From 0f732fd98c63bbe3c7c53f2279f3e4f21b74c17e Mon Sep 17 00:00:00 2001 From: taca Date: Thu, 26 Feb 2015 10:15:02 +0000 Subject: Update bind910 package to 9.10.2. Security Fixes * On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344] * A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580] * Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679] A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients. New Features * None Feature Changes * ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";). * When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used. * NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.) * NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently. * Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems. * Added support for OPENPGPKEY type. * When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category. * If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked. Bug Fixes * dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892] * The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138] * Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159] * When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172] * dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183] * UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233] * Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216] * When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506] * Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187] * When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN. * When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796] * Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965] * A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE. * Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time. * Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310] * Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454] * Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information.[RT #38458] --- net/bind910/Makefile | 4 ++-- net/bind910/PLIST | 6 ++++- net/bind910/distinfo | 12 +++++----- net/bind910/patches/patch-bin_dig_dighost.c | 34 ++++++++++++++--------------- net/bind910/patches/patch-configure | 12 +++++----- 5 files changed, 36 insertions(+), 32 deletions(-) (limited to 'net/bind910') diff --git a/net/bind910/Makefile b/net/bind910/Makefile index d7a4f5e4010..b09191d1330 100644 --- a/net/bind910/Makefile +++ b/net/bind910/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.5 2015/02/19 00:37:17 taca Exp $ +# $NetBSD: Makefile,v 1.6 2015/02/26 10:15:02 taca Exp $ DISTNAME= bind-${BIND_VERSION} PKGNAME= ${DISTNAME:S/-P/pl/} @@ -14,7 +14,7 @@ CONFLICTS+= host-[0-9]* MAKE_JOBS_SAFE= no -BIND_VERSION= 9.10.1-P2 +BIND_VERSION= 9.10.2 .include "../../mk/bsd.prefs.mk" diff --git a/net/bind910/PLIST b/net/bind910/PLIST index ac3b7f2ed84..8290b56ed8d 100644 --- a/net/bind910/PLIST +++ b/net/bind910/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.3 2014/12/08 21:59:09 taca Exp $ +@comment $NetBSD: PLIST,v 1.4 2015/02/26 10:15:02 taca Exp $ bin/bind9-config bin/delv bin/dig @@ -411,6 +411,9 @@ share/doc/bind9/arm/Bv9ARM.ch07.html share/doc/bind9/arm/Bv9ARM.ch08.html share/doc/bind9/arm/Bv9ARM.ch09.html share/doc/bind9/arm/Bv9ARM.ch10.html +share/doc/bind9/arm/Bv9ARM.ch11.html +share/doc/bind9/arm/Bv9ARM.ch12.html +share/doc/bind9/arm/Bv9ARM.ch13.html share/doc/bind9/arm/Bv9ARM.html share/doc/bind9/arm/man.arpaname.html share/doc/bind9/arm/man.ddns-confgen.html @@ -439,3 +442,4 @@ share/doc/bind9/arm/man.nsupdate.html share/doc/bind9/arm/man.rndc-confgen.html share/doc/bind9/arm/man.rndc.conf.html share/doc/bind9/arm/man.rndc.html +share/doc/bind9/arm/notes.html diff --git a/net/bind910/distinfo b/net/bind910/distinfo index 02b09651d44..662249aa5bc 100644 --- a/net/bind910/distinfo +++ b/net/bind910/distinfo @@ -1,12 +1,12 @@ -$NetBSD: distinfo,v 1.4 2015/02/19 00:37:17 taca Exp $ +$NetBSD: distinfo,v 1.5 2015/02/26 10:15:02 taca Exp $ -SHA1 (bind-9.10.1-P2.tar.gz) = 4a7475b4f2c1d257001ad40653379af52f090666 -RMD160 (bind-9.10.1-P2.tar.gz) = 0148b0a2f7cdd3e144b0a52876a01ca8b6de075b -Size (bind-9.10.1-P2.tar.gz) = 8356565 bytes -SHA1 (patch-bin_dig_dighost.c) = 72cb7676cdf9cd4b44bc62c72bcf29127d9fbffe +SHA1 (bind-9.10.2.tar.gz) = 4ddb2670976c06af7e86352616383958d82c51ce +RMD160 (bind-9.10.2.tar.gz) = 62ca38c60b792224e308815f2908b0c588b08c26 +Size (bind-9.10.2.tar.gz) = 8481111 bytes +SHA1 (patch-bin_dig_dighost.c) = 582fa4c7288e70bcc6ac906e8429cf38e0ad5152 SHA1 (patch-bin_tests_system_Makefile.in) = 8bb6130981a6ff2ac736cf53a061115782bb65a2 SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2 -SHA1 (patch-configure) = 1de3bfa72fd9887a8fbb20ddd12bfe0469083ba0 +SHA1 (patch-configure) = 3ea12f60b26064679e086ef5e637420b95d165be SHA1 (patch-contrib_dlz_config.dlz.in) = f18bec63fbfce7cb2cd72929058ce3770fce458f SHA1 (patch-lib_dns_rbt.c) = 510dfc72bc7764e548a46e9c48b58b2543490d7a SHA1 (patch-lib_lwres_getaddrinfo.c) = 69e9c8049fedcb93bd219c6053163f21ce3b2535 diff --git a/net/bind910/patches/patch-bin_dig_dighost.c b/net/bind910/patches/patch-bin_dig_dighost.c index dfa443b8b23..d984b3b7ecd 100644 --- a/net/bind910/patches/patch-bin_dig_dighost.c +++ b/net/bind910/patches/patch-bin_dig_dighost.c @@ -1,10 +1,10 @@ -$NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ +$NetBSD: patch-bin_dig_dighost.c,v 1.2 2015/02/26 10:15:02 taca Exp $ * Avoid to use true as variable name. ---- bin/dig/dighost.c.orig 2014-01-27 18:58:24.000000000 +0000 +--- bin/dig/dighost.c.orig 2015-02-18 01:55:55.000000000 +0000 +++ bin/dig/dighost.c -@@ -4397,7 +4397,7 @@ prepare_lookup(dns_name_t *name) +@@ -4678,7 +4678,7 @@ prepare_lookup(dns_name_t *name) isc_result_t result; isc_region_t r; dns_rdataset_t *rdataset = NULL; @@ -13,7 +13,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ #endif memset(namestr, 0, DNS_NAME_FORMATSIZE); -@@ -4411,7 +4411,7 @@ prepare_lookup(dns_name_t *name) +@@ -4692,7 +4692,7 @@ prepare_lookup(dns_name_t *name) result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_aaaa, @@ -22,7 +22,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result == ISC_R_SUCCESS) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; -@@ -4440,7 +4440,7 @@ prepare_lookup(dns_name_t *name) +@@ -4721,7 +4721,7 @@ prepare_lookup(dns_name_t *name) rdataset = NULL; result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a, @@ -31,7 +31,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result == ISC_R_SUCCESS) { for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; -@@ -4559,11 +4559,11 @@ isc_result_t +@@ -4840,11 +4840,11 @@ isc_result_t initialization(dns_name_t *name) { isc_result_t result; @@ -45,16 +45,16 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result != ISC_R_SUCCESS) { printf("\n;; NS RRset is missing to continue validation:" " FAILED\n\n"); -@@ -4911,7 +4911,7 @@ sigchase_td(dns_message_t *msg) +@@ -5202,7 +5202,7 @@ sigchase_td(dns_message_t *msg) isc_result_t result; dns_name_t *name = NULL; isc_boolean_t have_answer = ISC_FALSE; - isc_boolean_t true = ISC_TRUE; + isc_boolean_t isc_true = ISC_TRUE; - if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) - == ISC_R_SUCCESS) { -@@ -4920,7 +4920,7 @@ sigchase_td(dns_message_t *msg) + if (msg->rcode != dns_rcode_noerror && + msg->rcode != dns_rcode_nxdomain) { +@@ -5225,7 +5225,7 @@ sigchase_td(dns_message_t *msg) initialization(name); return; } @@ -63,7 +63,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ } else { if (!current_lookup->trace_root_sigchase) { result = dns_message_firstname(msg, -@@ -5038,7 +5038,7 @@ sigchase_td(dns_message_t *msg) +@@ -5346,7 +5346,7 @@ sigchase_td(dns_message_t *msg) dns_rdatatype_rrsig, current_lookup ->rdtype_sigchase, @@ -72,7 +72,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result == ISC_R_FAILURE) { printf("\n;; RRset is missing to continue" " validation SHOULD NOT APPEND:" -@@ -5051,7 +5051,7 @@ sigchase_td(dns_message_t *msg) +@@ -5359,7 +5359,7 @@ sigchase_td(dns_message_t *msg) &chase_authority_name, dns_rdatatype_rrsig, dns_rdatatype_any, @@ -81,7 +81,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result == ISC_R_FAILURE) { printf("\n;; RRSIG is missing to continue" " validation SHOULD NOT APPEND:" -@@ -5127,7 +5127,7 @@ sigchase_td(dns_message_t *msg) +@@ -5435,7 +5435,7 @@ sigchase_td(dns_message_t *msg) &chase_authority_name, dns_rdatatype_rrsig, dns_rdatatype_ds, @@ -90,7 +90,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result != ISC_R_SUCCESS) { printf("\n;; DSset is missing to continue validation:" " FAILED\n\n"); -@@ -5215,7 +5215,7 @@ sigchase_td(dns_message_t *msg) +@@ -5523,7 +5523,7 @@ sigchase_td(dns_message_t *msg) result = advanced_rrsearch(&chase_rdataset, &chase_name, current_lookup->rdtype_sigchase, dns_rdatatype_any , @@ -99,7 +99,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result == ISC_R_FAILURE) { printf("\n;; RRsig of RRset is missing to continue validation" " SHOULD NOT APPEND: FAILED\n\n"); -@@ -5258,7 +5258,7 @@ getneededrr(dns_message_t *msg) +@@ -5566,7 +5566,7 @@ getneededrr(dns_message_t *msg) dns_name_t *name = NULL; dns_rdata_t sigrdata = DNS_RDATA_INIT; dns_rdata_sig_t siginfo; @@ -108,7 +108,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER)) != ISC_R_SUCCESS) { -@@ -5274,7 +5274,7 @@ getneededrr(dns_message_t *msg) +@@ -5582,7 +5582,7 @@ getneededrr(dns_message_t *msg) if (chase_rdataset == NULL) { result = advanced_rrsearch(&chase_rdataset, name, dns_rdatatype_any, @@ -117,7 +117,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.1.1.1 2014/07/02 02:42:58 jnemeth Exp $ if (result != ISC_R_SUCCESS) { printf("\n;; No Answers: Validation FAILED\n\n"); return (ISC_R_NOTFOUND); -@@ -5394,7 +5394,7 @@ getneededrr(dns_message_t *msg) +@@ -5701,7 +5701,7 @@ getneededrr(dns_message_t *msg) result = advanced_rrsearch(&chase_sigdsrdataset, &chase_signame, dns_rdatatype_rrsig, diff --git a/net/bind910/patches/patch-configure b/net/bind910/patches/patch-configure index 68bde16b666..ebdc9d6486c 100644 --- a/net/bind910/patches/patch-configure +++ b/net/bind910/patches/patch-configure @@ -1,12 +1,12 @@ -$NetBSD: patch-configure,v 1.2 2014/10/14 16:23:19 taca Exp $ +$NetBSD: patch-configure,v 1.3 2015/02/26 10:15:02 taca Exp $ * Add DragonFly support. * Link proper postgresql library. * Avoid using "==" for argument of test(1). ---- configure.orig 2014-09-16 19:27:15.000000000 +0000 +--- configure.orig 2015-02-18 01:55:55.000000000 +0000 +++ configure -@@ -11827,7 +11827,7 @@ fi +@@ -11840,7 +11840,7 @@ fi test -n "$PYTHON" && break done @@ -15,7 +15,7 @@ $NetBSD: patch-configure,v 1.2 2014/10/14 16:23:19 taca Exp $ continue; fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5 -@@ -11842,7 +11842,7 @@ $as_echo "not found" >&6; } +@@ -11855,7 +11855,7 @@ $as_echo "not found" >&6; } unset ac_cv_path_PYTHON unset PYTHON done @@ -24,7 +24,7 @@ $NetBSD: patch-configure,v 1.2 2014/10/14 16:23:19 taca Exp $ then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5 $as_echo_n "checking for python support... " >&6; } -@@ -14352,6 +14352,8 @@ case $host in +@@ -14379,6 +14379,8 @@ case $host in use_threads=false ;; *-freebsd*) use_threads=true ;; @@ -33,7 +33,7 @@ $NetBSD: patch-configure,v 1.2 2014/10/14 16:23:19 taca Exp $ *-bsdi[234]*) # Thread signals do not work reliably on some versions of BSD/OS. use_threads=false ;; -@@ -20865,7 +20867,7 @@ $as_echo "no" >&6; } +@@ -21029,7 +21031,7 @@ $as_echo "no" >&6; } fi if test -n "-L$use_dlz_postgres_lib -lpq" then -- cgit v1.2.3