The NetBSD Project

CVS log for pkgsrc/net/bind910/Attic/distinfo

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / net / bind910

Request diff between arbitrary revisions


Keyword substitution: kv
Default branch: MAIN


Revision 1.38
Tue Apr 30 03:55:09 2019 UTC (5 years, 7 months ago) by taca
Branches: MAIN
CVS tags: HEAD
FILE REMOVED
Changes since revision 1.37: +1 -1 lines
net/bind910: remove bind910

Remove bind910 EOL since July 2018.

Revision 1.37: download - view: text, markup, annotated - select for diffs
Sun Sep 23 14:27:07 2018 UTC (6 years, 2 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3
Diff to: previous 1.36: preferred, colored
Changes since revision 1.36: +4 -1 lines
net/bind910: backport from bind911

Backport changes between BIND 9.11.4-P1 and 9.11.4-P2.

Bump PKGREVISION.

Revision 1.32.4.2: download - view: text, markup, annotated - select for diffs
Sat Aug 18 13:18:08 2018 UTC (6 years, 3 months ago) by bsiegert
Branches: pkgsrc-2018Q2
Diff to: previous 1.32.4.1: preferred, colored; branchpoint 1.32: preferred, colored; next MAIN 1.33: preferred, colored
Changes since revision 1.32.4.1: +6 -5 lines
Pullup ticket #5810 - requested by maya
net/bind99: security fix, NetBSD build fix
net/bind910: security fix, NetBSD build fix

Revisions pulled up:
- net/bind910/Makefile                                          1.42-1.43
- net/bind910/distinfo                                          1.35-1.36
- net/bind910/patches/patch-lib_isc_unix_socket.c               1.1
- net/bind99/Makefile                                           1.75-1.76
- net/bind99/distinfo                                           1.53-1.54
- net/bind99/patches/patch-lib_isc_unix_socket.c                1.1

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Aug  9 14:51:25 UTC 2018

   Modified Files:
           pkgsrc/net/bind99: Makefile distinfo

   Log Message:
   net/bind99: update to 9.9.13pl1

   Update bind99 to 9.9.13pl1 (9.9.13-P1).

           --- 9.9.13-P1 released ---

   4997.   [security]      named could crash during recursive processing
                           of DNAME records when "deny-answer-aliases" was
                           in use. (CVE-2018-5740) [GL #387]

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Aug  9 14:49:09 UTC 2018

   Modified Files:
           pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   net/bind910: update to 9.10.8pl1

   Update bind910 to 9.10.8pl1 (9.10.8-P1).

           --- 9.10.8-P1 released ---

   4997.   [security]      named could crash during recursive processing
                           of DNAME records when "deny-answer-aliases" was
                           in use. (CVE-2018-5740) [GL #387]

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Aug 13 13:36:25 UTC 2018

   Modified Files:
           pkgsrc/net/bind99: Makefile distinfo
   Added Files:
           pkgsrc/net/bind99/patches: patch-lib_isc_unix_socket.c

   Log Message:
   bind99: Make ENOBUFS a soft error. Needed for netbsd>=8.
   See https://gitlab.isc.org/isc-projects/bind9/issues/462
   bump PKGREVISION

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Aug 13 13:37:14 UTC 2018

   Modified Files:
           pkgsrc/net/bind910: Makefile
   Added Files:
           pkgsrc/net/bind910/patches: patch-lib_isc_unix_socket.c

   Log Message:
   bind910: Make ENOBUFS a soft error. Needed for netbsd>=8.
   See https://gitlab.isc.org/isc-projects/bind9/issues/462
   Bump PKGREVISION.

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Aug 13 13:41:49 UTC 2018

   Modified Files:
           pkgsrc/net/bind910: distinfo

   Log Message:
   bind910: also add patch to distinfo.

Revision 1.36: download - view: text, markup, annotated - select for diffs
Mon Aug 13 13:41:49 2018 UTC (6 years, 3 months ago) by maya
Branches: MAIN
Diff to: previous 1.35: preferred, colored
Changes since revision 1.35: +2 -1 lines
bind910: also add patch to distinfo.

Revision 1.35: download - view: text, markup, annotated - select for diffs
Thu Aug 9 14:49:09 2018 UTC (6 years, 4 months ago) by taca
Branches: MAIN
Diff to: previous 1.34: preferred, colored
Changes since revision 1.34: +5 -5 lines
net/bind910: update to 9.10.8pl1

Update bind910 to 9.10.8pl1 (9.10.8-P1).

	--- 9.10.8-P1 released ---

4997.	[security]	named could crash during recursive processing
			of DNAME records when "deny-answer-aliases" was
			in use. (CVE-2018-5740) [GL #387]

Revision 1.32.4.1: download - view: text, markup, annotated - select for diffs
Sat Jul 14 18:36:25 2018 UTC (6 years, 4 months ago) by spz
Branches: pkgsrc-2018Q2
Diff to: previous 1.32: preferred, colored
Changes since revision 1.32: +6 -6 lines
Pullup ticket #5788 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.41
- net/bind910/distinfo                                          1.33-1.34
- net/bind910/patches/patch-bin_tests_system_metadata_tests.sh  1.2

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sat Jul 14 03:53:42 UTC 2018

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo
   	pkgsrc/net/bind910/patches: patch-bin_tests_system_metadata_tests.sh

   Log Message:
   net/bind910: update to 9.10.8

   This release contains security fix for CVE-2018-5738 and several bug fixes.
   For more detail, please refer CHANGES file.


   To generate a diff of this commit:
   cvs rdiff -u -r1.40 -r1.41 pkgsrc/net/bind910/Makefile
   cvs rdiff -u -r1.32 -r1.33 pkgsrc/net/bind910/distinfo
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/net/bind910/patches/patch-bin_tests_system_metadata_tests.sh

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sat Jul 14 03:54:59 UTC 2018

   Modified Files:
   	pkgsrc/net/bind910: distinfo

   Log Message:
   net/bind910: remove local trial patch.

   Remove local trial patch info.


   To generate a diff of this commit:
   cvs rdiff -u -r1.33 -r1.34 pkgsrc/net/bind910/distinfo

Revision 1.34: download - view: text, markup, annotated - select for diffs
Sat Jul 14 03:54:59 2018 UTC (6 years, 4 months ago) by taca
Branches: MAIN
Diff to: previous 1.33: preferred, colored
Changes since revision 1.33: +1 -2 lines
net/bind910: remove local trial patch.

Remove local trial patch info.

Revision 1.33: download - view: text, markup, annotated - select for diffs
Sat Jul 14 03:53:42 2018 UTC (6 years, 4 months ago) by taca
Branches: MAIN
Diff to: previous 1.32: preferred, colored
Changes since revision 1.32: +7 -6 lines
net/bind910: update to 9.10.8

This release contains security fix for CVE-2018-5738 and several bug fixes.
For more detail, please refer CHANGES file.

