authortaca <taca@pkgsrc.org>2019-04-30 02:51:38 +0000
committertaca <taca@pkgsrc.org>2019-04-30 02:51:38 +0000
commit48b2ebffbd29cf5100dd5ff65e6e29a16fd44d5a (patch)
treeb442e82662bd0d7cdb5453b943652bc31dcca8b4 /net/bind911
parent5ed655bcda28cfe114cfbb26fe73a15a102b0eab (diff)
net/bind911: update to 9.11.6pl1
Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4). Fix the security problem CVE-2018-5743 and overhaul pkgsrc. There is now no need to change the permissions of namedb under NetBSD. * Update the note about required directories. * Drop pkg-config from USE_TOOLS. * Drop non-existent configure arguments and PKG_OPTIONS: - fetchlimit - sit --- 9.11.6-P1 released --- 5200. [security] tcp-clients settings could be exceeded in some cases, which could lead to exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
Diffstat (limited to 'net/bind911')
-rw-r--r--net/bind911/MESSAGE12
-rw-r--r--net/bind911/Makefile7
-rw-r--r--net/bind911/distinfo17
-rw-r--r--net/bind911/options.mk12
-rw-r--r--net/bind911/patches/patch-bin_named_server.c23
-rw-r--r--net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c30
-rw-r--r--net/bind911/patches/patch-lib_dns_view.c15
-rw-r--r--net/bind911/patches/patch-lib_isc_unix_socket.c14
-rw-r--r--net/bind911/patches/patch-lib_lwres_getnameinfo.c10
9 files changed, 99 insertions, 41 deletions
diff --git a/net/bind911/MESSAGE b/net/bind911/MESSAGE
index 6abe63ef60f..bfcfdbe64d2 100644
--- a/net/bind911/MESSAGE
+++ b/net/bind911/MESSAGE
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2019/04/30 02:51:38 taca Exp $
Please consider running BIND under the pseudo user account "${BIND_USER}"
in a chroot environment for security reasons.
@@ -7,7 +7,13 @@ in a chroot environment for security reasons.
To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
the directory with the chroot environment e.g. "${BIND_DIR}".
-Note: named(8) requires writable permission to current directory when
-start up or the directory specified by "directory" in options statement.
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+ cache
+ keys
+ nta
+
+Make sure to these directories exists with writable by "${BIND_USER}" user.
===========================================================================
diff --git a/net/bind911/Makefile b/net/bind911/Makefile
index 4114755ea3c..c8a0d56aa0b 100644
--- a/net/bind911/Makefile
+++ b/net/bind911/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2019/02/22 01:22:38 taca Exp $
+# $NetBSD: Makefile,v 1.8 2019/04/30 02:51:38 taca Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
@@ -14,7 +14,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.11.5-P4
+BIND_VERSION= 9.11.6-P1
.include "../../mk/bsd.prefs.mk"
@@ -22,14 +22,13 @@ BUILD_DEFS+= BIND_DIR VARBASE
.include "options.mk"
-USE_TOOLS+= pax perl pkg-config
+USE_TOOLS+= pax perl
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-libtool
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= --localstatedir=${VARBASE}
-CONFIGURE_ARGS+= --disable-openssl-version-check
CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
CONFIGURE_ARGS+= --with-python=no
.if !empty(MACHINE_PLATFORM:MNetBSD-*-m68k) || \
diff --git a/net/bind911/distinfo b/net/bind911/distinfo
index 2b25deb1dc7..77a38a69041 100644
--- a/net/bind911/distinfo
+++ b/net/bind911/distinfo
@@ -1,14 +1,17 @@
-$NetBSD: distinfo,v 1.6 2019/02/22 01:22:38 taca Exp $
+$NetBSD: distinfo,v 1.7 2019/04/30 02:51:38 taca Exp $
-SHA1 (bind-9.11.5-P4.tar.gz) = f44a7abaab3946f5c60894a797e575cc7c74f01c
-RMD160 (bind-9.11.5-P4.tar.gz) = 3df68a3763291d9c93a2a6a1366bc7a2da4582bd
-SHA512 (bind-9.11.5-P4.tar.gz) = ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573
-Size (bind-9.11.5-P4.tar.gz) = 8819038 bytes
+SHA1 (bind-9.11.6-P1.tar.gz) = 1a142cc9af68f7205bc0ea942458e6a044244422
+RMD160 (bind-9.11.6-P1.tar.gz) = 7024ba26f218015ebd99f54988f78148ae789cf7
+SHA512 (bind-9.11.6-P1.tar.gz) = 419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03
+Size (bind-9.11.6-P1.tar.gz) = 8102241 bytes
+SHA1 (patch-bin_named_server.c) = 0294d74eb3039049c4672a3de6eb371407bb382d
+SHA1 (patch-bin_pkcs11_pkcs11-keygen.c) = 49571fc0222c57cac0f2f07875c74ad2afadcb32
SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
SHA1 (patch-configure) = 7f73f26266ebd4556ab160e93dc0738188a70e20
SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = dff0163246985d0750b2c99ce7673b257df3e5bf
+SHA1 (patch-lib_dns_view.c) = 39e71fe6a407e4f9bee49b1ee25adfa0ba74b338
+SHA1 (patch-lib_isc_unix_socket.c) = a36e24f530c4a462b782ad7cce784fd4648dded3
SHA1 (patch-lib_lwres_getaddrinfo.c) = 1956a857c1b158dbe95c46d90ab406e0030e321e
-SHA1 (patch-lib_lwres_getnameinfo.c) = 366100a25064f43bd938e9acf31188c917b45cbe
+SHA1 (patch-lib_lwres_getnameinfo.c) = 67cece0c9b7077dc48fcae15bcab426e8e82a506
diff --git a/net/bind911/options.mk b/net/bind911/options.mk
index 2d05f6a8b96..21baff1c570 100644
--- a/net/bind911/options.mk
+++ b/net/bind911/options.mk
@@ -1,10 +1,10 @@
-# $NetBSD: options.mk,v 1.2 2018/10/24 11:27:28 jperkin Exp $
+# $NetBSD: options.mk,v 1.3 2019/04/30 02:51:38 taca Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.bind911
PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
PKG_SUPPORTED_OPTIONS+= bind-json-statistics-server
PKG_SUPPORTED_OPTIONS+= inet6 threads readline mysql pgsql ldap dlz-filesystem
-PKG_SUPPORTED_OPTIONS+= fetchlimit geoip pkcs11 sit tuning
+PKG_SUPPORTED_OPTIONS+= geoip pkcs11 tuning
PKG_SUGGESTED_OPTIONS+= readline
PLIST_VARS+= inet6 pkcs11
@@ -59,10 +59,6 @@ CONFIGURE_ARGS+= --with-dlz-ldap=${BUILDLINK_PREFIX.openldap-client}
CONFIGURE_ARGS+= --with-dlz-filesystem
.endif
-.if !empty(PKG_OPTIONS:Mfetchlimit)
-CONFIGURE_ARGS+= --enable-fetchlimit
-.endif
-
.if !empty(PKG_OPTIONS:Mgeoip)
CONFIGURE_ARGS+= --with-geoip=${PREFIX}
LDFLAGS+= -lGeoIP
@@ -74,10 +70,6 @@ CONFIGURE_ARGS+= --with-pkcs11=yes
PLIST.pkcs11= yes
.endif
-.if !empty(PKG_OPTIONS:Msit)
-CONFIGURE_ARGS+= --enable-sit
-.endif
-
.if !empty(PKG_OPTIONS:Mtuning)
CONFIGURE_ARGS+= --with-tuning=large
.endif
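Review bot: Removing `fetchlimit` and `sit` from PKG_SUPPORTED_OPTIONS in the first hunk, without listing them anywhere else, means an existing PKG_OPTIONS.bind911 that still names either is flagged as unsupported by bsd.options.mk instead of being told the option is obsolete. Adding `PKG_OPTIONS_OBSOLETE_OPTIONS+= fetchlimit sit` next to the PKG_SUPPORTED_OPTIONS lines gives users a clear obsolescence warning across the upgrade. A one-line comment that the features themselves are not lost would also help: as far as I recall, BIND 9.11 builds fetch limits unconditionally and replaced SIT with standard DNS COOKIE support, which is why the configure flags disappeared, but that is worth confirming against the 9.11.6 configure --help before relying on it.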
diff --git a/net/bind911/patches/patch-bin_named_server.c b/net/bind911/patches/patch-bin_named_server.c
new file mode 100644
index 00000000000..9f91f411be1
--- /dev/null
+++ b/net/bind911/patches/patch-bin_named_server.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-bin_named_server.c,v 1.1 2019/04/30 02:51:38 taca Exp $
+
+* Disable checking working directory is writable as BIND_USER in NetBSD
+ base system.
+
+--- bin/named/server.c.orig 2019-04-06 01:47:33.000000000 +0000
++++ bin/named/server.c
+@@ -8272,6 +8272,7 @@ load_configuration(const char *filename,
+ ns_os_changeuser();
+ }
+
++#if 0
+ /*
+ * Check that the working directory is writable.
+ */
+@@ -8280,6 +8281,7 @@ load_configuration(const char *filename,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "the working directory is not writable");
+ }
++#endif
+
+ #ifdef HAVE_LMDB
+ /*
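Review bot: The `#if 0` … `#endif` pair silences the "the working directory is not writable" diagnostic on every platform pkgsrc builds this package for, while the header only justifies it for the NetBSD base-system layout, where the configuration directory is deliberately read-only and writable state lives in the cache, keys and nta subdirectories the MESSAGE file now lists. If the intent is NetBSD-only, `+#if !defined(__NetBSD__)` in place of `+#if 0` keeps the log message for the other operating systems. The header should also say what is being dropped: the visible lines only emit an ISC_LOG_ERROR message, and if that is all the check does, stating so — together with the subdirectories that must be writable instead — tells a future updater why it is safe to disable. load_configuration continues outside the hunk.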
diff --git a/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c b/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c
new file mode 100644
index 00000000000..fb589fa7cec
--- /dev/null
+++ b/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c
@@ -0,0 +1,30 @@
+$NetBSD: patch-bin_pkcs11_pkcs11-keygen.c,v 1.1 2019/04/30 02:51:38 taca Exp $
+
+* Honor HAVE_PKCS11_ECDSA.
+
+--- bin/pkcs11/pkcs11-keygen.c.orig 2019-02-27 23:28:15.000000000 +0000
++++ bin/pkcs11/pkcs11-keygen.c
+@@ -421,13 +421,23 @@ main(int argc, char *argv[]) {
+ id_offset = ECC_ID;
+
+ if (bits == 256) {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_prime256v1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_prime256v1);
++#else
++ fprintf(stderr, "PRIME256v1 is not supported\n");
++ usage();
++#endif
+ } else {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_secp384r1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_secp384r1);
++#else
++ fprintf(stderr, "SEP384r1 is not supported\n");
++ usage();
++#endif
+ }
+
+ break;
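Review bot: The fallback message in the second branch misnames the curve: `fprintf(stderr, "SEP384r1 is not supported\n");` should be `fprintf(stderr, "SECP384r1 is not supported\n");`, matching the `pk11_ecc_secp384r1` template it stands in for. The `#if HAVE_PKCS11_ECDSA` tests evaluate an undefined macro as 0, which works but warns under -Wundef; if configure only defines the macro when ECDSA support is present, `#if defined(HAVE_PKCS11_ECDSA)` is the cleaner form. Both `#else` arms rely on `usage()` not returning — presumably it exits, but if it ever returns, control reaches the `break` with `public_template[4]` left unset, so an explicit exit after each `usage()` call would make the fallback self-contained. main() continues outside the hunk.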
diff --git a/net/bind911/patches/patch-lib_dns_view.c b/net/bind911/patches/patch-lib_dns_view.c
new file mode 100644
index 00000000000..e98936af8f1
--- /dev/null
+++ b/net/bind911/patches/patch-lib_dns_view.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_view.c,v 1.1 2019/04/30 02:51:38 taca Exp $
+
+* Use nta sub-directory as NetBSD base system.
+
+--- lib/dns/view.c.orig 2019-04-06 01:47:33.000000000 +0000
++++ lib/dns/view.c
+@@ -107,7 +107,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+ goto cleanup_view;
+ }
+
+- result = isc_file_sanitize(NULL, view->name, "nta",
++ result = isc_file_sanitize("nta", view->name, "nta",
+ buffer, sizeof(buffer));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
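Review bot: Passing `"nta"` as the directory argument makes the NTA file path relative to named's working directory, so it depends on an `nta` subdirectory already existing and being writable by the named user; nothing in the hunk creates it, and the header only says it mirrors the NetBSD base system. The header should record that dependency explicitly, e.g. `* Store NTA files in the nta/ subdirectory of the working directory, which must exist and be writable by the named user (see MESSAGE).`, so the patch and the MESSAGE list stay in step. The literal `"nta"` now appears twice in the same call, as directory and as extension; a short comment on the line saying the result is presumably <workdir>/nta/<sanitized view name>.nta would stop a reader from taking the repetition for a typo. dns_view_create continues outside the hunk.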
diff --git a/net/bind911/patches/patch-lib_isc_unix_socket.c b/net/bind911/patches/patch-lib_isc_unix_socket.c
index 4a2cf9614be..0fb4edda448 100644
--- a/net/bind911/patches/patch-lib_isc_unix_socket.c
+++ b/net/bind911/patches/patch-lib_isc_unix_socket.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:14 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.3 2019/04/30 02:51:38 taca Exp $
Apply fix from NetBSD revision 1.24.
---- lib/isc/unix/socket.c.orig 2018-10-06 01:36:17.000000000 +0000
+--- lib/isc/unix/socket.c.orig 2019-02-27 23:28:15.000000000 +0000
+++ lib/isc/unix/socket.c
@@ -258,6 +258,7 @@ typedef enum { poll_idle, poll_active, p
(e) == EWOULDBLOCK || \
@@ -12,13 +12,3 @@ Apply fix from NetBSD revision 1.24.
(e) == 0)
#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-@@ -1575,7 +1576,8 @@ build_msghdr_send(isc__socket_t *sock, c
-
- #if defined(IPV6_USE_MIN_MTU)
- if ((sock->type == isc_sockettype_udp) &&
-- ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
-+ ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0) &&
-+ (sock->pf == AF_INET6))
- {
- int use_min_mtu = 1; /* -1, 0, 1 */
-
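Review bot: The hunk that guards the IPV6_USE_MIN_MTU socket option with `(sock->pf == AF_INET6)` is dropped while the patch header still reads "Apply fix from NetBSD revision 1.24", so a reader can no longer tell whether that part of the NetBSD fix was merged upstream in 9.11.6-P1 or simply lost. Presumably upstream now carries it; if so, one line in the header such as `The IPV6_USE_MIN_MTU part of that revision is included upstream since 9.11.6 and is no longer patched here.` records that. If it is not upstream, the hunk should be rebased rather than removed, since the removed lines appear to stop an IPv6-only option from being applied to AF_INET UDP sockets.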
diff --git a/net/bind911/patches/patch-lib_lwres_getnameinfo.c b/net/bind911/patches/patch-lib_lwres_getnameinfo.c
index 5fe29deda3c..dfe036225d7 100644
--- a/net/bind911/patches/patch-lib_lwres_getnameinfo.c
+++ b/net/bind911/patches/patch-lib_lwres_getnameinfo.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.2 2019/04/30 02:51:38 taca Exp $
* Add fix for KAME based implementation.
---- lib/lwres/getnameinfo.c.orig 2018-07-03 06:56:55.000000000 +0000
+--- lib/lwres/getnameinfo.c.orig 2019-02-27 23:28:15.000000000 +0000
+++ lib/lwres/getnameinfo.c
-@@ -115,6 +115,10 @@
+@@ -116,6 +116,10 @@
#include <lwres/netdb.h>
#include "print_p.h"
@@ -13,9 +13,9 @@ $NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1 2018/09/09 13:11:38 taca Exp $
+#endif
+
#include "assert_p.h"
+ #include "unreachable_p.h"
- #define SUCCESS 0
-@@ -266,13 +270,9 @@ lwres_getnameinfo(const struct sockaddr
+@@ -268,13 +272,9 @@ lwres_getnameinfo(const struct sockaddr
((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
char *p = numaddr + strlen(numaddr);
const char *stringscope = NULL;