head 1.28; access; symbols pkgsrc-2014Q4:1.27.0.8 pkgsrc-2014Q4-base:1.27 pkgsrc-2014Q3:1.27.0.6 pkgsrc-2014Q3-base:1.27 pkgsrc-2014Q2:1.27.0.4 pkgsrc-2014Q2-base:1.27 pkgsrc-2014Q1:1.27.0.2 pkgsrc-2014Q1-base:1.27 pkgsrc-2013Q4:1.25.0.2 pkgsrc-2013Q4-base:1.25 pkgsrc-2013Q3:1.24.0.2 pkgsrc-2013Q3-base:1.24 pkgsrc-2013Q2:1.22.0.2 pkgsrc-2013Q2-base:1.22 pkgsrc-2013Q1:1.20.0.2 pkgsrc-2013Q1-base:1.20 pkgsrc-2012Q4:1.17.0.2 pkgsrc-2012Q4-base:1.17 pkgsrc-2012Q3:1.14.0.2 pkgsrc-2012Q3-base:1.14 pkgsrc-2012Q2:1.12.0.2 pkgsrc-2012Q2-base:1.12 pkgsrc-2012Q1:1.8.0.2 pkgsrc-2012Q1-base:1.8 pkgsrc-2011Q4:1.7.0.2 pkgsrc-2011Q4-base:1.7 pkgsrc-2011Q3:1.5.0.2 pkgsrc-2011Q3-base:1.5 pkgsrc-2011Q2:1.4.0.2 pkgsrc-2011Q2-base:1.4 pkgsrc-2011Q1:1.1.1.1.0.2 pkgsrc-2011Q1-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.28 date 2015.02.19.14.51.30; author taca; state dead; branches; next 1.27; commitid tnivugIiHeqI2Day; 1.27 date 2014.01.27.21.25.21; author pettai; state Exp; branches; next 1.26; commitid Hom1eeT9nSzUGNmx; 1.26 date 2014.01.13.17.28.22; author taca; state Exp; branches; next 1.25; commitid mv7ChEBP3DlyPYkx; 1.25 date 2013.11.07.04.22.22; author taca; state Exp; branches 1.25.2.1; next 1.24; commitid TIqva200rOlqDicx; 1.24 date 2013.09.21.15.59.00; author taca; state Exp; branches; next 1.23; commitid ceOT8ctq8SW60k6x; 1.23 date 2013.07.27.03.20.53; author taca; state Exp; branches; next 1.22; commitid 67BoPPU8B7xMB3Zw; 1.22 date 2013.06.06.02.56.36; author taca; state Exp; branches 1.22.2.1; next 1.21; commitid BRqXGZmJVcON6vSw; 1.21 date 2013.04.08.15.53.36; author pettai; state Exp; branches; next 1.20; 1.20 date 2013.03.27.12.03.55; author pettai; state Exp; branches; next 1.19; 1.19 date 2013.03.26.22.12.56; author taca; state Exp; branches; next 1.18; 1.18 date 2013.02.09.00.09.43; author pettai; state Exp; branches; next 1.17; 1.17 date 2012.12.05.00.54.16; author taca; state Exp; branches 1.17.2.1; next 1.16; 1.16 date 2012.11.10.23.44.30; author pettai; state Exp; branches; next 1.15; 1.15 date 2012.10.10.03.06.37; author taca; state Exp; branches; next 1.14; 1.14 date 2012.09.13.01.35.18; author taca; state Exp; branches 1.14.2.1; next 1.13; 1.13 date 2012.07.24.20.16.21; author spz; state Exp; branches; next 1.12; 1.12 date 2012.06.04.13.25.55; author taca; state Exp; branches 1.12.2.1; next 1.11; 1.11 date 2012.05.22.03.32.31; author taca; state Exp; branches; next 1.10; 1.10 date 2012.05.20.13.22.40; author marino; state Exp; branches; next 1.9; 1.9 date 2012.05.01.02.48.20; author taca; state Exp; branches; next 1.8; 1.8 date 2012.04.05.00.39.34; author taca; state Exp; branches 1.8.2.1; next 1.7; 1.7 date 2011.11.17.00.48.09; author taca; state Exp; branches; next 1.6; 1.6 date 2011.11.16.21.34.44; author spz; state Exp; branches; next 1.5; 1.5 date 2011.09.01.03.44.35; author taca; state Exp; branches 1.5.2.1; next 1.4; 1.4 date 2011.07.05.13.35.29; author taca; state Exp; branches; next 1.3; 1.3 date 2011.05.27.06.45.30; author taca; state Exp; branches; next 1.2; 1.2 date 2011.05.06.00.34.32; author taca; state Exp; branches; next 1.1; 1.1 date 2011.03.04.03.52.14; author taca; state Exp; branches 1.1.1.1; next ; 1.25.2.1 date 2014.01.14.09.49.00; author tron; state Exp; branches; next 1.25.2.2; commitid Kkrn3VnjOAEgg4lx; 1.25.2.2 date 2014.02.04.22.48.05; author tron; state Exp; branches; next ; commitid 0B7ifLv8ndSFTPnx; 1.22.2.1 date 2013.07.27.11.50.06; author tron; state Exp; branches; next ; commitid 1d52am5NojtAq6Zw; 1.17.2.1 date 2013.03.30.17.37.47; author tron; state Exp; branches; next ; 1.14.2.1 date 2012.10.10.13.11.14; author tron; state Exp; branches; next 1.14.2.2; 1.14.2.2 date 2012.12.05.07.07.43; author sbd; state Exp; branches; next ; 1.12.2.1 date 2012.07.25.10.29.34; author sbd; state Exp; branches; next 1.12.2.2; 1.12.2.2 date 2012.09.13.07.48.01; author sbd; state Exp; branches; next ; 1.8.2.1 date 2012.05.03.18.24.56; author tron; state Exp; branches; next 1.8.2.2; 1.8.2.2 date 2012.05.22.09.29.13; author tron; state Exp; branches; next 1.8.2.3; 1.8.2.3 date 2012.06.05.08.26.58; author sbd; state Exp; branches; next ; 1.5.2.1 date 2011.11.17.01.26.00; author sbd; state Exp; branches; next ; 1.1.1.1 date 2011.03.04.03.52.14; author taca; state Exp; branches 1.1.1.1.2.1; next ; 1.1.1.1.2.1 date 2011.05.07.10.44.31; author tron; state Exp; branches; next 1.1.1.1.2.2; 1.1.1.1.2.2 date 2011.05.27.11.06.38; author sbd; state Exp; branches; next 1.1.1.1.2.3; 1.1.1.1.2.3 date 2011.07.06.03.00.39; author sbd; state Exp; branches; next ; desc @@ 1.28 log @Remove bind98 package which was EOL Sep, 2014. @ text @$NetBSD: distinfo,v 1.27 2014/01/27 21:25:21 pettai Exp $ SHA1 (bind-9.8.6-P2.tar.gz) = c2c513621019d14fd9e13caad86a4e13198d5e77 RMD160 (bind-9.8.6-P2.tar.gz) = 11384ed47a19d9bfd32b1f00f0d5e879c76d396c Size (bind-9.8.6-P2.tar.gz) = 7275835 bytes SHA1 (rl-9.8.6.patch) = 16d0231ab1fda38ff02ce1ff1393242feece34c7 RMD160 (rl-9.8.6.patch) = 4c98ae1b11e770626ff10e6904b62ef034033c29 Size (rl-9.8.6.patch) = 103547 bytes SHA1 (patch-bin_dig_dighost.c) = f76d4a3a3e521a9ff691e12b9f7c63299b15c74d SHA1 (patch-bin_tests_system_Makefile.in) = 650ac962464e23f6c4278e7025f55f282789f9c9 SHA1 (patch-config.threads.in) = 