Revision 1.32: download - view: text, markup, annotated - select for diffs
Sat Mar 24 15:02:32 2018 UTC (6 years, 8 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2018Q2-base, pkgsrc-2018Q1-base, pkgsrc-2018Q1
Branch point for: pkgsrc-2018Q2
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +6 -5 lines
net/bind910: update to 9.10.7

New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of
BIND are now available.

Release notes can be found with the releases or in the ISC Knowledge Base:

 9.9.12:  https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html
 9.10.7:  https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html
 9.11.3:  https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html
 9.12.1:  https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html

Users who are migrating an existing BIND configuration to these new
versions should take special note of two changes in the behavior
of the "update-policy" statement which slightly change the behavior
of two update-policy options.

The first such change is discussed in greater length in the BIND
Operational Notification issued today:


https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly

The second change to update-policy behavior concerns this change:

   "update-policy rules that otherwise ignore the name field now
   require that it be set to "." to ensure that any type list present
   is properly interpreted. Previously, if the name field was omitted
   from the rule declaration but a type list was present, it wouldn't
   be interpreted as expected."

which is a correction to an ambiguous case that was previously allowed,
but which was capable of causing unexpected results when accidentally
applied.  The new requirement eliminates is intended to eliminate the
confusion, which previously caused some operators to misapply security
policies.  However, due to the new requirement, named configuration
files that relied on the previous behavior will no longer be accepted.

These changes should not affect most operators, even those using
"update-policy" to define Dynamic DNS permissions, but we would like
to draw your attention to them so that operators are informed about
the new behaviors.

Revision 1.31: download - view: text, markup, annotated - select for diffs
Thu Feb 8 14:43:06 2018 UTC (6 years, 10 months ago) by fhajny
Branches: MAIN
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +2 -2 lines
net/bind910: Fix problem in configure where contents of $LIBS would
be lost when json-c support was enabled.

Revision 1.29.2.1: download - view: text, markup, annotated - select for diffs
Fri Jan 19 21:42:37 2018 UTC (6 years, 10 months ago) by spz
Branches: pkgsrc-2017Q4
Diff to: previous 1.29: preferred, colored; next MAIN 1.30: preferred, colored
Changes since revision 1.29: +5 -5 lines
Pullup ticket #5684 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.39
- net/bind910/distinfo                                          1.30

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Jan 17 00:31:38 UTC 2018

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   net/bind910: update to 9.10.6pl1 (BIND 9.10.6-P1).

   Release Notes for BIND Version 9.10.6-P1

   Introduction

      This document summarizes changes since BIND 9.10.6.

      BIND 9.10.6-P1 addresses the security issue described in CVE-2017-3145.

   Download

      The latest versions of BIND 9 software can always be found at
      http://www.isc.org/downloads/. There you will find additional
      information about each release, source code, and pre-compiled versions
      for Microsoft Windows operating systems.

   New DNSSEC Root Key

      ICANN is in the process of introducing a new Key Signing Key (KSK) for
      the global root zone. BIND has multiple methods for managing DNSSEC
      trust anchors, with somewhat different behaviors. If the root key is
      configured using the managed-keys statement, or if the pre-configured
      root key is enabled by using dnssec-validation auto, then BIND can keep
      keys up to date automatically. Servers configured in this way should
      have begun the process of rolling to the new key when it was published
      in the root zone in July 2017. However, keys configured using the
      trusted-keys statement are not automatically maintained. If your server
      is performing DNSSEC validation and is configured using trusted-keys,
      you are advised to change your configuration before the root zone
      begins signing with the new KSK. This is currently scheduled for
      October 11, 2017.

      This release includes an updated version of the bind.keys file
      containing the new root key. This file can also be downloaded from
      https://www.isc.org/bind-keys .

   Windows XP No Longer Supported

      As of BIND 9.10.6, Windows XP is no longer a supported platform for
      BIND, and Windows XP binaries are no longer available for download from
      ISC.

   Security Fixes

        * Addresses could be referenced after being freed during resolver
          processing, causing an assertion failure. The chances of this
          happening were remote, but the introduction of a delay in
          resolution increased them. (The delay will be addressed in an
          upcoming maintenance release.) This bug is disclosed in
          CVE-2017-3145. [RT #46839]
        * An error in TSIG handling could permit unauthorized zone transfers
          or zone updates. These flaws are disclosed in CVE-2017-3142 and
          CVE-2017-3143. [RT #45383]
        * The BIND installer on Windows used an unquoted service path, which
          can enable privilege escalation. This flaw is disclosed in
          CVE-2017-3141. [RT #45229]
        * With certain RPZ configurations, a response with TTL 0 could cause
          named to go into an infinite query loop. This flaw is disclosed in
          CVE-2017-3140. [RT #45181]

   Feature Changes

        * dig +ednsopt now accepts the names for EDNS options in addition to
          numeric values. For example, an EDNS Client-Subnet option could be
          sent using dig +ednsoptěs:.... Thanks to John Worley of Secure64
          for the contribution. [RT #44461]
        * Threads in named are now set to human-readable names to assist
          debugging on operating systems that support that. Threads will have
          names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
          on. This will affect the reporting of subsidiary thread names in ps
          and top, but not the main thread. [RT #43234]
        * DiG now warns about .local queries which are reserved for Multicast
          DNS. [RT #44783]

   Bug Fixes

        * Fixed a bug that was introduced in an earlier development release
          which caused multi-packet AXFR and IXFR messages to fail validation
          if not all packets contained TSIG records; this caused
          interoperability problems with some other DNS implementations. [RT
          #45509]
        * Semicolons are no longer escaped when printing CAA and URI records.
          This may break applications that depend on the presence of the
          backslash before the semicolon. [RT #45216]
        * AD could be set on truncated answer with no records present in the
          answer and authority sections. [RT #45140]

   End of Life

      The end of life for BIND 9.10 is yet to be determined but will not be
      before BIND 9.12.0 has been released for 6 months.
      https://www.isc.org/downloads/software-support-policy/


   To generate a diff of this commit:
   cvs rdiff -u -r1.38 -r1.39 pkgsrc/net/bind910/Makefile
   cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/bind910/distinfo

Revision 1.30: download - view: text, markup, annotated - select for diffs
Wed Jan 17 00:31:38 2018 UTC (6 years, 10 months ago) by taca
Branches: MAIN
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +5 -5 lines
net/bind910: update to 9.10.6pl1 (BIND 9.10.6-P1).

Release Notes for BIND Version 9.10.6-P1

Introduction

   This document summarizes changes since BIND 9.10.6.

   BIND 9.10.6-P1 addresses the security issue described in CVE-2017-3145.

Download

   The latest versions of BIND 9 software can always be found at
   http://www.isc.org/downloads/. There you will find additional
   information about each release, source code, and pre-compiled versions
   for Microsoft Windows operating systems.

