From d539caca79c14909b71ef22c0428fd14a2ad0c79 Mon Sep 17 00:00:00 2001 
From: he Date: Fri, 21 Nov 2014 09:19:32 +0000 Subject: Update to version 1.6.17. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pkgsrc changes: * adapt PLIST (1 new file installed) * fix name of patch file Upstream changes: 1.6.17 2014-01-10 * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a zone to be an NSEC3 (or its RRSIG) covering an empty non terminal. * Add --disable-dane option to configure and check availability of the for dane needed X509_check_ca function in openssl. * bugfix #490: Get rid of type-punned pointer warnings. Thanks Adam Tkac. * Make sure executables are linked against libcrypto with the LIBSSL_LDFLAGS. Thanks Leo Baltus. * Miscellaneous prototype fixes. Thanks Dag-Erling Smørgrav. * README now shows preferred way to configure for examples and drill. * Bind to source address for resolvers. drill binds to source with -I. Thanks Bryan Duff. * -T option for ldns-dane that has specific exit status for PKIX validated connections without (secure) TLSA records. * Fix b{32,64}_{ntop,pton} detection and handling. * New RR type TKEY, but without operational practice. * New RR types HIP, NINFO, RKEY, CDS, EUI48, EUI64, URI, CAA and TA. * New output format flag (and accompanying functions) to print certain RR's as unknown type * -u and -U parameter for ldns-read-zone to mark/unmark a RR type for printing as unknown type * bugfix #504: GPOS RR has three rdata fields. Thanks Jelte Jansen. * bugfix #497: Properly test for EOF when reading key files with drill. * New functions: ldns_pkt_ixfr_request_new and ldns_pkt_ixfr_request_new_frm_str. * Use SNI with ldns-dane * bugfix #507: ldnsx Fix use of non-existent variables and not properly referring to instance variable. Patch from shussain. * bugfix #508: ldnsx Adding NSEC3PARAM to known/allowable RR type dictionary. Patch from shussain. * bugfix #517: ldns_resolver_new_frm_fp error when invoked using a NULL file pointer. 
* Fix memory leak in contrib/python: ldns_pkt.new_query. * Fix buffer overflow in fget_token and bget_token. * ldns-verify-zone NSEC3 checking from quadratic to linear performance. Thanks NIC MX (nicmexico.mx) * ldns-dane setup new ssl session for each new connect to prevent hangs * bugfix #521: drill trace continue on empty non-terminals with NSEC3 * bugfix #525: Fix documentation of ldns_resolver_set_retry * Remove unused LDNS_RDF_TYPE_TSIG and associated functions. * Fix ldns_nsec_covers_name for zones with an apex only. Thanks Miek. * Configure option to build perl bindings: --with-p5-dns-ldns (DNS::LDNS is a contribution from Erik Ostlyngen) * bugfix #527: Move -lssl before -lcrypto when linking * Optimize TSIG digest function name comparison (Thanks Marc Buijsman) * Compare names case insensitive with ldns_pkt_rr_list_by_name and ldns_pkt_rr_list_by_name_and_type (thanks Johannes Naab) * A separate --enable for each draft RR type: --enable-rrtype-ninfo, --enable-rrtype-rkey, --enable-rrtype-cds, --enable-rrtype-uri and --enable-rrtype-ta * bugfix #530: Don't sign and verify duplicate RRs (Thanks Jelte Jansen) * bugfix #505: Manpage and usage output fixes (Thanks Tomas Hozza) * Adjust ldns_sha1() so that the input data is not modified (Thanks Marc Buijsman) * Messages to stderr are now off by default and can be reenabled with the --enable-stderr-msgs configure option.
---
 net/ldns/Makefile | 5 +-
 net/ldns/PLIST | 3 +-
 net/ldns/distinfo | 9 ++-
 net/ldns/patches/patch-examples_ldns-keygen.c | 76 +++++++++++++++++++++++++++
 net/ldns/patches/patch_examples_ldns-keygen.c | 76 ---------------------------
 5 files changed, 85 insertions(+), 84 deletions(-)
 create mode 100644 net/ldns/patches/patch-examples_ldns-keygen.c
 delete mode 100644 net/ldns/patches/patch_examples_ldns-keygen.c
(limited to 'net')
diff --git a/net/ldns/Makefile b/net/ldns/Makefile
index d2057ecd652..74b29690a7c 100644
--- a/net/ldns/Makefile
+++ b/net/ldns/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.31 2014/05/29 23:37:04 wiz Exp $
+# $NetBSD: Makefile,v 1.32 2014/11/21 09:19:32 he Exp $
-DISTNAME= ldns-1.6.16
-PKGREVISION= 5
+DISTNAME= ldns-1.6.17
 CATEGORIES= net
 MASTER_SITES= http://www.nlnetlabs.nl/downloads/ldns/
diff --git a/net/ldns/PLIST b/net/ldns/PLIST
index 9c5faa57d3b..39695aeafb1 100644
--- a/net/ldns/PLIST
+++ b/net/ldns/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2012/10/25 19:24:59 pettai Exp $
+@comment $NetBSD: PLIST,v 1.7 2014/11/21 09:19:32 he Exp $
 bin/ldns-config
 include/ldns/buffer.h
 include/ldns/common.h
@@ -18,6 +18,7 @@ include/ldns/ldns.h
 include/ldns/net.h
 include/ldns/packet.h
 include/ldns/parse.h
+include/ldns/radix.h
 include/ldns/rbtree.h
 include/ldns/rdata.h
 include/ldns/resolver.h
diff --git a/net/ldns/distinfo b/net/ldns/distinfo
index eaa4fea3d39..deec6762c82 100644
--- a/net/ldns/distinfo
+++ b/net/ldns/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.17 2012/11/13 16:22:31 pettai Exp $
+$NetBSD: distinfo,v 1.18 2014/11/21 09:19:32 he Exp $
-SHA1 (ldns-1.6.16.tar.gz) = 5b4fc6c5c3078cd061905c47178478cb1015c62a
-RMD160 (ldns-1.6.16.tar.gz) = e4281eb00275ae5700a4d601ee64faf9aa72f37c
-Size (ldns-1.6.16.tar.gz) = 1109941 bytes
+SHA1 (ldns-1.6.17.tar.gz) = 4218897b3c002aadfc7280b3f40cda829e05c9a4
+RMD160 (ldns-1.6.17.tar.gz) = 5382cfaafa7ec1fadcf390f804fbf14e04d7c03a
+Size (ldns-1.6.17.tar.gz) = 1315403 bytes
+SHA1 (patch-examples_ldns-keygen.c) = 45bf69e4689ab7f58d3fc82ebd7cefe542a95c32
diff --git a/net/ldns/patches/patch-examples_ldns-keygen.c b/net/ldns/patches/patch-examples_ldns-keygen.c
new file mode 100644
index 00000000000..c6d85e39531
--- /dev/null
+++ b/net/ldns/patches/patch-examples_ldns-keygen.c
@@ -0,0 +1,76 @@
+$NetBSD: patch-examples_ldns-keygen.c,v 1.1 2014/11/21 09:19:32 he Exp $
+
+Get bugfix #573: ldns-keygen write private keys with mode 0600.
+From http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b
+Fixes CVE-2014-3209.
+
+--- examples/ldns-keygen.c.orig 2010-10-18 13:59:21.000000000 +0000
++++ examples/ldns-keygen.c
+@@ -10,6 +10,9 @@
+
+ #include
+
++#include
++#include
++#include
+ #include
+
+ #ifdef HAVE_SSL
+@@ -48,6 +51,7 @@ int
+ main(int argc, char *argv[])
+ {
+ int c;
++ int fd;
+ char *prog;
+
+ /* default key size */
+@@ -250,21 +254,21 @@ main(int argc, char *argv[])
+ /* print the priv key to stderr */
+ filename = LDNS_XMALLOC(char, strlen(owner) + 21);
+ snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
+- file = fopen(filename, "w");
++ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
++ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
++ if (fd < 0) {
++ goto fail;
++ }
++
++ file = fdopen(fd, "w");
+ if (!file) {
+- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
+- ldns_key_deep_free(key);
+- free(owner);
+- ldns_rr_free(pubkey);
+- ldns_rr_free(ds);
+- LDNS_FREE(filename);
+- exit(EXIT_FAILURE);
+- } else {
+- ldns_key_print(file, key);
+- fclose(file);
+- LDNS_FREE(filename);
++ goto fail;
+ }
+
++ ldns_key_print(file, key);
++ fclose(file);
++ LDNS_FREE(filename);
++
+ /* print the DS to .ds */
+ if (algorithm != LDNS_SIGN_HMACMD5 &&
+ algorithm != LDNS_SIGN_HMACSHA1 &&
+@@ -296,6 +300,15 @@ main(int argc, char *argv[])
+ ldns_rr_free(pubkey);
+ ldns_rr_free(ds);
+ exit(EXIT_SUCCESS);
++
++fail:
++ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
++ ldns_key_deep_free(key);
++ free(owner);
++ ldns_rr_free(pubkey);
++ ldns_rr_free(ds);
++ LDNS_FREE(filename);
++ exit(EXIT_FAILURE);
+ }
+ #else
+ int
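Review bot: The 0600 mode on the new `fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);` line only applies when the file is created, so a `K*.private` left behind by an earlier run of the unpatched tool keeps its world-readable mode and is merely truncated and refilled with the new key. Either `O_EXCL` (refuse to overwrite an existing private key, which also keeps the write from following a pre-existing symlink at that name) or an `fchmod(fd, S_IRUSR | S_IWUSR)` immediately after a successful open() would cover that case. The new `fclose(file);` after ldns_key_print() is unchecked, so a short write on a full disk leaves a truncated private key while the program still exits with EXIT_SUCCESS; `if (fclose(file) != 0) goto fail;` would at least report it, though the fail: message says "Unable to open" and would want rewording. The patched main() starts and ends outside the nested hunks, and the header names on the `#include` lines appear to have been stripped by the page rendering.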
diff --git a/net/ldns/patches/patch_examples_ldns-keygen.c b/net/ldns/patches/patch_examples_ldns-keygen.c
deleted file mode 100644
index c3af4df798b..00000000000
--- a/net/ldns/patches/patch_examples_ldns-keygen.c
+++ /dev/null
@@ -1,76 +0,0 @@
-$NetBSD: patch_examples_ldns-keygen.c,v 1.1 2014/05/17 14:55:51 he Exp $
-
-Get bugfix #573: ldns-keygen write private keys with mode 0600.
-From http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=169f38c1e25750f935838b670871056428977e6b
-Fixes CVE-2014-3209.
-
---- examples/ldns-keygen.c.orig 2010-10-18 13:59:21.000000000 +0000
-+++ examples/ldns-keygen.c
-@@ -10,6 +10,9 @@
-
- #include
-
-+#include
-+#include
-+#include
- #include
-
- #ifdef HAVE_SSL
-@@ -48,6 +51,7 @@ int
- main(int argc, char *argv[])
- {
- int c;
-+ int fd;
- char *prog;
-
- /* default key size */
-@@ -250,21 +254,21 @@ main(int argc, char *argv[])
- /* print the priv key to stderr */
- filename = LDNS_XMALLOC(char, strlen(owner) + 21);
- snprintf(filename, strlen(owner) + 20, "K%s+%03u+%05u.private", owner, algorithm, (unsigned int) ldns_key_keytag(key));
-- file = fopen(filename, "w");
-+ /* use open() here to prevent creating world-readable private keys (CVE-2014-3209)*/
-+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
-+ if (fd < 0) {
-+ goto fail;
-+ }
-+
-+ file = fdopen(fd, "w");
- if (!file) {
-- fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
-- ldns_key_deep_free(key);
-- free(owner);
-- ldns_rr_free(pubkey);
-- ldns_rr_free(ds);
-- LDNS_FREE(filename);
-- exit(EXIT_FAILURE);
-- } else {
-- ldns_key_print(file, key);
-- fclose(file);
-- LDNS_FREE(filename);
-+ goto fail;
- }
-
-+ ldns_key_print(file, key);
-+ fclose(file);
-+ LDNS_FREE(filename);
-+
- /* print the DS to .ds */
- if (algorithm != LDNS_SIGN_HMACMD5 &&
- algorithm != LDNS_SIGN_HMACSHA1 &&
-@@ -296,6 +300,15 @@ main(int argc, char *argv[])
- ldns_rr_free(pubkey);
- ldns_rr_free(ds);
- exit(EXIT_SUCCESS);
-+
-+fail:
-+ fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
-+ ldns_key_deep_free(key);
-+ free(owner);
-+ ldns_rr_free(pubkey);
-+ ldns_rr_free(ds);
-+ LDNS_FREE(filename);
-+ exit(EXIT_FAILURE);
- }
- #else
- int
-- cgit v1.2.3