diff options
| author | he <he@pkgsrc.org> | 2016-11-06 12:54:35 +0000 |
|---|---|---|
| committer | he <he@pkgsrc.org> | 2016-11-06 12:54:35 +0000 |
| commit | 39c7b4756c69c3844646eee8f06b5e4808e1f639 (patch) | |
| tree | eb23cb710745fe1d81b54ad388646b98ceecab63 | |
| parent | 4da0ab3dd5dd493670be0a339f4cb45b7905c52d (diff) | |
| download | pkgsrc-39c7b4756c69c3844646eee8f06b5e4808e1f639.tar.gz | |
Update OpenDNSSEC to version 1.4.12.
Local changes (retained from earlier versions):
* Some adaptations of the build setup (conversion scripts etc.)
* in signer/ixfr.c, log the zone name if the soamin assertion trigers
* in signer/zone.c, if there's a bad ixfr journal file, save it, for debug
Upstream changes:
News:
This is a bug fix release targeting a memory leak in the signer
when being used in the "bump in the wire" model where the signer
would send out notify messages and respond to IXFR requests for
the signed zone. This typically would manifest itself with very
frequent outgoing IXFRs over a longer period of time.
When upgrading from 1.4.10 (the 1.4.11 release was skipped) no
migration steps are needed. For upgrading from earlier releases
see the migration steps in the individual releases, most notably
in 1.4.8.2. This version of OpenDNSSEC does however require a
slightly less older minimal version of the library ldns.
Fixes:
* OPENDNSSEC-808: Crash on query with empty query section
(thanks Havard Eidnes).
* SUPPORT-191: Regression, Must accept notify without SOA (thanks
Christos Trochalakis).
* OPENDNSSEC-845: memory leak occuring when responding to IXFR
out when having had multiple updates.
* OPENDNSSEC-805: Avoid full resign due to mismatch in backup file
when upgrading from 1.4.8 or later.
* OPENDNSSEC-828: parsing zone list could show data from next zone
when zones iterated on single line.
* OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other
static code analysis cleanup
* OPENDNSSEC-847: Broken DNS IN notifications when pkt answer
section is empty.
* OPENDNSSEC-838: Crash in signer after having removed a zone.
* Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
* Prevent responding to queries when not fully started yet.
| -rw-r--r-- | security/opendnssec/Makefile | 7 | ||||
| -rw-r--r-- | security/opendnssec/distinfo | 11 | ||||
| -rw-r--r-- | security/opendnssec/patches/patch-signer_src_wire_query.c | 18 |
3 files changed, 8 insertions, 28 deletions
diff --git a/security/opendnssec/Makefile b/security/opendnssec/Makefile index cf5a8c48ab5..2f31626c586 100644 --- a/security/opendnssec/Makefile +++ b/security/opendnssec/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.58 2016/07/16 19:49:07 he Exp $ +# $NetBSD: Makefile,v 1.59 2016/11/06 12:54:35 he Exp $ # -DISTNAME= opendnssec-1.4.10 -PKGREVISION= 1 +DISTNAME= opendnssec-1.4.12 CATEGORIES= security net MASTER_SITES= http://www.opendnssec.org/files/source/ @@ -11,7 +10,7 @@ HOMEPAGE= http://www.opendnssec.org/ COMMENT= OSS for a fast and easy DNSSEC deployment LICENSE= 2-clause-bsd -DEPENDS+= ldns>=1.6.13:../../net/ldns +DEPENDS+= ldns>=1.6.17:../../net/ldns BUILD_DEPENDS+= CUnit-[0-9]*:../../devel/cunit BUILD_DEFS+= VARBASE diff --git a/security/opendnssec/distinfo b/security/opendnssec/distinfo index 49da17a7f8a..8ca8ce6a64b 100644 --- a/security/opendnssec/distinfo +++ b/security/opendnssec/distinfo @@ -1,12 +1,11 @@ -$NetBSD: distinfo,v 1.34 2016/07/16 19:49:07 he Exp $ +$NetBSD: distinfo,v 1.35 2016/11/06 12:54:35 he Exp $ -SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213 -RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130 -SHA512 (opendnssec-1.4.10.tar.gz) = 00ba6ceba595f9d4d7736af982b78779f204eb52fcf92222256792368328647ca1a4c84b4db64dcdd9a0119292f132a4efd15e60436c2a125bf6a8fb3f33540e -Size (opendnssec-1.4.10.tar.gz) = 1036069 bytes +SHA1 (opendnssec-1.4.12.tar.gz) = feab78605d2c49a2788a4b65e7eb4416777e9610 +RMD160 (opendnssec-1.4.12.tar.gz) = dc91f862691218ca99b3496a7340ef16f29e37aa +SHA512 (opendnssec-1.4.12.tar.gz) = b72b76ab4aec8cc63cc9c020bef9a24b000fd00172a07cf43d57b3a33041bef9e107b71eb7271bb13c3566510599c6a1913cf986a724e169c42dc8bdac8d2e51 +Size (opendnssec-1.4.12.tar.gz) = 1036392 bytes SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991 SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1 SHA1 (patch-signer_src_signer_ixfr.c) = 74c2c320080e585a6126e146c453998f44c164f7 SHA1 (patch-signer_src_signer_zone.c) = 0330236f11ccab7ed83b73bc83d851f932124318 -SHA1 (patch-signer_src_wire_query.c) = ab60e229687be910be9acd0a43d47987498de070 diff --git a/security/opendnssec/patches/patch-signer_src_wire_query.c b/security/opendnssec/patches/patch-signer_src_wire_query.c deleted file mode 100644 index 328e45c1a0e..00000000000 --- a/security/opendnssec/patches/patch-signer_src_wire_query.c +++ /dev/null @@ -1,18 +0,0 @@ -$NetBSD: patch-signer_src_wire_query.c,v 1.1 2016/07/16 19:49:07 he Exp $ - -Add a check for whether we have an RRset in the query, -to side-step DoS via crafted packet. - ---- signer/src/wire/query.c.orig 2016-05-02 10:40:02.000000000 +0000 -+++ signer/src/wire/query.c -@@ -869,6 +869,10 @@ query_process(query_type* q, void* engin - return query_formerr(q); - } - rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0); -+ if (rr == NULL) { -+ ods_log_debug("[%s] no RRset in query, ignoring", query_str); -+ return QUERY_DISCARDED; /* no RRset in query */ -+ } - lock_basic_lock(&e->zonelist->zl_lock); - /* we can just lookup the zone, because we will only handle SOA queries, - zone transfers, updates and notifies */ |