New DNSSEC Root Key

   ICANN is in the process of introducing a new Key Signing Key (KSK) for
   the global root zone. BIND has multiple methods for managing DNSSEC
   trust anchors, with somewhat different behaviors. If the root key is
   configured using the managed-keys statement, or if the pre-configured
   root key is enabled by using dnssec-validation auto, then BIND can keep
   keys up to date automatically. Servers configured in this way should
   have begun the process of rolling to the new key when it was published
   in the root zone in July 2017. However, keys configured using the
   trusted-keys statement are not automatically maintained. If your server
   is performing DNSSEC validation and is configured using trusted-keys,
   you are advised to change your configuration before the root zone
   begins signing with the new KSK. This is currently scheduled for
   October 11, 2017.

   This release includes an updated version of the bind.keys file
   containing the new root key. This file can also be downloaded from
   https://www.isc.org/bind-keys .

Windows XP No Longer Supported

   As of BIND 9.10.6, Windows XP is no longer a supported platform for
   BIND, and Windows XP binaries are no longer available for download from
   ISC.

Security Fixes

     * Addresses could be referenced after being freed during resolver
       processing, causing an assertion failure. The chances of this
       happening were remote, but the introduction of a delay in
       resolution increased them. (The delay will be addressed in an
       upcoming maintenance release.) This bug is disclosed in
       CVE-2017-3145. [RT #46839]
     * An error in TSIG handling could permit unauthorized zone transfers
       or zone updates. These flaws are disclosed in CVE-2017-3142 and
       CVE-2017-3143. [RT #45383]
     * The BIND installer on Windows used an unquoted service path, which
       can enable privilege escalation. This flaw is disclosed in
       CVE-2017-3141. [RT #45229]
     * With certain RPZ configurations, a response with TTL 0 could cause
       named to go into an infinite query loop. This flaw is disclosed in
       CVE-2017-3140. [RT #45181]

Feature Changes

     * dig +ednsopt now accepts the names for EDNS options in addition to
       numeric values. For example, an EDNS Client-Subnet option could be
       sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
       for the contribution. [RT #44461]
     * Threads in named are now set to human-readable names to assist
       debugging on operating systems that support that. Threads will have
       names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
       on. This will affect the reporting of subsidiary thread names in ps
       and top, but not the main thread. [RT #43234]
     * DiG now warns about .local queries which are reserved for Multicast
       DNS. [RT #44783]

Bug Fixes

     * Fixed a bug that was introduced in an earlier development release
       which caused multi-packet AXFR and IXFR messages to fail validation
       if not all packets contained TSIG records; this caused
       interoperability problems with some other DNS implementations. [RT
       #45509]
     * Semicolons are no longer escaped when printing CAA and URI records.
       This may break applications that depend on the presence of the
       backslash before the semicolon. [RT #45216]
     * AD could be set on truncated answer with no records present in the
       answer and authority sections. [RT #45140]

End of Life

   The end of life for BIND 9.10 is yet to be determined but will not be
   before BIND 9.12.0 has been released for 6 months.
   https://www.isc.org/downloads/software-support-policy/

Revision 1.29: download - view: text, markup, annotated - select for diffs
Tue Nov 7 02:16:44 2017 UTC (7 years, 1 month ago) by kamil
Branches: MAIN
CVS tags: pkgsrc-2017Q4-base
Branch point for: pkgsrc-2017Q4
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +2 -2 lines
bind910: Correct bind-json-statistics-server option build

Switch detection of json-c from homegrown detection of libraries in
hardcoded dirs to pkg-config detection.

Add new USE_TOOLS option pkg-config.

Bump PKGREVISION to 1 for new dependency.

Revision 1.28: download - view: text, markup, annotated - select for diffs
Mon Jul 31 13:37:53 2017 UTC (7 years, 4 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +5 -5 lines
Update bind910 to 9.10.6.

Here is release note except security (already fixed by bind-9.10.5pl3, BIND
9.10.5-P3).

Release Notes for BIND Version 9.10.6

Introduction

   This document summarizes changes since the last production release on
   the BIND 9.10 branch. Please see the CHANGES file for a further list of
   bug fixes and other changes.

Download

   The latest versions of BIND 9 software can always be found at
   http://www.isc.org/downloads/. There you will find additional
   information about each release, source code, and pre-compiled versions
   for Microsoft Windows operating systems.

New DNSSEC Root Key

   ICANN is in the process of introducing a new Key Signing Key (KSK) for
   the global root zone. BIND has multiple methods for managing DNSSEC
   trust anchors, with somewhat different behaviors. If the root key is
   configured using the managed-keys statement, or if the pre-configured
   root key is enabled by using dnssec-validation auto, then BIND can keep
   keys up to date automatically. Servers configured in this way should
   have begun the process of rolling to the new key when it was published
   in the root zone in July 2017. However, keys configured using the
   trusted-keys statement are not automatically maintained. If your server
   is performing DNSSEC validation and is configured using trusted-keys,
   you are advised to change your configuration before the root zone
   begins signing with the new KSK. This is currently scheduled for
   October 11, 2017.

   This release includes an updated version of the bind.keys file
   containing the new root key. This file can also be downloaded from
   https://www.isc.org/bind-keys .

Windows XP No Longer Supported

   As of BIND 9.10.6, Windows XP is no longer a supported platform for
   BIND, and Windows XP binaries are no longer available for download from
   ISC.

Feature Changes

     * dig +ednsopt now accepts the names for EDNS options in addition to
       numeric values. For example, an EDNS Client-Subnet option could be
       sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
       for the contribution. [RT #44461]
     * Threads in named are now set to human-readable names to assist
       debugging on operating systems that support that. Threads will have
       names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
       on. This will affect the reporting of subsidiary thread names in ps
       and top, but not the main thread. [RT #43234]
     * DiG now warns about .local queries which are reserved for Multicast
       DNS. [RT #44783]

Bug Fixes

     * Fixed a bug that was introduced in an earlier development release
       which caused multi-packet AXFR and IXFR messages to fail validation
       if not all packets contained TSIG records; this caused
       interoperability problems with some other DNS implementations. [RT
       #45509]
     * Semicolons are no longer escaped when printing CAA and URI records.
       This may break applications that depend on the presence of the
       backslash before the semicolon. [RT #45216]
     * AD could be set on truncated answer with no records present in the
       answer and authority sections. [RT #45140]

End of Life

   The end of life for BIND 9.10 is yet to be determined but will not be
   before BIND 9.12.0 has been released for 6 months.
   https://www.isc.org/downloads/software-support-policy/

Revision 1.26.2.1: download - view: text, markup, annotated - select for diffs
Sun Jul 16 08:09:48 2017 UTC (7 years, 4 months ago) by bsiegert
Branches: pkgsrc-2017Q2
Diff to: previous 1.26: preferred, colored; next MAIN 1.27: preferred, colored
Changes since revision 1.26: +5 -5 lines
Pullup ticket #5511 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.36
- net/bind910/distinfo                                          1.27

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sat Jul  8 04:29:00 UTC 2017

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.5pl3 (BIND 9.10.5-P3).

