head 1.7; access; symbols pkgsrc-2019Q1:1.6.0.10 pkgsrc-2019Q1-base:1.6 pkgsrc-2018Q4:1.6.0.8 pkgsrc-2018Q4-base:1.6 pkgsrc-2018Q3:1.6.0.6 pkgsrc-2018Q3-base:1.6 pkgsrc-2018Q2:1.6.0.4 pkgsrc-2018Q2-base:1.6 pkgsrc-2018Q1:1.6.0.2 pkgsrc-2018Q1-base:1.6 pkgsrc-2017Q4:1.5.0.2 pkgsrc-2017Q4-base:1.5 pkgsrc-2017Q3:1.4.0.18 pkgsrc-2017Q3-base:1.4 pkgsrc-2017Q2:1.4.0.14 pkgsrc-2017Q2-base:1.4 pkgsrc-2017Q1:1.4.0.12 pkgsrc-2017Q1-base:1.4 pkgsrc-2016Q4:1.4.0.10 pkgsrc-2016Q4-base:1.4 pkgsrc-2016Q3:1.4.0.8 pkgsrc-2016Q3-base:1.4 pkgsrc-2016Q2:1.4.0.6 pkgsrc-2016Q2-base:1.4 pkgsrc-2016Q1:1.4.0.4 pkgsrc-2016Q1-base:1.4 pkgsrc-2015Q4:1.4.0.2 pkgsrc-2015Q4-base:1.4 pkgsrc-2015Q3:1.3.0.6 pkgsrc-2015Q3-base:1.3 pkgsrc-2015Q2:1.3.0.4 pkgsrc-2015Q2-base:1.3 pkgsrc-2015Q1:1.3.0.2 pkgsrc-2015Q1-base:1.3 pkgsrc-2014Q4:1.2.0.2 pkgsrc-2014Q4-base:1.2 pkgsrc-2014Q3:1.1.1.1.0.2 pkgsrc-2014Q3-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.7 date 2019.04.30.03.55.10; author taca; state dead; branches; next 1.6; commitid TzsHeY8ceQHtcklB; 1.6 date 2018.02.08.14.43.07; author fhajny; state Exp; branches; next 1.5; commitid UNwKhqYtbZ9s74qA; 1.5 date 2017.11.07.02.16.45; author kamil; state Exp; branches; next 1.4; commitid qx1ZG8K8vRwXY2eA; 1.4 date 2015.12.13.17.35.22; author taca; state Exp; branches; next 1.3; commitid cMZZrGoUtmZXoOMy; 1.3 date 2015.02.26.10.15.02; author taca; state Exp; branches 1.3.6.1; next 1.2; commitid XBmJCnvgivXWhvby; 1.2 date 2014.10.14.16.23.19; author taca; state Exp; branches; next 1.1; commitid oPB1ysICgjYmFbUx; 1.1 date 2014.07.02.02.42.58; author jnemeth; state Exp; branches 1.1.1.1; next ; commitid NRT4TW0ipVNBsKGx; 1.3.6.1 date 2015.12.18.19.46.02; author bsiegert; state Exp; branches; next ; commitid MknvIv8Vf4m4YsNy; 1.1.1.1 date 2014.07.02.02.42.58; author jnemeth; state Exp; branches 1.1.1.1.2.1; next ; commitid NRT4TW0ipVNBsKGx; 1.1.1.1.2.1 date 2014.12.10.19.53.09; author tron; state Exp; branches; next ; commitid sqX6ykmUIsGRZw1y; desc @@ 1.7 log @net/bind910: remove bind910 Remove bind910 EOL since July 2018. @ text @$NetBSD: patch-configure,v 1.6 2018/02/08 14:43:07 fhajny Exp $ * Add DragonFly support. * Link proper postgresql library. * Avoid using "==" for argument of test(1). --- configure.orig 2018-01-04 05:35:08.000000000 +0000 +++ configure @@@@ -14657,6 +14657,8 @@@@ case $host in use_threads=false ;; *-freebsd*) use_threads=true ;; +*-dragonfly*) + use_threads=false ;; *-bsdi[234]*) # Thread signals do not work reliably on some versions of BSD/OS. use_threads=false ;; @@@@ -16956,27 +16958,10 @@@@ case "$use_libjson" in libjson_libs="" ;; auto|yes) - for d in /usr /usr/local /opt/local - do - if test -f "${d}/include/json/json.h" - then - if test ${d} != /usr - then - libjson_cflags="-I ${d}/include" - LIBS="$LIBS -L${d}/lib" - fi - have_libjson="yes" - elif test -f "${d}/include/json-c/json.h" - then - if test ${d} != /usr - then - libjson_cflags="-I ${d}/include" - LIBS="$LIBS -L${d}/lib" - fi - have_libjson="yes" - have_libjson_c="yes" - fi - done + libjson_cflags="`pkg-config --cflags json-c`" + LIBS="$LIBS `pkg-config --libs json-c`" + have_libjson="yes" + have_libjson_c="yes" ;; *) if test -f "${use_libjson}/include/json/json.h" @@@@ -21861,7 +21846,7 @@@@ $as_echo "no" >&6; } fi if test -n "-L$use_dlz_postgres_lib -lpq" then - DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_postgres_lib -lpq" + DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L${PREFIX}/lib -lpq" fi @ 1.6 log @net/bind910: Fix problem in configure where contents of $LIBS would be lost when json-c support was enabled. @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.5 2017/11/07 02:16:45 kamil Exp $ @ 1.5 log @bind910: Correct bind-json-statistics-server option build Switch detection of json-c from homegrown detection of libraries in hardcoded dirs to pkg-config detection. Add new USE_TOOLS option pkg-config. Bump PKGREVISION to 1 for new dependency. @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.4 2015/12/13 17:35:22 taca Exp $ d7 1 a7 1 --- configure.orig 2017-07-24 05:31:21.000000000 +0000 d44 1 a44 1 + LIBS="`pkg-config --libs json-c`" @ 1.4 log @Update bind910 to 9.10.3. Security Fixes * An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286] * A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212] * A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046] * On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795] New Features * New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack. NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build. + fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option. + fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) Statistics counters have also been added to track the number of queries affected by these quotas. * dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests. * dig +[no]ednsnegotiation can now be used enable / disable EDNS version negotiation. * An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging. Feature Changes * Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927] * The experimental SIT extension now uses the EDNS COOKIE option code point (10) and is displayed as "COOKIE: ". The existing named.conf directives; "request-sit", "sit-secret" and "nosit-udp-size", are still valid and will be replaced by "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND 9.11. The existing dig directive "+sit" is still