-rw-r--r-- | net/djbdns/Makefile | 4 | ||||
-rw-r--r-- | net/djbdns/distinfo | 12 | ||||
-rw-r--r-- | net/djbdns/files/patch-mergequeries (renamed from net/djbdns/files/patch-qmerge2) | 5 | ||||
-rw-r--r-- | net/djbdns/files/patch-mergequeries-boundscheck | 27 | ||||
-rw-r--r-- | net/djbdns/options.mk | 33 | ||||
-rw-r--r-- | net/djbdns/patches/patch-response.c | 3 |
6 files changed, 50 insertions, 34 deletions
diff --git a/net/djbdns/Makefile b/net/djbdns/Makefile
index a19fb6e571a..dea1cb04d67 100644
--- a/net/djbdns/Makefile
+++ b/net/djbdns/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.66 2018/06/18 10:44:38 schmonz Exp $
+# $NetBSD: Makefile,v 1.67 2018/09/28 20:36:24 schmonz Exp $

 DISTNAME= djbdns-1.05
-PKGREVISION= 13
+PKGREVISION= 14
 CATEGORIES= net
 MASTER_SITES= http://cr.yp.to/djbdns/
 DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${MANPAGES}
diff --git a/net/djbdns/distinfo b/net/djbdns/distinfo
index 8722d685d51..bb11a03cd35 100644
--- a/net/djbdns/distinfo
+++ b/net/djbdns/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.26 2018/06/18 10:44:38 schmonz Exp $
+$NetBSD: distinfo,v 1.27 2018/09/28 20:36:24 schmonz Exp $

 SHA1 (djbdns-1.05.tar.gz) = 2efdb3a039d0c548f40936aa9cb30829e0ce8c3d
 RMD160 (djbdns-1.05.tar.gz) = a832cbfd93e4ccec6a565492a4ee0b3c1b4b68ed
@@ -20,16 +20,8 @@ SHA1 (djbdns-cachestats.patch) = ab0b2835140768d89159d5564534d39520d7f403
 RMD160 (djbdns-cachestats.patch) = e09994d84573e781ce18b59f909f8bd013de5d8e
 SHA512 (djbdns-cachestats.patch) = e78b6a8fc43f94e5bc5971d85f952ef9cac4fa827b00036994fa51dcebb9c9755c36488ac24a9ec7b92097a38938191147faf8cce84a9e636072684db28a2e62
 Size (djbdns-cachestats.patch) = 2341 bytes
-SHA1 (0001-dnscache-merge-similar-outgoing-queries.patch) = 8dd3ce7758d3a97cafbe6a60ea83f48e916f496d
-RMD160 (0001-dnscache-merge-similar-outgoing-queries.patch) = c416dd6575819cfd40ef0d306ccb14d34a5afc90
-SHA512 (0001-dnscache-merge-similar-outgoing-queries.patch) = cbec128b021a341c68906289ca02d3a7fe088c8b3835f2ae3dbb581ad6520712eb344d66e11bb82368dbca2e93e46facd4e10d121fc091099b3a7bfd5e6d081e
-Size (0001-dnscache-merge-similar-outgoing-queries.patch) = 9914 bytes
-SHA1 (0002-dnscache-cache-soa-records.patch) = ac9b6a62c62588205cc4dc71da4e0ad6630f9635
-RMD160 (0002-dnscache-cache-soa-records.patch) = 0b58e57bc11b36113c5fef73a64c869895f83889
-SHA512 (0002-dnscache-cache-soa-records.patch) = f65ca7dfc8e85f469f22d72a1c79126c35243dc077abf4b688eb7d057f19456dc8a3665f558a8a3c1908f96fa1838792aa1bc317d2e89f4953020828c05926e6
-Size (0002-dnscache-cache-soa-records.patch) = 2944 bytes
 SHA1 (patch-Makefile) = 0dffb59090ccb4977c65885f062eb37255ccd0d9
 SHA1 (patch-dnscache-conf.c) = 873897ad6b97baff363874a6a79c8da44383c283
 SHA1 (patch-dnsroots.global) = 183964d516e08c46773847fe542f5a502ec2edcf
 SHA1 (patch-hier.c) = 874af27489ad4597e213cfe05a7f2f919081db20
-SHA1 (patch-response.c) = 4f089b63664b7e4685b77fc55b287860c8c68229
+SHA1 (patch-response.c) = 24c8f3bc4b629dd04a0b83285eff4579750d92ff
diff --git a/net/djbdns/files/patch-qmerge2 b/net/djbdns/files/patch-mergequeries
index 87c2223aec9..39e5de50929 100644
--- a/net/djbdns/files/patch-qmerge2
+++ b/net/djbdns/files/patch-mergequeries
@@ -1,4 +1,7 @@
-$NetBSD: patch-qmerge2,v 1.2 2015/12/29 04:04:29 dholland Exp $
+$NetBSD: patch-mergequeries,v 1.1 2018/09/28 20:36:24 schmonz Exp $
+
+Address the dnscache poisoning weaknesses described in CVE-2008-4392.
+From Jeff King in <https://marc.info/?l=djbdns&m=123859517723684&w=2>

 --- clients.h.orig 2009-04-21 23:43:02.000000000 -0400
 +++ clients.h
diff --git a/net/djbdns/files/patch-mergequeries-boundscheck b/net/djbdns/files/patch-mergequeries-boundscheck
new file mode 100644
index 00000000000..1383b8ee2c5
--- /dev/null
+++ b/net/djbdns/files/patch-mergequeries-boundscheck
@@ -0,0 +1,27 @@
+$NetBSD: patch-mergequeries-boundscheck,v 1.1 2018/09/28 20:36:24 schmonz Exp $
+
+Add a missing bounds check to the MERGEQUERIES patch's try_merge().
+From Tim Stewart in <https://marc.info/?l=djbdns&m=153020962703821>
+
+--- dns_transmit.c.orig 2018-09-28 20:25:42.000000000 +0000
++++ dns_transmit.c
+@@ -35,6 +35,7 @@ static int try_merge(struct dns_transmit
+ for (i = 0; i < MAXUDP; i++) {
+ if (!inprogress[i]) continue;
+ if (!merge_equal(d, inprogress[i])) continue;
++ if (inprogress[i]->nslaves == MAXUDP) continue;
+ d->master = inprogress[i];
+ inprogress[i]->slaves[inprogress[i]->nslaves++] = d;
+ return 1;
+@@ -127,8 +128,10 @@ static void mergefree(struct dns_transmi
+ }
+ /* and unregister all of our slaves from us */
+ for (i = 0; i < d->nslaves; i++) {
+- if (d->slaves[i])
++ if (d->slaves[i]) {
+ d->slaves[i]->master = NULL;
++ d->slaves[i] = 0;
++ }
+ }
+ d->nslaves = 0;
+ }
diff --git a/net/djbdns/options.mk b/net/djbdns/options.mk
index b38563ffd81..81047c67bab 100644
--- a/net/djbdns/options.mk
+++ b/net/djbdns/options.mk
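Review bot: The new guard in try_merge() compares with `==`, so it stops the write only when the count is exactly at the limit; `if (inprogress[i]->nslaves >= MAXUDP) continue;` would also refuse to index `slaves[]` if the count were ever already past it. The guard assumes `slaves[]` holds MAXUDP entries, which the hunk does not show, so a one-line comment stating that above the check would help the next reader. When the guard fires the query is presumably sent on its own instead of being merged, which is the duplicate-outstanding-query situation the MERGEQUERIES patch exists to limit, so it is worth confirming that this path is reachable only at the MAXUDP concurrency cap. In mergefree() the added `d->slaves[i] = 0;` sits directly under `master = NULL`; writing `NULL` in both places would read more consistently. Both function bodies start outside the quoted hunks.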
@@ -1,12 +1,14 @@
-# $NetBSD: options.mk,v 1.19 2018/06/18 10:44:38 schmonz Exp $
+# $NetBSD: options.mk,v 1.20 2018/09/28 20:36:24 schmonz Exp $

 PKG_OPTIONS_VAR= PKG_OPTIONS.djbdns
 PKG_SUPPORTED_OPTIONS+= # inet6
 PKG_SUPPORTED_OPTIONS+= djbdns-cachestats djbdns-ignoreip2
-PKG_SUPPORTED_OPTIONS+= djbdns-tinydns64
-PKG_OPTIONS_OPTIONAL_GROUPS= qmerge
-PKG_OPTIONS_GROUP.qmerge= djbdns-qmerge1 djbdns-qmerge2
-PKG_SUGGESTED_OPTIONS+= djbdns-qmerge2 djbdns-tinydns64
+PKG_SUPPORTED_OPTIONS+= djbdns-mergequeries djbdns-tinydns64
+PKG_SUGGESTED_OPTIONS+= djbdns-mergequeries djbdns-tinydns64
+
+# For users migrating from 2018Q2; remove compatibility after 2018Q3 is branched
+PKG_OPTIONS_LEGACY_OPTS+= djbdns-qmerge1:djbdns-mergequeries
+PKG_OPTIONS_LEGACY_OPTS+= djbdns-qmerge2:djbdns-mergequeries

 .include "../../mk/bsd.options.mk"

@@ -35,22 +37,13 @@ PATCHFILES+= ${IGNOREIP2_PATCH}
 SITES.${IGNOREIP2_PATCH}= http://www.tinydns.org/
 .endif

-.if !empty(PKG_OPTIONS:Mdjbdns-qmerge1)
-DNSCACHE_MERGE_PATCH= 0001-dnscache-merge-similar-outgoing-queries.patch
-DNSCACHE_SOA_PATCH= 0002-dnscache-cache-soa-records.patch
-PATCHFILES+= ${DNSCACHE_MERGE_PATCH} ${DNSCACHE_SOA_PATCH}
-PATCH_DIST_STRIP.${DNSCACHE_MERGE_PATCH}= -p1
-PATCH_DIST_STRIP.${DNSCACHE_SOA_PATCH}= -p1
-SITES.${DNSCACHE_MERGE_PATCH}= http://www.your.org/dnscache/
-SITES.${DNSCACHE_SOA_PATCH}= http://www.your.org/dnscache/
-.endif
-
-.if !empty(PKG_OPTIONS:Mdjbdns-qmerge2)
+.if !empty(PKG_OPTIONS:Mdjbdns-mergequeries)
 USE_TOOLS+= patch
-post-patch: patch-qmerge2
-.PHONY: patch-qmerge2
-patch-qmerge2:
- cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-qmerge2
+post-patch: patch-mergequeries
+.PHONY: patch-mergequeries
+patch-mergequeries:
+ cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-mergequeries
+ cd ${WRKSRC} && ${PATCH} ${PATCH_ARGS} < ${FILESDIR}/patch-mergequeries-boundscheck
 .endif

 .if !empty(PKG_OPTIONS:Mdjbdns-tinydns64)
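Review bot: The `djbdns-mergequeries` block has no comment saying that it is the CVE-2008-4392 mitigation or that the second patch applies on top of the first, so someone trimming options or reordering the recipe could weaken it without noticing. A line such as `# Security: CVE-2008-4392 mitigation; patch-mergequeries-boundscheck must be applied after patch-mergequeries` above the `.if` would record both facts. The legacy mapping `djbdns-qmerge1:djbdns-mergequeries` also changes what those users build, because the removed qmerge1 block applied 0002-dnscache-cache-soa-records.patch as well; the migration comment could mention that.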
diff --git a/net/djbdns/patches/patch-response.c b/net/djbdns/patches/patch-response.c
index dc8409f3114..f0b396a50c7 100644
--- a/net/djbdns/patches/patch-response.c
+++ b/net/djbdns/patches/patch-response.c
@@ -1,6 +1,7 @@
-$NetBSD: patch-response.c,v 1.1 2017/05/26 15:16:45 schmonz Exp $
+$NetBSD: patch-response.c,v 1.2 2018/09/28 20:36:24 schmonz Exp $

 Fix the security hole found by Matthew Dempsky.
+From DJB in <https://marc.info/?l=djbdns&m=123613000920446&w=2>

 --- response.c.orig 2001-02-11 16:11:45.000000000 -0500
 +++ response.c |