045531d8378a88c654ab98ba6ea65786c8cf4e2b SHA1 (patch-configure) = f811ac49b3d94903eb3abf887e0613decd4e8344 SHA1 (patch-lib_dns_rbt.c) = 29fb5c24ff3558f1621e93ea16419e32dbc695b7 SHA1 (patch-lib_lwres_getaddrinfo.c) = 9585a26a376d32f80ac8266eb7967c00b433f14d SHA1 (patch-lib_lwres_getnameinfo.c) = 1224033e3c1ca14f1508542e5d41c899060d4d9c @ 1.27 log @Update distfile to reflect the new rrl patch @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.26 2014/01/13 17:28:22 taca Exp $ @ 1.26 log @Update bind98 to 9.8.6pl2, (BIND 9.8.6-P2), security fix for CVE-2014-0591. --- 9.8.6-P2 released --- 3693. [security] memcpy was incorrectly called with overlapping ranges resulting in malformed names being generated on some platforms. This could cause INSIST failures when serving NSEC3 signed zones. [RT #35120] 3658. [port] linux: Address platform specific compilation issue when libcap-devel is installed. [RT #34838] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.25 2013/11/07 04:22:22 taca Exp $ d6 3 a8 3 SHA1 (rl-9.8.6rc1.patch) = cacea695ab57cc44f0b79bef1e42ba4f787ca96f RMD160 (rl-9.8.6rc1.patch) = 13ac5bb0c5b0129b560026861dd4be5d17801055 Size (rl-9.8.6rc1.patch) = 103557 bytes @ 1.25 log @Update bind98 to 9.8.6pl1 (BIND 9.8.6-P1). Security Fixes Treat an all zero netmask as invalid when generating the localnets acl. A Winsock library call on some Windows systems can return an incorrect value for an interface's netmask, potentially causing unexpected matches to BIND's built-in "localnets" Access Control List. (CVE-2013-6230) [RT #34687] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.24 2013/09/21 15:59:00 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.6-P1.tar.gz) = 8655bf0c40a423248999ba9f36a7133164b0cc65 RMD160 (bind-9.8.6-P1.tar.gz) = b5ff3a24376025dadfc0e8ae7cb8a9ac4deaacc8 Size (bind-9.8.6-P1.tar.gz) = 7275757 bytes d12 1 a12 1 SHA1 (patch-configure) = 5d16cc851b425805e97c4a14770529ced57a5374 @ 1.25.2.1 log @Pullup ticket #4295 - requested by taca net/bind98: security update Revisions pulled up: - net/bind98/Makefile 1.35 - net/bind98/distinfo 1.26 - net/bind98/patches/patch-configure 1.5 --- Module Name: pkgsrc Committed By: taca Date: Mon Jan 13 17:28:22 UTC 2014 Modified Files: pkgsrc/net/bind98: Makefile distinfo pkgsrc/net/bind98/patches: patch-configure Log Message: Update bind98 to 9.8.6pl2, (BIND 9.8.6-P2), security fix for CVE-2014-0591. --- 9.8.6-P2 released --- 3693. [security] memcpy was incorrectly called with overlapping ranges resulting in malformed names being generated on some platforms. This could cause INSIST failures when serving NSEC3 signed zones. [RT #35120] 3658. [port] linux: Address platform specific compilation issue when libcap-devel is installed. [RT #34838] @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (bind-9.8.6-P2.tar.gz) = c2c513621019d14fd9e13caad86a4e13198d5e77 RMD160 (bind-9.8.6-P2.tar.gz) = 11384ed47a19d9bfd32b1f00f0d5e879c76d396c Size (bind-9.8.6-P2.tar.gz) = 7275835 bytes d12 1 a12 1 SHA1 (patch-configure) = f811ac49b3d94903eb3abf887e0613decd4e8344 @ 1.25.2.2 log @Pullup ticket #4313 - requested by pettai net/bind98: build fix Revisions pulled up: - net/bind98/distinfo 1.27 - net/bind98/options.mk 1.9 --- Module Name: pkgsrc Committed By: pettai Date: Mon Jan 27 21:25:21 UTC 2014 Modified Files: pkgsrc/net/bind98: distinfo options.mk Log Message: Fetch the correct rl-9.8.6.patch file Log Message: Update distfile to reflect the new rrl patch @ text @d6 3 a8 3 SHA1 (rl-9.8.6.patch) = 16d0231ab1fda38ff02ce1ff1393242feece34c7 RMD160 (rl-9.8.6.patch) = 4c98ae1b11e770626ff10e6904b62ef034033c29 Size (rl-9.8.6.patch) = 103547 bytes @ 1.24 log @Update bind98 to 9.8.6 (BIND 9.8.6). (CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.) Security Fixes Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] Feature Changes rndc status now also shows the build-id. [RT #20422] Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414] "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777] Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916] Improved the 'rndc' man page. [RT #33506] 'named -g' now no longer works with an invalid logging configuration. [RT #33473] The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029] Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463] Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240] Bug Fixes Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590] Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439] Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583] Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178] Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600] Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450] Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939] named was failing to answer queries during "rndc reload" [RT #34098] Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045] The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056] Better handle failures building XML for stats channel responses. [RT #33706] Fixed a memory leak in GSS-API processing. [RT #33574] Fixed an acache-related race condition that could cause a crash. [RT #33602] rndc now properly fails when given an invalid '-c' argument. [RT #33571] Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411] Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573] Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.23 2013/07/27 03:20:53 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.6.tar.gz) = d596d488e5bb09cc695364f1d16adef4af673e86 RMD160 (bind-9.8.6.tar.gz) = 22e93866dd7aef576dd2746483644575b7976e15 Size (bind-9.8.6.tar.gz) = 7275769 bytes @ 1.23 log @Update bind98 to 9.8.5pl2 (BIND 9.8.5-P2). --- 9.8.5-P2 released --- 3621. [security] Incorrect bounds checking on private type 'keydata' can lead to a remotely triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2013/06/06 02:56:36 taca Exp $ d3 7 a9 7 SHA1 (bind-9.8.5-P2.tar.gz) = 2cab91cfe21487f90225c3c3b0e8656706642f29 RMD160 (bind-9.8.5-P2.tar.gz) = 8bab1002fc23fc71898d187b7f79eaa55f0b143c Size (bind-9.8.5-P2.tar.gz) = 7262961 bytes SHA1 (rl-9.8.5-P1.patch) = 4a8a4e17ed835b4c99dbb236b8bb65d6ab28a00c RMD160 (rl-9.8.5-P1.patch) = 758f2f6970a452c9e2ea5afb21cf52e297a32b82 Size (rl-9.8.5-P1.patch) = 103398 bytes SHA1 (patch-bin_dig_dighost.c) = 3f37033cc64e1153268ab437fab533d2920bb18c d12 1 a12 1 SHA1 (patch-configure) = 08f878fd3a5d3d17e0cf55d01344ddc84991967f d15 1 a15 1 SHA1 (patch-lib_lwres_getnameinfo.c) = c26dcff4637b7beb16b66c32b304d0f187390eed @ 1.22 log @Update bind98 to 9.8.5pl1 (BIND 9.8.5-P1). Please refer CHANGES file for complete changes and here is quote from release announce. Introduction BIND 9.8.5-P1 is the latest production release of BIND 9.8. Security Fixes Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. (CVE-2012-5166) [RT #31090] Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688] Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996] Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141] New Features Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355] Adds support for Uniform Resource Identifier (URI) resource records. [RT #23386] Adds support for the EUI48 and EUI64 RR types. [RT #33082] Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.21 2013/04/08 15:53:36 pettai Exp $ d3 3 a5 3 SHA1 (bind-9.8.5-P1.tar.gz) = e1ecf6a21a4d1e2e214ff5dbbb1d4314a6f514c4 RMD160 (bind-9.8.5-P1.tar.gz) = 402287a079e10b3a1f61b48a7208fd6b38850160 Size (bind-9.8.5-P1.tar.gz) = 7263322 bytes @ 1.22.2.1 log @Pullup ticket #4190 - requested by taca net/bind98: security update Revisions pulled up: - net/bind98/Makefile 1.31-1.32 - net/bind98/distinfo 1.23 --- Module Name: pkgsrc Committed By: jperkin Date: Fri Jul 12 10:45:05 UTC 2013 Modified Files: pkgsrc/audio/icecast: Makefile pkgsrc/audio/mt-daapd: Makefile pkgsrc/audio/pulseaudio: Makefile pkgsrc/audio/ubs: Makefile pkgsrc/chat/anope: Makefile pkgsrc/chat/atheme: Makefile pkgsrc/chat/bitlbee: Makefile pkgsrc/chat/gale: Makefile pkgsrc/chat/inspircd: Makefile pkgsrc/chat/inspircd12: Makefile pkgsrc/chat/ircd-hybrid: Makefile pkgsrc/chat/ircu: Makefile pkgsrc/chat/jabberd: Makefile pkgsrc/chat/jabberd2: Makefile pkgsrc/chat/silc-server: Makefile pkgsrc/chat/unrealircd: Makefile pkgsrc/comms/asterisk: Makefile pkgsrc/comms/asterisk10: Makefile pkgsrc/comms/asterisk18: Makefile pkgsrc/comms/fidogate: Makefile pkgsrc/comms/mgetty+sendfax: Makefile pkgsrc/comms/minicom: Makefile pkgsrc/comms/snooper: Makefile pkgsrc/databases/apache-cassandra: Makefile pkgsrc/databases/gnats: Makefile pkgsrc/databases/mysql5-server: Makefile pkgsrc/databases/mysql51-server: Makefile pkgsrc/databases/mysql55-server: Makefile pkgsrc/databases/mysql56-server: Makefile pkgsrc/databases/openldap-server: Makefile pkgsrc/databases/pgbouncer: Makefile pkgsrc/databases/phpmyadmin: Makefile pkgsrc/databases/postgresql84-server: Makefile pkgsrc/databases/postgresql90-server: Makefile pkgsrc/databases/postgresql91-server: Makefile pkgsrc/databases/postgresql92-server: Makefile pkgsrc/databases/virtuoso: Makefile pkgsrc/devel/cvsd: Makefile pkgsrc/devel/distcc: Makefile pkgsrc/devel/memcached: Makefile pkgsrc/devel/monotone-server: Makefile pkgsrc/filesystems/tahoe-lafs: Makefile pkgsrc/inputmethod/canna-dict: Makefile pkgsrc/inputmethod/canna-server: Makefile pkgsrc/inputmethod/ja-freewnn-server: Makefile pkgsrc/inputmethod/sj3-server: Makefile pkgsrc/mail/amavisd-new: Makefile pkgsrc/mail/courier-imap: Makefile pkgsrc/mail/courier-maildir: Makefile pkgsrc/mail/dcc: Makefile pkgsrc/mail/dkim-milter: Makefile pkgsrc/mail/dovecot: Makefile pkgsrc/mail/dovecot2: Makefile pkgsrc/mail/dspam: Makefile pkgsrc/mail/enma: Makefile pkgsrc/mail/exim: Makefile pkgsrc/mail/exim3: Makefile pkgsrc/mail/fml: Makefile pkgsrc/mail/fml4: Makefile pkgsrc/mail/freepops: Makefile pkgsrc/mail/gld: Makefile pkgsrc/mail/imapproxy: Makefile pkgsrc/mail/maildrop: Makefile pkgsrc/mail/mailman: Makefile pkgsrc/mail/majordomo: Makefile pkgsrc/mail/milter-greylist: Makefile pkgsrc/mail/milter-manager: Makefile pkgsrc/mail/milter-regex: Makefile pkgsrc/mail/mimedefang: Makefile pkgsrc/mail/nullmailer: Makefile pkgsrc/mail/opendkim: Makefile pkgsrc/mail/policyd-weight: Makefile pkgsrc/mail/popa3d: Makefile pkgsrc/mail/postgrey: Makefile pkgsrc/mail/prayer: Makefile pkgsrc/mail/qpopper: Makefile pkgsrc/mail/quickml: Makefile pkgsrc/mail/sendmail: Makefile pkgsrc/mail/smtp-vilter: Makefile pkgsrc/mail/spamd: Makefile pkgsrc/mail/sqlgrey: