head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.28 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.26 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.24 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.22 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.20 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.18 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.16 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.14 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.12 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.10 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.8 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.6 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.4 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.2 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.1.0.6 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.4 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2007.01.28.01.31.52; author adrianp; state dead; branches; next 1.1; 1.1 date 2006.09.05.20.45.32; author adrianp; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2006.09.05.20.45.32; author ghen; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2006.09.07.11.20.44; author ghen; state Exp; branches; next ; desc @@ 1.2 log @Update to 9.3.4 Lots of changes, see http://www.isc.org/sw/bind/view/?release=9.3.4#RELEASE for all the details: In brief: 2126. [security] Serialise validation of type ANY responses. 2124. [security] It was possible to dereference a freed fetch context. 2089. [security] Raise the minimum safe OpenSSL versions to OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known security flaws which are (potentially) exploitable in named. 2088. [security] Change the default RSA exponent from 3 to 65537. 2066. [security] Handle SIG queries gracefully. 1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. 
@ text @$NetBSD: patch-aq,v 1.1 2006/09/05 20:45:32 adrianp Exp $ --- lib/dns/resolver.c.orig 2005-10-14 02:38:48.000000000 +0100 +++ lib/dns/resolver.c @@@@ -762,7 +762,8 @@@@ fctx_sendevents(fetchctx_t *fctx, isc_re INSIST(result != ISC_R_SUCCESS || dns_rdataset_isassociated(event->rdataset) || fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); } @@@@ -3188,7 +3189,8 @@@@ validated(isc_task_t *task, isc_event_t if (hevent != NULL) { if (!negative && !chaining && (fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig)) { + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig)) { /* * Don't bind rdatasets; the caller * will iterate the node. @@@@ -3306,7 +3308,8 @@@@ validated(isc_task_t *task, isc_event_t if (!ISC_LIST_EMPTY(fctx->validators)) { INSIST(!negative); INSIST(fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); /* * Don't send a response yet - we have * more rdatasets that still need to @@@@ -3455,14 +3458,15 @@@@ cache_name(fetchctx_t *fctx, dns_name_t return (result); anodep = &event->node; /* - * If this is an ANY or SIG query, we're not going - * to return any rdatasets, unless we encountered + * If this is an ANY, SIG or RRSIG query, we're not + * going to return any rdatasets, unless we encountered * a CNAME or DNAME as "the answer". In this case, * we're going to return DNS_R_CNAME or DNS_R_DNAME * and we must set up the rdatasets. 
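Review bot: The ANY/RRSIG/SIG type test is open-coded at five sites: the INSIST in fctx_sendevents() in the first hunk, both conditions in validated(), and both in cache_name(). Every one of those lists needed `dns_rdatatype_sig` added by hand in this patch. A single file-local predicate would stop the sites from drifting apart again, for example `#define NOBIND_TYPE(t) ((t) == dns_rdatatype_any || (t) == dns_rdatatype_rrsig || (t) == dns_rdatatype_sig)` (the name is only a suggestion), used in positive or negated form at each site. Two of the sites are INSISTs evaluated while processing a fetch result, so a list that falls out of step aborts the whole server rather than failing one query. All three functions begin and end outside the hunks shown, so other copies of the same test may exist that are not visible here.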
*/ if ((fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) || + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) || (name->attributes & DNS_NAMEATTR_CHAINING) != 0) { ardataset = event->rdataset; asigrdataset = event->sigrdataset; @@@@ -3521,7 +3525,7 @@@@ cache_name(fetchctx_t *fctx, dns_name_t */ if (secure_domain && rdataset->trust != dns_trust_glue) { /* - * SIGs are validated as part of validating the + * RRSIGs are validated as part of validating the * type they cover. */ if (rdataset->type == dns_rdatatype_rrsig) @@@@ -3591,7 +3595,8 @@@@ cache_name(fetchctx_t *fctx, dns_name_t if (ANSWER(rdataset) && need_validation) { if (fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) { + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) { /* * This is The Answer. We will * validate it, but first we cache @@@@ -3763,23 +3768,28 @@@@ ncache_adderesult(dns_message_t *message isc_result_t *eresultp) { isc_result_t result; + dns_rdataset_t rdataset; + + if (ardataset == NULL) { + dns_rdataset_init(&rdataset); + ardataset = &rdataset; + } result = dns_ncache_add(message, cache, node, covers, now, maxttl, ardataset); - if (result == DNS_R_UNCHANGED) { + if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* - * The data in the cache are better than the negative cache - * entry we're trying to add. + * If the cache now contains a negative entry and we + * care about whether it is DNS_R_NCACHENXDOMAIN or + * DNS_R_NCACHENXRRSET then extract it. */ - if (ardataset != NULL && ardataset->type == 0) { + if (ardataset->type == 0) { /* - * The cache data is also a negative cache - * entry. + * The cache data is a negative cache entry. 
*/ if (NXDOMAIN(ardataset)) *eresultp = DNS_R_NCACHENXDOMAIN; else *eresultp = DNS_R_NCACHENXRRSET; - result = ISC_R_SUCCESS; } else { /* * Either we don't care about the nature of the @@@@ -3791,14 +3801,11 @@@@ ncache_adderesult(dns_message_t *message * XXXRTH There's a CNAME/DNAME problem here. */ *eresultp = ISC_R_SUCCESS; - result = ISC_R_SUCCESS; } - } else if (result == ISC_R_SUCCESS) { - if (NXDOMAIN(ardataset)) - *eresultp = DNS_R_NCACHENXDOMAIN; - else - *eresultp = DNS_R_NCACHENXRRSET; + result = ISC_R_SUCCESS; } + if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) + dns_rdataset_disassociate(ardataset); return (result); } @ 1.1 log @Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1 * Assertion failure in ISC BIND SIG query processing (CVE-2006-4095) - Recursive servers Queries for SIG records will trigger an assertion failure if more than one RRset is returned. However exposure can be minimized by restricting which sources can ask for recursion. - Authoritative servers If a nameserver is serving a RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple RRsets, then the named program will trigger an assertion failure when it tries to construct the response. * INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096) It is possible to trigger an INSIST failure by sending enough recursive queries such that the response to the query arrives after all the clients waiting for the response have left the recursion queue. However exposure can be minimized by restricting which sources can ask for recursion. 
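Review bot: ncache_adderesult() now has a contract that the code does not state: `ardataset` may be NULL, and `*eresultp` is written only when dns_ncache_add() returns DNS_R_UNCHANGED or ISC_R_SUCCESS. I would add above the NULL check `/* ardataset may be NULL: bind to a local rdataset so NXDOMAIN/NXRRSET can still be reported; it is disassociated before return. */`, and state in the function comment that callers must not read `*eresultp` on any other result. The negative-entry test `ardataset->type == 0` on the local rdataset depends on how dns_rdataset_init() and dns_ncache_add() leave that field, which is not visible in the patch, so it is worth confirming. This covers the following hunk (-3791) as well, which finishes the same function; the function's signature starts outside the first hunk.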
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-aq was added on branch pkgsrc-2006Q2 on 2006-09-05 20:45:32 +0000 @ text @d1 126 @ 1.1.2.2 log @Pullup ticket 1816 - requested by adrianp security update for bind9 Revisions pulled up: - pkgsrc/net/bind9/Makefile 1.79,1.81-1.82 - pkgsrc/net/bind9/PLIST 1.19 - pkgsrc/net/bind9/distinfo 1.27 - pkgsrc/net/bind9/patches/patch-aa removed - pkgsrc/net/bind9/patches/patch-ac 1.6 - pkgsrc/net/bind9/patches/patch-ad 1.6 - pkgsrc/net/bind9/patches/patch-ae removed - pkgsrc/net/bind9/patches/patch-af 1.6 - pkgsrc/net/bind9/patches/patch-ah removed - pkgsrc/net/bind9/patches/patch-ai 1.7 - pkgsrc/net/bind9/patches/patch-aj 1.4 - pkgsrc/net/bind9/patches/patch-al 1.2 - pkgsrc/net/bind9/patches/patch-am 1.1 - pkgsrc/net/bind9/patches/patch-ao 1.1 - pkgsrc/net/bind9/patches/patch-ap 1.1 - pkgsrc/net/bind9/patches/patch-aq 1.1 Module Name: pkgsrc Committed By: taca Date: Thu Aug 17 14:14:18 UTC 2006 Modified Files: pkgsrc/net/bind9: Makefile PLIST distinfo pkgsrc/net/bind9/patches: patch-ac patch-ad patch-af patch-ai patch-aj patch-al Added Files: pkgsrc/net/bind9/patches: patch-am Removed Files: pkgsrc/net/bind9/patches: patch-aa patch-ae patch-ah Log Message: Update bind to 9.3.2. Changes are huge, so please see http://www.isc.org/sw/bind/bind9.3.php. --- Module Name: pkgsrc Committed By: seb Date: Mon Aug 28 16:00:45 UTC 2006 Modified Files: pkgsrc/net/bind9: Makefile distinfo Added Files: pkgsrc/net/bind9/patches: patch-an patch-ao Log Message: Bump PKGREVISION to 1. Fix build on NetBSD/sparc64 3.x: sync CPP symbols usage between struct addrinfo definition and its usage in getaddrinfo(). While here define struct addrinfo's pad members the same way as in NetBSD's /usr/include/netbsd.h and sync code in lib/bind/irs/getaddrinfo.c:getaddrinfo(). This had been reported to bind9-bugs at isc dot org. 
--- Module Name: pkgsrc Committed By: rillig Date: Sun Sep 3 22:58:26 UTC 2006 Modified Files: pkgsrc/net/bind9: Makefile Log Message: Added the relevant variables to BUILD_DEFS. --- Module Name: pkgsrc Committed By: adrianp Date: Tue Sep 5 20:45:32 UTC 2006 Modified Files: pkgsrc/net/bind9: Makefile distinfo Added Files: pkgsrc/net/bind9/patches: patch-ap patch-aq Log Message: Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1 * Assertion failure in ISC BIND SIG query processing (CVE-2006-4095) - Recursive servers Queries for SIG records will trigger an assertion failure if more than one RRset is returned. However exposure can be minimized by restricting which sources can ask for recursion. - Authoritative servers If a nameserver is serving a RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple RRsets, then the named program will trigger an assertion failure when it tries to construct the response. * INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096) It is possible to trigger an INSIST failure by sending enough recursive queries such that the response to the query arrives after all the clients waiting for the response have left the recursion queue. However exposure can be minimized by restricting which sources can ask for recursion. 
@ text @a0 126 $NetBSD: patch-aq,v 1.1.2.1 2006/09/07 11:20:44 ghen Exp $ --- lib/dns/resolver.c.orig 2005-10-14 02:38:48.000000000 +0100 +++ lib/dns/resolver.c @@@@ -762,7 +762,8 @@@@ fctx_sendevents(fetchctx_t *fctx, isc_re INSIST(result != ISC_R_SUCCESS || dns_rdataset_isassociated(event->rdataset) || fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); } @@@@ -3188,7 +3189,8 @@@@ validated(isc_task_t *task, isc_event_t if (hevent != NULL) { if (!negative && !chaining && (fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig)) { + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig)) { /* * Don't bind rdatasets; the caller * will iterate the node. @@@@ -3306,7 +3308,8 @@@@ validated(isc_task_t *task, isc_event_t if (!ISC_LIST_EMPTY(fctx->validators)) { INSIST(!negative); INSIST(fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); /* * Don't send a response yet - we have * more rdatasets that still need to @@@@ -3455,14 +3458,15 @@@@ cache_name(fetchctx_t *fctx, dns_name_t return (result); anodep = &event->node; /* - * If this is an ANY or SIG query, we're not going - * to return any rdatasets, unless we encountered + * If this is an ANY, SIG or RRSIG query, we're not + * going to return any rdatasets, unless we encountered * a CNAME or DNAME as "the answer". In this case, * we're going to return DNS_R_CNAME or DNS_R_DNAME * and we must set up the rdatasets. 
*/ if ((fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) || + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) || (name->attributes & DNS_NAMEATTR_CHAINING) != 0) { ardataset = event->rdataset; asigrdataset = event->sigrdataset; @@@@ -3521,7 +3525,7 @@@@ cache_name(fetchctx_t *fctx, dns_name_t */ if (secure_domain && rdataset->trust != dns_trust_glue) { /* - * SIGs are validated as part of validating the + * RRSIGs are validated as part of validating the * type they cover. */ if (rdataset->type == dns_rdatatype_rrsig) @@@@ -3591,7 +3595,8 @@@@ cache_name(fetchctx_t *fctx, dns_name_t if (ANSWER(rdataset) && need_validation) { if (fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) { + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) { /* * This is The Answer. We will * validate it, but first we cache @@@@ -3763,23 +3768,28 @@@@ ncache_adderesult(dns_message_t *message isc_result_t *eresultp) { isc_result_t result; + dns_rdataset_t rdataset; + + if (ardataset == NULL) { + dns_rdataset_init(&rdataset); + ardataset = &rdataset; + } result = dns_ncache_add(message, cache, node, covers, now, maxttl, ardataset); - if (result == DNS_R_UNCHANGED) { + if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* - * The data in the cache are better than the negative cache - * entry we're trying to add. + * If the cache now contains a negative entry and we + * care about whether it is DNS_R_NCACHENXDOMAIN or + * DNS_R_NCACHENXRRSET then extract it. */ - if (ardataset != NULL && ardataset->type == 0) { + if (ardataset->type == 0) { /* - * The cache data is also a negative cache - * entry. + * The cache data is a negative cache entry. 
*/ if (NXDOMAIN(ardataset)) *eresultp = DNS_R_NCACHENXDOMAIN; else *eresultp = DNS_R_NCACHENXRRSET; - result = ISC_R_SUCCESS; } else { /* * Either we don't care about the nature of the @@@@ -3791,14 +3801,11 @@@@ ncache_adderesult(dns_message_t *message * XXXRTH There's a CNAME/DNAME problem here. */ *eresultp = ISC_R_SUCCESS; - result = ISC_R_SUCCESS; } - } else if (result == ISC_R_SUCCESS) { - if (NXDOMAIN(ardataset)) - *eresultp = DNS_R_NCACHENXDOMAIN; - else - *eresultp = DNS_R_NCACHENXRRSET; + result = ISC_R_SUCCESS; } + if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) + dns_rdataset_disassociate(ardataset); return (result); } @