authoradrianp <adrianp>2007-01-28 01:31:52 +0000
committeradrianp <adrianp>2007-01-28 01:31:52 +0000
commit8f1afad12b5fd0a553c3f7ab1a5f4ad47ec7e5e6 (patch)
tree76bf89e629f5712fca024ed48ac5b7780e78f247 /net
parent4600927c295c3a92fac4cf8a9c4491fb6632c60e (diff)
Update to 9.3.4
Lots of changes, see http://www.isc.org/sw/bind/view/?release=9.3.4#RELEASE for all the details:

In brief:

2126. [security] Serialise validation of type ANY responses.
2124. [security] It was possible to dereference a freed fetch context.
2089. [security] Raise the minimum safe OpenSSL versions to OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known security flaws which are (potentially) exploitable in named.
2088. [security] Change the default RSA exponent from 3 to 65537.
2066. [security] Handle SIG queries gracefully.
1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it.
Diffstat (limited to 'net')
-rw-r--r--net/bind9/Makefile5
-rw-r--r--net/bind9/distinfo12
-rw-r--r--net/bind9/patches/patch-ao13
-rw-r--r--net/bind9/patches/patch-ap22
-rw-r--r--net/bind9/patches/patch-aq126
5 files changed, 14 insertions, 164 deletions
diff --git a/net/bind9/Makefile b/net/bind9/Makefile
index 0267ef14da6..999b2a9de05 100644
--- a/net/bind9/Makefile
+++ b/net/bind9/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.84 2006/11/23 22:19:38 hubertf Exp $
+# $NetBSD: Makefile,v 1.85 2007/01/28 01:31:52 adrianp Exp $
DISTNAME= bind-${BIND_VERSION}
-PKGREVISION= 4
CATEGORIES= net
MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
@@ -9,7 +8,7 @@ MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.isc.org/sw/bind/
COMMENT= Version 9 of the Berkeley Internet Name Daemon, implementation of DNS
-BIND_VERSION= 9.3.2
+BIND_VERSION= 9.3.4
# IPv6 ready, automatically detected
.include "../../mk/bsd.prefs.mk"
diff --git a/net/bind9/distinfo b/net/bind9/distinfo
index 5374dccd0a5..4fcd2a8d444 100644
--- a/net/bind9/distinfo
+++ b/net/bind9/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.29 2006/09/05 20:45:32 adrianp Exp $
+$NetBSD: distinfo,v 1.30 2007/01/28 01:31:52 adrianp Exp $
-SHA1 (bind-9.3.2.tar.gz) = 13efeaf496ed110980088fb5cbe22460f04a0fac
-RMD160 (bind-9.3.2.tar.gz) = c825b6308eb374e9bcf9b6ccc48f65d8753c0a6d
-Size (bind-9.3.2.tar.gz) = 5302112 bytes
+SHA1 (bind-9.3.4.tar.gz) = f53c7e24157ae1fd881834351804bfee3c2782ee
+RMD160 (bind-9.3.4.tar.gz) = 8b5fda9542f6afbe7ffb857d72f7e545237d7826
+Size (bind-9.3.4.tar.gz) = 5405022 bytes
SHA1 (patch-ab) = dd12c457791a75a8b43d9dfd0c0b236dcdbe31a5
SHA1 (patch-ac) = 4df1ece91d59b2b36fc7a4316604f1c112cf70ba
SHA1 (patch-ad) = 0e28ae0bb42e633f1ff1111478c97ced5c222186
@@ -13,6 +13,4 @@ SHA1 (patch-aj) = c3bbf84a8a735298552f918ac38331e06a1b68a1
SHA1 (patch-al) = eb6a52d3f865639447ec6f9019c0ea1d2122b772
SHA1 (patch-am) = bb267f13dbd30d492f4dfcf9c278b941efa97bed
SHA1 (patch-an) = b3e5cd93890aa9a9cec7c14abf1b62ddbf854b14
-SHA1 (patch-ao) = 8a3f8f1b5871af263fc99bc8e552b3ab615bc815
-SHA1 (patch-ap) = 817c39121f1b62f8033822a42d7d9f8a5b5372ea
-SHA1 (patch-aq) = 20cde9869c69dff2aca4784ec9b8b032639776fe
+SHA1 (patch-ao) = 9a1ed7b37befdd8e29d233fe55cd62362df3c50e
diff --git a/net/bind9/patches/patch-ao b/net/bind9/patches/patch-ao
index 58fc04b6328..592731b2f84 100644
--- a/net/bind9/patches/patch-ao
+++ b/net/bind9/patches/patch-ao
@@ -1,21 +1,22 @@
-$NetBSD: patch-ao,v 1.1 2006/08/28 16:00:45 seb Exp $
+$NetBSD: patch-ao,v 1.2 2007/01/28 01:31:52 adrianp Exp $
---- lib/bind/irs/getaddrinfo.c.orig 2005-07-28 07:43:19.000000000 +0000
+--- lib/bind/irs/getaddrinfo.c.orig 2006-11-13 05:04:49.000000000 +0000
+++ lib/bind/irs/getaddrinfo.c
-@@ -332,7 +332,7 @@ getaddrinfo(hostname, servname, hints, r
+@@ -332,7 +332,8 @@ getaddrinfo(hostname, servname, hints, r
pai->ai_family = PF_UNSPEC;
pai->ai_socktype = ANY;
pai->ai_protocol = ANY;
--#ifdef __sparcv9
+-#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
+#if (defined(sun) && defined(_SOCKLEN_T) && defined(__sparc9)) || (defined(__NetBSD__) && (((defined(__sparc__) || defined(__i386__)) && defined(_LP64)) || defined(__alpha__)))
++
/*
* clear _ai_pad to preserve binary
* compatibility with previously compiled 64-bit
-@@ -365,7 +365,7 @@ getaddrinfo(hostname, servname, hints, r
+@@ -365,7 +366,7 @@ getaddrinfo(hostname, servname, hints, r
}
memcpy(pai, hints, sizeof(*pai));
--#ifdef __sparcv9
+-#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
+#if (defined(sun) && defined(_SOCKLEN_T) && defined(__sparc9)) || (defined(__NetBSD__) && (((defined(__sparc__) || defined(__i386__)) && defined(_LP64)) || defined(__alpha__)))
/*
* We need to clear _ai_pad to preserve binary
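Review bot: The replacement `#if` that this refreshed patch carries in both of its hunks tests `defined(__sparc9)`, while the upstream line it replaces, shown directly above it in each hunk, tests `defined(__sparcv9)`. This looks like a typo inherited from the previous revision of the patch. If it is one, the Solaris half of the condition can never be true, so the `_ai_pad` clearing would be compiled out on 64-bit Solaris SPARC builds, which upstream does cover. I would spell it `defined(__sparcv9)` in both places, i.e. `#if (defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)) || (defined(__NetBSD__) && ...)`, and regenerate the patch-ao checksum in distinfo. The first hunk also adds an empty line (`++`) immediately after the `#if`, which seems unintended; the body of getaddrinfo() lies outside the hunks shown.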
diff --git a/net/bind9/patches/patch-ap b/net/bind9/patches/patch-ap
deleted file mode 100644
index 1bd9d81ad9d..00000000000
--- a/net/bind9/patches/patch-ap
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-ap,v 1.1 2006/09/05 20:45:32 adrianp Exp $
-
---- bin/named/query.c.orig 2005-08-11 06:25:20.000000000 +0100
-+++ bin/named/query.c
-@@ -2393,7 +2393,7 @@ query_find(ns_client_t *client, dns_fetc
- is_zone = ISC_FALSE;
-
- qtype = event->qtype;
-- if (qtype == dns_rdatatype_rrsig)
-+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
-@@ -2434,7 +2434,7 @@ query_find(ns_client_t *client, dns_fetc
- /*
- * If it's a SIG query, we'll iterate the node.
- */
-- if (qtype == dns_rdatatype_rrsig)
-+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
diff --git a/net/bind9/patches/patch-aq b/net/bind9/patches/patch-aq
deleted file mode 100644
index 29a20832f7d..00000000000
--- a/net/bind9/patches/patch-aq
+++ /dev/null
@@ -1,126 +0,0 @@
-$NetBSD: patch-aq,v 1.1 2006/09/05 20:45:32 adrianp Exp $
-
---- lib/dns/resolver.c.orig 2005-10-14 02:38:48.000000000 +0100
-+++ lib/dns/resolver.c
-@@ -762,7 +762,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_re
- INSIST(result != ISC_R_SUCCESS ||
- dns_rdataset_isassociated(event->rdataset) ||
- fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig);
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig);
-
- isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
- }
-@@ -3188,7 +3189,8 @@ validated(isc_task_t *task, isc_event_t
- if (hevent != NULL) {
- if (!negative && !chaining &&
- (fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig)) {
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig)) {
- /*
- * Don't bind rdatasets; the caller
- * will iterate the node.
-@@ -3306,7 +3308,8 @@ validated(isc_task_t *task, isc_event_t
- if (!ISC_LIST_EMPTY(fctx->validators)) {
- INSIST(!negative);
- INSIST(fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig);
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig);
- /*
- * Don't send a response yet - we have
- * more rdatasets that still need to
-@@ -3455,14 +3458,15 @@ cache_name(fetchctx_t *fctx, dns_name_t
- return (result);
- anodep = &event->node;
- /*
-- * If this is an ANY or SIG query, we're not going
-- * to return any rdatasets, unless we encountered
-+ * If this is an ANY, SIG or RRSIG query, we're not
-+ * going to return any rdatasets, unless we encountered
- * a CNAME or DNAME as "the answer". In this case,
- * we're going to return DNS_R_CNAME or DNS_R_DNAME
- * and we must set up the rdatasets.
- */
- if ((fctx->type != dns_rdatatype_any &&
-- fctx->type != dns_rdatatype_rrsig) ||
-+ fctx->type != dns_rdatatype_rrsig &&
-+ fctx->type != dns_rdatatype_sig) ||
- (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
- ardataset = event->rdataset;
- asigrdataset = event->sigrdataset;
-@@ -3521,7 +3525,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
- */
- if (secure_domain && rdataset->trust != dns_trust_glue) {
- /*
-- * SIGs are validated as part of validating the
-+ * RRSIGs are validated as part of validating the
- * type they cover.
- */
- if (rdataset->type == dns_rdatatype_rrsig)
-@@ -3591,7 +3595,8 @@ cache_name(fetchctx_t *fctx, dns_name_t
-
- if (ANSWER(rdataset) && need_validation) {
- if (fctx->type != dns_rdatatype_any &&
-- fctx->type != dns_rdatatype_rrsig) {
-+ fctx->type != dns_rdatatype_rrsig &&
-+ fctx->type != dns_rdatatype_sig) {
- /*
- * This is The Answer. We will
- * validate it, but first we cache
-@@ -3763,23 +3768,28 @@ ncache_adderesult(dns_message_t *message
- isc_result_t *eresultp)
- {
- isc_result_t result;
-+ dns_rdataset_t rdataset;
-+
-+ if (ardataset == NULL) {
-+ dns_rdataset_init(&rdataset);
-+ ardataset = &rdataset;
-+ }
- result = dns_ncache_add(message, cache, node, covers, now,
- maxttl, ardataset);
-- if (result == DNS_R_UNCHANGED) {
-+ if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
- /*
-- * The data in the cache are better than the negative cache
-- * entry we're trying to add.
-+ * If the cache now contains a negative entry and we
-+ * care about whether it is DNS_R_NCACHENXDOMAIN or
-+ * DNS_R_NCACHENXRRSET then extract it.
- */
-- if (ardataset != NULL && ardataset->type == 0) {
-+ if (ardataset->type == 0) {
- /*
-- * The cache data is also a negative cache
-- * entry.
-+ * The cache data is a negative cache entry.
- */
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
-- result = ISC_R_SUCCESS;
- } else {
- /*
- * Either we don't care about the nature of the
-@@ -3791,14 +3801,11 @@ ncache_adderesult(dns_message_t *message
- * XXXRTH There's a CNAME/DNAME problem here.
- */
- *eresultp = ISC_R_SUCCESS;
-- result = ISC_R_SUCCESS;
- }
-- } else if (result == ISC_R_SUCCESS) {
-- if (NXDOMAIN(ardataset))
-- *eresultp = DNS_R_NCACHENXDOMAIN;
-- else
-- *eresultp = DNS_R_NCACHENXRRSET;
-+ result = ISC_R_SUCCESS;
- }
-+ if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
-+ dns_rdataset_disassociate(ardataset);
-
- return (result);
- }