+		if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
 			type = dns_rdatatype_any;
 		else
 			type = qtype;
@@@@ -2434,7 +2434,7 @@@@ query_find(ns_client_t *client, dns_fetc
 	/*
 	 * If it's a SIG query, we'll iterate the node.
 	 */
-	if (qtype == dns_rdatatype_rrsig)
+	if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
 		type = dns_rdatatype_any;
 	else
 		type = qtype;
@


1.2.10.1
log
@Pullup ticket 2370 - requested by tonnerre
security fix for bind 9

- pkgsrc/net/bind9/Makefile				1.97
- pkgsrc/net/bind9/distinfo				1.35
- pkgsrc/net/bind9/patches/patch-ap			1.3

   Module Name:		pkgsrc
   Committed By:	tonnerre
   Date:		Sun May 11 00:00:59 UTC 2008

   Modified Files:
	   pkgsrc/net/bind9: Makefile distinfo
   Added Files:
	   pkgsrc/net/bind9/patches: patch-ap

   Log Message:
   Fix CVE-2008-0122 for libbind (as contained in bind). A misplaced
   boundary check can be abused for implementation specific exploitation:
   depending on the use of libbind, this can result in denial of service
   or even remote code execution.
@
text
@d1 1
a1 1
$NetBSD$
d3 20
a22 14
--- lib/bind/inet/inet_network.c.orig	2005-04-27 07:00:54.000000000 +0200
+++ lib/bind/inet/inet_network.c
@@@@ -84,9 +84,9 @@@@ again:
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}
@


1.1
log
@Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1

* Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)

- Recursive servers
Queries for SIG records will trigger an assertion failure if more
than one RRset is returned. However exposure can be minimized by
restricting which sources can ask for recursion.

- Authoritative servers
If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
for the SIG records where there are multiple RRsets, then the
named program will trigger an assertion failure when it tries
to construct the response.

* INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)

It is possible to trigger an INSIST failure by sending enough
recursive queries such that the response to the query arrives after
all the clients waiting for the response have left the recursion
queue. However exposure can be minimized by restricting which sources
can ask for recursion.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-ap was added on branch pkgsrc-2006Q2 on 2006-09-05 20:45:32 +0000
@
text
@d1 22
@


1.1.2.2
log
@Pullup ticket 1816 - requested by adrianp
security update for bind9

Revisions pulled up:
- pkgsrc/net/bind9/Makefile				1.79,1.81-1.82
- pkgsrc/net/bind9/PLIST				1.19
- pkgsrc/net/bind9/distinfo				1.27
- pkgsrc/net/bind9/patches/patch-aa			removed
- pkgsrc/net/bind9/patches/patch-ac			1.6
- pkgsrc/net/bind9/patches/patch-ad			1.6
- pkgsrc/net/bind9/patches/patch-ae			removed
- pkgsrc/net/bind9/patches/patch-af			1.6
- pkgsrc/net/bind9/patches/patch-ah			removed
- pkgsrc/net/bind9/patches/patch-ai			1.7
- pkgsrc/net/bind9/patches/patch-aj			1.4
- pkgsrc/net/bind9/patches/patch-al			1.2
- pkgsrc/net/bind9/patches/patch-am			1.1
- pkgsrc/net/bind9/patches/patch-ao			1.1
- pkgsrc/net/bind9/patches/patch-ap			1.1
- pkgsrc/net/bind9/patches/patch-aq			1.1

   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Aug 17 14:14:18 UTC 2006

   Modified Files:
	pkgsrc/net/bind9: Makefile PLIST distinfo
	pkgsrc/net/bind9/patches: patch-ac patch-ad patch-af patch-ai patch-aj
	    patch-al
   Added Files:
	pkgsrc/net/bind9/patches: patch-am
   Removed Files:
	pkgsrc/net/bind9/patches: patch-aa patch-ae patch-ah

   Log Message:
   Update bind to 9.3.2.

   Changes are huge, so please see http://www.isc.org/sw/bind/bind9.3.php.
---
   Module Name:	pkgsrc
   Committed By:	seb
   Date:		Mon Aug 28 16:00:45 UTC 2006

   Modified Files:
	pkgsrc/net/bind9: Makefile distinfo
   Added Files:
	pkgsrc/net/bind9/patches: patch-an patch-ao

   Log Message:
   Bump PKGREVISION to 1.

   Fix build on NetBSD/sparc64 3.x: sync CPP symbols usage between
   struct addrinfo definition and its usage in getaddrinfo().

   While here define struct addrinfo's pad members the same way as in
   NetBSD's /usr/include/netbsd.h and sync code in
   lib/bind/irs/getaddrinfo.c:getaddrinfo().

   This had been reported to bind9-bugs at isc dot org.
---
   Module Name:	pkgsrc
   Committed By:	rillig
   Date:		Sun Sep  3 22:58:26 UTC 2006

   Modified Files:
	pkgsrc/net/bind9: Makefile

   Log Message:
   Added the relevant variables to BUILD_DEFS.
---
   Module Name:	pkgsrc
   Committed By:	adrianp
   Date:		Tue Sep  5 20:45:32 UTC 2006

   Modified Files:
	pkgsrc/net/bind9: Makefile distinfo
   Added Files:
	pkgsrc/net/bind9/patches: patch-ap patch-aq

   Log Message:
   Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1

   * Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)

   - Recursive servers
   Queries for SIG records will trigger an assertion failure if more
   than one RRset is returned. However exposure can be minimized by
   restricting which sources can ask for recursion.

   - Authoritative servers
   If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
   for the SIG records where there are multiple RRsets, then the
   named program will trigger an assertion failure when it tries
   to construct the response.

   * INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)

   It is possible to trigger an INSIST failure by sending enough
   recursive queries such that the response to the query arrives after
   all the clients waiting for the response have left the recursion
   queue. However exposure can be minimized by restricting which sources
   can ask for recursion.
@
text
@a0 22
$NetBSD: patch-ap,v 1.1.2.1 2006/09/07 11:20:44 ghen Exp $

--- bin/named/query.c.orig	2005-08-11 06:25:20.000000000 +0100
+++ bin/named/query.c
@@@@ -2393,7 +2393,7 @@@@ query_find(ns_client_t *client, dns_fetc
 		is_zone = ISC_FALSE;
 
 		qtype = event->qtype;
-		if (qtype == dns_rdatatype_rrsig)
+		if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
 			type = dns_rdatatype_any;
 		else
 			type = qtype;
@@@@ -2434,7 +2434,7 @@@@ query_find(ns_client_t *client, dns_fetc
 	/*
 	 * If it's a SIG query, we'll iterate the node.
 	 */
-	if (qtype == dns_rdatatype_rrsig)
+	if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
 		type = dns_rdatatype_any;
 	else
 		type = qtype;
@