Makefile pkgsrc/mail/sqwebmail: Makefile pkgsrc/mail/sympa: Makefile pkgsrc/mail/tmda: Makefile pkgsrc/multimedia/gmediaserver: Makefile pkgsrc/multimedia/mediatomb: Makefile pkgsrc/net/DarwinStreamingServer: Makefile pkgsrc/net/avahi: Makefile pkgsrc/net/bind96: Makefile pkgsrc/net/bind98: Makefile pkgsrc/net/bind99: Makefile pkgsrc/net/cacti: Makefile pkgsrc/net/cntlm: Makefile pkgsrc/net/couriertcpd: Makefile pkgsrc/net/freeradius: Makefile pkgsrc/net/freeradius2: Makefile pkgsrc/net/gofish: Makefile pkgsrc/net/iodine: Makefile pkgsrc/net/irrd: Makefile pkgsrc/net/kismet: Makefile pkgsrc/net/lambdamoo: Makefile pkgsrc/net/lldpd: Makefile pkgsrc/net/mldonkey: Makefile pkgsrc/net/mydns-mysql: Makefile pkgsrc/net/mydns-pgsql: Makefile pkgsrc/net/netdisco: Makefile pkgsrc/net/nsd: Makefile pkgsrc/net/openntpd: Makefile pkgsrc/net/openvpn: Makefile pkgsrc/net/pygopherd: Makefile pkgsrc/net/quagga: Makefile pkgsrc/net/rancid: Makefile pkgsrc/net/rbldnsd: Makefile pkgsrc/net/ruby-stompserver: Makefile pkgsrc/net/snort: Makefile pkgsrc/net/spread: Makefile pkgsrc/net/tacacs-shrubbery: Makefile pkgsrc/net/teamspeak-server: Makefile pkgsrc/net/tor: Makefile pkgsrc/net/unbound: Makefile pkgsrc/net/uucp: Makefile pkgsrc/net/vsftpd: Makefile pkgsrc/net/xymon: Makefile pkgsrc/net/xymonclient: Makefile pkgsrc/news/leafnode: Makefile pkgsrc/news/nntpcache: Makefile pkgsrc/parallel/gridscheduler: Makefile pkgsrc/parallel/sge: Makefile pkgsrc/parallel/slurm: Makefile pkgsrc/print/cups: Makefile pkgsrc/security/cyrus-sasl: Makefile pkgsrc/security/dirmngr: Makefile pkgsrc/security/f-prot-antivirus6-ms-bin: Makefile pkgsrc/security/libprelude: Makefile pkgsrc/security/libprelude-lua: Makefile pkgsrc/security/libprelude-perl: Makefile pkgsrc/security/libprelude-python: Makefile pkgsrc/security/libprelude-ruby: Makefile pkgsrc/security/opendnssec: Makefile pkgsrc/security/openssh: Makefile pkgsrc/security/pks: Makefile pkgsrc/security/policykit: Makefile pkgsrc/security/prelude-correlator: Makefile pkgsrc/security/prelude-lml: Makefile pkgsrc/security/prelude-manager: Makefile pkgsrc/security/py-prewikka: Makefile pkgsrc/security/sfs: Makefile pkgsrc/security/stunnel: Makefile pkgsrc/sysutils/amanda-common: Makefile pkgsrc/sysutils/bacula: Makefile pkgsrc/sysutils/dbus: Makefile pkgsrc/sysutils/hal: Makefile pkgsrc/sysutils/munin-node: Makefile pkgsrc/sysutils/munin-server: Makefile pkgsrc/sysutils/sysbuild-user: Makefile pkgsrc/sysutils/ups-nut: Makefile pkgsrc/textproc/dict-server: Makefile pkgsrc/www/apache: Makefile pkgsrc/www/apache-tomcat6: Makefile pkgsrc/www/apache-tomcat7: Makefile pkgsrc/www/apache2: Makefile pkgsrc/www/apache22: Makefile pkgsrc/www/apache24: Makefile pkgsrc/www/dansguardian: Makefile pkgsrc/www/jetty7: Makefile pkgsrc/www/nginx: Makefile pkgsrc/www/nginx-devel: Makefile pkgsrc/www/ocsigen: Makefile pkgsrc/www/php-concrete5: Makefile pkgsrc/www/php-owncloud: Makefile pkgsrc/www/php-piwigo: Makefile pkgsrc/www/php-soycms: Makefile pkgsrc/www/php-sugarcrm: Makefile pkgsrc/www/php-tiki6: Makefile pkgsrc/www/php-tt-rss: Makefile pkgsrc/www/privoxy: Makefile pkgsrc/www/screws: Makefile pkgsrc/www/sencha-sns: Makefile pkgsrc/www/squid3: Makefile pkgsrc/www/squidGuard: Makefile pkgsrc/www/tinyproxy: Makefile Log Message: Bump PKGREVISION of all packages which create users, to pick up change of sysutils/user_* packages. --- Module Name: pkgsrc Committed By: taca Date: Sat Jul 27 03:20:53 UTC 2013 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 to 9.8.5pl2 (BIND 9.8.5-P2). --- 9.8.5-P2 released --- 3621. [security] Incorrect bounds checking on private type 'keydata' can lead to a remotely triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (bind-9.8.5-P2.tar.gz) = 2cab91cfe21487f90225c3c3b0e8656706642f29 RMD160 (bind-9.8.5-P2.tar.gz) = 8bab1002fc23fc71898d187b7f79eaa55f0b143c Size (bind-9.8.5-P2.tar.gz) = 7262961 bytes @ 1.21 log @new rrl patch, new checksum @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2013/03/27 12:03:55 pettai Exp $ d3 6 a8 6 SHA1 (bind-9.8.4-P2.tar.gz) = f8d1f3d7fd41b943901dacf01f6b95f901288359 RMD160 (bind-9.8.4-P2.tar.gz) = 620426bde78c49c81900d6d537e2f818600f43b2 Size (bind-9.8.4-P2.tar.gz) = 7129690 bytes SHA1 (rl-9.8.4-P2.patch) = fabbb08ba8cc1ecee3b4bdf14e93a1db9ca896cd RMD160 (rl-9.8.4-P2.patch) = 8460e01863a584cbf523ab63db8d2ca0db5147cb Size (rl-9.8.4-P2.patch) = 100590 bytes @ 1.20 log @Also update the corresponding RRL patch + distinfo file @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.19 2013/03/26 22:12:56 taca Exp $ d6 3 a8 3 SHA1 (rl-9.8.4-P2.patch) = d15d0ce067269d75b830693e4eeb5facc7a60140 RMD160 (rl-9.8.4-P2.patch) = 6a55461dbad7fd0eb7e36e4031f5c46ba49e1cad Size (rl-9.8.4-P2.patch) = 100510 bytes @ 1.19 log @Update bind98 to 9.8.4pl2 (BIND 9.8.4-P2). --- 9.8.4-P2 released --- 3516. [security] Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.18 2013/02/09 00:09:43 pettai Exp $ d6 3 @ 1.18 log @Updated rrl patch version + source @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2012/12/05 00:54:16 taca Exp $ d3 3 a5 6 SHA1 (bind-9.8.4-P1.tar.gz) = 91be68225c7b99d8ea31f05ddcd829201e18b45e RMD160 (bind-9.8.4-P1.tar.gz) = 72e5001e92748bcf4f4b5b241adc211678ab93e9 Size (bind-9.8.4-P1.tar.gz) = 7129321 bytes SHA1 (rl-9.8.4-P1.patch) = cb386680e6dfe6b832d670cbdcafd52c5e5f1558 RMD160 (rl-9.8.4-P1.patch) = 273a5e3431ee37c85db39ae918536daa3b56d2ab Size (rl-9.8.4-P1.patch) = 100388 bytes @ 1.17 log @Update bind98 to 9.8.4p1 (BIND 9.8.4-P1) which solves CVE-2012-5688. --- 9.8.4-P1 released --- 3407. [security] Named could die on specific queries with dns64 enabled. [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.16 2012/11/10 23:44:30 pettai Exp $ d6 3 @ 1.17.2.1 log @Pullup ticket #4104 - requested by taca net/bind98: security update Revisions pulled up: - net/bind98/Makefile 1.27 via patch - net/bind98/distinfo 1.19-1.20 via patch - net/bind98/options.mk 1.5 via patch --- Module Name: pkgsrc Committed By: taca Date: Tue Mar 26 22:12:56 UTC 2013 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 to 9.8.4pl2 (BIND 9.8.4-P2). --- 9.8.4-P2 released --- 3516. [security] Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2012/12/05 00:54:16 taca Exp $ d3 3 a5 6 SHA1 (bind-9.8.4-P2.tar.gz) = f8d1f3d7fd41b943901dacf01f6b95f901288359 RMD160 (bind-9.8.4-P2.tar.gz) = 620426bde78c49c81900d6d537e2f818600f43b2 Size (bind-9.8.4-P2.tar.gz) = 7129690 bytes SHA1 (rl-9.8.4-P2.patch) = d15d0ce067269d75b830693e4eeb5facc7a60140 RMD160 (rl-9.8.4-P2.patch) = 6a55461dbad7fd0eb7e36e4031f5c46ba49e1cad Size (rl-9.8.4-P2.patch) = 100510 bytes @ 1.16 log @Added RRL (Response Rate Limiting) build option @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.15 2012/10/10 03:06:37 taca Exp $ d3 3 a5 6 SHA1 (bind-9.8.4.tar.gz) = 3ea4b34fa12868796e4aad06663e7d1689b1cbe1 RMD160 (bind-9.8.4.tar.gz) = 20940bcf6c47eefaec905d474a3470f4aa9aa9a8 Size (bind-9.8.4.tar.gz) = 7141026 bytes SHA1 (rl-9.8.4.patch) = caa4b944c4d29b9dcbdfab1ff7888c485c0bac71 RMD160 (rl-9.8.4.patch) = 0d81be5dc04daa5c2724d05764f5dd3aea4c3592 Size (rl-9.8.4.patch) = 91928 bytes @ 1.15 log @Update bind98 package to 9.8.4. Here are change changes from release note. Note security fixes except CVE-2012-5166 should be already fixed in previous version of bind98 package. Please refer https://kb.isc.org/article/AA-00797 for list of full bug fixes. Security Fixes * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090] * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes [CVE-2012-4244] [RT #30416] * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025] * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644] New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2012/09/13 01:35:18 taca Exp $ d6 3 @ 1.14 log @Update bind98 to 9.8.3pl3 (BIND 9.8.3-P3). --- 9.8.3-P3 released --- 3364. [security] Named could die on specially crafted record. [RT #30416] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2012/07/24 20:16:21 spz Exp $ d3 3 a5 3 SHA1 (bind-9.8.3-P3.tar.gz) = 49ec161887601465c486de4c817271a9dbf5575f RMD160 (bind-9.8.3-P3.tar.gz) = 0576fd67e0c003c8d40e551035ed5ba91033edfd Size (bind-9.8.3-P3.tar.gz) = 7109848 bytes @ 1.14.2.1 log @Pullup ticket #3943 - requested by taca net/bind98: security update Revisions pulled up: - net/bind98/Makefile 1.17-1.18 - net/bind98/distinfo 1.15 --- Module Name: pkgsrc Committed By: wiz Date: Wed Oct 3 21:59:10 UTC 2012 Modified Files: pkgsrc/net/bind98: Makefile Log Message: Bump all packages that use perl, or depend on a p5-* package, or are called p5-*. I hope that's all of them. --- Module Name: pkgsrc Committed By: taca Date: Wed Oct 10 03:06:37 UTC 2012 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 package to 9.8.4. Here are change changes from release note. Note security fixes except CVE-2012-5166 should be already fixed in previous version of bind98 package. Please refer https://kb.isc.org/article/AA-00797 for list of full bug fixes. Security Fixes * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090] * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes [CVE-2012-4244] [RT #30416] * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025] * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644] New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (bind-9.8.4.tar.gz) = 3ea4b34fa12868796e4aad06663e7d1689b1cbe1 RMD160 (bind-9.8.4.tar.gz) = 20940bcf6c47eefaec905d474a3470f4aa9aa9a8 Size (bind-9.8.4.tar.gz) = 7141026 bytes @ 1.14.2.2 log @Pullup ticket #3982 - requested by taca net/bind98 security update Revisions pulled up: - net/bind98/Makefile 1.19-1.23 - net/bind98/distinfo 1.16-1.17 - net/bind98/options.mk 1.2 --- Module Name: pkgsrc Committed By: cheusov Date: Sun Oct 21 15:49:07 UTC 2012 Modified Files: pkgsrc/net/bind96: Makefile pkgsrc/net/bind97: Makefile pkgsrc/net/bind98: Makefile pkgsrc/net/bind99: Makefile pkgsrc/net/host: Makefile Log Message: Add CONFLICTS between net/bind and net/host. net/bind9*: remove "bindheaps to avoid triggering an assertion when flushing cache data. [RT #28571] * Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings [RT #28600] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2012/05/20 13:22:40 marino Exp $ d3 3 a5 3 SHA1 (bind-9.8.3.tar.gz) = 6efdf42764c2d787a0395d077da0f7091bb371a5 RMD160 (bind-9.8.3.tar.gz) = b5c704f8ea2b5e34ca7a7b6e73618e8be5521ce2 Size (bind-9.8.3.tar.gz) = 6984538 bytes @ 1.10 log @net/bind98: Fix undefined reference to 'main' Bind98 needs the same fix bind99 received on 23 Mar 2012 to fix the linking of driver.so @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2012/05/01 02:48:20 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.2.tar.gz) = 09f0b18bde0438186d6639f08c17db3b98e81c17 RMD160 (bind-9.8.2.tar.gz) = 59f6502cc4dd315da4c31adc183f0eb88e6856b4 Size (bind-9.8.2.tar.gz) = 7054574 bytes d7 1 a7 1 SHA1 (patch-bin_tests_system_Makefile.in) = 43c985c1df28acdc160691a65ba34290731a87f7 a10 1 SHA1 (patch-lib_dns_resolver.c) = e6abfc6bb117bd4e12a0d5b4641423b1f0408178 @ 1.9 log @Add fix to a race condition in the resolver code that can cause a recursive nameserver: . Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2012/04/05 00:39:34 taca Exp $ d7 1 @ 1.8 log @Update bind98 pacakge to 9.8.2. Security Fixes + BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313] Feature Changes + RPZ implementation now conforms to version 3 of the specification. [RT #27316] + It is now possible to explicitly disable DLV in named.conf by specifying "dnssec-lookaside no;". This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858] + --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2011/11/17 00:48:09 taca Exp $ d10 1 @ 1.8.2.1 log @Pullup ticket #3763 - requested by taca net/bind98: security patch Revisions pulled up: - net/bind98/Makefile 1.9 - net/bind98/distinfo 1.9 - net/bind98/patches/patch-lib_dns_resolver.c 1.1 --- Module Name: pkgsrc Committed By: taca Date: Tue May 1 02:48:20 UTC 2012 Modified Files: pkgsrc/net/bind98: Makefile distinfo Added Files: pkgsrc/net/bind98/patches: patch-lib_dns_resolver.c Log Message: Add fix to a race condition in the resolver code that can cause a recursive nameserver: . Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ a9 1 SHA1 (patch-lib_dns_resolver.c) = e6abfc6bb117bd4e12a0d5b4641423b1f0408178 @ 1.8.2.2 log @Pullup ticket #3798 - requested by taca net/bind98: security update Revisions pulled up: - net/bind98/Makefile 1.10-1.11 - net/bind98/distinfo 1.10-1.11 - net/bind98/files/named9.sh 1.2 - net/bind98/patches/patch-bin_tests_system_Makefile.in 1.1-1.2 - net/bind98/patches/patch-lib_dns_resolver.c deleted --- Module Name: pkgsrc Committed By: marino Date: Sun May 20 13:22:40 UTC 2012 Modified Files: pkgsrc/net/bind98: distinfo Added Files: pkgsrc/net/bind98/patches: patch-bin_tests_system_Makefile.in Log Message: net/bind98: Fix undefined reference to 'main' Bind98 needs the same fix bind99 received on 23 Mar 2012 to fix the linking of driver.so --- Module Name: pkgsrc Committed By: marino Date: Sun May 20 09:10:44 UTC 2012 Modified Files: pkgsrc/net/bind98: Makefile pkgsrc/net/bind98/files: named9.sh Log Message: PR#45780 net/bind98: Fix chroot operation Implemented per PR. --- Module Name: pkgsrc Committed By: taca Date: Tue May 22 03:32:31 UTC 2012 Modified Files: pkgsrc/net/bind98: Makefile distinfo pkgsrc/net/bind98/patches: patch-bin_tests_system_Makefile.in Removed Files: pkgsrc/net/bind98/patches: patch-lib_dns_resolver.c Log Message: Update bind98 to 9.8.3. pkgsrc change: add an comment to patches/patch-bin_tests_system_Makefile.in. Changes from release announce: Security Fixes * Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.0i New Features * None Feature Changes * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fixes * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995) [RT #29239] * Addresses a race condition that can cause named to to crash when the masters list for a zone is updated via rndc reload/reconfig [RT #26732] * named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631] * Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone [RT #29028] * Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995] * Improves DNS64 reverse zone performance. [RT #28563] * Adds wire format lookup method to sdb. [RT #28563] * Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering an assertion when flushing cache data. [RT #28571] * Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings [RT #28600] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] @ text @d3 3 a5 3 SHA1 (bind-9.8.3.tar.gz) = 6efdf42764c2d787a0395d077da0f7091bb371a5 RMD160 (bind-9.8.3.tar.gz) = b5c704f8ea2b5e34ca7a7b6e73618e8be5521ce2 Size (bind-9.8.3.tar.gz) = 6984538 bytes a6 1 SHA1 (patch-bin_tests_system_Makefile.in) = 650ac962464e23f6c4278e7025f55f282789f9c9 d10 1 @ 1.8.2.3 log @Pullup ticket #3818 - requested by taca net/bind98 security update Revisions pulled up: - net/bind98/Makefile 1.12 - net/bind98/distinfo 1.12 --- Module Name: pkgsrc Committed By: taca Date: Mon Jun 4 13:25:56 UTC 2012 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 to 9.8.3pl1 (BIND 9.8.3-P1). Security release for CVE-2012-1667. --- 9.8.3-P1 released --- 3331. [security] dns_rdataslab_fromrdataset could produce bad rdataslabs. [RT #29644] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8.2.2 2012/05/22 09:29:13 tron Exp $ d3 3 a5 3 SHA1 (bind-9.8.3-P1.tar.gz) = 485ecc493bea424a120c954e3d241d3554597894 RMD160 (bind-9.8.3-P1.tar.gz) = 3984ad96c02c6f8712e3800d80f6c9a06093fe72 Size (bind-9.8.3-P1.tar.gz) = 7112920 bytes @ 1.7 log @Fix build problem on NetBSD current, maybe caused by newer gcc. * Avoid to use true as variable name. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2011/11/16 21:34:44 spz Exp $ d3 3 a5 3 SHA1 (bind-9.8.1-P1.tar.gz) = 1cff6594aa185d84942edd2f3cc06dff9cebb04b RMD160 (bind-9.8.1-P1.tar.gz) = 3183167d73a5da81e7e286a6eb123fc8684f4421 Size (bind-9.8.1-P1.tar.gz) = 8451969 bytes d7 2 a8 3 SHA1 (patch-config.threads.in) = 3d8ee03230fdb6aca545a67759ba7aacda52bb61 SHA1 (patch-configure) = 81a83d750f5c6d21abb30a743a4aa09e7d91711e SHA1 (patch-contrib_dlz_drivers_sdlz__helper.c) = d6e9a7145449874ad00a0b28b1582df5a2516965 @ 1.6 log @BIND 9.8.1-P1 is security patch for BIND 9.8.1. * BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2011/09/01 03:44:35 taca Exp $ d6 1 @ 1.5 log @Update bind98 package to 9.8.1. pkgsrc change: add a patch to fix build problem with some PKG_OPTIONS, such as "ldap". New Features 9.8.1 * Added a new include file with function typedefs for the DLZ "dlopen" driver. [RT #23629] * Added a tool able to generate malformed packets to allow testing of how named handles them. [RT #24096] * The root key is now provided in the file bind.keys allowing DNSSEC validation to be switched on at start up by adding "dnssec-validation auto;" to named.conf. If the root key provided has expired, named will log the expiration and validation will not work. More information and the most current copy of bind.keys can be found at http://www.isc.org/bind-keys. *Please note this feature was actually added in 9.8.0 but was not included in the 9.8.0 release notes. [RT #21727] Security Fixes 9.8.1 * If named is configured with a response policy zone (RPZ) and a query of type RRSIG is received for a name configured for RRset replacement in that RPZ, it will trigger an INSIST and crash the server. RRSIG. [RT #24280] * named, set up to be a caching resolver, is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache the response. Due to an off-by-one error, caching the response could cause named to crash. [RT #24650] [CVE-2011-1910] * Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independant. [RT #24715] * Using Response Policy Zone (RPZ) with DNAME records and querying the subdomain of that label can cause named to crash. Now logs that DNAME is not supported. [RT #24766] * Change #2912 populated the message section in replies to UPDATE requests, which some Windows clients wanted. This exposed a latent bug that allowed the response message to crash named. With this fix, change 2912 has been reduced to copy only the zone section to the reply. A more complete fix for the latent bug will be released later. [RT #24777] Feature Changes 9.8.1 * Merged in the NetBSD ATF test framework (currently version 0.12) for development of future unit tests. Use configure --with-atf to build ATF internally or configure --with-atf=prefix to use an external copy. [RT #23209] * Added more verbose error reporting from DLZ LDAP. [RT #23402] * The DLZ "dlopen" driver is now built by default, no longer requiring a configure option. To disable it, use "configure --without-dlopen". (Note: driver not supported on win32.) [RT #23467] * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587] * Make --with-gssapi default for ./configure. [RT #23738] * Improved the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with lots of zones will be serving that zone data much sooner. [RT #24406] * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in list of empty zones. [RT #24990] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2011/07/05 13:35:29 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.1.tar.gz) = 7e6ed6ebc896b1de33a9f440233066c60539de4c RMD160 (bind-9.8.1.tar.gz) = a1a49ce0b1b6a5c6dd339fe160920cd4f39e2372 Size (bind-9.8.1.tar.gz) = 8450567 bytes @ 1.5.2.1 log @Pullup ticket #3605 - requested by spz net/bind98 security update Revisions pulled up: - net/bind98/Makefile 1.6 - net/bind98/distinfo 1.6-1.7 - net/bind98/patches/patch-bin_dig_dighost.c 1.1 --- Module Name: pkgsrc Committed By: spz Date: Wed Nov 16 21:34:44 UTC 2011 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: BIND 9.8.1-P1 is security patch for BIND 9.8.1. * BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] --- Module Name: pkgsrc Committed By: taca Date: Thu Nov 17 00:48:09 UTC 2011 Modified Files: pkgsrc/net/bind98: distinfo Added Files: pkgsrc/net/bind98/patches: patch-bin_dig_dighost.c Log Message: Fix build problem on NetBSD current, maybe caused by newer gcc. * Avoid to use true as variable name. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2011/09/01 03:44:35 taca Exp $ d3 3 a5 4 SHA1 (bind-9.8.1-P1.tar.gz) = 1cff6594aa185d84942edd2f3cc06dff9cebb04b RMD160 (bind-9.8.1-P1.tar.gz) = 3183167d73a5da81e7e286a6eb123fc8684f4421 Size (bind-9.8.1-P1.tar.gz) = 8451969 bytes SHA1 (patch-bin_dig_dighost.c) = 3f37033cc64e1153268ab437fab533d2920bb18c @ 1.4 log @Update bind98 package to 9.8.0pl4 (9.8.0-P4), security release. Introduction BIND 9.8.0-P4 is security patch for BIND 9.8.0. Please see the CHANGES file in the source code release for a complete list of all changes. --- 9.8.0-P4 released --- 3124. [bug] Use an rdataset attribute flag to indicate negative-cache records rather than using rrtype 0; this will prevent problems when that rrtype is used in actual DNS packets. [RT #24777] --- 9.8.0-P3 released (withdrawn) --- 