| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
--- 9.4.2-P2 released ---
2406. [bug] Some operating systems have FD_SETSIZE set to a
low value by default, which can cause resource
exhaustion when many simultaneous connections are
open. Linux in particular makes it difficult to
increase this value. To use more sockets with
select(), set ISC_SOCKET_FDSETSIZE. Example:
STD_CDEFINES="-DISC_SOCKET_FDSETSIZE=4096" ./configure
(This should not be necessary in most cases, and
never for an authoritative-only server.) [RT #18328]
2404. [port] hpux: files unlimited support.
2403. [bug] TSIG context leak. [RT #18341]
2402. [port] Support Solaris 2.11 and over. [RT #18362]
2401. [bug] Expect to get E[MN]FILE errno internal_accept()
(from accept() or fcntl() system calls). [RT #18358]
2399. [bug] Abort timeout queries to reduce the number of open
UDP sockets. [RT #18367]
2398. [bug] Improve file descriptor management. New,
temporary, named.conf option reserved-sockets,
default 512. [RT #18344]
2396. [bug] Don't set SO_REUSEADDR for randomized ports.
[RT #18336]
2395. [port] Avoid warning and no effect from "files unlimited"
on Linux when running as root. [RT #18335]
2394. [bug] Default configuration options set the limit for
open files to 'unlimited' as described in the
documentation. [RT #18331]
2392. [bug] remove 'grep -q' from acl test script, some platforms
don't support it. [RT #18253]
2322. [port] MacOS: work around the limitation of setrlimit()
for RLIMIT_NOFILE. [RT #17526]
|
|
Please see CHANGES for all the details but the driving factor of this update
is:
2375. [security] Fully randomize UDP query ports to improve
forgery resilience. [RT #17949]
|
|
|
|
|
|
many packages used to use ${PAX}. Use the common way of directly calling
pax, it is created as tool after all.
|
|
check can be abused for implementation specific exploitation: depending on
the use of libbind, this can result in denial of service or even remote
code execution.
|
|
through PLIST_SUBST to the plist module.
|
|
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
|
|
and to support the "inet6" option instead.
Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files. Replace:
BUILD_DEFS+= USE_INET6
with
BUILD_DEFS+= IPV6_READY
and teach the README-generation tools to look for that instead.
This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
|
|
"dragonfly" this may change the build.
|
|
|
|
2206. [security]
"allow-query-cache" and "allow-recursion" now
cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
2203. [security]
Query id generation was cryptographically weak.
2202. [security]
The default acls for allow-query-cache and
allow-recursion were not being applied.
2193. [port]
win32: BINDInstall.exe is now linked statically.
2192. [port]
win32: use vcredist_x86.exe to install Visual
Studio's redistributable dlls if building with
Visual Stdio 2005 or later.
|
|
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
|
|
change some of the binaries.
|
|
CVE-2007-2241: A sequence of queries can cause a recursive nameserver
to exit. While it is unlikely these will occur in normal operation, an
attack can use them to cause the affected versions to exit. This attack
is a denial of service, and does not allow an attacker to gain control
of affected systems.
|
|
I won't attempt to summarize 221 lines of changes in README here.
|
|
- "share/doc/bind9" shouldn't be group-writable.
- "share/doc/bind9/arm/Bv9ARM.pdf" shouldn't be executable.
Bump package revision because of these fixes.
|
|
Lots of changes, see http://www.isc.org/sw/bind/view/?release=9.3.4#RELEASE
for all the details:
In brief:
2126. [security] Serialise validation of type ANY responses.
2124. [security] It was possible to dereference a freed fetch
context.
2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named.
2088. [security] Change the default RSA exponent from 3 to 65537.
2066. [security] Handle SIG queries gracefully.
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it.
|
|
sparc64 tested successfully by Volkmar Seifert <vs@nifelheim.info>
OK'd by (and sparc included per suggestion of) martin@
|
|
check. Also don't install utility perl scripts for building the
docs. Use pax to install all the doc files in one go.
Bump PKGREVISION to 3 for the PLIST changes.
|
|
* Assertion failure in ISC BIND SIG query processing (CVE-2006-4095)
- Recursive servers
Queries for SIG records will trigger an assertion failure if more
than one RRset is returned. However exposure can be minimized by
restricting which sources can ask for recursion.
- Authoritative servers
If a nameserver is serving a RFC 2535 DNSSEC zone and is queried
for the SIG records where there are multiple RRsets, then the
named program will trigger an assertion failure when it tries
to construct the response.
* INSIST failure in ISC BIND recursive query handling code (CVE-2006-4096)
It is possible to trigger an INSIST failure by sending enough
recursive queries such that the response to the query arrives after
all the clients waiting for the response have left the recursion
queue. However exposure can be minimized by restricting which sources
can ask for recursion.
|
|
|
|
Fix build on NetBSD/sparc64 3.x: sync CPP symbols usage between
struct addrinfo definition and its usage in getaddrinfo().