   --- 9.10.5-P3 released ---

   4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
   			message sequences where not all the messages contain
   			TSIG records.  These may be used in AXFR and IXFR
   			responses. [RT #45509]

Revision 1.27: download - view: text, markup, annotated - select for diffs
Sat Jul 8 04:29:00 2017 UTC (7 years, 5 months ago) by taca
Branches: MAIN
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +5 -5 lines
Update bind910 to 9.10.5pl3 (BIND 9.10.5-P3).

--- 9.10.5-P3 released ---

4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
			message sequences where not all the messages contain
			TSIG records.  These may be used in AXFR and IXFR
			responses. [RT #45509]

Revision 1.26: download - view: text, markup, annotated - select for diffs
Sat Jul 1 17:39:44 2017 UTC (7 years, 5 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2017Q2-base
Branch point for: pkgsrc-2017Q2
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +5 -5 lines
Update bind910 to 9.10.5pl2 (9.10.5-P2).

--- 9.10.5-P2 released ---

4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]

4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.

Revision 1.25: download - view: text, markup, annotated - select for diffs
Thu Jun 15 01:58:41 2017 UTC (7 years, 5 months ago) by taca
Branches: MAIN
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +5 -5 lines
Update bind910 package to 9.10.5pl1 (BIND 9.10.5-P1).

	--- 9.10.5-P1 released ---

4632.	[security]	The BIND installer on Windows used an unquoted
			service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]

4631.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]

Revision 1.24: download - view: text, markup, annotated - select for diffs
Sat Apr 22 16:05:43 2017 UTC (7 years, 7 months ago) by taca
Branches: MAIN
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +6 -6 lines
Update bind910 to 9.10.5 (BIND 9.10.5).

This is maintenance release and please refer release announce in detail:
https://kb.isc.org/article/AA-01490.

Revision 1.22.2.1: download - view: text, markup, annotated - select for diffs
Thu Apr 13 11:29:32 2017 UTC (7 years, 7 months ago) by bsiegert
Branches: pkgsrc-2017Q1
Diff to: previous 1.22: preferred, colored; next MAIN 1.23: preferred, colored
Changes since revision 1.22: +5 -5 lines
Pullup ticket #5272 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.32
- net/bind910/distinfo                                          1.23

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Apr 13 01:52:42 UTC 2017

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.4pl8 (BIND 9.10.4-P8).

   Quote from release announce:

      BIND 9.10.4-P8 addresses the security issues described in
      CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the
      built-in trusted keys for the root zone.

   From CHANGELOG:

   	--- 9.10.4-P8 released ---

   4582.	[security]	'rndc ""' could trigger a assertion failure in named.
   			(CVE-2017-3138) [RT #44924]

   4580.	[bug]		4578 introduced a regression when handling CNAME to
   			referral below the current domain. [RT #44850]

   	--- 9.10.4-P7 released ---

   4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
   			queries could trigger assertion failures.
   			(CVE-2017-3137) [RT #44734]

   4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
   			assertion failure. (CVE-2017-3136) [RT #44653]

   4564.	[maint]		Update the built in managed keys to include the
   			upcoming root KSK. [RT #44579]

Revision 1.23: download - view: text, markup, annotated - select for diffs
Thu Apr 13 01:52:42 2017 UTC (7 years, 7 months ago) by taca
Branches: MAIN
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +5 -5 lines
Update bind910 to 9.10.4pl8 (BIND 9.10.4-P8).

Quote from release announce:

   BIND 9.10.4-P8 addresses the security issues described in
   CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the
   built-in trusted keys for the root zone.

From CHANGELOG:

	--- 9.10.4-P8 released ---

4582.	[security]	'rndc ""' could trigger a assertion failure in named.
			(CVE-2017-3138) [RT #44924]

4580.	[bug]		4578 introduced a regression when handling CNAME to
			referral below the current domain. [RT #44850]

	--- 9.10.4-P7 released ---

4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
			assertion failure. (CVE-2017-3136) [RT #44653]

4564.	[maint]		Update the built in managed keys to include the
			upcoming root KSK. [RT #44579]

Revision 1.20.2.2: download - view: text, markup, annotated - select for diffs
Sun Feb 12 21:59:21 2017 UTC (7 years, 9 months ago) by spz
Branches: pkgsrc-2016Q4
Diff to: previous 1.20.2.1: preferred, colored; branchpoint 1.20: preferred, colored; next MAIN 1.21: preferred, colored
Changes since revision 1.20.2.1: +4 -4 lines
Pullup ticket #5210 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.29
- net/bind910/distinfo                                          1.22

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Feb  9 00:48:59 UTC 2017

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).

   Security Fixes

        * If a server is configured with a response policy zone (RPZ) that
          rewrites an answer with local data, and is also configured for
          DNS64 address mapping, a NULL pointer can be read triggering a
          server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
        * named could mishandle authority sections with missing RRSIGs,
          triggering an assertion failure. This flaw is disclosed in
          CVE-2016-9444. [RT #43632]
        * named mishandled some responses where covering RRSIG records were
          returned without the requested data, resulting in an assertion
          failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
        * named incorrectly tried to cache TKEY records which could trigger
          an assertion failure when there was a class mismatch. This flaw is
          disclosed in CVE-2016-9131. [RT #43522]
        * It was possible to trigger assertions when processing responses
          containing answers of type DNAME. This flaw is disclosed in
          CVE-2016-8864. [RT #43465]
        * Added the ability to specify the maximum number of records
          permitted in a zone (max-records #;). This provides a mechanism to
          block overly large zone transfers, which is a potential risk with
          slave zones from other parties, as described in CVE-2016-6170. [RT
          #42143]
        * It was possible to trigger an assertion when rendering a message
          using a specially crafted request. This flaw is disclosed in
          CVE-2016-2776. [RT #43139]
        * Calling getrrsetbyname() with a non absolute name could trigger an
          infinite recursion bug in lwresd or named with lwres configured if,
          when combined with a search list entry from resolv.conf, the
          resulting name is too long. This flaw is disclosed in
          CVE-2016-2775. [RT #42694]

   New Features

        * named now provides feedback to the owners of zones which have trust
          anchors configured (trusted-keys, managed-keys, dnssec-validation
          auto; and dnssec-lookaside auto;) by sending a daily query which
          encodes the keyids of the configured trust anchors for the zone.
          This is controlled by trust-anchor-telemetry and defaults to yes.
        * A new tcp-only option has been added to server clauses, to indicate
          that UDP should not be used when sending queries to a specified IP
          address or prefix.