valid and will be replaced with "+cookie" in BIND 9.11. * When retrying a query via TCP due to the first answer being truncated, dig will now correctly send the COOKIE value returned by the server in the prior response. [RT #39047] * Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported. * Active Directory names of the form gc._msdcs. are now accepted as valid hostnames when using the check-names option. is still restricted to letters, digits and hyphens. * Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889] Bug Fixes * Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573] * A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979] * Some answer formatting options didn't work correctly with dig +short. [RT #39291] * Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285] * Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350] * The default rrset-order of random was inconsistently applied. [RT #40456] * BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427] * Several bugs have been fixed in the RPZ implementation: + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229] + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415] + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567] + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481] + The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649] + Query names could match against the wrong policy zone if wildcard records were present. [RT #40357] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.3 2015/02/26 10:15:02 taca Exp $ d7 1 a7 1 --- configure.orig 2015-09-09 02:23:40.000000000 +0000 d9 1 a9 1 @@@@ -14388,6 +14388,8 @@@@ case $host in d18 33 a50 1 @@@@ -21276,7 +21278,7 @@@@ $as_echo "no" >&6; } @ 1.3 log @Update bind910 package to 9.10.2. Security Fixes * On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344] * A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580] * Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679] A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients. New Features * None Feature Changes * ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";). * When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used. * NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.) * NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently. * Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems. * Added support for OPENPGPKEY type. * When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category. * If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked. Bug Fixes * dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892] * The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138] * Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159] * When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172] * dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183] * UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233] * Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216] * When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506] * Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187] * When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN. * When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796] * Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965] * A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE. * Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time. * Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310] * Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454] * Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information.[RT #38458] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.2 2014/10/14 16:23:19 taca Exp $ d7 1 a7 1 --- configure.orig 2015-02-18 01:55:55.000000000 +0000 d9 1 a9 19 @@@@ -11840,7 +11840,7 @@@@ fi test -n "$PYTHON" && break done - if test "X$PYTHON" == "X"; then + if test "X$PYTHON" = "X"; then continue; fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 @@@@ -11855,7 +11855,7 @@@@ $as_echo "not found" >&6; } unset ac_cv_path_PYTHON unset PYTHON done - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 $as_echo_n "checking for python support... " >&6; } @@@@ -14379,6 +14379,8 @@@@ case $host in d18 1 a18 1 @@@@ -21029,7 +21031,7 @@@@ $as_echo "no" >&6; } @ 1.3.6.1 log @Pullup ticket #4872 - requested by taca net/bind910: security fix Revisions pulled up: - net/bind910/Makefile 1.13-1.14 - net/bind910/distinfo 1.12-1.13 - net/bind910/patches/patch-bin_dig_dighost.c 1.3 - net/bind910/patches/patch-bin_tests_system_Makefile.in 1.3 - net/bind910/patches/patch-configure 1.4 --- Module Name: pkgsrc Committed By: taca Date: Sun Dec 13 17:35:22 UTC 2015 Modified Files: pkgsrc/net/bind910: Makefile distinfo pkgsrc/net/bind910/patches: patch-bin_dig_dighost.c patch-bin_tests_system_Makefile.in patch-configure Log Message: Update bind910 to 9.10.3. Security Fixes * An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286] * A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212] * A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046] * On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795] New Features * New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack. NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build. + fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option. + fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) Statistics counters have also been added to track the number of