While here define struct addrinfo's pad members the same way as in
NetBSD's /usr/include/netbsd.h and sync code in
lib/bind/irs/getaddrinfo.c:getaddrinfo().
This had been reported to bind9-bugs at isc dot org.
|
|
Changes are huge, so please see http://www.isc.org/sw/bind/bind9.3.php.
|
|
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
|
|
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.
|
|
dutifully installs whatever it thinks might be missing or just
substandard on the current system.
As the Makefile already adds the contents of share/doc/bind9
dynamically to the PLIST, do the same for include/bind.
Fixes the PLIST on RedHat EL 2 & 3, and does not break it on NetBSD/3
No PKGREVISION bump as no change to anything but generated PLIST
|
|
system I administrate.
|
|
syntax as specified in pkgsrc/mk/install/bsd.pkginstall.mk:1.47.
|
|
that they look nicer.
|
|
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
|
|
exists on the disk -- we can just check whether a variable defined by
find-files.mk is "__nonexistent__" or not.
|
|
|
|
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
|
|
CONFIGURE_ARGS.
|
|
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
|
|
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
|
|
|
|
- s/change root/chroot/ for clarity
- punctuation fixes
|
|
This bug was introduced in revision 1.7 where bind was determined to
be built-in only if libbind.* existed on the system, which isn't
necessarily true on systems where the resolver routines are incorporated
into libc, e.g. NetBSD.
We now consider bind to be built-in if BUILTIN_VERSION.bind is defined,
and we define BUILTIN_VERSION.bind only if /usr/sbin/named exists on
the system. We also improve the derivation of the version number of
BIND by parsing the named output, so we can now also detect bind-4.x
and bind-8.x.
|
|
|
|
|
|
BIND 9.3.1 is a maintenance release, containing fixes for a number of
bugs in 9.3.0.
libbind: corresponds to that from BIND 8.4.6-REL.
|
|
Several changes are involved since they are all interrelated. These
changes affect about 1000 files.
The first major change is rewriting bsd.builtin.mk as well as all of
the builtin.mk files to follow the new example in bsd.builtin.mk.
The loop to include all of the builtin.mk files needed by the package
is moved from bsd.builtin.mk and into bsd.buildlink3.mk. bsd.builtin.mk
is now included by each of the individual builtin.mk files and provides
some common logic for all of the builtin.mk files. Currently, this
includes the computation for whether the native or pkgsrc version of
the package is preferred. This causes USE_BUILTIN.* to be correctly
set when one builtin.mk file includes another.
The second major change is teach the builtin.mk files to consider
files under ${LOCALBASE} to be from pkgsrc-controlled packages. Most
of the builtin.mk files test for the presence of built-in software by
checking for the existence of certain files, e.g. <pthread.h>, and we
now assume that if that file is under ${LOCALBASE}, then it must be
from pkgsrc. This modification is a nod toward LOCALBASE=/usr. The
exceptions to this new check are the X11 distribution packages, which
are handled specially as noted below.
The third major change is providing builtin.mk and version.mk files
for each of the X11 distribution packages in pkgsrc. The builtin.mk
file can detect whether the native X11 distribution is the same as
the one provided by pkgsrc, and the version.mk file computes the
version of the X11 distribution package, whether it's built-in or not.
The fourth major change is that the buildlink3.mk files for X11 packages
that install parts which are part of X11 distribution packages, e.g.
Xpm, Xcursor, etc., now use imake to query the X11 distribution for
whether the software is already provided by the X11 distribution.
This is more accurate than grepping for a symbol name in the imake
config files. Using imake required sprinkling various builtin-imake.mk
helper files into pkgsrc directories. These files are used as input
to imake since imake can't use stdin for that purpose.
The fifth major change is in how packages note that they use X11.
Instead of setting USE_X11, package Makefiles should now include
x11.buildlink3.mk instead. This causes the X11 package buildlink3
and builtin logic to be executed at the correct place for buildlink3.mk
and builtin.mk files that previously set USE_X11, and fixes packages
that relied on buildlink3.mk files to implicitly note that X11 is
needed. Package buildlink3.mk should also include x11.buildlink3.mk
when linking against the package libraries requires also linking
against the X11 libraries. Where it was obvious, redundant inclusions
of x11.buildlink3.mk have been removed.
|
|
|
|
|
|
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
|
|
|
|
into "named9.sh".
- Create a user and a group "named" for running the name server.
- Add a message file which encourages to run the name server in a
change root non-root configuration.
This address PR pkg/14876 by Greg A. Woods.
Bump package revision because of the above changes.
|
|
builtin script.
- Don't set "pidfile" in "named9.sh" because it breaks change rooted
configurations.
- Disable inlining in "lib/dns/rbt.c" on PowerPC systems because certain
GCC version create broken code for that file.
Bump package revision because of the above changes.
|