   Feature Changes

        * The built in mangaged keys for the global root zone have been
          updated to include the upcoming key signing key (keyid 20326).
        * The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to
          be disabled in 2017. A warning is now logged when named is
          configured to use this service, either explicitly or via
          dnssec-lookaside auto;. [RT #42207]
        * If an ACL is specified with an address prefix in which the prefix
          length is longer than the address portion (for example,
          192.0.2.1/8), named will now log a warning. In future releases this
          will be a fatal configuration error. [RT #43367]

   Bug Fixes

        * A synthesized CNAME record appearing in a response before the
          associated DNAME could be cached, when it should not have been.
          This was a regression introduced while addressing CVE-2016-8864.
          [RT #44318]
        * Named could deadlock there were multiple changes to NSEC/NSEC3
          parameters for a zone being processed at the same time. [RT #42770]
        * Named could trigger a assertion when sending notify messages. [RT
          #44019]
        * Fixed a crash when calling rndc stats on some Windows builds: some
          Visual Studio compilers generate code that crashes when the "%z"
          printf() format specifier is used. [RT #42380]
        * Windows installs were failing due to triggering UAC without the
          installation binary being signed.
        * A change in the internal binary representation of the RBT database
          node structure enabled a race condition to occur (especially when
          BIND was built with certain compilers or optimizer settings),
          leading to inconsistent database state which caused random
          assertion failures. [RT #42380]
        * Referencing a nonexistent zone in a response-policy statement could
          cause an assertion failure during configuration. [RT #43787]
        * rndc addzone could cause a crash when attempting to add a zone with
          a type other than master or slave. Such zones are now rejected. [RT
          #43665]
        * named could hang when encountering log file names with large
          apparent gaps in version number (for example, when files exist
          called "logfile.0", "logfile.1", and "logfile.1482954169"). This is
          now handled correctly. [RT #38688]
        * If a zone was updated while named was processing a query for
          nonexistent data, it could return out-of-sync NSEC3 records causing
          potential DNSSEC validation failure. [RT #43247]
        * named could crash when loading a zone which had RRISG records whose
          expiry fields were far enough apart to cause an integer overflow
          when comparing them. [RT #40571]
        * The arpaname and named-rrchecker commands were not installed into
          the correct prefix/bin directory. [RT #42910]
        * When receiving a response from an authoritative server with a TTL
          value of zero, named> will now only use that response once, to
          answer the currently active clients that were waiting for it.
          Previously, such response could be cached and reused for up to one
          second. [RT #42142]
        * named-checkconf now checks the rate-limit clause for correctness.
          [RT #42970]
        * Corrected a bug in the rndc control channel that could allow a read
          past the end of a buffer, crashing named. Thanks to Lian Yihan for
          reporting this error.

   Maintenance

        * The built-in root hints have been updated to include IPv6 addresses
          for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET
          (2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).


   To generate a diff of this commit:
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/net/bind910/Makefile
   cvs rdiff -u -r1.21 -r1.22 pkgsrc/net/bind910/distinfo

Revision 1.22: download - view: text, markup, annotated - select for diffs
Thu Feb 9 00:48:59 2017 UTC (7 years, 10 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2017Q1-base
Branch point for: pkgsrc-2017Q1
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +5 -5 lines
Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).

Security Fixes

     * If a server is configured with a response policy zone (RPZ) that
       rewrites an answer with local data, and is also configured for
       DNS64 address mapping, a NULL pointer can be read triggering a
       server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
     * named could mishandle authority sections with missing RRSIGs,
       triggering an assertion failure. This flaw is disclosed in
       CVE-2016-9444. [RT #43632]
     * named mishandled some responses where covering RRSIG records were
       returned without the requested data, resulting in an assertion
       failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
     * named incorrectly tried to cache TKEY records which could trigger
       an assertion failure when there was a class mismatch. This flaw is
       disclosed in CVE-2016-9131. [RT #43522]
     * It was possible to trigger assertions when processing responses
       containing answers of type DNAME. This flaw is disclosed in
       CVE-2016-8864. [RT #43465]
     * Added the ability to specify the maximum number of records
       permitted in a zone (max-records #;). This provides a mechanism to
       block overly large zone transfers, which is a potential risk with
       slave zones from other parties, as described in CVE-2016-6170. [RT
       #42143]
     * It was possible to trigger an assertion when rendering a message
       using a specially crafted request. This flaw is disclosed in
       CVE-2016-2776. [RT #43139]
     * Calling getrrsetbyname() with a non absolute name could trigger an
       infinite recursion bug in lwresd or named with lwres configured if,
       when combined with a search list entry from resolv.conf, the
       resulting name is too long. This flaw is disclosed in
       CVE-2016-2775. [RT #42694]

New Features

     * named now provides feedback to the owners of zones which have trust
       anchors configured (trusted-keys, managed-keys, dnssec-validation
       auto; and dnssec-lookaside auto;) by sending a daily query which
       encodes the keyids of the configured trust anchors for the zone.
       This is controlled by trust-anchor-telemetry and defaults to yes.
     * A new tcp-only option has been added to server clauses, to indicate
       that UDP should not be used when sending queries to a specified IP
       address or prefix.

Feature Changes

     * The built in mangaged keys for the global root zone have been
       updated to include the upcoming key signing key (keyid 20326).
     * The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to
       be disabled in 2017. A warning is now logged when named is
       configured to use this service, either explicitly or via
       dnssec-lookaside auto;. [RT #42207]
     * If an ACL is specified with an address prefix in which the prefix
       length is longer than the address portion (for example,
       192.0.2.1/8), named will now log a warning. In future releases this
       will be a fatal configuration error. [RT #43367]

Bug Fixes

     * A synthesized CNAME record appearing in a response before the
       associated DNAME could be cached, when it should not have been.
       This was a regression introduced while addressing CVE-2016-8864.
       [RT #44318]
     * Named could deadlock there were multiple changes to NSEC/NSEC3
       parameters for a zone being processed at the same time. [RT #42770]
     * Named could trigger a assertion when sending notify messages. [RT
       #44019]
     * Fixed a crash when calling rndc stats on some Windows builds: some
       Visual Studio compilers generate code that crashes when the "%z"
       printf() format specifier is used. [RT #42380]
     * Windows installs were failing due to triggering UAC without the
       installation binary being signed.
     * A change in the internal binary representation of the RBT database
       node structure enabled a race condition to occur (especially when
       BIND was built with certain compilers or optimizer settings),
       leading to inconsistent database state which caused random
       assertion failures. [RT #42380]
     * Referencing a nonexistent zone in a response-policy statement could
       cause an assertion failure during configuration. [RT #43787]
     * rndc addzone could cause a crash when attempting to add a zone with
       a type other than master or slave. Such zones are now rejected. [RT
       #43665]
     * named could hang when encountering log file names with large
       apparent gaps in version number (for example, when files exist
       called "logfile.0", "logfile.1", and "logfile.1482954169"). This is
       now handled correctly. [RT #38688]
     * If a zone was updated while named was processing a query for
       nonexistent data, it could return out-of-sync NSEC3 records causing
       potential DNSSEC validation failure. [RT #43247]
     * named could crash when loading a zone which had RRISG records whose
       expiry fields were far enough apart to cause an integer overflow
       when comparing them. [RT #40571]
     * The arpaname and named-rrchecker commands were not installed into
       the correct prefix/bin directory. [RT #42910]
     * When receiving a response from an authoritative server with a TTL
       value of zero, named> will now only use that response once, to
       answer the currently active clients that were waiting for it.
       Previously, such response could be cached and reused for up to one
       second. [RT #42142]
     * named-checkconf now checks the rate-limit clause for correctness.
       [RT #42970]
     * Corrected a bug in the rndc control channel that could allow a read
       past the end of a buffer, crashing named. Thanks to Lian Yihan for
       reporting this error.