queries affected by these quotas. * dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests. * dig +[no]ednsnegotiation can now be used enable / disable EDNS version negotiation. * An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging. Feature Changes * Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927] * The experimental SIT extension now uses the EDNS COOKIE option code point (10) and is displayed as "COOKIE: ". The existing named.conf directives; "request-sit", "sit-secret" and "nosit-udp-size", are still valid and will be replaced by "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND 9.11. The existing dig directive "+sit" is still valid and will be replaced with "+cookie" in BIND 9.11. * When retrying a query via TCP due to the first answer being truncated, dig will now correctly send the COOKIE value returned by the server in the prior response. [RT #39047] * Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported. * Active Directory names of the form gc._msdcs. are now accepted as valid hostnames when using the check-names option. is still restricted to letters, digits and hyphens. * Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889] Bug Fixes * Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573] * A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979] * Some answer formatting options didn't work correctly with dig +short. [RT #39291] * Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285] * Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350] * The default rrset-order of random was inconsistently applied. [RT #40456] * BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427] * Several bugs have been fixed in the RPZ implementation: + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229] + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415] + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567] + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481] + The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649] + Query names could match against the wrong policy zone if wildcard records were present. [RT #40357] --- Module Name: pkgsrc Committed By: taca Date: Wed Dec 16 00:31:22 UTC 2015 Modified Files: pkgsrc/net/bind910: Makefile distinfo Log Message: Update bind910 package to 9.10.3pl2 (BIND 9.10.3-P2), security release. --- 9.10.3-P2 released --- 4270. [security] Update allowed OpenSSL versions as named is potentially vulnerable to CVE-2015-3193. 4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556] 4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987] 4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT#40945] --- 9.10.3-P1 (withdrawn) --- @ text @d1 1 a1 1 $NetBSD$ d7 1 a7 1 --- configure.orig 2015-09-09 02:23:40.000000000 +0000 d9 19 a27 1 @@@@ -14388,6 +14388,8 @@@@ case $host in d36 1 a36 1 @@@@ -21276,7 +21278,7 @@@@ $as_echo "no" >&6; } @ 1.2 log @Update bind910 to 9.10.1. Security Fixes A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078] A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899] New Features Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737] Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608] Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333] Added version printing options to various BIND utilities. [RT #26057] [RT #10686] Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347] Feature Changes "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945] Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507] rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691] Improves the accuracy of dig's reported round trip times. [RT #36611] When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210] Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909] DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063] Bug Fixes The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**) Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072] An assertion failure could occur if a route event arrived while shutting down. [RT #36887] When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946] The AD flag was being set inappopriately on RPZ responses. [RT #36833] Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737] On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534] RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302] Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452] Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885] A race condition could cause a crash in isc_event_free during shutdown. [RT #36720] Addresses some problems with unrecoverable lookup failures. [RT #36330] Addresses a race condition issue in dispatch. [RT #36731] acl elements could be miscounted, causing a crash while loading a config [RT #36675] Corrects a deadlock between view.c and adb.c. [RT #36341] liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039] Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968] Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273] Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979] Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879] FIxed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858] Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060] Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accomodate. [RT #35878] Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ d7 1 a7 1 --- configure.orig 2014-09-16 19:27:15.000000000 +0000 d9 1 a9 1 @@@@ -11827,7 +11827,7 @@@@ fi d18 1 a18 1 @@@@ -11842,7 +11842,7 @@@@ $as_echo "not found" >&6; } d27 1 a27 1 @@@@ -14352,6 +14352,8 @@@@ case $host in d36 1 a36 1 @@@@ -20865,7 +20867,7 @@@@ $as_echo "no" >&6; } @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.8 2014/02/02 07:58:20 taca Exp $ d7 1 a7 1 --- configure.orig 2014-01-27 18:58:24.000000000 +0000 d9 3 a11 1 @@@@ -11685,7 +11685,7 @@@@ done d13 15 a27 8 ;; esac - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then case "$use_python" in unspec) @@@@ -14410,6 +14410,8 @@@@ case $host in d36 1 a36 1 @@@@ -19538,7 +19540,7 @@@@ $as_echo "no" >&6; } @ 1.1.1.1 log @Initial import of BIND 9.10. @ text @@ 1.1.1.1.2.1 log @Pullup ticket #4570 - requested by taca net/bind910: security update Revisions pulled up: - net/bind910/Makefile 1.2-1.3 - net/bind910/PLIST 1.2-1.3 - net/bind910/distinfo 1.2-1.3 - net/bind910/patches/patch-bin_tests_system_Makefile.in 1.2 - net/bind910/patches/patch-configure 1.2 - net/bind910/patches/patch-lib_bind9_Makefile.in deleted - net/bind910/patches/patch-lib_dns_Makefile.in deleted - net/bind910/patches/patch-lib_dns_rbt.c 1.2 - net/bind910/patches/patch-lib_isc_Makefile.in deleted - net/bind910/patches/patch-lib_isccc_Makefile.in deleted - net/bind910/patches/patch-lib_isccfg_Makefile.in deleted - net/bind910/patches/patch-lib_lwres_Makefile.in deleted - net/bind910/patches/patch-lib_lwres_getaddrinfo.c 1.2 --- Module Name: pkgsrc Committed By: taca Date: Tue Oct 14 16:23:19 UTC 2014 Modified Files: pkgsrc/net/bind910: Makefile PLIST distinfo pkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c Removed Files: pkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in patch-lib_lwres_Makefile.in Log Message: Update bind910 to 9.10.1. Security Fixes A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078] A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899] New Features Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737] Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608] Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333] Added version printing options to various BIND utilities. [RT #26057] [RT #10686] Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347] Feature Changes "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945] Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507] rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691] Improves the accuracy of dig's reported round trip times. [RT #36611] When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210] Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909] DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063] Bug Fixes The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**) Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072] An assertion failure could occur if a route event arrived while shutting down. [RT #36887] When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946] The AD flag was being set inappopriately on RPZ responses. [RT #36833] Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737] On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534] RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302] Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452] Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885] A race condition could cause a crash in isc_event_free during shutdown. [RT #36720] Addresses some problems with unrecoverable lookup failures. [RT #36330] Addresses a race condition issue in dispatch. [RT #36731] acl elements could be miscounted, causing a crash while loading a config [RT #36675] Corrects a deadlock between view.c and adb.c. [RT #36341] liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039] Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968] Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273] Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979] Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879] FIxed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858] Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060] Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accomodate. [RT #35878] Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272] --- Module Name: pkgsrc Committed By: taca Date: Mon Dec 8 21:59:09 UTC 2014 Modified Files: pkgsrc/net/bind910: Makefile PLIST distinfo Log Message: Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1). --- 9.10.1-P1 released --- 4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580] 4003. [security] When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation (CVE-2014-8680). [RT #37720] 4002. [security] Lookups in GeoIP databases that were not loaded could cause an assertion failure (CVE-2014-8680). [RT #37679] 4001. [security] The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure (CVE-2014-8680). [RT #37672] @ text @d1 1 a1 1 $NetBSD$ d7 1 a7 1 --- configure.orig 2014-09-16 19:27:15.000000000 +0000 d9 1 a9 3 @@@@ -11827,7 +11827,7 @@@@ fi test -n "$PYTHON" && break done d11 8 a18 15 - if test "X$PYTHON" == "X"; then + if test "X$PYTHON" = "X"; then continue; fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 @@@@ -11842,7 +11842,7 @@@@ $as_echo "not found" >&6; } unset ac_cv_path_PYTHON unset PYTHON done - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 $as_echo_n "checking for python support... " >&6; } @@@@ -14352,6 +14352,8 @@@@ case $host in d27 1 a27 1 @@@@ -20865,7 +20867,7 @@@@ $as_echo "no" >&6; } @