3126. [security] Using DNAME record to generate replacements caused RPZ to exit with a assertion failure. [RT #23766] 3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with a assertion failure. [RT #24715] 3123. [security] Change #2912 exposed a latent flaw in dns_rdataset_totext() that could cause named to crash with an assertion failure. [RT #24777] 3115. [bug] Named could fail to return requested data when following a CNAME that points into the same zone. [RT #2445] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2011/05/27 06:45:30 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.0-P4.tar.gz) = 969864200c1516a8bea54266de60f316d79182b4 RMD160 (bind-9.8.0-P4.tar.gz) = cd44fe00d5f052ab441c16b2e735ad5771b4230a Size (bind-9.8.0-P4.tar.gz) = 7703981 bytes d7 2 a8 1 SHA1 (patch-configure) = edf5a32b5c05aea110316f877264c22a2c4344ba @ 1.3 log @Update bind98 package to 9.8.0pl2(9.8.0-P2) --- 9.8.0-P2 released --- 3121. [security] An authoritative name server sending a negative response containing a very large RRset could trigger an off-by-one error in the ncache code and crash named. [RT #24650] 3120. [bug] Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. [RT #24631] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2011/05/06 00:34:32 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.0-P2.tar.gz) = b3492ad11cfbf2939d9b0fb62c52c204de58679b RMD160 (bind-9.8.0-P2.tar.gz) = 3db0b25303da78f06d6fb48f66908111cb0eb34c Size (bind-9.8.0-P2.tar.gz) = 7702702 bytes @ 1.2 log @Update bind98 pacakge to 9.8.0p1 (9.8.0-P1). Fixes https://www.isc.org/CVE-2011-1907. --- 9.8.0-P1 released --- 3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1.1.1 2011/03/04 03:52:14 taca Exp $ d3 3 a5 3 SHA1 (bind-9.8.0-P1.tar.gz) = aa8f308f218e437ac4bad616e0ae83a9b9c40c29 RMD160 (bind-9.8.0-P1.tar.gz) = 7f86bcd531fea341de6d79386448d58de4222c90 Size (bind-9.8.0-P1.tar.gz) = 7701530 bytes @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (bind-9.8.0.tar.gz) = 33019694ef3119d9daa1e8ff5117a6688e188528 RMD160 (bind-9.8.0.tar.gz) = 648ed29a16a0bb3202e177ea3762301ed00f1cde Size (bind-9.8.0.tar.gz) = 7760161 bytes @ 1.1.1.1 log @Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details. @ text @@ 1.1.1.1.2.1 log @Pullup ticket #3423 - requested by taca net/bind98: security update Revisions pulled up: - net/bind98/Makefile 1.2 - net/bind98/distinfo 1.2 --- Module Name: pkgsrc Committed By: taca Date: Fri May 6 00:34:32 UTC 2011 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 pacakge to 9.8.0p1 (9.8.0-P1). Fixes https://www.isc.org/CVE-2011-1907. --- 9.8.0-P1 released --- 3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280] @ text @d3 3 a5 3 SHA1 (bind-9.8.0-P1.tar.gz) = aa8f308f218e437ac4bad616e0ae83a9b9c40c29 RMD160 (bind-9.8.0-P1.tar.gz) = 7f86bcd531fea341de6d79386448d58de4222c90 Size (bind-9.8.0-P1.tar.gz) = 7701530 bytes @ 1.1.1.1.2.2 log @Pullup ticket #3439 - requested by taca net/bind98 security update Revisions pulled up: - net/bind98/Makefile 1.3 - net/bind98/distinfo 1.3 --- Module Name: pkgsrc Committed By: taca Date: Fri May 27 06:45:31 UTC 2011 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 package to 9.8.0pl2(9.8.0-P2) --- 9.8.0-P2 released --- 3121. [security] An authoritative name server sending a negative response containing a very large RRset could trigger an off-by-one error in the ncache code and crash named. [RT #24650] 3120. [bug] Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. [RT #24631] @ text @d3 3 a5 3 SHA1 (bind-9.8.0-P2.tar.gz) = b3492ad11cfbf2939d9b0fb62c52c204de58679b RMD160 (bind-9.8.0-P2.tar.gz) = 3db0b25303da78f06d6fb48f66908111cb0eb34c Size (bind-9.8.0-P2.tar.gz) = 7702702 bytes @ 1.1.1.1.2.3 log @Pullup ticket #3461 - requested by taca security update for net/bind98 Revisions pulled up: - net/bind98/Makefile 1.4 - net/bind98/distinfo 1.4 --- Module Name: pkgsrc Committed By: taca Date: Tue Jul 5 13:35:29 UTC 2011 Modified Files: pkgsrc/net/bind98: Makefile distinfo Log Message: Update bind98 package to 9.8.0pl4 (9.8.0-P4), security release. Introduction BIND 9.8.0-P4 is security patch for BIND 9.8.0. Please see the CHANGES file in the source code release for a complete list of all changes. --- 9.8.0-P4 released --- 3124. [bug] Use an rdataset attribute flag to indicate negative-cache records rather than using rrtype 0; this will prevent problems when that rrtype is used in actual DNS packets. [RT #24777] --- 9.8.0-P3 released (withdrawn) --- 3126. [security] Using DNAME record to generate replacements caused RPZ to exit with a assertion failure. [RT #23766] 3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with a assertion failure. [RT #24715] 3123. [security] Change #2912 exposed a latent flaw in dns_rdataset_totext() that could cause named to crash with an assertion failure. [RT #24777] 3115. [bug] Named could fail to return requested data when following a CNAME that points into the same zone. [RT #2445] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1.1.1.2.2 2011/05/27 11:06:38 sbd Exp $ d3 3 a5 3 SHA1 (bind-9.8.0-P4.tar.gz) = 969864200c1516a8bea54266de60f316d79182b4 RMD160 (bind-9.8.0-P4.tar.gz) = cd44fe00d5f052ab441c16b2e735ad5771b4230a Size (bind-9.8.0-P4.tar.gz) = 7703981 bytes @