Maintenance

     * The built-in root hints have been updated to include IPv6 addresses
       for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET
       (2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).

Revision 1.20.2.1: download - view: text, markup, annotated - select for diffs
Fri Jan 13 20:15:26 2017 UTC (7 years, 10 months ago) by bsiegert
Branches: pkgsrc-2016Q4
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +5 -5 lines
Pullup ticket #5189 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.28
- net/bind910/distinfo                                          1.21

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Jan 12 00:04:43 UTC 2017

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.4pl5 (BIND 9.10.4-P5), including security fixes.

   	--- 9.10.4-P5 released ---

   4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
   			in responses resulting in SERVFAIL being returned.
   			[RT #43779]

   4528.	[bug]		Only set the flag bits for the i/o we are waiting
   			for on EPOLLERR or EPOLLHUP. [RT #43617]

   4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]

   4517.	[security]	Named could mishandle authority sections that were
   			missing RRSIGs triggering an assertion failure.
   			(CVE-2016-9444) [RT # 43632]

   4510.	[security]	Named mishandled some responses where covering RRSIG
   			records are returned without the requested data
   			resulting in a assertion failure. (CVE-2016-9147)
   			[RT #43548]

   4508.	[security]	Named incorrectly tried to cache TKEY records which
   			could trigger a assertion failure when there was
   			a class mismatch. (CVE-2016-9131) [RT #43522]

Revision 1.21: download - view: text, markup, annotated - select for diffs
Thu Jan 12 00:04:43 2017 UTC (7 years, 10 months ago) by taca
Branches: MAIN
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +5 -5 lines
Update bind910 to 9.10.4pl5 (BIND 9.10.4-P5), including security fixes.

	--- 9.10.4-P5 released ---

4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
			in responses resulting in SERVFAIL being returned.
			[RT #43779]

4528.	[bug]		Only set the flag bits for the i/o we are waiting
			for on EPOLLERR or EPOLLHUP. [RT #43617]

4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]

4517.	[security]	Named could mishandle authority sections that were
			missing RRSIGs triggering an assertion failure.
			(CVE-2016-9444) [RT # 43632]

4510.	[security]	Named mishandled some responses where covering RRSIG
			records are returned without the requested data
			resulting in a assertion failure. (CVE-2016-9147)
			[RT #43548]

4508.	[security]	Named incorrectly tried to cache TKEY records which
			could trigger a assertion failure when there was
			a class mismatch. (CVE-2016-9131) [RT #43522]

Revision 1.19.2.1: download - view: text, markup, annotated - select for diffs
Thu Nov 3 19:57:29 2016 UTC (8 years, 1 month ago) by bsiegert
Branches: pkgsrc-2016Q3
Diff to: previous 1.19: preferred, colored; next MAIN 1.20: preferred, colored
Changes since revision 1.19: +5 -5 lines
Pullup ticket #5149 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.25-1.26
- net/bind910/distinfo                                          1.20

---
   Committed By:	taca
   Date:		Wed Nov  2 00:05:17 UTC 2016

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.4pl4 (BIND 9.10.4-P4).

   	--- 9.10.4-P4 released ---

   4489.	[security]	It was possible to trigger assertions when processing
   			a response. (CVE-2016-8864) [RT #43465]

Revision 1.20: download - view: text, markup, annotated - select for diffs
Wed Nov 2 00:05:17 2016 UTC (8 years, 1 month ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2016Q4-base
Branch point for: pkgsrc-2016Q4
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +5 -5 lines
Update bind910 to 9.10.4pl4 (BIND 9.10.4-P4).

	--- 9.10.4-P4 released ---

4489.	[security]	It was possible to trigger assertions when processing
			a response. (CVE-2016-8864) [RT #43465]

Revision 1.19: download - view: text, markup, annotated - select for diffs
Tue Sep 27 17:12:34 2016 UTC (8 years, 2 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2016Q3-base
Branch point for: pkgsrc-2016Q3
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +5 -5 lines
Update bind910 to 9.10.4pl3 (BIND 9.10.4-P3), fixing CVE-2016-2776.

	--- 9.10.4-P3 released ---

4468.	[bug]		Address ECS option handling issues. [RT #43191]

			Note: Only the parts required to restore
			interoperation with ECS clients have been
			included in this security release.  The full
			fix is included in BIND 9.10.5.

4467.	[security]	It was possible to trigger a assertion when rendering
			a message. (CVE-2016-2776) [RT #43139]

Revision 1.17.2.1: download - view: text, markup, annotated - select for diffs
Wed Jul 20 02:55:36 2016 UTC (8 years, 4 months ago) by spz
Branches: pkgsrc-2016Q2
Diff to: previous 1.17: preferred, colored; next MAIN 1.18: preferred, colored
Changes since revision 1.17: +6 -6 lines
Pullup ticket #5066 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.23
- net/bind910/PLIST                                             1.7
- net/bind910/distinfo                                          1.18
- net/bind910/patches/patch-lib_dns_rbt.c                       1.5

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Jul 19 01:08:05 UTC 2016

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo
   	pkgsrc/net/bind910/patches: patch-lib_dns_rbt.c

   Log Message:
   Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2).

   Changes from 9.10.3-P4 to 9.10.4 are too many to write here, please refer
   CHANGES file.

   	--- 9.10.4-P2 released ---

   4406.	[bug]		getrrsetbyname with a non absolute name could
   			trigger an infinite recursion bug in lwresd
   			and named with lwres configured if when combined
   			with a search list entry the resulting name is
   			too long. (CVE-2016-2775) [RT #42694]

   4405.	[bug]		Change 4342 introduced a regression where you could
   			not remove a delegation in a NSEC3 signed zone using
   			OPTOUT via nsupdate. [RT #42702]

   4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
   			being return as NS records expired. [RT #42683]

   	--- 9.10.4-P1 released ---

   4368.	[bug]		Fix a crash when calling "rndc stats" on some
   			Windows builds because some Visual Studio compilers
   			generated crashing code for the "%z" printf()
   			format specifier. [RT #42380]

   4366.	[bug]		Address race condition when updating rbtnode bit
   			fields. [RT #42379]

   4363.	[port]		win32: Disable explicit triggering UAC when running
   			BINDInstall.

   	--- 9.10.4 released ---


   To generate a diff of this commit:
   cvs rdiff -u -r1.22 -r1.23 pkgsrc/net/bind910/Makefile
   cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind910/PLIST
   cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/bind910/distinfo
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/net/bind910/patches/patch-lib_dns_rbt.c

Revision 1.18: download - view: text, markup, annotated - select for diffs
Tue Jul 19 01:08:05 2016 UTC (8 years, 4 months ago) by taca
Branches: MAIN
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +6 -6 lines
Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2).

