The NetBSD Project

CVS log for pkgsrc/net/bind910/Attic/PLIST



Default branch: MAIN


Revision 1.13, Tue Apr 30 03:55:09 2019 UTC (4 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: HEAD
Changes since 1.12: +1 -1 lines
FILE REMOVED

net/bind910: remove bind910

Remove bind910 EOL since July 2018.

Revision 1.12, Sat Mar 24 15:02:32 2018 UTC (5 years, 8 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.11: +3 -1 lines

net/bind910: update to 9.10.7

New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of
BIND are now available.

Release notes can be found with the releases or in the ISC Knowledge Base:

 9.9.12:  https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html
 9.10.7:  https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html
 9.11.3:  https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html
 9.12.1:  https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html

Users who are migrating an existing BIND configuration to these new
versions should take special note of two changes in the behavior
of the "update-policy" statement which slightly change the behavior
of two update-policy options.

The first such change is discussed in greater length in the BIND
Operational Notification issued today:


https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly

The second change to update-policy behavior concerns this change:

   "update-policy rules that otherwise ignore the name field now
   require that it be set to "." to ensure that any type list present
   is properly interpreted. Previously, if the name field was omitted
   from the rule declaration but a type list was present, it wouldn't
   be interpreted as expected."

which is a correction to an ambiguous case that was previously allowed,
but which was capable of causing unexpected results when accidentally
applied.  The new requirement is intended to eliminate the
confusion, which previously caused some operators to misapply security
policies.  However, due to the new requirement, named configuration
files that relied on the previous behavior will no longer be accepted.

These changes should not affect most operators, even those using
"update-policy" to define Dynamic DNS permissions, but we would like
to draw your attention to them so that operators are informed about
the new behaviors.

Revision 1.11, Mon Jan 1 22:29:46 2018 UTC (5 years, 10 months ago) by rillig
Branch: MAIN
Changes since 1.10: +2 -2 lines

Sort PLIST files.

Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:

  pkglint -Cnone,PLIST -Wnone,plist-sort -r -F

Revision 1.10, Mon Jul 31 13:37:53 2017 UTC (6 years, 3 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.9: +2 -2 lines

Update bind910 to 9.10.6.

Here are the release notes, except security fixes (already fixed by
bind-9.10.5pl3, BIND 9.10.5-P3).

Release Notes for BIND Version 9.10.6

Introduction

   This document summarizes changes since the last production release on
   the BIND 9.10 branch. Please see the CHANGES file for a further list of
   bug fixes and other changes.

Download

   The latest versions of BIND 9 software can always be found at
   http://www.isc.org/downloads/. There you will find additional
   information about each release, source code, and pre-compiled versions
   for Microsoft Windows operating systems.

New DNSSEC Root Key

   ICANN is in the process of introducing a new Key Signing Key (KSK) for
   the global root zone. BIND has multiple methods for managing DNSSEC
   trust anchors, with somewhat different behaviors. If the root key is
   configured using the managed-keys statement, or if the pre-configured
   root key is enabled by using dnssec-validation auto, then BIND can keep
   keys up to date automatically. Servers configured in this way should
   have begun the process of rolling to the new key when it was published
   in the root zone in July 2017. However, keys configured using the
   trusted-keys statement are not automatically maintained. If your server
   is performing DNSSEC validation and is configured using trusted-keys,
   you are advised to change your configuration before the root zone
   begins signing with the new KSK. This is currently scheduled for
   October 11, 2017.

   This release includes an updated version of the bind.keys file
   containing the new root key. This file can also be downloaded from
   https://www.isc.org/bind-keys .

Windows XP No Longer Supported

   As of BIND 9.10.6, Windows XP is no longer a supported platform for
   BIND, and Windows XP binaries are no longer available for download from
   ISC.

Feature Changes

     * dig +ednsopt now accepts the names for EDNS options in addition to
       numeric values. For example, an EDNS Client-Subnet option could be
       sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
       for the contribution. [RT #44461]
     * Threads in named are now set to human-readable names to assist
       debugging on operating systems that support that. Threads will have
       names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
       on. This will affect the reporting of subsidiary thread names in ps
       and top, but not the main thread. [RT #43234]
     * DiG now warns about .local queries which are reserved for Multicast
       DNS. [RT #44783]

Bug Fixes

     * Fixed a bug that was introduced in an earlier development release
       which caused multi-packet AXFR and IXFR messages to fail validation
       if not all packets contained TSIG records; this caused
       interoperability problems with some other DNS implementations. [RT
       #45509]
     * Semicolons are no longer escaped when printing CAA and URI records.
       This may break applications that depend on the presence of the
       backslash before the semicolon. [RT #45216]
     * AD could be set on truncated answer with no records present in the
       answer and authority sections. [RT #45140]

End of Life

   The end of life for BIND 9.10 is yet to be determined but will not be
   before BIND 9.12.0 has been released for 6 months.
   https://www.isc.org/downloads/software-support-policy/
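
A check for the trust-anchor situation described under "New DNSSEC Root Key" above, as an added example that is not part of the commit log or of ISC's code: it reads named.conf text and reports whether the root key is pinned with trusted-keys (not automatically maintained) or covered by managed-keys or dnssec-validation auto. The sample configurations and the function names are constructed for illustration.

```python
import re

# Constructed sample named.conf fragments; key material is a placeholder.
STATIC_CONF = r'''
options {
    dnssec-validation yes;   // anchors pinned by hand below
};
/* root KSK copied in at install time */
trusted-keys {
    "." 257 3 8 "PLACEHOLDER+KEY/DATA==";
    example.com. 257 3 8 "PLACEHOLDER+KEY/DATA==";
};
'''

MANAGED_CONF = r'''
options { dnssec-validation auto; };
# trusted-keys { "." 257 3 8 "commented out"; };
managed-keys {
    example.net. initial-key 257 3 8 "PLACEHOLDER+KEY/DATA==";
};
'''

# Quoted strings are matched first so comment markers inside them survive.
_LEX = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_BLOCK = re.compile(r'(?<![\w-])(trusted-keys|managed-keys)\s*\{([^{}]*)\}')
_VALIDATION = re.compile(r'(?<![\w-])dnssec-validation\s+(\w+)\s*;')


def strip_comments(conf):
    """Drop /* */, // and # comments while leaving quoted strings intact."""
    return _LEX.sub(
        lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', conf)


def anchor_names(body):
    """Return the owner name of each key entry in a *-keys block body."""
    names = []
    for entry in body.split(';'):
        fields = entry.split()
        if fields:
            names.append(fields[0].strip('"').lower())
    return names


def audit_trust_anchors(conf):
    """Summarize how the root trust anchor is configured in `conf`."""
    text = strip_comments(conf)
    anchors = {'trusted-keys': [], 'managed-keys': []}
    for statement, body in _BLOCK.findall(text):
        anchors[statement].extend(anchor_names(body))

    match = _VALIDATION.search(text)
    validation = match.group(1).lower() if match else None

    root_static = '.' in anchors['trusted-keys']
    root_auto = '.' in anchors['managed-keys'] or validation == 'auto'

    if root_static:
        finding = ('root key is in trusted-keys: it is not automatically '
                   'maintained and must be changed before the KSK rollover')
    elif root_auto:
        finding = 'root key is maintained automatically'
    else:
        finding = 'no root trust anchor found in this file'

    return {
        'validation': validation,
        'static_anchors': anchors['trusted-keys'],
        'managed_anchors': anchors['managed-keys'],
        'root_static': root_static,
        'root_auto': root_auto,
        'finding': finding,
    }


if __name__ == '__main__':
    for label, conf in (('static', STATIC_CONF), ('managed', MANAGED_CONF)):
        print(label, '->', audit_trust_anchors(conf)['finding'])
```

It only inspects the text it is given, so files pulled in with include statements have to be passed through it separately.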

Revision 1.9, Sat Apr 22 16:05:43 2017 UTC (6 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.8: +5 -3 lines

Update bind910 to 9.10.5 (BIND 9.10.5).

This is a maintenance release; please refer to the release announcement for details:
https://kb.isc.org/article/AA-01490.

Revision 1.8, Fri Feb 24 15:46:14 2017 UTC (6 years, 9 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.7: +2 -1 lines

Fix bind.keys PLIST handling, thanks joerg@ for the notice.

Revision 1.6.2.1, Wed Jul 20 02:55:36 2016 UTC (7 years, 4 months ago) by spz
Branch: pkgsrc-2016Q2
Changes since 1.6: +3 -1 lines

Pullup ticket #5066 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.23
- net/bind910/PLIST                                             1.7
- net/bind910/distinfo                                          1.18
- net/bind910/patches/patch-lib_dns_rbt.c                       1.5

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Jul 19 01:08:05 UTC 2016

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo
   	pkgsrc/net/bind910/patches: patch-lib_dns_rbt.c

   Log Message:
   Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2).

   Changes from 9.10.3-P4 to 9.10.4 are too many to write here; please refer
   to the CHANGES file.

   	--- 9.10.4-P2 released ---

   4406.	[bug]		getrrsetbyname with a non absolute name could
   			trigger an infinite recursion bug in lwresd
   			and named with lwres configured if when combined
   			with a search list entry the resulting name is
   			too long. (CVE-2016-2775) [RT #42694]

   4405.	[bug]		Change 4342 introduced a regression where you could
   			not remove a delegation in a NSEC3 signed zone using
   			OPTOUT via nsupdate. [RT #42702]

   4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
   			being returned as NS records expired. [RT #42683]

   	--- 9.10.4-P1 released ---

   4368.	[bug]		Fix a crash when calling "rndc stats" on some
   			Windows builds because some Visual Studio compilers
   			generated crashing code for the "%z" printf()
   			format specifier. [RT #42380]

   4366.	[bug]		Address race condition when updating rbtnode bit
   			fields. [RT #42379]

   4363.	[port]		win32: Disable explicit triggering UAC when running
   			BINDInstall.

   	--- 9.10.4 released ---


   To generate a diff of this commit:
   cvs rdiff -u -r1.22 -r1.23 pkgsrc/net/bind910/Makefile
   cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind910/PLIST
   cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/bind910/distinfo
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/net/bind910/patches/patch-lib_dns_rbt.c

Revision 1.7, Tue Jul 19 01:08:05 2016 UTC (7 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.6: +3 -1 lines

Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2).

Changes from 9.10.3-P4 to 9.10.4 are too many to write here; please refer
to the CHANGES file.

	--- 9.10.4-P2 released ---

4406.	[bug]		getrrsetbyname with a non absolute name could
			trigger an infinite recursion bug in lwresd
			and named with lwres configured if when combined
			with a search list entry the resulting name is
			too long. (CVE-2016-2775) [RT #42694]

4405.	[bug]		Change 4342 introduced a regression where you could
			not remove a delegation in a NSEC3 signed zone using
			OPTOUT via nsupdate. [RT #42702]

4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
			being returned as NS records expired. [RT #42683]

	--- 9.10.4-P1 released ---

4368.	[bug]		Fix a crash when calling "rndc stats" on some
			Windows builds because some Visual Studio compilers
			generated crashing code for the "%z" printf()
			format specifier. [RT #42380]

4366.	[bug]		Address race condition when updating rbtnode bit
			fields. [RT #42379]

4363.	[port]		win32: Disable explicit triggering UAC when running
			BINDInstall.

	--- 9.10.4 released ---

Revision 1.6, Wed May 11 11:26:30 2016 UTC (7 years, 6 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base
Branch point for: pkgsrc-2016Q2
Changes since 1.5: +1 -3 lines

Make bind910 downgrade to 9.10.3pl4 keeping some options and MASTERSITE
change since ISC marked 9.10.4 as "deprecated".

See https://lists.isc.org/pipermail/bind-users/2016-May/096851.html.

Revision 1.5, Mon May 2 13:27:57 2016 UTC (7 years, 6 months ago) by taca
Branch: MAIN
Changes since 1.4: +11 -1 lines

Update bind910 to 9.10.4 (BIND 9.10.4).

PKG_OPTIONS change:

    * Remove rrl which is always enabled.
    * Add fetchlimit, geoip, pkcs11, sit and tuning.


Security Fixes

     * Duplicate EDNS COOKIE options in a response could trigger an
       assertion failure. This flaw is disclosed in CVE-2016-2088. [RT
       #41809]
     * The resolver could abort with an assertion failure due to improper
       DNAME handling when parsing fetch reply messages. This flaw is
       disclosed in CVE-2016-1286. [RT #41753]
     * Malformed control messages can trigger assertions in named and
       rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
     * Certain errors that could be encountered when printing out or
       logging an OPT record containing a CLIENT-SUBNET option could be
       mishandled, resulting in an assertion failure. This flaw is
       disclosed in CVE-2015-8705. [RT #41397]
     * Specific APL data could trigger an INSIST. This flaw is disclosed
       in CVE-2015-8704. [RT #41396]
     * Incorrect reference counting could result in an INSIST failure if a
       socket error occurred while performing a lookup. This flaw is
       disclosed in CVE-2015-8461. [RT #40945]
     * Insufficient testing when parsing a message allowed records with an
       incorrect class to be accepted, triggering a REQUIRE failure
       when those records were subsequently cached. This flaw is disclosed
       in CVE-2015-8000. [RT #40987]

New Features

     * The following resource record types have been implemented: AVC,
       CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
     * Added a warning for a common misconfiguration involving forwarded
       RFC 1918 and IPv6 ULA (Universal Local Address) zones.
     * Contributed software from Nominum is included in the source at
       contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the
       performance of authoritative DNS servers, resperf for testing the
       resolution performance of a caching DNS server, resperf-report for
       generating a resperf report in HTML with gnuplot graphs, and
       queryparse to extract DNS queries from pcap capture files. This
       software is not installed by default with BIND.
     * When loading a signed zone, named will now check whether an RRSIG's
       inception time is in the future, and if so, it will regenerate the
       RRSIG immediately. This helps when a system's clock needs to be
       reset backwards.

Feature Changes

     * Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
       L.ROOT-SERVERS.NET.
     * The default preferred glue is now the address type of the transport
       the query was received over.
     * On machines with 2 or more processors (CPU), the default value for
       the number of UDP listeners has been changed to the number of
       detected processors minus one.
     * Zone transfers now use smaller message sizes to improve message
       compression. This results in reduced network usage.
     * named -V output now also includes operating system details.

Porting Changes

     * The Microsoft Windows install tool BINDInstall.exe which requires a
       non-free version of Visual Studio to be built, now uses two files
       (lists of flags and files) created by the Configure perl script
       with all the needed information which were previously compiled in
       the binary. Read win32utils/build.txt for more details. [RT #38915]

Bug Fixes

     * rndc flushtree now works even if there wasn't a cached node at the
       specified name. [RT #41846]
     * Don't emit records with zero TTL unless the records were received
       with a zero TTL. After being returned to waiting clients, the
       answer will be discarded from the cache. [RT #41687]
     * For Windows platforms, the SIT (Source Identity Token) support was
       restored. (It was mistakenly partially replaced in a previous beta
       with new 9.11 COOKIE support.) [RT #41905]
     * When deleting records from a zone database, interior nodes could be
       left empty but not deleted, damaging search performance afterward.
       [RT #40997] [RT #41941]
     * The server could crash due to a use-after-free if a zone transfer
       timed out. [RT #41297]
     * Authoritative servers that were marked as bogus (e.g. blackholed in
       configuration or with invalid addresses) were being queried anyway.
       [RT #41321]
     * Some of the options for GeoIP ACLs, including "areacode",
       "metrocode", and "timezone", were incorrectly documented as "area",
       "metro" and "tz". Both the long and abbreviated versions are now
       accepted.
     * Zones configured to use map format master files can't be used as
       policy zones because RPZ summary data isn't compiled when such
       zones are mapped into memory. This limitation may be fixed in a
       future release, but in the meantime it has been documented, and
       attempting to use such zones in response-policy statements is now a
       configuration error. [RT #38321]

Revision 1.4, Thu Feb 26 10:15:02 2015 UTC (8 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3, pkgsrc-2015Q2-base, pkgsrc-2015Q2, pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.3: +5 -1 lines

Update bind910 package to 9.10.2.

Security Fixes

     * On servers configured to perform DNSSEC validation using managed
       trust anchors (i.e., keys configured explicitly via managed-keys,
       or implicitly via dnssec-validation auto; or dnssec-lookaside
       auto;), revoking a trust anchor and sending a new untrusted
       replacement could cause named to crash with an assertion failure.
       This could occur in the event of a botched key rollover, or
       potentially as a result of a deliberate attack if the attacker was
       in position to monitor the victim's DNS traffic.
       This flaw was discovered by Jan-Piet Mens, and is disclosed in
       CVE-2015-1349. [RT #38344]
     * A flaw in delegation handling could be exploited to put named into
       an infinite loop, in which each lookup of a name server triggered
       additional lookups of more name servers. This has been addressed by
       placing limits on the number of levels of recursion named will
       allow (default 7), and on the number of queries that it will send
       before terminating a recursive query (default 50).
       The recursion depth limit is configured via the max-recursion-depth
       option, and the query limit via the max-recursion-queries option.
       The flaw was discovered by Florian Maury of ANSSI, and is disclosed
       in CVE-2014-8500. [RT #37580]
     * Two separate problems were identified in BIND's GeoIP code that
       could lead to an assertion failure. One was triggered by use of
       both IPv4 and IPv6 address families, the other by referencing a
       GeoIP database in named.conf which was not installed. Both are
       covered by CVE-2014-8680. [RT #37672] [RT #37679]
       A less serious security flaw was also found in GeoIP: changes to
       the geoip-directory option in named.conf were ignored when running
       rndc reconfig. In theory, this could allow named to allow access to
       unintended clients.

New Features

     * None

Feature Changes

     * ACLs containing geoip asnum elements were not correctly matched
       unless the full organization name was specified in the ACL (as in
       geoip asnum "AS1234 Example, Inc.";). They can now match against
       the AS number alone (as in geoip asnum "AS1234";).
     * When using native PKCS#11 cryptography (i.e., configure
       --enable-native-pkcs11) HSM PINs of up to 256 characters can now be
       used.
     * NXDOMAIN responses to queries of type DS are now cached separately
       from those for other types. This helps when using "grafted" zones
       of type forward, for which the parent zone does not contain a
       delegation, such as local top-level domains. Previously a query of
       type DS for such a zone could cause the zone apex to be cached as
       NXDOMAIN, blocking all subsequent queries. (Note: This change is
       only helpful when DNSSEC validation is not enabled. "Grafted" zones
       without a delegation in the parent are not a recommended
       configuration.)
     * NOTIFY messages that are sent because a zone has been updated are
       now given priority above NOTIFY messages that were scheduled when
       the server started up. This should mitigate delays in zone
       propagation when servers are restarted frequently.
     * Errors reported when running rndc addzone (e.g., when a zone file
       cannot be loaded) have been clarified to make it easier to diagnose
       problems.
     * Added support for OPENPGPKEY type.
     * When encountering an authoritative name server whose name is an
       alias pointing to another name, the resolver treats this as an
       error and skips to the next server. Previously this happened
       silently; now the error will be logged to the newly-created "cname"
       log category.
     * If named is not configured to validate the answer then allow
       fallback to plain DNS on timeout even when we know the server
       supports EDNS. This will allow the server to potentially resolve
       signed queries when TCP is being blocked.

Bug Fixes

     * dig, host and nslookup aborted when encountering a name which,
       after appending search list elements, exceeded 255 bytes. Such
       names are now skipped, but processing of other names will continue.
       [RT #36892]
     * The error message generated when named-checkzone or named-checkconf
       -z encounters a $TTL directive without a value has been clarified.
       [RT #37138]
     * Semicolon characters (;) included in TXT records were incorrectly
       escaped with a backslash when the record was displayed as text.
       This is actually only necessary when there are no quotation marks.
       [RT #37159]
     * When files opened for writing by named, such as zone journal files,
       were referenced more than once in named.conf, it could lead to file
       corruption as multiple threads wrote to the same file. This is now
       detected when loading named.conf and reported as an error. [RT
       #37172]
     * dnssec-keygen -S failed to generate successor keys for some
       algorithm types (including ECDSA and GOST) due to a difference in
       the content of private key files. This has been corrected. [RT
       #37183]
     * UPDATE messages that arrived too soon after an rndc thaw could be
       lost. [RT #37233]
     * Forwarding of UPDATE messages did not work when they were signed
       with SIG(0); they resulted in a BADSIG response code. [RT #37216]
     * When checking for updates to trust anchors listed in managed-keys,
       named now revalidates keys based on the current set of active trust
       anchors, without relying on any cached record of previous
       validation. [RT #37506]
     * Large-system tuning (configure --with-tuning=large) caused problems
       on some platforms by setting a socket receive buffer size that was
       too large. This is now detected and corrected at run time. [RT
       #37187]
     * When NXDOMAIN redirection is in use, queries for a name that is
       present in the redirection zone but a type that is not present will
       now return NOERROR instead of NXDOMAIN.
     * When a zone contained a delegation to an IPv6 name server but not
       an IPv4 name server, it was possible for a memory reference to be
       left un-freed. This caused an assertion failure on server shutdown,
       but was otherwise harmless. [RT #37796]
     * Due to an inadvertent removal of code in the previous release, when
       named encountered an authoritative name server which dropped all
       EDNS queries, it did not always try plain DNS. This has been
       corrected. [RT #37965]
     * A regression caused nsupdate to use the default recursive servers
       rather than the SOA MNAME server when sending the UPDATE.
     * Adjusted max-recursion-queries to accommodate the smaller initial
       packet sizes used in BIND 9.10 and higher when contacting
       authoritative servers for the first time.
     * Built-in "empty" zones did not correctly inherit the
       "allow-transfer" ACL from the options or view. [RT #38310]
     * Two leaks were fixed that could cause named processes to grow to
       very large sizes. [RT #38454]
     * Fixed some bugs in RFC 5011 trust anchor management, including a
       memory leak and a possible loss of state information. [RT #38458]

Revision 1.1.1.1.2.1, Wed Dec 10 19:53:09 2014 UTC (8 years, 11 months ago) by tron
Branch: pkgsrc-2014Q3
Changes since 1.1.1.1: +2 -0 lines

Pullup ticket #4570 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.2-1.3
- net/bind910/PLIST                                             1.2-1.3
- net/bind910/distinfo                                          1.2-1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in        1.2
- net/bind910/patches/patch-configure                           1.2
- net/bind910/patches/patch-lib_bind9_Makefile.in               deleted
- net/bind910/patches/patch-lib_dns_Makefile.in                 deleted
- net/bind910/patches/patch-lib_dns_rbt.c                       1.2
- net/bind910/patches/patch-lib_isc_Makefile.in                 deleted
- net/bind910/patches/patch-lib_isccc_Makefile.in               deleted
- net/bind910/patches/patch-lib_isccfg_Makefile.in              deleted
- net/bind910/patches/patch-lib_lwres_Makefile.in               deleted
- net/bind910/patches/patch-lib_lwres_getaddrinfo.c             1.2

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Oct 14 16:23:19 UTC 2014

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo
   	pkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in
   	    patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c
   Removed Files:
   	pkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in
   	    patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in
   	    patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in
   	    patch-lib_lwres_Makefile.in

   Log Message:
   Update bind910 to 9.10.1.

   Security Fixes

      A query specially crafted to exploit a defect in EDNS option
      processing could cause named to terminate with an assertion
      failure, due to a missing isc_buffer_availablelength() check
      when formatting packet contents for logging. For more information,
      see the security advisory at https://kb.isc.org/article/AA-01166/.
      [CVE-2014-3859] [RT #36078]

      A programming error in the prefetch feature could cause named
      to crash with a "REQUIRE" assertion failure in name.c. For more
      information, see the security advisory at
      https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

   New Features

      Support for CAA record types, as described in RFC 6844 "DNS
      Certification Authority Authorization (CAA) Resource Record",
      was added. [RT #36625] [RT #36737]

      Disallow "request-ixfr" from being specified in zone statements
      where it is not valid (it is only valid for slave and redirect
      zones) [RT #36608]

      Support for CDS and CDNSKEY resource record types was added. For
      details see the proposed Informational Internet-Draft "Automating
      DNSSEC Delegation Trust Maintenance" at
      http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
      [RT #36333]

      Added version printing options to various BIND utilities. [RT #26057]
      [RT #10686]

      Optionally allows libseccomp-based (secure computing mode)
      system-call filtering on Linux. This sandboxing mechanism may
      be used to isolate "named" from various system resources. Use
      "configure --enable-seccomp" at build time to enable it.  Thank you
      to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

   Feature Changes

      "geoip asnum" ACL elements would not match unless the full
      organization name was specified.  They can now match against the
      AS number alone (e.g., AS1234). [RT #36945]

      Adds RPZ SOA to the additional section of responses to clearly
      indicate the use of RPZ in a manner that is intended to avoid
      causing issues for downstream resolvers and forwarders [RT #36507]

      rndc now gives distinct error messages when an unqualified zone
      name matches multiple views vs. matching no views [RT #36691]

      Improves the accuracy of dig's reported round trip times.  [RT #36611]

      When an SPF record exists in a zone but no equivalent TXT record
      does, a warning will be issued.  The warning for the reverse
      condition is no longer issued. See the check-spf option in the
      documentation for details. [RT #36210]

      Aging of smoothed round-trip time measurements is now limited
      to no more than once per second, to improve accuracy in selecting
      the best name server. [RT #32909]

      DNSSEC keys that have been marked active but have no publication
      date are no longer presumed to be publishable. [RT #35063]

   Bug Fixes

      The Makefile in bin/python was changed to work around a bmake
      bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

      Corrected bugs in the handling of wildcard records by the DNSSEC
      validator: invalid wildcard expansions could be treated as valid
      if signed, and valid wildcard expansions in NSEC3 opt-out ranges
      had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

      An assertion failure could occur if a route event arrived while
      shutting down. [RT #36887]

      When resigning, dnssec-signzone was removing all signatures from
      delegation nodes. It now retains DS and (if applicable) NSEC
      signatures.  [RT #36946]

      The AD flag was being set inappropriately on RPZ responses. [RT #36833]

      Updates the URI record type to current draft standard,
      draft-faltstrom-uri-08, and allows the value field to be zero
      length [RT #36642] [RT #36737]

      On some platforms, overhead from DSCP tagging caused a performance
      regression between BIND 9.9 and BIND 9.10.  [RT #36534]

      RRSIG sets that were not loaded in a single transaction at start
      up were not being correctly added to re-signing heaps.  [RT #36302]

      Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

      Fixed a bug where some updated policy zone contents could be
      ignored due to stale RPZ summary information [RT #35885]

      A race condition could cause a crash in isc_event_free during
      shutdown.  [RT #36720]

      Addresses some problems with unrecoverable lookup failures. [RT #36330]

      Addresses a race condition issue in dispatch. [RT #36731]

      acl elements could be miscounted, causing a crash while loading
      a config [RT #36675]

      Corrects a deadlock between view.c and adb.c. [RT #36341]

      liblwres wasn't properly handling link-local addresses in
      nameserver clauses in resolv.conf. [RT #36039]

      Disable the GCC 4.9 "delete null pointer check" optimizer option,
      and refactor dns_rdataslab_fromrdataset() to separate out the
      handling of an rdataset with no records. This fixes problems
      when using GNU GCC 4.9.0 where its compiler code optimizations
      may cause crashes in BIND. For more information, see the operational
      advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

      Fixed a bug that could cause repeated resigning of records in
      dynamically signed zones. [RT #35273]

      Fixed a bug that could cause an assertion failure after forwarding
      was disabled. [RT #35979]

      Fixed a bug that caused GeoIP ACLs not to work when referenced
      indirectly via named or nested ACLs. [RT #35879]

      Fixed a bug that could cause problems with cache cleaning when
      SIT was enabled. [RT #35858]

      Fixed a bug that caused SERVFAILs when using RPZ on a system
      configured as a forwarder. [RT #36060]

      Worked around a limitation in Solaris's /dev/poll implementation
      that could cause named to fail to start when configured to use
      more sockets than the system could accommodate. [RT #35878]

      Fixed a bug that could cause an assertion failure when inserting
      and deleting parent and child nodes in a response-policy zone.
      [RT #36272]

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Dec  8 21:59:09 UTC 2014

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo

   Log Message:
   Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

   	--- 9.10.1-P1 released ---

   4006.	[security]	A flaw in delegation handling could be exploited
   			to put named into an infinite loop.  This has
   			been addressed by placing limits on the number
   			of levels of recursion named will allow (default 7),
   			and the number of iterative queries that it will
   			send (default 50) before terminating a recursive
   			query (CVE-2014-8500).

   			The recursion depth limit is configured via the
   			"max-recursion-depth" option, and the query limit
   			via the "max-recursion-queries" option.  [RT #37580]

   4003.	[security]	When geoip-directory was reconfigured during
   			named run-time, the previously loaded GeoIP
   			data could remain, potentially causing wrong
   			ACLs to be used or wrong results to be served
   			based on geolocation (CVE-2014-8680). [RT #37720]

   4002.	[security]	Lookups in GeoIP databases that were not
   			loaded could cause an assertion failure
   			(CVE-2014-8680). [RT #37679]

   4001.	[security]	The caching of GeoIP lookups did not always
   			handle address families correctly, potentially
   			resulting in an assertion failure (CVE-2014-8680).
   			[RT #37672]

Revision 1.3, Mon Dec 8 21:59:09 2014 UTC (8 years, 11 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.2: +2 -1 lines

Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

	--- 9.10.1-P1 released ---

4006.	[security]	A flaw in delegation handling could be exploited
			to put named into an infinite loop.  This has
			been addressed by placing limits on the number
			of levels of recursion named will allow (default 7),
			and the number of iterative queries that it will
			send (default 50) before terminating a recursive
			query (CVE-2014-8500).

			The recursion depth limit is configured via the
			"max-recursion-depth" option, and the query limit
			via the "max-recursion-queries" option.  [RT #37580]

4003.	[security]	When geoip-directory was reconfigured during
			named run-time, the previously loaded GeoIP
			data could remain, potentially causing wrong
			ACLs to be used or wrong results to be served
			based on geolocation (CVE-2014-8680). [RT #37720]

4002.	[security]	Lookups in GeoIP databases that were not
			loaded could cause an assertion failure
			(CVE-2014-8680). [RT #37679]

4001.	[security]	The caching of GeoIP lookups did not always
			handle address families correctly, potentially
			resulting in an assertion failure (CVE-2014-8680).
			[RT #37672]

Revision 1.2, Tue Oct 14 16:23:19 2014 UTC (9 years, 1 month ago) by taca
Branch: MAIN
Changes since 1.1: +2 -1 lines

Update bind910 to 9.10.1.

Security Fixes

   A query specially crafted to exploit a defect in EDNS option
   processing could cause named to terminate with an assertion
   failure, due to a missing isc_buffer_availablelength() check
   when formatting packet contents for logging. For more information,
   see the security advisory at https://kb.isc.org/article/AA-01166/.
   [CVE-2014-3859] [RT #36078]

   A programming error in the prefetch feature could cause named
   to crash with a "REQUIRE" assertion failure in name.c. For more
   information, see the security advisory at
   https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

New Features

   Support for CAA record types, as described in RFC 6844 "DNS
   Certification Authority Authorization (CAA) Resource Record",
   was added. [RT#36625] [RT #36737]

   Disallow "request-ixfr" from being specified in zone statements
   where it is not valid (it is only valid for slave and redirect
   zones) [RT #36608]

   Support for CDS and CDNSKEY resource record types was added. For
   details see the proposed Informational Internet-Draft "Automating
   DNSSEC Delegation Trust Maintenance" at
   http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
   [RT #36333]

   Added version printing options to various BIND utilities. [RT #26057]
   [RT #10686]

   Optionally allows libseccomp-based (secure computing mode)
   system-call filtering on Linux. This sandboxing mechanism may
   be used to isolate "named" from various system resources. Use
   "configure --enable-seccomp" at build time to enable it.  Thank you
   to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

Feature Changes

   "geoip asnum" ACL elements would not match unless the full
   organization name was specified.  They can now match against the
   AS number alone (e.g., AS1234). [RT #36945]

   Adds RPZ SOA to the additional section of responses to clearly
   indicate the use of RPZ in a manner that is intended to avoid
   causing issues for downstream resolvers and forwarders [RT #36507]

   rndc now gives distinct error messages when an unqualified zone
   name matches multiple views vs. matching no views [RT #36691]

   Improves the accuracy of dig's reported round trip times.  [RT #36611]

   When an SPF record exists in a zone but no equivalent TXT record
   does, a warning will be issued.  The warning for the reverse
   condition is no longer issued. See the check-spf option in the
   documentation for details. [RT #36210]

   Aging of smoothed round-trip time measurements is now limited
   to no more than once per second, to improve accuracy in selecting
   the best name server. [RT #32909]

   DNSSEC keys that have been marked active but have no publication
   date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

   The Makefile in bin/python was changed to work around a bmake
   bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

   Corrected bugs in the handling of wildcard records by the DNSSEC
   validator: invalid wildcard expansions could be treated as valid
   if signed, and valid wildcard expansions in NSEC3 opt-out ranges
   had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

   An assertion failure could occur if a route event arrived while
   shutting down. [RT #36887]

   When resigning, dnssec-signzone was removing all signatures from
   delegation nodes. It now retains DS and (if applicable) NSEC
   signatures.  [RT #36946]

   The AD flag was being set inappropriately on RPZ responses. [RT #36833]

   Updates the URI record type to current draft standard,
   draft-faltstrom-uri-08, and allows the value field to be zero
   length [RT #36642] [RT #36737]

   On some platforms, overhead from DSCP tagging caused a performance
   regression between BIND 9.9 and BIND 9.10.  [RT #36534]

   RRSIG sets that were not loaded in a single transaction at start
   up were not being correctly added to re-signing heaps.  [RT #36302]

   Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

   Fixed a bug where some updated policy zone contents could be
   ignored due to stale RPZ summary information [RT #35885]

   A race condition could cause a crash in isc_event_free during
   shutdown.  [RT #36720]

   Addresses some problems with unrecoverable lookup failures. [RT #36330]

   Addresses a race condition issue in dispatch. [RT #36731]

   acl elements could be miscounted, causing a crash while loading
   a config [RT #36675]

   Corrects a deadlock between view.c and adb.c. [RT #36341]

   liblwres wasn't properly handling link-local addresses in
   nameserver clauses in resolv.conf. [RT #36039]

   Disable the GCC 4.9 "delete null pointer check" optimizer option,
   and refactor dns_rdataslab_fromrdataset() to separate out the
   handling of an rdataset with no records. This fixes problems
   when using GNU GCC 4.9.0 where its compiler code optimizations
   may cause crashes in BIND. For more information, see the operational
   advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

   Fixed a bug that could cause repeated resigning of records in
   dynamically signed zones. [RT #35273]

   Fixed a bug that could cause an assertion failure after forwarding
   was disabled. [RT #35979]

   Fixed a bug that caused GeoIP ACLs not to work when referenced
   indirectly via named or nested ACLs. [RT #35879]

   Fixed a bug that could cause problems with cache cleaning when
   SIT was enabled. [RT #35858]

   Fixed a bug that caused SERVFAILs when using RPZ on a system
   configured as a forwarder. [RT #36060]

   Worked around a limitation in Solaris's /dev/poll implementation
   that could cause named to fail to start when configured to use
   more sockets than the system could accommodate. [RT #35878]

   Fixed a bug that could cause an assertion failure when inserting
   and deleting parent and child nodes in a response-policy zone.
   [RT #36272]

Revision 1.1.1.1 (vendor branch), Wed Jul 2 02:42:58 2014 UTC (9 years, 4 months ago) by jnemeth
Branch: TNF
CVS Tags: pkgsrc-base, pkgsrc-2014Q3-base
Branch point for: pkgsrc-2014Q3
Changes since 1.1: +0 -0 lines

Initial import of BIND 9.10.

Revision 1.1, Wed Jul 2 02:42:58 2014 UTC (9 years, 4 months ago) by jnemeth
Branch: MAIN

Initial revision
