Up to [cvs.NetBSD.org] / pkgsrc / net / bind910
Keyword substitution: kv
Default branch: MAIN
net/bind910: remove bind910

Remove bind910, EOL since July 2018.
net/bind910: backport from bind911

Backport changes between BIND 9.11.4-P1 and 9.11.4-P2.

Bump PKGREVISION.
Pullup ticket #5810 - requested by maya
net/bind99: security fix, NetBSD build fix
net/bind910: security fix, NetBSD build fix

Revisions pulled up:
- net/bind910/Makefile 1.42-1.43
- net/bind910/distinfo 1.35-1.36
- net/bind910/patches/patch-lib_isc_unix_socket.c 1.1
- net/bind99/Makefile 1.75-1.76
- net/bind99/distinfo 1.53-1.54
- net/bind99/patches/patch-lib_isc_unix_socket.c 1.1
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Aug 9 14:51:25 UTC 2018

Modified Files:
    pkgsrc/net/bind99: Makefile distinfo

Log Message:
net/bind99: update to 9.9.13pl1

Update bind99 to 9.9.13pl1 (9.9.13-P1).

--- 9.9.13-P1 released ---

4997. [security] named could crash during recursive processing of DNAME records when "deny-answer-aliases" was in use. (CVE-2018-5740) [GL #387]
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Aug 9 14:49:09 UTC 2018

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
net/bind910: update to 9.10.8pl1

Update bind910 to 9.10.8pl1 (9.10.8-P1).

--- 9.10.8-P1 released ---

4997. [security] named could crash during recursive processing of DNAME records when "deny-answer-aliases" was in use. (CVE-2018-5740) [GL #387]
---
Module Name:    pkgsrc
Committed By:   maya
Date:           Mon Aug 13 13:36:25 UTC 2018

Modified Files:
    pkgsrc/net/bind99: Makefile distinfo
Added Files:
    pkgsrc/net/bind99/patches: patch-lib_isc_unix_socket.c

Log Message:
bind99: Make ENOBUFS a soft error. Needed for netbsd>=8.

See https://gitlab.isc.org/isc-projects/bind9/issues/462

bump PKGREVISION
---
Module Name:    pkgsrc
Committed By:   maya
Date:           Mon Aug 13 13:37:14 UTC 2018

Modified Files:
    pkgsrc/net/bind910: Makefile
Added Files:
    pkgsrc/net/bind910/patches: patch-lib_isc_unix_socket.c

Log Message:
bind910: Make ENOBUFS a soft error. Needed for netbsd>=8.

See https://gitlab.isc.org/isc-projects/bind9/issues/462

Bump PKGREVISION.
---
Module Name:    pkgsrc
Committed By:   maya
Date:           Mon Aug 13 13:41:49 UTC 2018

Modified Files:
    pkgsrc/net/bind910: distinfo

Log Message:
bind910: also add patch to distinfo.
bind910: also add patch to distinfo.
net/bind910: update to 9.10.8pl1

Update bind910 to 9.10.8pl1 (9.10.8-P1).

--- 9.10.8-P1 released ---

4997. [security] named could crash during recursive processing of DNAME records when "deny-answer-aliases" was in use. (CVE-2018-5740) [GL #387]
Pullup ticket #5788 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.41
- net/bind910/distinfo 1.33-1.34
- net/bind910/patches/patch-bin_tests_system_metadata_tests.sh 1.2
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jul 14 03:53:42 UTC 2018

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo
    pkgsrc/net/bind910/patches: patch-bin_tests_system_metadata_tests.sh

Log Message:
net/bind910: update to 9.10.8

This release contains a security fix for CVE-2018-5738 and several bug fixes. For more detail, please refer to the CHANGES file.

To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 pkgsrc/net/bind910/Makefile
cvs rdiff -u -r1.32 -r1.33 pkgsrc/net/bind910/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/net/bind910/patches/patch-bin_tests_system_metadata_tests.sh
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jul 14 03:54:59 UTC 2018

Modified Files:
    pkgsrc/net/bind910: distinfo

Log Message:
net/bind910: remove local trial patch.

Remove local trial patch info.

To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 pkgsrc/net/bind910/distinfo
net/bind910: remove local trial patch.

Remove local trial patch info.
net/bind910: update to 9.10.8

This release contains a security fix for CVE-2018-5738 and several bug fixes. For more detail, please refer to the CHANGES file.
net/bind910: update to 9.10.7

New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of BIND are now available. Release notes can be found with the releases or in the ISC Knowledge Base:

9.9.12: https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html
9.10.7: https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html
9.11.3: https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html
9.12.1: https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html

Users who are migrating an existing BIND configuration to these new versions should take special note of two changes in the behavior of the "update-policy" statement which slightly change the behavior of two update-policy options.

The first such change is discussed in greater length in the BIND Operational Notification issued today:
https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly

The second change to update-policy behavior concerns this change:

"update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. Previously, if the name field was omitted from the rule declaration but a type list was present, it wouldn't be interpreted as expected."

which is a correction to an ambiguous case that was previously allowed, but which was capable of causing unexpected results when accidentally applied. The new requirement is intended to eliminate the confusion, which previously caused some operators to misapply security policies. However, due to the new requirement, named configuration files that relied on the previous behavior will no longer be accepted.

These changes should not affect most operators, even those using "update-policy" to define Dynamic DNS permissions, but we would like to draw your attention to them so that operators are informed about the new behaviors.
net/bind910: Fix problem in configure where contents of $LIBS would be lost when json-c support was enabled.
Pullup ticket #5684 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.39
- net/bind910/distinfo 1.30
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Jan 17 00:31:38 UTC 2018

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
net/bind910: update to 9.10.6pl1 (BIND 9.10.6-P1).

Release Notes for BIND Version 9.10.6-P1

Introduction

This document summarizes changes since BIND 9.10.6. BIND 9.10.6-P1 addresses the security issue described in CVE-2017-3145.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

New DNSSEC Root Key

ICANN is in the process of introducing a new Key Signing Key (KSK) for the global root zone. BIND has multiple methods for managing DNSSEC trust anchors, with somewhat different behaviors. If the root key is configured using the managed-keys statement, or if the pre-configured root key is enabled by using dnssec-validation auto, then BIND can keep keys up to date automatically. Servers configured in this way should have begun the process of rolling to the new key when it was published in the root zone in July 2017. However, keys configured using the trusted-keys statement are not automatically maintained. If your server is performing DNSSEC validation and is configured using trusted-keys, you are advised to change your configuration before the root zone begins signing with the new KSK. This is currently scheduled for October 11, 2017.

This release includes an updated version of the bind.keys file containing the new root key. This file can also be downloaded from https://www.isc.org/bind-keys .

Windows XP No Longer Supported

As of BIND 9.10.6, Windows XP is no longer a supported platform for BIND, and Windows XP binaries are no longer available for download from ISC.

Security Fixes

* Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.) This bug is disclosed in CVE-2017-3145. [RT #46839]
* An error in TSIG handling could permit unauthorized zone transfers or zone updates. These flaws are disclosed in CVE-2017-3142 and CVE-2017-3143. [RT #45383]
* The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. This flaw is disclosed in CVE-2017-3141. [RT #45229]
* With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop. This flaw is disclosed in CVE-2017-3140. [RT #45181]

Feature Changes

* dig +ednsopt now accepts the names for EDNS options in addition to numeric values. For example, an EDNS Client-Subnet option could be sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64 for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist debugging on operating systems that support that. Threads will have names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so on. This will affect the reporting of subsidiary thread names in ps and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast DNS. [RT #44783]

Bug Fixes

* Fixed a bug that was introduced in an earlier development release which caused multi-packet AXFR and IXFR messages to fail validation if not all packets contained TSIG records; this caused interoperability problems with some other DNS implementations. [RT #45509]
* Semicolons are no longer escaped when printing CAA and URI records. This may break applications that depend on the presence of the backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the answer and authority sections. [RT #45140]

End of Life

The end of life for BIND 9.10 is yet to be determined but will not be before BIND 9.12.0 has been released for 6 months. https://www.isc.org/downloads/software-support-policy/

To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 pkgsrc/net/bind910/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/bind910/distinfo
net/bind910: update to 9.10.6pl1 (BIND 9.10.6-P1).

Release Notes for BIND Version 9.10.6-P1

Introduction

This document summarizes changes since BIND 9.10.6. BIND 9.10.6-P1 addresses the security issue described in CVE-2017-3145.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

New DNSSEC Root Key

ICANN is in the process of introducing a new Key Signing Key (KSK) for the global root zone. BIND has multiple methods for managing DNSSEC trust anchors, with somewhat different behaviors. If the root key is configured using the managed-keys statement, or if the pre-configured root key is enabled by using dnssec-validation auto, then BIND can keep keys up to date automatically. Servers configured in this way should have begun the process of rolling to the new key when it was published in the root zone in July 2017. However, keys configured using the trusted-keys statement are not automatically maintained. If your server is performing DNSSEC validation and is configured using trusted-keys, you are advised to change your configuration before the root zone begins signing with the new KSK. This is currently scheduled for October 11, 2017.

This release includes an updated version of the bind.keys file containing the new root key. This file can also be downloaded from https://www.isc.org/bind-keys .

Windows XP No Longer Supported

As of BIND 9.10.6, Windows XP is no longer a supported platform for BIND, and Windows XP binaries are no longer available for download from ISC.

Security Fixes

* Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.) This bug is disclosed in CVE-2017-3145. [RT #46839]
* An error in TSIG handling could permit unauthorized zone transfers or zone updates. These flaws are disclosed in CVE-2017-3142 and CVE-2017-3143. [RT #45383]
* The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. This flaw is disclosed in CVE-2017-3141. [RT #45229]
* With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop. This flaw is disclosed in CVE-2017-3140. [RT #45181]

Feature Changes

* dig +ednsopt now accepts the names for EDNS options in addition to numeric values. For example, an EDNS Client-Subnet option could be sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64 for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist debugging on operating systems that support that. Threads will have names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so on. This will affect the reporting of subsidiary thread names in ps and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast DNS. [RT #44783]

Bug Fixes

* Fixed a bug that was introduced in an earlier development release which caused multi-packet AXFR and IXFR messages to fail validation if not all packets contained TSIG records; this caused interoperability problems with some other DNS implementations. [RT #45509]
* Semicolons are no longer escaped when printing CAA and URI records. This may break applications that depend on the presence of the backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the answer and authority sections. [RT #45140]

End of Life

The end of life for BIND 9.10 is yet to be determined but will not be before BIND 9.12.0 has been released for 6 months. https://www.isc.org/downloads/software-support-policy/
bind910: Correct bind-json-statistics-server option build

Switch detection of json-c from homegrown detection of libraries in hardcoded dirs to pkg-config detection. Add new USE_TOOLS option pkg-config.

Bump PKGREVISION to 1 for new dependency.
Update bind910 to 9.10.6.

Here are the release notes, except the security fixes (already fixed by bind-9.10.5pl3, BIND 9.10.5-P3).

Release Notes for BIND Version 9.10.6

Introduction

This document summarizes changes since the last production release on the BIND 9.10 branch. Please see the CHANGES file for a further list of bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

New DNSSEC Root Key

ICANN is in the process of introducing a new Key Signing Key (KSK) for the global root zone. BIND has multiple methods for managing DNSSEC trust anchors, with somewhat different behaviors. If the root key is configured using the managed-keys statement, or if the pre-configured root key is enabled by using dnssec-validation auto, then BIND can keep keys up to date automatically. Servers configured in this way should have begun the process of rolling to the new key when it was published in the root zone in July 2017. However, keys configured using the trusted-keys statement are not automatically maintained. If your server is performing DNSSEC validation and is configured using trusted-keys, you are advised to change your configuration before the root zone begins signing with the new KSK. This is currently scheduled for October 11, 2017.

This release includes an updated version of the bind.keys file containing the new root key. This file can also be downloaded from https://www.isc.org/bind-keys .

Windows XP No Longer Supported

As of BIND 9.10.6, Windows XP is no longer a supported platform for BIND, and Windows XP binaries are no longer available for download from ISC.

Feature Changes

* dig +ednsopt now accepts the names for EDNS options in addition to numeric values. For example, an EDNS Client-Subnet option could be sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64 for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist debugging on operating systems that support that. Threads will have names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so on. This will affect the reporting of subsidiary thread names in ps and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast DNS. [RT #44783]

Bug Fixes

* Fixed a bug that was introduced in an earlier development release which caused multi-packet AXFR and IXFR messages to fail validation if not all packets contained TSIG records; this caused interoperability problems with some other DNS implementations. [RT #45509]
* Semicolons are no longer escaped when printing CAA and URI records. This may break applications that depend on the presence of the backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the answer and authority sections. [RT #45140]

End of Life

The end of life for BIND 9.10 is yet to be determined but will not be before BIND 9.12.0 has been released for 6 months. https://www.isc.org/downloads/software-support-policy/
Pullup ticket #5511 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.36
- net/bind910/distinfo 1.27
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jul 8 04:29:00 UTC 2017

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.5pl3 (BIND 9.10.5-P3).

--- 9.10.5-P3 released ---

4647. [bug] Change 4643 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. [RT #45509]
Update bind910 to 9.10.5pl3 (BIND 9.10.5-P3).

--- 9.10.5-P3 released ---

4647. [bug] Change 4643 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. [RT #45509]
Update bind910 to 9.10.5pl2 (9.10.5-P2).

--- 9.10.5-P2 released ---

4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383]
4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
Update bind910 package to 9.10.5pl1 (BIND 9.10.5-P1).

--- 9.10.5-P1 released ---

4632. [security] The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. (CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. (CVE-2017-3140) [RT #45181]
Update bind910 to 9.10.5 (BIND 9.10.5).

This is a maintenance release; please refer to the release announcement for details: https://kb.isc.org/article/AA-01490.
Pullup ticket #5272 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.32
- net/bind910/distinfo 1.23
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Apr 13 01:52:42 UTC 2017

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.4pl8 (BIND 9.10.4-P8).

Quote from the release announcement:

BIND 9.10.4-P8 addresses the security issues described in CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys for the root zone.

From CHANGELOG:

--- 9.10.4-P8 released ---

4582. [security] 'rndc ""' could trigger an assertion failure in named. (CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850]

--- 9.10.4-P7 released ---

4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the upcoming root KSK. [RT #44579]
Update bind910 to 9.10.4pl8 (BIND 9.10.4-P8).

Quote from the release announcement:

BIND 9.10.4-P8 addresses the security issues described in CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys for the root zone.

From CHANGELOG:

--- 9.10.4-P8 released ---

4582. [security] 'rndc ""' could trigger an assertion failure in named. (CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850]

--- 9.10.4-P7 released ---

4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the upcoming root KSK. [RT #44579]
Pullup ticket #5210 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.29
- net/bind910/distinfo 1.22
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Feb 9 00:48:59 UTC 2017

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).

Security Fixes

* If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties, as described in CVE-2016-6170. [RT #42143]
* It was possible to trigger an assertion when rendering a message using a specially crafted request. This flaw is disclosed in CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an infinite recursion bug in lwresd or named with lwres configured if, when combined with a search list entry from resolv.conf, the resulting name is too long. This flaw is disclosed in CVE-2016-2775. [RT #42694]

New Features

* named now provides feedback to the owners of zones which have trust anchors configured (trusted-keys, managed-keys, dnssec-validation auto; and dnssec-lookaside auto;) by sending a daily query which encodes the keyids of the configured trust anchors for the zone. This is controlled by trust-anchor-telemetry and defaults to yes.
* A new tcp-only option has been added to server clauses, to indicate that UDP should not be used when sending queries to a specified IP address or prefix.

Feature Changes

* The built in managed keys for the global root zone have been updated to include the upcoming key signing key (keyid 20326).
* The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when named is configured to use this service, either explicitly or via dnssec-lookaside auto;. [RT #42207]
* If an ACL is specified with an address prefix in which the prefix length is longer than the address portion (for example, 192.0.2.1/8), named will now log a warning. In future releases this will be a fatal configuration error. [RT #43367]

Bug Fixes

* A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318]
* Named could deadlock when there were multiple changes to NSEC/NSEC3 parameters for a zone being processed at the same time. [RT #42770]
* Named could trigger an assertion when sending notify messages. [RT #44019]
* Fixed a crash when calling rndc stats on some Windows builds: some Visual Studio compilers generate code that crashes when the "%z" printf() format specifier is used. [RT #42380]
* Windows installs were failing due to triggering UAC without the installation binary being signed.
* A change in the internal binary representation of the RBT database node structure enabled a race condition to occur (especially when BIND was built with certain compilers or optimizer settings), leading to inconsistent database state which caused random assertion failures. [RT #42380]
* Referencing a nonexistent zone in a response-policy statement could cause an assertion failure during configuration. [RT #43787]
* rndc addzone could cause a crash when attempting to add a zone with a type other than master or slave. Such zones are now rejected. [RT #43665]
* named could hang when encountering log file names with large apparent gaps in version number (for example, when files exist called "logfile.0", "logfile.1", and "logfile.1482954169"). This is now handled correctly. [RT #38688]
* If a zone was updated while named was processing a query for nonexistent data, it could return out-of-sync NSEC3 records causing potential DNSSEC validation failure. [RT #43247]
* named could crash when loading a zone which had RRSIG records whose expiry fields were far enough apart to cause an integer overflow when comparing them. [RT #40571]
* The arpaname and named-rrchecker commands were not installed into the correct prefix/bin directory. [RT #42910]
* When receiving a response from an authoritative server with a TTL value of zero, named will now only use that response once, to answer the currently active clients that were waiting for it. Previously, such response could be cached and reused for up to one second. [RT #42142]
* named-checkconf now checks the rate-limit clause for correctness. [RT #42970]
* Corrected a bug in the rndc control channel that could allow a read past the end of a buffer, crashing named. Thanks to Lian Yihan for reporting this error.

Maintenance

* The built-in root hints have been updated to include IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET (2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).

To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/net/bind910/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/net/bind910/distinfo
Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).

Security Fixes

* If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties, as described in CVE-2016-6170. [RT #42143]
* It was possible to trigger an assertion when rendering a message using a specially crafted request. This flaw is disclosed in CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an infinite recursion bug in lwresd or named with lwres configured if, when combined with a search list entry from resolv.conf, the resulting name is too long. This flaw is disclosed in CVE-2016-2775. [RT #42694]

New Features

* named now provides feedback to the owners of zones which have trust anchors configured (trusted-keys, managed-keys, dnssec-validation auto; and dnssec-lookaside auto;) by sending a daily query which encodes the keyids of the configured trust anchors for the zone. This is controlled by trust-anchor-telemetry and defaults to yes.
* A new tcp-only option has been added to server clauses, to indicate that UDP should not be used when sending queries to a specified IP address or prefix.

Feature Changes

* The built in managed keys for the global root zone have been updated to include the upcoming key signing key (keyid 20326).
* The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when named is configured to use this service, either explicitly or via dnssec-lookaside auto;. [RT #42207]
* If an ACL is specified with an address prefix in which the prefix length is longer than the address portion (for example, 192.0.2.1/8), named will now log a warning. In future releases this will be a fatal configuration error. [RT #43367]

Bug Fixes

* A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318]
* Named could deadlock when there were multiple changes to NSEC/NSEC3 parameters for a zone being processed at the same time. [RT #42770]
* Named could trigger an assertion when sending notify messages. [RT #44019]
* Fixed a crash when calling rndc stats on some Windows builds: some Visual Studio compilers generate code that crashes when the "%z" printf() format specifier is used. [RT #42380]
* Windows installs were failing due to triggering UAC without the installation binary being signed.
* A change in the internal binary representation of the RBT database node structure enabled a race condition to occur (especially when BIND was built with certain compilers or optimizer settings), leading to inconsistent database state which caused random assertion failures. [RT #42380]
* Referencing a nonexistent zone in a response-policy statement could cause an assertion failure during configuration. [RT #43787]
* rndc addzone could cause a crash when attempting to add a zone with a type other than master or slave. Such zones are now rejected. [RT #43665]
* named could hang when encountering log file names with large apparent gaps in version number (for example, when files exist called "logfile.0", "logfile.1", and "logfile.1482954169"). This is now handled correctly. [RT #38688]
* If a zone was updated while named was processing a query for nonexistent data, it could return out-of-sync NSEC3 records causing potential DNSSEC validation failure. [RT #43247]
* named could crash when loading a zone which had RRSIG records whose expiry fields were far enough apart to cause an integer overflow when comparing them. [RT #40571]
* The arpaname and named-rrchecker commands were not installed into the correct prefix/bin directory. [RT #42910]
* When receiving a response from an authoritative server with a TTL value of zero, named will now only use that response once, to answer the currently active clients that were waiting for it. Previously, such response could be cached and reused for up to one second. [RT #42142]
* named-checkconf now checks the rate-limit clause for correctness. [RT #42970]
* Corrected a bug in the rndc control channel that could allow a read past the end of a buffer, crashing named. Thanks to Lian Yihan for reporting this error.

Maintenance

* The built-in root hints have been updated to include IPv6 addresses for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET (2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).
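Three of the release notes quoted in this log describe configuration that stops working, or starts being warned about, when the package is upgraded: the 9.10.7 entry (update-policy rules that used to omit the name field before a type list now need "." there), the 9.10.6-P1 entries (static trusted-keys are not rolled to the new root KSK) and the 9.10.4-P6 entries (ACL prefixes with host bits set such as 192.0.2.1/8, and dnssec-lookaside auto). The script below is an added example written for this page, not code from pkgsrc or from ISC: a pre-upgrade scan of named.conf that reports those cases. It is a shallow, comment-aware regular-expression scan rather than a named.conf parser; the RR type list used to recognise the old update-policy form and the exemption of the zonesub rule type (which takes no name field) are assumptions made here, not statements from the notes; and the configuration it scans is constructed inline for the example.

```python
# Added pre-upgrade check for named.conf (example code, not pkgsrc's or ISC's).
# It is a shallow, comment-aware token scan rather than a named.conf parser.
import ipaddress
import re

# IPv4/IPv6 address with prefix length, optionally negated with "!".
_PREFIX_RE = re.compile(r"(?<![\w.:])(!?)([0-9a-fA-F.:]+)/(\d{1,3})(?![\w.:/])")
# "grant|deny <identity> <ruletype> <rest>;" as written inside update-policy.
_RULE_RE = re.compile(r"\b(grant|deny)\s+(\S+)\s+(\S+)\s+([^;]*);")
# RR type names that, in the name position of a rule, betray the old
# "name omitted, type list present" form the 9.10.7 notes warn about (assumed list).
_RRTYPES = {"A", "AAAA", "ANY", "CNAME", "MX", "NS", "PTR", "SRV", "TXT", "TLSA"}


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so commented-out statements are not flagged."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def check_acl_prefixes(text: str) -> list:
    """Address/prefix entries with host bits set past the prefix length
    (the 9.10.4-P6 warning, e.g. 192.0.2.1/8), with the prefix named expects."""
    findings = []
    for neg, addr, plen in _PREFIX_RE.findall(text):
        try:
            iface = ipaddress.ip_interface(f"{addr}/{plen}")
        except ValueError:
            continue  # not an address literal
        if iface.ip != iface.network.network_address:
            findings.append(f"acl prefix {neg}{addr}/{plen}: host bits set beyond "
                            f"/{plen}; use {neg}{iface.network.with_prefixlen}")
    return findings


def check_trust_anchors(text: str) -> list:
    """Static trusted-keys (not rolled automatically) and DLV lookaside."""
    findings = []
    if re.search(r"\btrusted-keys\s*\{", text):
        findings.append("trusted-keys: static anchors are not updated for the root "
                        "KSK rollover; use managed-keys or 'dnssec-validation auto;'")
    if re.search(r"\bdnssec-lookaside\s+auto\s*;", text):
        findings.append("dnssec-lookaside auto: DLV is being retired; named logs a warning")
    return findings


def check_update_policy(text: str) -> list:
    """Rules whose name field reads like an RR type: the old form relied on the
    name being omitted, which 9.10.7+ no longer accepts; write "." instead.
    zonesub is skipped because that rule type takes no name field (assumption
    from the ARM, not stated in the notes above)."""
    findings = []
    for mode, identity, ruletype, rest in _RULE_RE.findall(text):
        tokens = rest.split()
        if ruletype.lower() != "zonesub" and tokens and tokens[0].upper() in _RRTYPES:
            rule = f"{mode} {identity} {ruletype} {' '.join(tokens)}"
            findings.append(f"update-policy rule '{rule}': name field omitted before "
                            f"the type list; use '{mode} {identity} {ruletype} . "
                            f"{' '.join(tokens)}'")
    return findings


def lint_named_conf(text: str) -> list:
    """Run every check over a named.conf body; findings are returned in order."""
    body = strip_comments(text)
    return (check_acl_prefixes(body) + check_trust_anchors(body)
            + check_update_policy(body))


# Constructed sample configuration for this example, not taken from a real host.
SAMPLE_CONF = """
acl "internal" {
    192.0.2.1/8;        // host bits set: warned now, rejected by later releases
    !203.0.113.0/24;    // fine
    2001:db8::1/32;     // host bits set in an IPv6 prefix
    # 10.1.2.3/8;       // commented out, must not be reported
};
options {
    listen-on { 198.51.100.0/24; };
    dnssec-validation yes;
    dnssec-lookaside auto;
};
trusted-keys {
    /* static root trust anchor; key material omitted in this example */
};
zone "dyn.example" {
    type master;
    file "dyn.example.db";
    update-policy {
        grant EXAMPLE.COM ms-self A AAAA;                      // old form
        grant dhcp-key.example. subdomain dyn.example. A PTR;  // fine
        grant dhcp-key.example. zonesub A PTR;                 // fine
    };
};
"""

if __name__ == "__main__":
    for finding in lint_named_conf(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with `lint_named_conf(open("/usr/pkg/etc/named.conf").read())` before switching the package; a clean result does not replace `named-checkconf` on the new version, which is what actually enforces the 9.10.7 update-policy syntax, but it points at the statements that the notes above say will be rejected or warned about.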
Pullup ticket #5189 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.28
- net/bind910/distinfo 1.21
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 12 00:04:43 UTC 2017

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.4pl5 (BIND 9.10.4-P5), including security fixes.

--- 9.10.4-P5 released ---

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME in responses resulting in SERVFAIL being returned. [RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. (CVE-2016-9444) [RT #43632]
4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. (CVE-2016-9147) [RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522]
Update bind910 to 9.10.4pl5 (BIND 9.10.4-P5), including security fixes.

--- 9.10.4-P5 released ---

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME in responses resulting in SERVFAIL being returned. [RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. (CVE-2016-9444) [RT #43632]
4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. (CVE-2016-9147) [RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522]
Pullup ticket #5149 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.25-1.26
- net/bind910/distinfo 1.20
---
Committed By: taca
Date: Wed Nov 2 00:05:17 UTC 2016

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.4pl4 (BIND 9.10.4-P4).

--- 9.10.4-P4 released ---

4489. [security] It was possible to trigger assertions when processing a response. (CVE-2016-8864) [RT #43465]
Update bind910 to 9.10.4pl4 (BIND 9.10.4-P4).

--- 9.10.4-P4 released ---

4489. [security] It was possible to trigger assertions when processing a response. (CVE-2016-8864) [RT #43465]
Update bind910 to 9.10.4pl3 (BIND 9.10.4-P3), fixing CVE-2016-2776.

--- 9.10.4-P3 released ---

4468. [bug] Address ECS option handling issues. [RT #43191]
      Note: Only the parts required to restore interoperation with ECS clients have been included in this security release. The full fix is included in BIND 9.10.5.
4467. [security] It was possible to trigger an assertion when rendering a message. (CVE-2016-2776) [RT #43139]
Pullup ticket #5066 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.23
- net/bind910/PLIST 1.7
- net/bind910/distinfo 1.18
- net/bind910/patches/patch-lib_dns_rbt.c 1.5
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Jul 19 01:08:05 UTC 2016

Modified Files:
    pkgsrc/net/bind910: Makefile PLIST distinfo
    pkgsrc/net/bind910/patches: patch-lib_dns_rbt.c

Log Message:
Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2).

Changes from 9.10.3-P4 to 9.10.4 are too many to write here; please refer to the CHANGES file.

--- 9.10.4-P2 released ---

4406. [bug] getrrsetbyname with a non-absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if, when combined with a search list entry, the resulting name is too long. (CVE-2016-2775) [RT #42694]
4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in a NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702]
4387. [bug] Change 4336 was not complete leading to SERVFAIL being returned as NS records expired. [RT #42683]

--- 9.10.4-P1 released ---

4368. [bug] Fix a crash when calling "rndc stats" on some Windows builds because some Visual Studio compilers generated crashing code for the "%z" printf() format specifier. [RT #42380]
4366. [bug] Address race condition when updating rbtnode bit fields. [RT #42379]
4363. [port] win32: Disable explicit triggering UAC when running BINDInstall.

--- 9.10.4 released ---

To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/net/bind910/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind910/PLIST
cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/bind910/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/net/bind910/patches/patch-lib_dns_rbt.c
Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2).

Changes from 9.10.3-P4 to 9.10.4 are too many to write here; please refer to the CHANGES file.

--- 9.10.4-P2 released ---

4406. [bug] getrrsetbyname with a non-absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if, when combined with a search list entry, the resulting name is too long. (CVE-2016-2775) [RT #42694]
4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in a NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702]
4387. [bug] Change 4336 was not complete leading to SERVFAIL being returned as NS records expired. [RT #42683]

--- 9.10.4-P1 released ---

4368. [bug] Fix a crash when calling "rndc stats" on some Windows builds because some Visual Studio compilers generated crashing code for the "%z" printf() format specifier. [RT #42380]
4366. [bug] Address race condition when updating rbtnode bit fields. [RT #42379]
4363. [port] win32: Disable explicit triggering UAC when running BINDInstall.

--- 9.10.4 released ---
Make bind910 downgrade to 9.10.3pl4, keeping some options and the MASTERSITE change, since ISC marks 9.10.4 as "deprecated". See https://lists.isc.org/pipermail/bind-users/2016-May/096851.html.
Update bind910 to 9.10.4 (BIND 9.10.4).

PKG_OPTIONS change:
* Remove rrl which is always enabled.
* Add fetchlimit, geoip, pkcs11, sit and tuning.

Security Fixes

* Duplicate EDNS COOKIE options in a response could trigger an assertion failure. This flaw is disclosed in CVE-2016-2088. [RT #41809]
* The resolver could abort with an assertion failure due to improper DNAME handling when parsing fetch reply messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
* Malformed control messages can trigger assertions in named and rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
* Certain errors that could be encountered when printing out or logging an OPT record containing a CLIENT-SUBNET option could be mishandled, resulting in an assertion failure. This flaw is disclosed in CVE-2015-8705. [RT #41397]
* Specific APL data could trigger an INSIST. This flaw is disclosed in CVE-2015-8704. [RT #41396]
* Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]
* Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]

New Features

* The following resource record types have been implemented: AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
* Added a warning for a common misconfiguration involving forwarded RFC 1918 and IPv6 ULA (Universal Local Address) zones.
* Contributed software from Nominum is included in the source at contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the performance of authoritative DNS servers, resperf for testing the resolution performance of a caching DNS server, resperf-report for generating a resperf report in HTML with gnuplot graphs, and queryparse to extract DNS queries from pcap capture files. This software is not installed by default with BIND.
* When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately. This helps when a system's clock needs to be reset backwards.

Feature Changes

* Updated the compiled-in addresses for H.ROOT-SERVERS.NET and L.ROOT-SERVERS.NET.
* The default preferred glue is now the address type of the transport the query was received over.
* On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.
* Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.
* named -V output now also includes operating system details.

Porting Changes

* The Microsoft Windows install tool BINDInstall.exe, which requires a non-free version of Visual Studio to be built, now uses two files (lists of flags and files) created by the Configure perl script with all the needed information which were previously compiled in the binary. Read win32utils/build.txt for more details. [RT #38915]

Bug Fixes

* rndc flushtree now works even if there wasn't a cached node at the specified name. [RT #41846]
* Don't emit records with zero TTL unless the records were received with a zero TTL. After being returned to waiting clients, the answer will be discarded from the cache. [RT #41687]
* For Windows platforms, the SIT (Source Identity Token) support was restored. (It was mistakenly partially replaced in a previous beta with new 9.11 COOKIE support.) [RT #41905]
* When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997] [RT #41941]
* The server could crash due to a use-after-free if a zone transfer timed out. [RT #41297]
* Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321]
* Some of the options for GeoIP ACLs, including "areacode", "metrocode", and "timezone", were incorrectly documented as "area", "metro" and "tz". Both the long and abbreviated versions are now accepted.
* Zones configured to use map format master files can't be used as policy zones because RPZ summary data isn't compiled when such zones are mapped into memory. This limitation may be fixed in a future release, but in the meantime it has been documented, and attempting to use such zones in response-policy statements is now a configuration error. [RT #38321]
Pullup ticket #4949 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.18
- net/bind910/distinfo 1.15
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Mar 10 00:48:41 UTC 2016

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.3pl4 (BIND 9.10.3-P4), security release.

--- 9.10.3-P4 released ---

4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809]
4319. [security] Fix resolver assertion failure due to improper DNAME handling when parsing fetch reply messages. (CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
Update bind910 to 9.10.3pl4 (BIND 9.10.3-P4), security release.

--- 9.10.3-P4 released ---

4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809]
4319. [security] Fix resolver assertion failure due to improper DNAME handling when parsing fetch reply messages. (CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]
Pullup ticket #4901 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.15
- net/bind910/distinfo 1.14
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Jan 20 02:15:58 UTC 2016

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.3pl3 (BIND 9.10.3-P3).

Security Fixes

* Specific APL data could trigger an INSIST. This flaw was discovered by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Certain errors that could be encountered when printing out or logging an OPT record containing a CLIENT-SUBNET option could be mishandled, resulting in an assertion failure. This flaw was discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT #41397]
* Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]

New Features

* None.

Feature Changes

* Updated the compiled-in addresses for H.ROOT-SERVERS.NET.

Bug Fixes

* Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321]
Update bind910 to 9.10.3pl3 (BIND 9.10.3-P3).

Security Fixes

* Specific APL data could trigger an INSIST. This flaw was discovered by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Certain errors that could be encountered when printing out or logging an OPT record containing a CLIENT-SUBNET option could be mishandled, resulting in an assertion failure. This flaw was discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT #41397]
* Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT #40945]

New Features

* None.

Feature Changes

* Updated the compiled-in addresses for H.ROOT-SERVERS.NET.

Bug Fixes

* Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321]
Pullup ticket #4872 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile 1.13-1.14
- net/bind910/distinfo 1.12-1.13
- net/bind910/patches/patch-bin_dig_dighost.c 1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in 1.3
- net/bind910/patches/patch-configure 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Dec 13 17:35:22 UTC 2015

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo
    pkgsrc/net/bind910/patches: patch-bin_dig_dighost.c patch-bin_tests_system_Makefile.in patch-configure

Log Message:
Update bind910 to 9.10.3.

Security Fixes

* An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

New Features

* New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack. NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build.
  + fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option.
  + fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.)
  Statistics counters have also been added to track the number of queries affected by these quotas.
* dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests.
* dig +[no]ednsnegotiation can now be used to enable/disable EDNS version negotiation.
* An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging.

Feature Changes

* Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927]
* The experimental SIT extension now uses the EDNS COOKIE option code point (10) and is displayed as "COOKIE: <value>". The existing named.conf directives "request-sit", "sit-secret" and "nosit-udp-size" are still valid and will be replaced by "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND 9.11. The existing dig directive "+sit" is still valid and will be replaced with "+cookie" in BIND 9.11.
* When retrying a query via TCP due to the first answer being truncated, dig will now correctly send the COOKIE value returned by the server in the prior response. [RT #39047]
* Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now accepted as valid hostnames when using the check-names option. <forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889]

Bug Fixes

* Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
* A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig +short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT #40456]
* BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]
* Several bugs have been fixed in the RPZ implementation:
  + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]
  + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]
  + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]
  + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]
  + The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649]
  + Query names could match against the wrong policy zone if wildcard records were present. [RT #40357]
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Dec 16 00:31:22 UTC 2015

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 package to 9.10.3pl2 (BIND 9.10.3-P2), security release.

--- 9.10.3-P2 released ---

4270. [security] Update allowed OpenSSL versions as named is potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]
4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT #40945]

--- 9.10.3-P1 (withdrawn) ---
Update bind910 package to 9.10.3pl2 (BIND 9.10.3-P2), security release.

--- 9.10.3-P2 released ---

4270. [security] Update allowed OpenSSL versions as named is potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]
4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT #40945]

--- 9.10.3-P1 (withdrawn) ---
Update bind910 to 9.10.3.

Security Fixes

* An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in message.c. This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server. This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

New Features

* New quotas have been added to limit the queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks. When configured, these options can both reduce the harm done to authoritative servers and also avoid the resource exhaustion that can be experienced by recursives when they are being used as a vehicle for such an attack. NOTE: These options are not available by default; use configure --enable-fetchlimit to include them in the build.
  + fetches-per-server limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the fetch-quota-params option.
  + fetches-per-zone limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.)
  Statistics counters have also been added to track the number of queries affected by these quotas.
* dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests.
* dig +[no]ednsnegotiation can now be used to enable/disable EDNS version negotiation.
* An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging.

Feature Changes

* Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927]
* The experimental SIT extension now uses the EDNS COOKIE option code point (10) and is displayed as "COOKIE: <value>". The existing named.conf directives "request-sit", "sit-secret" and "nosit-udp-size" are still valid and will be replaced by "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND 9.11. The existing dig directive "+sit" is still valid and will be replaced with "+cookie" in BIND 9.11.
* When retrying a query via TCP due to the first answer being truncated, dig will now correctly send the COOKIE value returned by the server in the prior response. [RT #39047]
* Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now accepted as valid hostnames when using the check-names option. <forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889]

Bug Fixes

* Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
* A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig +short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT #40456]
* BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]
* Several bugs have been fixed in the RPZ implementation:
  + Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]
  + The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]
  + On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]
  + The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]
  + The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649]
  + Query names could match against the wrong policy zone if wildcard records were present. [RT #40357]
Add SHA512 digests for distfiles for net category

Problems found with existing digests:
    Package haproxy distfile haproxy-1.5.14.tar.gz
    159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
    da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
    Package bsddip: missing distfile bsddip-1.02.tar.Z
    Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
    Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
    Package djbdns: missing distfile djbdns-cachestats.patch
    Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
    Package gated: missing distfile gated-3-5-11.tar.gz
    Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
    Package poink: missing distfile poink-1.6.tar.gz
    Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
    Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
    Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail.
Pullup ticket #4811 - requested by sevan
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.11-1.12
- net/bind910/distinfo 1.9-1.10
- net/bind910/patches/patch-lib_dns_hmac_link.c deleted
- net/bind910/patches/patch-lib_dns_include_dst_dst.h deleted
- net/bind910/patches/patch-lib_dns_ncache.c deleted
- net/bind910/patches/patch-lib_dns_openssldh_link.c deleted
- net/bind910/patches/patch-lib_dns_openssldsa_link.c deleted
- net/bind910/patches/patch-lib_dns_opensslecdsa_link.c deleted
- net/bind910/patches/patch-lib_dns_opensslrsa_link.c deleted
- net/bind910/patches/patch-lib_dns_pkcs11dh_link.c deleted
- net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c deleted
- net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c deleted
- net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c deleted
- net/bind910/patches/patch-lib_dns_resolver.c deleted
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Sep 2 19:46:44 UTC 2015

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo
Added Files:
    pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c patch-lib_dns_pkcs11rsa_link.c patch-lib_dns_rdata_generic_openpgpkey_61.c patch-lib_dns_resolver.c

Log Message:
Patch CVE-2015-5722 & CVE-2015-5986
Bump rev

CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
https://kb.isc.org/article/AA-01287/0

CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0

Reviewed by wiz@
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Sep 3 00:33:32 UTC 2015

Modified Files:
    pkgsrc/net/bind910: Makefile distinfo
Removed Files:
    pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c patch-lib_dns_pkcs11rsa_link.c patch-lib_dns_rdata_generic_openpgpkey_61.c patch-lib_dns_resolver.c

Log Message:
Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4). (Already fixed by bind-9.10.2pl3nb1.)

--- 9.10.2-P4 released ---

4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]
Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4). (Already fixed by bind-9.10.2pl3nb1.)

--- 9.10.2-P4 released ---

4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]
Patch CVE-2015-5722 & CVE-2015-5986
Bump rev

CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
https://kb.isc.org/article/AA-01287/0

CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0

Reviewed by wiz@
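The log above shows the two ways a pkgsrc host can carry a BIND security fix: an upstream patch release (9.10.2pl4 = 9.10.2-P4) or a PKGREVISION bump that ships the fix as local patches (9.10.2pl3nb1). Checking a fleet therefore means parsing both naming styles and not treating the "nb" suffix as an upstream version component. The following is an added example, not pkgsrc or ISC code: it maps each CVE recorded in this log to the first build on this page that fixes it (per the entries on this page only; consult ISC's advisories for anything else) and reports what a given version string still lacks. Version strings and the `bind-` / `BIND ` prefixes are assumed to be what `pkg_info -e bind` and `named -v` print.

```python
import re

# Accepts ISC style ("9.10.2-P3", "BIND 9.10.2-P3") and pkgsrc style
# ("bind-9.10.2pl3nb1"): "pl" is the patch level, "nb" the pkgsrc PKGREVISION.
VERSION_RE = re.compile(
    r"^(?:BIND\s+|bind-)?(\d+)\.(\d+)\.(\d+)(?:(?:-P|pl)(\d+))?(?:nb(\d+))?$"
)


def parse_version(text):
    """Return ((major, minor, micro, patchlevel), nb) for a BIND version string.

    The PKGREVISION (nb) is kept separate: it only orders rebuilds of the same
    upstream release and must never be compared across releases.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, micro, patch, nb = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0)), int(nb or 0)


# (CVE, first upstream release in this log that carries the fix,
#  pkgsrc build that already carried it as local patches, or None)
FIXES = [
    ("CVE-2014-3214", (9, 10, 1, 0), None),
    ("CVE-2014-3859", (9, 10, 1, 0), None),
    ("CVE-2014-8500", (9, 10, 1, 1), None),
    ("CVE-2014-8680", (9, 10, 1, 1), None),
    ("CVE-2015-1349", (9, 10, 1, 2), None),
    ("CVE-2015-4620", (9, 10, 2, 2), None),
    ("CVE-2015-5477", (9, 10, 2, 3), None),
    # bind-9.10.2pl3nb1 shipped these two as patches before 9.10.2-P4 landed.
    ("CVE-2015-5722", (9, 10, 2, 4), ((9, 10, 2, 3), 1)),
    ("CVE-2015-5986", (9, 10, 2, 4), ((9, 10, 2, 3), 1)),
]


def unfixed_cves(version):
    """List the CVEs from this log that `version` does not include a fix for."""
    upstream, nb = parse_version(version)
    missing = []
    for cve, fixed_in, backport in FIXES:
        if upstream >= fixed_in:
            continue
        if backport is not None:
            base, min_nb = backport
            if upstream == base and nb >= min_nb:
                continue  # fix present via pkgsrc patches in this PKGREVISION
        missing.append(cve)
    return missing


if __name__ == "__main__":
    # Constructed inputs standing in for `named -v` / `pkg_info -e bind` output.
    for v in ("BIND 9.10.2-P3", "bind-9.10.2pl3nb1", "9.10.1"):
        print(f"{v}: missing {unfixed_cves(v) or 'nothing from this log'}")
```

Note that `named -v` only reports the upstream version, so a host patched via a PKGREVISION bump looks vulnerable unless you also read the pkgsrc package name; that is why the backport entry compares the upstream tuple for equality and then the nb value separately.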
Pullup ticket #4785 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.10
- net/bind910/distinfo 1.8
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jul 28 22:36:38 UTC 2015

Modified Files:
pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.2pl3 (BIND 9.10.2-P3).

--- 9.10.2-P3 released ---

4165. [security] A failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) [RT #40046]
Update bind910 to 9.10.2pl3 (BIND 9.10.2-P3).

--- 9.10.2-P3 released ---

4165. [security] A failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) [RT #40046]
Pullup ticket #4769 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.9
- net/bind910/distinfo 1.7
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jul 7 22:26:42 UTC 2015

Modified Files:
pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.2pl2.

--- 9.10.2-P2 released ---

4138. [bug] An uninitialized value in validator.c could result in an assertion failure. (CVE-2015-4620) [RT #39795]
Update bind910 to 9.10.2pl2.

--- 9.10.2-P2 released ---

4138. [bug] An uninitialized value in validator.c could result in an assertion failure. (CVE-2015-4620) [RT #39795]
Update bind910 to 9.10.2pl1 (BIND 9.10.2-P1).

--- 9.10.2-P1 released ---

4134. [cleanup] Include client-ip rules when logging the number of RPZ rules of each type. [RT #39670]

4131. [bug] Addressed further problems with reloading RPZ zones. [RT #39649]

4126. [bug] Addressed a regression introduced in change #4121. [RT #39611]

4122. [bug] The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]

4121. [bug] On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]

4120. [bug] A bug in RPZ could cause the server to crash if policy zones were updated while recursion was pending for RPZ processing of an active query. [RT #39415]

4116. [bug] Fix a bug in RPZ that could cause some policy zones that did not specifically require recursion to be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]

4063. [bug] Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

4062. [bug] Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't result in a bug during operation. If the read failed, named could segfault. [RT #38559]
Update bind910 package to 9.10.2.

Security Fixes

* On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344]

* A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580]

* Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679]

A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients.

New Features

* None

Feature Changes

* ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";).

* When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.

* NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.)

* NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently.

* Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems.

* Added support for OPENPGPKEY type.

* When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category.

* If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked.

Bug Fixes

* dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892]

* The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138]

* Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159]

* When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172]

* dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183]

* UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233]

* Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216]

* When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506]

* Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187]

* When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN.

* When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796]

* Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965]

* A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE.

* Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time.

* Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]

* Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454]

* Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information. [RT #38458]
Pullup ticket #4622 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.5
- net/bind910/distinfo 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 19 00:37:17 UTC 2015

Modified Files:
pkgsrc/net/bind910: Makefile distinfo

Log Message:
Update bind910 to 9.10.1pl2 (BIND 9.10.1-P2).

--- 9.10.1-P2 released ---

4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344]

4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
Update bind910 to 9.10.1pl2 (BIND 9.10.1-P2).

--- 9.10.1-P2 released ---

4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344]

4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
Pullup ticket #4570 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile 1.2-1.3
- net/bind910/PLIST 1.2-1.3
- net/bind910/distinfo 1.2-1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in 1.2
- net/bind910/patches/patch-configure 1.2
- net/bind910/patches/patch-lib_bind9_Makefile.in deleted
- net/bind910/patches/patch-lib_dns_Makefile.in deleted
- net/bind910/patches/patch-lib_dns_rbt.c 1.2
- net/bind910/patches/patch-lib_isc_Makefile.in deleted
- net/bind910/patches/patch-lib_isccc_Makefile.in deleted
- net/bind910/patches/patch-lib_isccfg_Makefile.in deleted
- net/bind910/patches/patch-lib_lwres_Makefile.in deleted
- net/bind910/patches/patch-lib_lwres_getaddrinfo.c 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Oct 14 16:23:19 UTC 2014

Modified Files:
pkgsrc/net/bind910: Makefile PLIST distinfo
pkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c
Removed Files:
pkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in patch-lib_lwres_Makefile.in

Log Message:
Update bind910 to 9.10.1.

Security Fixes

A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]

A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

New Features

Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT #36625] [RT #36737]

Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]

Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]

Added version printing options to various BIND utilities. [RT #26057] [RT #10686]

Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

Feature Changes

"geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]

Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]

rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]

Improves the accuracy of dig's reported round trip times. [RT #36611]

When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]

Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]

DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

An assertion failure could occur if a route event arrived while shutting down. [RT #36887]

When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]

The AD flag was being set inappropriately on RPZ responses. [RT #36833]

Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]

On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]

RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]

Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885]

A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]

Addresses some problems with unrecoverable lookup failures. [RT #36330]

Addresses a race condition issue in dispatch. [RT #36731]

acl elements could be miscounted, causing a crash while loading a config [RT #36675]

Corrects a deadlock between view.c and adb.c. [RT #36341]

liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]

Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]

Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]

Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]

Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]

Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]

Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]

Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Dec 8 21:59:09 UTC 2014

Modified Files:
pkgsrc/net/bind910: Makefile PLIST distinfo

Log Message:
Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

--- 9.10.1-P1 released ---

4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580]

4003. [security] When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation (CVE-2014-8680). [RT #37720]

4002. [security] Lookups in GeoIP databases that were not loaded could cause an assertion failure (CVE-2014-8680). [RT #37679]

4001. [security] The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure (CVE-2014-8680). [RT #37672]
Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

--- 9.10.1-P1 released ---

4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580]

4003. [security] When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation (CVE-2014-8680). [RT #37720]

4002. [security] Lookups in GeoIP databases that were not loaded could cause an assertion failure (CVE-2014-8680). [RT #37679]

4001. [security] The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure (CVE-2014-8680). [RT #37672]
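The 9.10.1-P1 entry above and the fuller 9.10.2 description of CVE-2014-8500 both describe the same defence: an iterative resolver that chases name servers whose own addresses require further lookups must bound both how deep it descends and how many queries it sends, or a crafted delegation keeps it busy forever. The following is an added illustration and not BIND source code: a toy resolver over a constructed delegation graph (zone names, host names and addresses are invented, using RFC 5737 documentation ranges) in which a glue-less circular delegation trips the depth limit, a zone with sixty unresponsive glued servers trips the query budget, and a healthy delegation answers normally. The limit values mirror the defaults quoted on this page; the 9.10.2 notes say max-recursion-queries was adjusted later, so do not read the numbers here as current defaults.

```python
"""Toy model of the limits BIND 9.10.1-P1 introduced for CVE-2014-8500.

Added illustration, not BIND code. It mimics what max-recursion-depth and
max-recursion-queries bound, using constructed zones, hosts and addresses.
"""

# Constructed delegation data: zone -> host names of its name servers.
DELEGATIONS = {
    # Circular, glue-less delegation: a.example.'s server is in b.example.,
    # whose server is in a.example. Without a depth limit a resolver chases
    # name servers forever.
    "a.example.": ["ns.b.example."],
    "b.example.": ["ns.a.example."],
    # Sixty servers with glue that never answer: burns the query budget
    # without ever descending a level.
    "wide.example.": [f"ns{i}.wide.example." for i in range(60)],
    # Healthy delegation with glue.
    "ok.example.": ["ns1.ok.example."],
}
GLUE = {"ns1.ok.example.": "192.0.2.53"}
GLUE.update({f"ns{i}.wide.example.": f"198.51.100.{i}" for i in range(60)})
DEAD = {addr for ns, addr in GLUE.items() if ns.endswith("wide.example.")}


class ResolverLimit(Exception):
    """A configured limit tripped; named answers SERVFAIL instead of looping."""


class NoReachableServer(Exception):
    """Ordinary failure: every name server for the zone was tried."""


def zone_of(name):
    # Constructed convention for this model: the zone is the last two labels.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def resolve(name, max_depth=7, max_queries=50, _depth=0, _stats=None):
    """Return the address of a responding name server for name's zone.

    Looking up a glue-less server's own address descends one level, charged
    against max_depth; every server actually queried is charged against
    max_queries. In this model, reaching a server for the NS host's zone
    stands in for learning that host's address.
    """
    stats = _stats if _stats is not None else {"queries": 0}
    if _depth > max_depth:
        raise ResolverLimit(
            f"recursion depth {_depth} exceeds max-recursion-depth {max_depth}")
    for ns in DELEGATIONS[zone_of(name)]:
        if ns in GLUE:
            addr = GLUE[ns]
        else:
            addr = resolve(ns, max_depth, max_queries, _depth + 1, stats)
        stats["queries"] += 1
        if stats["queries"] > max_queries:
            raise ResolverLimit(
                f"{stats['queries']} queries exceed max-recursion-queries {max_queries}")
        if addr not in DEAD:
            return addr
    raise NoReachableServer(name)


def outcome(name, **limits):
    """Summarise a lookup the way a client would see it."""
    try:
        return "answer via " + resolve(name, **limits)
    except ResolverLimit as exc:
        return f"SERVFAIL ({exc})"
    except NoReachableServer:
        return "SERVFAIL (no reachable server)"


if __name__ == "__main__":
    for qname in ("www.ok.example.", "www.a.example.", "www.wide.example."):
        print(qname, "->", outcome(qname))
```

Raising the depth limit does not rescue the circular case, it only delays the SERVFAIL; that is the point of the fix, since the loop has no natural exit. Raising the query budget past sixty for the wide case turns the limit failure into an ordinary "no reachable server" failure, which is how you distinguish a hostile delegation from a merely broken one in the model.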
Update bind910 to 9.10.1.

Security Fixes

A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]

A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

New Features

Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT #36625] [RT #36737]

Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]

Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]

Added version printing options to various BIND utilities. [RT #26057] [RT #10686]

Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

Feature Changes

"geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]

Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]

rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]

Improves the accuracy of dig's reported round trip times. [RT #36611]

When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]

Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]

DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

An assertion failure could occur if a route event arrived while shutting down. [RT #36887]

When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]

The AD flag was being set inappropriately on RPZ responses. [RT #36833]

Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]

On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]

RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]

Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885]

A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]

Addresses some problems with unrecoverable lookup failures. [RT #36330]

Addresses a race condition issue in dispatch. [RT #36731]

acl elements could be miscounted, causing a crash while loading a config [RT #36675]

Corrects a deadlock between view.c and adb.c. [RT #36341]

liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]

Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]

Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]

Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]

Fixed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]

Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]

Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]

Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]
Initial import of BIND 9.10.
Initial revision