Changes from 9.10.3-P4 to 9.10.4 are too many to write here, please refer
CHANGES file.

	--- 9.10.4-P2 released ---

4406.	[bug]		getrrsetbyname with a non absolute name could
			trigger an infinite recursion bug in lwresd
			and named with lwres configured if when combined
			with a search list entry the resulting name is
			too long. (CVE-2016-2775) [RT #42694]

4405.	[bug]		Change 4342 introduced a regression where you could
			not remove a delegation in a NSEC3 signed zone using
			OPTOUT via nsupdate. [RT #42702]

4387.	[bug]		Change 4336 was not complete leading to SERVFAIL
			being return as NS records expired. [RT #42683]

	--- 9.10.4-P1 released ---

4368.	[bug]		Fix a crash when calling "rndc stats" on some
			Windows builds because some Visual Studio compilers
			generated crashing code for the "%z" printf()
			format specifier. [RT #42380]

4366.	[bug]		Address race condition when updating rbtnode bit
			fields. [RT #42379]

4363.	[port]		win32: Disable explicit triggering UAC when running
			BINDInstall.

	--- 9.10.4 released ---

Revision 1.17: download - view: text, markup, annotated - select for diffs
Wed May 11 11:26:30 2016 UTC (8 years, 7 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2016Q2-base
Branch point for: pkgsrc-2016Q2
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +6 -6 lines
Make bind910 downgrade to 9.10.3pl4 keeping soe options and MASTERSITE
change since ISC mark 9.10.4 as "deprecated".

See https://lists.isc.org/pipermail/bind-users/2016-May/096851.html.

Revision 1.16: download - view: text, markup, annotated - select for diffs
Mon May 2 13:27:57 2016 UTC (8 years, 7 months ago) by taca
Branches: MAIN
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +6 -6 lines
Update bind910 to 9.10.4 (BIND 9.10.4).

PKG_OPTIONS change:

    * Remove rrl which is always enabled.
    * Add fetchlimit, geoip, pkcs11, sit and tuning.


Security Fixes

     * Duplicate EDNS COOKIE options in a response could trigger an
       assertion failure. This flaw is disclosed in CVE-2016-2088. [RT
       #41809]
     * The resolver could abort with an assertion failure due to improper
       DNAME handling when parsing fetch reply messages. This flaw is
       disclosed in CVE-2016-1286. [RT #41753]
     * Malformed control messages can trigger assertions in named and
       rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
     * Certain errors that could be encountered when printing out or
       logging an OPT record containing a CLIENT-SUBNET option could be
       mishandled, resulting in an assertion failure. This flaw is
       disclosed in CVE-2015-8705. [RT #41397]
     * Specific APL data could trigger an INSIST. This flaw is disclosed
       in CVE-2015-8704. [RT #41396]
     * Incorrect reference counting could result in an INSIST failure if a
       socket error occurred while performing a lookup. This flaw is
       disclosed in CVE-2015-8461. [RT#40945]
     * Insufficient testing when parsing a message allowed records with an
       incorrect class to be be accepted, triggering a REQUIRE failure
       when those records were subsequently cached. This flaw is disclosed
       in CVE-2015-8000. [RT #40987]

New Features

     * The following resource record types have been implemented: AVC,
       CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
     * Added a warning for a common misconfiguration involving forwarded
       RFC 1918 and IPv6 ULA (Universal Local Address) zones.
     * Contributed software from Nominum is included in the source at
       contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the
       performance of authoritative DNS servers, resperf for testing the
       resolution performance of a caching DNS server, resperf-report for
       generating a resperf report in HTML with gnuplot graphs, and
       queryparse to extract DNS queries from pcap capture files. This
       software is not installed by default with BIND.
     * When loading a signed zone, named will now check whether an RRSIG's
       inception time is in the future, and if so, it will regenerate the
       RRSIG immediately. This helps when a system's clock needs to be
       reset backwards.

Feature Changes

     * Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
       L.ROOT-SERVERS.NET.
     * The default preferred glue is now the address type of the transport
       the query was received over.
     * On machines with 2 or more processors (CPU), the default value for
       the number of UDP listeners has been changed to the number of
       detected processors minus one.
     * Zone transfers now use smaller message sizes to improve message
       compression. This results in reduced network usage.
     * named -V output now also includes operating system details.

Porting Changes

     * The Microsoft Windows install tool BINDInstall.exe which requires a
       non-free version of Visual Studio to be built, now uses two files
       (lists of flags and files) created by the Configure perl script
       with all the needed information which were previously compiled in
       the binary. Read win32utils/build.txt for more details. [RT #38915]

Bug Fixes

     * rndc flushtree now works even if there wasn't a cached node at the
       specified name. [RT #41846]
     * Don't emit records with zero TTL unless the records were received
       with a zero TTL. After being returned to waiting clients, the
       answer will be discarded from the cache. [RT #41687]
     * For Windows platforms, the SIT (Source Identity Token) support was
       restored. (It was mistakenly partially replaced in a previous beta
       with new 9.11 COOKIE support.) [RT #41905]
     * When deleting records from a zone database, interior nodes could be
       left empty but not deleted, damaging search performance afterward.
       [RT #40997] [RT #41941]
     * The server could crash due to a use-after-free if a zone transfer
       timed out. [RT #41297]
     * Authoritative servers that were marked as bogus (e.g. blackholed in
       configuration or with invalid addresses) were being queried anyway.
       [RT #41321]
     * Some of the options for GeoIP ACLs, including "areacode",
       "metrocode", and "timezone", were incorrectly documented as "area",
       "metro" and "tz". Both the long and abbreviated versions are now
       accepted.
     * Zones configured to use map format master files can't be used as
       policy zones because RPZ summary data isn't compiled when such
       zones are mapped into memory. This limitation may be fixed in a
       future release, but in the meantime it has been documented, and
       attempting to use such zones in response-policy statements is now a
       configuration error. [RT #38321]

Revision 1.13.2.2: download - view: text, markup, annotated - select for diffs
Fri Mar 11 09:38:01 2016 UTC (8 years, 9 months ago) by bsiegert
Branches: pkgsrc-2015Q4
Diff to: previous 1.13.2.1: preferred, colored; branchpoint 1.13: preferred, colored; next MAIN 1.14: preferred, colored
Changes since revision 1.13.2.1: +5 -5 lines
Pullup ticket #4949 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.18
- net/bind910/distinfo                                          1.15

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Mar 10 00:48:41 UTC 2016

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.3pl4 (BIND 9.10.3-P4), security release.

   	--- 9.10.3-P4 released ---

   4322.	[security]	Duplicate EDNS COOKIE options in a response could
   			trigger an assertion failure. (CVE-2016-2088)
   			[RT #41809]

   4319.	[security]	Fix resolver assertion failure due to improper
   			DNAME handling when parsing fetch reply messages.
   			(CVE-2016-1286) [RT #41753]

   4318.	[security]	Malformed control messages can trigger assertions
   			in named and rndc. (CVE-2016-1285) [RT #41666]

Revision 1.15: download - view: text, markup, annotated - select for diffs
Thu Mar 10 00:48:41 2016 UTC (8 years, 9 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +5 -5 lines
Update bind910 to 9.10.3pl4 (BIND 9.10.3-P4), security release.

