head 1.12; access; symbols pkgsrc-2018Q2:1.11.0.24 pkgsrc-2018Q2-base:1.11 pkgsrc-2018Q1:1.11.0.22 pkgsrc-2018Q1-base:1.11 pkgsrc-2017Q4:1.11.0.20 pkgsrc-2017Q4-base:1.11 pkgsrc-2017Q3:1.11.0.18 pkgsrc-2017Q3-base:1.11 pkgsrc-2017Q2:1.11.0.14 pkgsrc-2017Q2-base:1.11 pkgsrc-2017Q1:1.11.0.12 pkgsrc-2017Q1-base:1.11 pkgsrc-2016Q4:1.11.0.10 pkgsrc-2016Q4-base:1.11 pkgsrc-2016Q3:1.11.0.8 pkgsrc-2016Q3-base:1.11 pkgsrc-2016Q2:1.11.0.6 pkgsrc-2016Q2-base:1.11 pkgsrc-2016Q1:1.11.0.4 pkgsrc-2016Q1-base:1.11 pkgsrc-2015Q4:1.11.0.2 pkgsrc-2015Q4-base:1.11 pkgsrc-2015Q3:1.10.0.6 pkgsrc-2015Q3-base:1.10 pkgsrc-2015Q2:1.10.0.4 pkgsrc-2015Q2-base:1.10 pkgsrc-2015Q1:1.10.0.2 pkgsrc-2015Q1-base:1.10 pkgsrc-2014Q4:1.9.0.2 pkgsrc-2014Q4-base:1.9 pkgsrc-2014Q3:1.8.0.6 pkgsrc-2014Q3-base:1.8 pkgsrc-2014Q2:1.8.0.4 pkgsrc-2014Q2-base:1.8 pkgsrc-2014Q1:1.8.0.2 pkgsrc-2014Q1-base:1.8 pkgsrc-2013Q4:1.6.0.4 pkgsrc-2013Q4-base:1.6 pkgsrc-2013Q3:1.6.0.2 pkgsrc-2013Q3-base:1.6 pkgsrc-2013Q2:1.5.0.2 pkgsrc-2013Q2-base:1.5 pkgsrc-2013Q1:1.4.0.2 pkgsrc-2013Q1-base:1.4 pkgsrc-2012Q4:1.3.0.2 pkgsrc-2012Q4-base:1.3 pkgsrc-2012Q3:1.2.0.2 pkgsrc-2012Q3-base:1.2 pkgsrc-2012Q2:1.1.1.1.0.4 pkgsrc-2012Q2-base:1.1.1.1 pkgsrc-2012Q1:1.1.1.1.0.2 pkgsrc-2012Q1-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.12 date 2018.09.23.14.31.11; author taca; state dead; branches; next 1.11; commitid HMhOPhbyVRmWKeTA; 1.11 date 2015.12.13.17.37.00; author taca; state Exp; branches; next 1.10; commitid O0KvDrvJOplDpOMy; 1.10 date 2015.02.26.10.14.10; author taca; state Exp; branches 1.10.6.1; next 1.9; commitid V5eyrk3nLxmzhvby; 1.9 date 2014.10.14.16.21.02; author taca; state Exp; branches; next 1.8; commitid o7C9yauWhqSwEbUx; 1.8 date 2014.02.02.07.58.20; author taca; state Exp; branches 1.8.6.1; next 1.7; commitid FO3IIiuz3iCn2vnx; 1.7 date 2014.01.13.17.31.00; author taca; state Exp; branches; next 1.6; commitid 53h5mAUj10IuQYkx; 1.6 date 2013.09.21.16.00.34; author taca; state Exp; branches 
1.6.4.1; next 1.5; commitid Vajqn7Gr9J7G0k6x; 1.5 date 2013.06.06.02.55.03; author taca; state Exp; branches; next 1.4; commitid QEUkp6fXJg5W5vSw; 1.4 date 2013.03.26.22.12.14; author taca; state Exp; branches; next 1.3; 1.3 date 2012.10.10.03.07.12; author taca; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2012.07.10.10.23.03; author sbd; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2012.03.07.14.25.00; author taca; state Exp; branches 1.1.1.1; next ; 1.10.6.1 date 2015.12.17.20.31.35; author bsiegert; state Exp; branches; next ; commitid y1UgptOBk4MGflNy; 1.8.6.1 date 2014.12.10.09.24.28; author tron; state Exp; branches; next ; commitid wpGVAJ5ubQtbwt1y; 1.6.4.1 date 2014.01.14.10.02.07; author tron; state Exp; branches; next ; commitid 2oE49H3ddIOKk4lx; 1.3.2.1 date 2013.03.30.17.52.50; author tron; state Exp; branches; next ; 1.2.2.1 date 2012.10.10.13.48.13; author tron; state Exp; branches; next ; 1.1.1.1 date 2012.03.07.14.25.00; author taca; state Exp; branches; next ; desc @@ 1.12 log @net/bind99: remove bind99 Remove bind99 from pkgsrc since BIND 9.9 became EOL on 30 June 2018. @ text @$NetBSD: patch-configure,v 1.11 2015/12/13 17:37:00 taca Exp $ * Add DragonFly support. * Link proper postgresql library. --- configure.orig 2015-09-09 02:23:50.000000000 +0000 +++ configure @@@@ -14572,6 +14572,8 @@@@ case $host in use_threads=false ;; *-freebsd*) use_threads=true ;; +*-dragonfly*) + use_threads=false ;; *-bsdi[234]*) # Thread signals do not work reliably on some versions of BSD/OS. use_threads=false ;; @@@@ -20162,7 +20164,7 @@@@ $as_echo "no" >&6; } fi if test -n "-L$use_dlz_postgres_lib -lpq" then - DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_postgres_lib -lpq" + DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L${PREFIX}/lib -lpq" fi @ 1.11 log @Update bind99 to 9.9.8. Security Fixes * An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. 
[RT #40286]

* A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]

* A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]

* On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

New Features

* New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack.

NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build.

+ fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option.

+ fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.)

Statistics counters have also been added to track the number of queries affected by these quotas.

* An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging.
* EDNS COOKIE options content is now displayed as "COOKIE: ".

Feature Changes

* Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927]

* Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.

* Active Directory names of the form gc._msdcs. are now accepted as valid hostnames when using the check-names option. is still restricted to letters, digits and hyphens.

* Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889]

Bug Fixes

* Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

* A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]

* Some answer formatting options didn't work correctly with dig +short. [RT #39291]

* Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]

* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]

* The default rrset-order of random was inconsistently applied. [RT #40456]

* BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]
@

text @d1 1 a1 1 $NetBSD: patch-configure,v 1.10 2015/02/26 10:14:10 taca Exp $ @

1.10 log @Update bind99 to 9.9.7.

Security Fixes

* On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure.
This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344]

* A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]

New Features

* None

Feature Changes

* NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.)

* NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently.

* Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems.

* Added support for OPENPGPKEY type.
* When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category.

* If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked.

Bug Fixes

* dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892]

* The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138]

* Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159]

* When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172]

* dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183]

* UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233]

* Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216]

* When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation.
[RT #37506]

* When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN.

* When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796]

* Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965]

* A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.

* Adjusted max-recursion-queries to better accommodate empty caches.

* Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]

* A mutex leak was fixed that could cause named processes to grow to very large sizes. [RT #38454]

* Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information. [RT #38458]
@

text @d1 1 a1 1 $NetBSD: patch-configure,v 1.9 2014/10/14 16:21:02 taca Exp $ a4 1 * Avoid using "==" for argument of test(1). d6 1 a6 1 --- configure.orig 2015-02-18 01:56:06.000000000 +0000 d8 1 a8 19 @@@@ -11691,7 +11691,7 @@@@ fi test -n "$PYTHON" && break done - if test "X$PYTHON" == "X"; then + if test "X$PYTHON" = "X"; then continue; fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 @@@@ -11706,7 +11706,7 @@@@ $as_echo "not found" >&6; } unset ac_cv_path_PYTHON unset PYTHON done - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 $as_echo_n "checking for python support... 
" >&6; } @@@@ -14560,6 +14560,8 @@@@ case $host in d17 1 a17 1 @@@@ -19923,7 +19925,7 @@@@ $as_echo "no" >&6; } @ 1.10.6.1 log @Pullup ticket #4871 - requested by taca net/bind99: security fix Revisions pulled up: - net/bind99/Makefile 1.49-1.50 - net/bind99/distinfo 1.34-1.35 - net/bind99/patches/patch-bin_dig_dighost.c 1.5 - net/bind99/patches/patch-bin_tests_system_Makefile.in 1.6 - net/bind99/patches/patch-configure 1.11 --- Module Name: pkgsrc Committed By: taca Date: Sun Dec 13 17:37:00 UTC 2015 Modified Files: pkgsrc/net/bind99: Makefile distinfo pkgsrc/net/bind99/patches: patch-bin_dig_dighost.c patch-bin_tests_system_Makefile.in patch-configure Log Message: Update bind99 to 9.9.8. Security Fixes * An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286] * A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212] * A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046] * On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795] New Features * New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack. NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build. 
+ fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option.

+ fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.)

Statistics counters have also been added to track the number of queries affected by these quotas.

* An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging.

* EDNS COOKIE options content is now displayed as "COOKIE: ".

Feature Changes

* Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927]

* Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.

* Active Directory names of the form gc._msdcs. are now accepted as valid hostnames when using the check-names option. is still restricted to letters, digits and hyphens.

* Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889]

Bug Fixes

* Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

* A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]

* Some answer formatting options didn't work correctly with dig +short.
[RT #39291]

* Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]

* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]

* The default rrset-order of random was inconsistently applied. [RT #40456]

* BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]

---
Module Name: pkgsrc
Committed By: taca
Date: Wed Dec 16 00:32:06 UTC 2015

Modified Files:
pkgsrc/net/bind99: Makefile distinfo

Log Message:
Update bind99 package to 9.9.8pl2 (BIND 9.9.8-P2), security release.

--- 9.9.8-P2 released ---

4270. [security] Update allowed OpenSSL versions as named is potentially vulnerable to CVE-2015-3193.

4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]

4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987]

4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT#40945]

--- 9.9.8-P1 (withdrawn) ---
@

text @d1 1 a1 1 $NetBSD$ d5 1 d7 1 a7 1 --- configure.orig 2015-09-09 02:23:50.000000000 +0000 d9 19 a27 1 @@@@ -14572,6 +14572,8 @@@@ case $host in d36 1 a36 1 @@@@ -20162,7 +20164,7 @@@@ $as_echo "no" >&6; } @

1.9 log @Update bind99 to 9.9.6.

New Features

Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737]

Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]

Support for CDS and CDNSKEY resource record types was added.
For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]

Added version printing options to various BIND utilities. [RT #26057] [RT #10686]

On Windows, enable the Python tools "dnssec-coverage" and "dnssec-checkds". [RT #34355]

Added a "no-case-compress" ACL, which causes named to use case-insensitive compression (disabling change #3645) for specified clients. (This is useful when dealing with broken client implementations that use case-sensitive name comparisons, rejecting responses that fail to match the capitalization of the query that was sent.) [RT #35300]

Feature Changes

Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]

rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]

Improves the accuracy of dig's reported round trip times. [RT #36611]

The Windows installer now places files in the Program Files area rather than system services. [RT #35361]

When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]

"named" will now log explicitly when using rndc.key to configure command channel. [RT #35316]

The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance. [RT #35417]

Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]

DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable.
[RT #35063]

Bug Fixes

The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]

The AD flag was being set inappropriately on RPZ responses. [RT #36833]

Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]

RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]

Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]

Addresses a race condition issue in dispatch. [RT #36731]

acl elements could be miscounted, causing a crash while loading a config [RT #36675]

Corrects a deadlock between view.c and adb.c. [RT #36341]

liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]

Buffers in isc_print_vsnprintf were not properly initialized leading to potential overflows when printing out quad values. [RT #36505]

Don't call qsort() with a null pointer, and disable the GCC 4.9 "delete null pointer check" optimizer option. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]

Fixed a bug that could cause an assertion failure after forwarding was disabled.
[RT #35979]

Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]

Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
@

text @d1 1 a1 1 $NetBSD: patch-configure,v 1.8 2014/02/02 07:58:20 taca Exp $ d7 1 a7 1 --- configure.orig 2014-09-16 19:27:20.000000000 +0000 d9 1 a9 1 @@@@ -11677,7 +11677,7 @@@@ fi d18 1 a18 1 @@@@ -11692,7 +11692,7 @@@@ $as_echo "not found" >&6; } d27 1 a27 1 @@@@ -14494,6 +14494,8 @@@@ case $host in d36 1 a36 1 @@@@ -19754,7 +19756,7 @@@@ $as_echo "no" >&6; } @

1.8 log @Update bind99 to 9.9.5 (BIND 9.9.5).

Security fixes were already covered by 9.9.4pl2. Some bug fixes and clean up, please refer to the CHANGES file for details.
@

text @d1 1 a1 1 $NetBSD: patch-configure,v 1.7 2014/01/13 17:31:00 taca Exp $ d7 1 a7 1 --- configure.orig 2014-01-27 18:58:24.000000000 +0000 d9 3 a11 1 @@@@ -11685,7 +11685,7 @@@@ done d13 15 a27 8 ;; esac - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then case "$use_python" in unspec) @@@@ -14410,6 +14410,8 @@@@ case $host in d36 1 a36 1 @@@@ -19538,7 +19540,7 @@@@ $as_echo "no" >&6; } @

1.8.6.1 log @Pullup ticket #4569 - requested by taca

net/bind99: security update

Revisions pulled up:
- net/bind99/Makefile 1.39-1.40
- net/bind99/PLIST 1.8-1.9
- net/bind99/distinfo 1.25-1.26
- net/bind99/patches/patch-bin_tests_system_Makefile.in 1.5
- net/bind99/patches/patch-configure 1.9
- net/bind99/patches/patch-lib_bind9_Makefile.in deleted
- net/bind99/patches/patch-lib_dns_Makefile.in deleted
- net/bind99/patches/patch-lib_isc_Makefile.in deleted
- net/bind99/patches/patch-lib_isccc_Makefile.in deleted
- net/bind99/patches/patch-lib_isccfg_Makefile.in deleted
- net/bind99/patches/patch-lib_lwres_Makefile.in deleted
- net/bind99/patches/patch-lib_lwres_getaddrinfo.c 1.2
- net/bind99/patches/patch-lib_lwres_getnameinfo.c 1.2

---
Module Name:
pkgsrc
Committed By: taca
Date: Tue Oct 14 16:21:02 UTC 2014

Modified Files:
pkgsrc/net/bind99: Makefile PLIST distinfo
pkgsrc/net/bind99/patches: patch-bin_tests_system_Makefile.in patch-configure patch-lib_lwres_getaddrinfo.c patch-lib_lwres_getnameinfo.c

Removed Files:
pkgsrc/net/bind99/patches: patch-lib_bind9_Makefile.in patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in patch-lib_lwres_Makefile.in

Log Message:
Update bind99 to 9.9.6.

New Features

Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737]

Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]

Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]

Added version printing options to various BIND utilities. [RT #26057] [RT #10686]

On Windows, enable the Python tools "dnssec-coverage" and "dnssec-checkds". [RT #34355]

Added a "no-case-compress" ACL, which causes named to use case-insensitive compression (disabling change #3645) for specified clients. (This is useful when dealing with broken client implementations that use case-sensitive name comparisons, rejecting responses that fail to match the capitalization of the query that was sent.) [RT #35300]

Feature Changes

Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]

rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]

Improves the accuracy of dig's reported round trip times.
[RT #36611]

The Windows installer now places files in the Program Files area rather than system services. [RT #35361]

When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]

"named" will now log explicitly when using rndc.key to configure command channel. [RT #35316]

The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance. [RT #35417]

Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]

DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]

The AD flag was being set inappropriately on RPZ responses. [RT #36833]

Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]

RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]

Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]

Addresses a race condition issue in dispatch.
[RT #36731]

acl elements could be miscounted, causing a crash while loading a config [RT #36675]

Corrects a deadlock between view.c and adb.c. [RT #36341]

liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]

Buffers in isc_print_vsnprintf were not properly initialized leading to potential overflows when printing out quad values. [RT #36505]

Don't call qsort() with a null pointer, and disable the GCC 4.9 "delete null pointer check" optimizer option. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]

Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]

Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]

Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]

---
Module Name: pkgsrc
Committed By: taca
Date: Mon Dec 8 21:58:18 UTC 2014

Modified Files:
pkgsrc/net/bind99: Makefile PLIST distinfo

Log Message:
Update bind99 to 9.9.6p1 (BIND 9.9.6-P1).

--- 9.9.6-P1 released ---

4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500).

The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option.
[RT #37580]
@

text @d1 1 a1 1 $NetBSD$ d7 1 a7 1 --- configure.orig 2014-09-16 19:27:20.000000000 +0000 d9 1 a9 3 @@@@ -11677,7 +11677,7 @@@@ fi test -n "$PYTHON" && break done d11 8 a18 15 - if test "X$PYTHON" == "X"; then + if test "X$PYTHON" = "X"; then continue; fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 @@@@ -11692,7 +11692,7 @@@@ $as_echo "not found" >&6; } unset ac_cv_path_PYTHON unset PYTHON done - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 $as_echo_n "checking for python support... " >&6; } @@@@ -14494,6 +14494,8 @@@@ case $host in d27 1 a27 1 @@@@ -19754,7 +19756,7 @@@@ $as_echo "no" >&6; } @

1.7 log @Update bind99 to 9.9.4pl2 (BIND 9.9.4-P2), security fix for CVE-2014-0591.

pkgsrc change: remove patches/patch-configure.in.

--- 9.9.4-P2 released ---

3693. [security] memcpy was incorrectly called with overlapping ranges resulting in malformed names being generated on some platforms. This could cause INSIST failures when serving NSEC3 signed zones. [RT #35120]

3658. [port] linux: Address platform specific compilation issue when libcap-devel is installed. [RT #34838]
@

text @d1 1 a1 1 $NetBSD: patch-configure,v 1.6 2013/09/21 16:00:34 taca Exp $ d7 1 a7 1 --- configure.orig 2013-12-20 00:28:28.000000000 +0000 d9 1 a9 1 @@@@ -12187,7 +12187,7 @@@@ done d18 1 a18 1 @@@@ -14911,6 +14911,8 @@@@ case $host in d27 1 a27 1 @@@@ -19955,7 +19957,7 @@@@ $as_echo "no" >&6; } @

1.6 log @Update bind99 to 9.9.4 (BIND 9.9.4).

(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc).

Security Fixes

Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]

Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690] New Features Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130] Feature Changes rndc status now also shows the build-id. [RT #20422] Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414] "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777] Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916] Improved the 'rndc' man page. [RT #33506] 'named -g' now no longer works with an invalid logging configuration. [RT #33473] The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029] Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463] Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240] Changed the logging category for RRL events from 'queries' to 'query-errors'. 
[RT #33540] Bug Fixes Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590] Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583] Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439] Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178] Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600] Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450] Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466] named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066] Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939] named was failing to answer queries during "rndc reload" [RT #34098] win32: Some executables had been omitted from the installer. [RT #34116] fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045] The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056] Better handle failures building XML for stats channel responses. [RT #33706] Fixed a memory leak in GSS-API processing. [RT #33574] Fixed an acache-related race condition that could cause a crash. [RT #33602] rndc now properly fails when given an invalid '-c' argument. [RT #33571] Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411] Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573] Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. 
[RT #33419] Adjusted RRL behavior for recursive queries to defer rate-limiting until after recursion is complete. Also uses correct rcode for slipped NXDOMAIN responses. [RT #33604] Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.5 2013/06/06 02:55:03 taca Exp $ d7 1 a7 1 --- configure.orig 2013-09-05 05:09:08.000000000 +0000 d27 1 a27 1 @@@@ -19944,7 +19946,7 @@@@ $as_echo "no" >&6; } @ 1.6.4.1 log @Pullup ticket #4296 - requested by taca net/bind99: security update Revisions pulled up: - net/bind99/Makefile 1.31 - net/bind99/distinfo 1.22 - net/bind99/patches/patch-configure 1.7 - net/bind99/patches/patch-configure.in deleted --- Module Name: pkgsrc Committed By: taca Date: Mon Jan 13 17:31:00 UTC 2014 Modified Files: pkgsrc/net/bind99: Makefile distinfo pkgsrc/net/bind99/patches: patch-configure Removed Files: pkgsrc/net/bind99/patches: patch-configure.in Log Message: Update bind99 to 9.9.4pl2 (BIND 9.9.4-P2), security fix for CVE-2014-0591. pkgsrc change: remove patches/patch-configure.in. --- 9.9.4-P2 released --- 3693. [security] memcpy was incorrectly called with overlapping ranges resulting in malformed names being generated on some platforms. This could cause INSIST failures when serving NSEC3 signed zones. [RT #35120] 3658. [port] linux: Address platform specific compilation issue when libcap-devel is installed. [RT #34838] @ text @d1 1 a1 1 $NetBSD$ d7 1 a7 1 --- configure.orig 2013-12-20 00:28:28.000000000 +0000 d27 1 a27 1 @@@@ -19955,7 +19957,7 @@@@ $as_echo "no" >&6; } @ 1.5 log @Update bind99 to 9.9.3pl1 (BIND 9.9.3-P1). Please refer to the CHANGES file for complete changes and here is a quote from the release announcement. Introduction BIND 9.9.3-P1 is the latest production release of BIND 9.9-ESV. Security Fixes Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690] Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688] Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996] Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141] New Features Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355] Adds the command-line tool "dnssec-coverage" that checks to make sure that there is no scheduled lapse in key coverage. Requires python. [RT #28098] Adds support for the EUI48 and EUI64 RR types. [RT #33082] Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.4 2013/03/26 22:12:14 taca Exp $ d7 1 a7 1 --- configure.orig 2013-06-04 18:30:02.000000000 +0000 d9 1 a9 1 @@@@ -12177,7 +12177,7 @@@@ done d18 1 a18 1 @@@@ -14870,6 +14870,8 @@@@ case $host in d27 1 a27 1 @@@@ -19876,7 +19878,7 @@@@ $as_echo "no" >&6; } @ 1.4 log @Update bind99 to 9.9.2pl2 (BIND 9.9.2-P2). --- 9.9.2-P2 released --- 3516. [security] Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.3 2012/10/10 03:07:12 taca Exp $ a4 1 * Use separate @@LIBREADLINE@@ AC_SUBST. 
d7 1 a7 1 --- configure.orig 2013-03-06 16:56:08.000000000 +0000 d9 1 a9 9 @@@@ -1369,6 +1369,7 @@@@ LWRES_PLATFORM_NEEDVSNPRINTF ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDSPRINTF ISC_PLATFORM_NEEDSPRINTF +LIBREADLINE ISC_PLATFORM_NEEDSTRLCAT ISC_PLATFORM_NEEDSTRLCPY GENRANDOMLIB @@@@ -19784,7 +19785,7 @@@@ done d18 1 a18 1 @@@@ -22420,6 +22421,8 @@@@ case $host in d27 1 a27 64 @@@@ -25054,23 +25057,47 @@@@ no) ;; then readline=-lreadline fi - saved_LIBS="$LIBS" - LIBS="$LIBS $readline" - for ac_func in readline -do : - ac_fn_c_check_func "$LINENO" "readline" "ac_cv_func_readline" -if test "x$ac_cv_func_readline" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_READLINE 1 -_ACEOF + as_ac_Lib=`$as_echo "ac_cv_lib_$readline''_readline" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for readline in $readline" >&5 +$as_echo_n "checking for readline in $readline... " >&6; } +if eval \${$as_ac_Lib+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="$readline $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char readline (); +int +main () +{ +return readline (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$as_ac_Lib=yes" +else + eval "$as_ac_Lib=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +eval ac_res=\$$as_ac_Lib + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : + LIBREADLINE=-lreadline fi -done - - if test "$ac_cv_func_readline" = "no" - then - LIBS="$saved_LIBS" - fi ;; esac @@@@ -27402,7 +27429,7 @@@@ $as_echo "no" >&6; } @ 1.3 log @Update bind99 to 9.9.2 (BIND 9.9.2). Here are the changes from the release notes. Note that security fixes except CVE-2012-5166 should already be fixed in the previous version of the bind99 package. Please refer to https://kb.isc.org/article/AA-00798 for the full list of bug fixes. Security Fixes * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090] * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416] * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025] * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644] * ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233] New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605.
[RT #21918] * Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099] * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673] * Adds configuration option "max-rsa-exponent-size ;" that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.2 2012/07/10 10:23:03 sbd Exp $ d8 1 a8 1 --- configure.orig 2012-09-27 00:35:19.000000000 +0000 d10 1 a10 1 @@@@ -1341,6 +1341,7 @@@@ LWRES_PLATFORM_NEEDVSNPRINTF d18 1 a18 1 @@@@ -19754,7 +19755,7 @@@@ done d27 1 a27 1 @@@@ -22390,6 +22391,8 @@@@ case $host in d36 1 a36 1 @@@@ -25024,23 +25027,47 @@@@ no) ;; d45 1 a45 1 -if test "x$ac_cv_func_readline" = x""yes; then : d99 1 a99 1 @@@@ -27372,7 +27399,7 @@@@ $as_echo "no" >&6; } @ 1.3.2.1 log @Pullup ticket #4103 - requested by taca net/bind99: security update Revisions pulled up: - net/bind99/Makefile 1.21-1.23 - net/bind99/distinfo 1.12-1.14 - net/bind99/options.mk 1.5-1.6 - net/bind99/patches/patch-configure 1.4 --- Module Name: pkgsrc Committed By: jperkin Date: Wed Feb 6 23:24:19 UTC 2013 Modified Files: pkgsrc/net/bind99: Makefile Log Message: PKGREVISION bumps for the security/openssl 1.0.1d update. --- Module Name: pkgsrc Committed By: wiz Date: Sat Mar 2 20:33:35 UTC 2013 Modified Files: pkgsrc/net/bind96: Makefile Log Message: Bump PKGREVISION for mysql default change to 55. 
--- Module Name: pkgsrc Committed By: pettai Date: Sat Feb 9 00:14:34 UTC 2013 Modified Files: pkgsrc/net/bind99: distinfo options.mk Log Message: Updated rrl patch version + source --- Module Name: pkgsrc Committed By: taca Date: Tue Mar 26 22:12:14 UTC 2013 Modified Files: pkgsrc/net/bind99: Makefile distinfo pkgsrc/net/bind99/patches: patch-configure Log Message: Update bind99 to 9.9.2pl2 (BIND 9.9.2-P2). --- 9.9.2-P2 released --- 3516. [security] Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688] --- Module Name: pkgsrc Committed By: pettai Date: Wed Mar 27 12:08:24 UTC 2013 Modified Files: pkgsrc/net/bind99: distinfo options.mk Log Message: Also update the corresponding RRL patch + distinfo file @ text @d1 1 a1 1 $NetBSD$ d8 1 a8 1 --- configure.orig 2013-03-06 16:56:08.000000000 +0000 d10 1 a10 1 @@@@ -1369,6 +1369,7 @@@@ LWRES_PLATFORM_NEEDVSNPRINTF d18 1 a18 1 @@@@ -19784,7 +19785,7 @@@@ done d27 1 a27 1 @@@@ -22420,6 +22421,8 @@@@ case $host in d36 1 a36 1 @@@@ -25054,23 +25057,47 @@@@ no) ;; d45 1 a45 1 -if test "x$ac_cv_func_readline" = xyes; then : d99 1 a99 1 @@@@ -27402,7 +27429,7 @@@@ $as_echo "no" >&6; } @ 1.2 log @Add and enable readline option. To make this work properly rework the readline detection to not use LIBS but instead use the new @@LIBREADLINE@@ AC_SUBST (This stops _everything_ being linked to libreadline!). Bump PKGREVISION. 
@ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.1.1.1 2012/03/07 14:25:00 taca Exp $ d6 1 d8 1 a8 1 --- configure.orig 2012-06-01 15:29:52.000000000 +0000 d18 10 a27 1 @@@@ -22166,6 +22167,8 @@@@ case $host in d36 1 a36 1 @@@@ -24800,23 +24803,47 @@@@ no) ;; d99 1 a99 1 @@@@ -27148,7 +27175,7 @@@@ $as_echo "no" >&6; } @ 1.2.2.1 log @Pullup ticket #3944 - requested by taca net/bind99: security update Revisions pulled up: - net/bind99/Makefile 1.12-1.13 - net/bind99/PLIST 1.3 - net/bind99/distinfo 1.9 - net/bind99/patches/patch-bin_tests_system_Makefile.in 1.3 - net/bind99/patches/patch-configure 1.3 - net/bind99/patches/patch-configure.in 1.2 --- Module Name: pkgsrc Committed By: wiz Date: Wed Oct 3 21:59:10 UTC 2012 Modified Files: pkgsrc/net/bind99: Makefile Log Message: Bump all packages that use perl, or depend on a p5-* package, or are called p5-*. I hope that's all of them. --- Module Name: pkgsrc Committed By: taca Date: Wed Oct 10 03:07:13 UTC 2012 Modified Files: pkgsrc/net/bind99: Makefile PLIST distinfo pkgsrc/net/bind99/patches: patch-bin_tests_system_Makefile.in patch-configure patch-configure.in Log Message: Update bind99 to 9.9.2 (BIND 9.9.2). Here are the changes from the release notes. Note that security fixes except CVE-2012-5166 should already be fixed in the previous version of the bind99 package. Please refer to https://kb.isc.org/article/AA-00798 for the full list of bug fixes. Security Fixes * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090] * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416] * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025] * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process.
[CVE-2012-1667] [RT #29644] * ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233] New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] * Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099] * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673] * Adds configuration option "max-rsa-exponent-size ;" that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] @ text @d1 1 a1 1 $NetBSD$ a5 1 * Avoid using "==" for argument of test(1). 
d7 1 a7 1 --- configure.orig 2012-09-27 00:35:19.000000000 +0000 d17 1 a17 10 @@@@ -19754,7 +19755,7 @@@@ done ;; esac - if test "X$PYTHON" == "X" + if test "X$PYTHON" = "X" then case "$use_python" in unspec) @@@@ -22390,6 +22391,8 @@@@ case $host in d26 1 a26 1 @@@@ -25024,23 +25027,47 @@@@ no) ;; d89 1 a89 1 @@@@ -27372,7 +27399,7 @@@@ $as_echo "no" >&6; } @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d5 1 d7 1 a7 1 --- configure.orig 2012-01-30 10:09:37.000000000 +0000 d9 9 a17 1 @@@@ -22166,6 +22166,8 @@@@ case $host in d26 64 a89 1 @@@@ -27148,7 +27150,7 @@@@ $as_echo "no" >&6; } @ 1.1.1.1 log @Importing BIND 9.9.0 as pkgsrc/net/bind99. Introduction BIND 9.9.0 is the first production release of BIND 9.9. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes. New Features * The new "inline-signing" option * NXDOMAIN redirection * "rndc flushtree " command * "rndc sync" command * The new "rndc signing" command * "auto-dnssec" zones * Improves the startup time And more. @ text @@
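Review bot: in the readline hunk (@@@@ -25054,23 +25057,47 @@@@ no) ;;), the link test runs against the variable $readline (LIBS="$readline $LIBS", cache name built from ac_cv_lib_$readline), but on success the result is hard-coded as LIBREADLINE=-lreadline. If $readline ever holds anything other than -lreadline, the library that was checked and the library that gets substituted differ. Suggest assigning LIBREADLINE="$readline" so the substituted value is always the one that passed the link test. The hunk also leaves LIBREADLINE unset on the failure path without comment; a short note in the patch header that an empty value is the intended result when the link test fails would help the next person who touches this file.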