	--- 9.10.3-P4 released ---

4322.	[security]	Duplicate EDNS COOKIE options in a response could
			trigger an assertion failure. (CVE-2016-2088)
			[RT #41809]

4319.	[security]	Fix resolver assertion failure due to improper
			DNAME handling when parsing fetch reply messages.
			(CVE-2016-1286) [RT #41753]

4318.	[security]	Malformed control messages can trigger assertions
			in named and rndc. (CVE-2016-1285) [RT #41666]

Revision 1.13.2.1: download - view: text, markup, annotated - select for diffs
Wed Jan 20 19:32:01 2016 UTC (8 years, 10 months ago) by bsiegert
Branches: pkgsrc-2015Q4
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +5 -5 lines
Pullup ticket #4901 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.15
- net/bind910/distinfo                                          1.14

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Wed Jan 20 02:15:58 UTC 2016

   Modified Files:
           pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.3pl3 (BIND 9.10.3-P3).

   Security Fixes

        * Specific APL data could trigger an INSIST. This flaw was discovered
          by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
        * Certain errors that could be encountered when printing out or
          logging an OPT record containing a CLIENT-SUBNET option could be
          mishandled, resulting in an assertion failure. This flaw was
          discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT
          #41397]
        * Named is potentially vulnerable to the OpenSSL vulnerabilty
          described in CVE-2015-3193.
        * Insufficient testing when parsing a message allowed records with an
          incorrect class to be be accepted, triggering a REQUIRE failure
          when those records were subsequently cached. This flaw is disclosed
          in CVE-2015-8000. [RT #40987]
        * Incorrect reference counting could result in an INSIST failure if a
          socket error occurred while performing a lookup. This flaw is
          disclosed in CVE-2015-8461. [RT#40945]

   New Features

        * None.

   Feature Changes

        * Updated the compiled in addresses for H.ROOT-SERVERS.NET.

   Bug Fixes

        * Authoritative servers that were marked as bogus (e.g. blackholed in
          configuration or with invalid addresses) were being queried anyway.
          [RT #41321]

Revision 1.14: download - view: text, markup, annotated - select for diffs
Wed Jan 20 02:15:58 2016 UTC (8 years, 10 months ago) by taca
Branches: MAIN
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +5 -5 lines
Update bind910 to 9.10.3pl3 (BIND 9.10.3-P3).

Security Fixes

     * Specific APL data could trigger an INSIST. This flaw was discovered
       by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
     * Certain errors that could be encountered when printing out or
       logging an OPT record containing a CLIENT-SUBNET option could be
       mishandled, resulting in an assertion failure. This flaw was
       discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT
       #41397]
     * Named is potentially vulnerable to the OpenSSL vulnerabilty
       described in CVE-2015-3193.
     * Insufficient testing when parsing a message allowed records with an
       incorrect class to be be accepted, triggering a REQUIRE failure
       when those records were subsequently cached. This flaw is disclosed
       in CVE-2015-8000. [RT #40987]
     * Incorrect reference counting could result in an INSIST failure if a
       socket error occurred while performing a lookup. This flaw is
       disclosed in CVE-2015-8461. [RT#40945]

New Features

     * None.

Feature Changes

     * Updated the compiled in addresses for H.ROOT-SERVERS.NET.

Bug Fixes

     * Authoritative servers that were marked as bogus (e.g. blackholed in
       configuration or with invalid addresses) were being queried anyway.
       [RT #41321]

Revision 1.10.2.1: download - view: text, markup, annotated - select for diffs
Fri Dec 18 19:46:02 2015 UTC (8 years, 11 months ago) by bsiegert
Branches: pkgsrc-2015Q3
Diff to: previous 1.10: preferred, colored; next MAIN 1.11: preferred, colored
Changes since revision 1.10: +8 -7 lines
Pullup ticket #4872 - requested by taca
net/bind910: security fix

Revisions pulled up:
- net/bind910/Makefile                                          1.13-1.14
- net/bind910/distinfo                                          1.12-1.13
- net/bind910/patches/patch-bin_dig_dighost.c                   1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in        1.3
- net/bind910/patches/patch-configure                           1.4

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Sun Dec 13 17:35:22 UTC 2015

   Modified Files:
           pkgsrc/net/bind910: Makefile distinfo
           pkgsrc/net/bind910/patches: patch-bin_dig_dighost.c
               patch-bin_tests_system_Makefile.in patch-configure

   Log Message:
   Update bind910 to 9.10.3.

   Security Fixes

        * An incorrect boundary check in the OPENPGPKEY rdatatype could
          trigger an assertion failure. This flaw is disclosed in
          CVE-2015-5986. [RT #40286]
        * A buffer accounting error could trigger an assertion failure when
          parsing certain malformed DNSSEC keys.
          This flaw was discovered by Hanno Böck of the Fuzzing Project, and
          is disclosed in CVE-2015-5722. [RT #40212]
        * A specially crafted query could trigger an assertion failure in
          message.c.
          This flaw was discovered by Jonathan Foote, and is disclosed in
          CVE-2015-5477. [RT #40046]
        * On servers configured to perform DNSSEC validation, an assertion
          failure could be triggered on answers from a specially configured
          server.
          This flaw was discovered by Breno Silveira Soares, and is disclosed
          in CVE-2015-4620. [RT #39795]

   New Features

        * New quotas have been added to limit the queries that are sent by
          recursive resolvers to authoritative servers experiencing
          denial-of-service attacks. When configured, these options can both
          reduce the harm done to authoritative servers and also avoid the
          resource exhaustion that can be experienced by recursives when they
          are being used as a vehicle for such an attack.
          NOTE: These options are not available by default; use configure
          --enable-fetchlimit to include them in the build.
             + fetches-per-server limits the number of simultaneous queries
               that can be sent to any single authoritative server. The
               configured value is a starting point; it is automatically
               adjusted downward if the server is partially or completely
               non-responsive. The algorithm used to adjust the quota can be
               configured via the fetch-quota-params option.
             + fetches-per-zone limits the number of simultaneous queries
               that can be sent for names within a single domain. (Note:
               Unlike "fetches-per-server", this value is not self-tuning.)
          Statistics counters have also been added to track the number of
          queries affected by these quotas.
        * dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
          in DNS requests.
        * dig +[no]ednsnegotiation can now be used enable / disable EDNS
          version negotiation.
        * An --enable-querytrace configure switch is now available to enable
          very verbose query tracelogging. This option can only be set at
          compile time. This option has a negative performance impact and
          should be used only for debugging.

   Feature Changes

        * Large inline-signing changes should be less disruptive. Signature
          generation is now done incrementally; the number of signatures to
          be generated in each quantum is controlled by
          "sig-signing-signatures number;". [RT #37927]
        * The experimental SIT extension now uses the EDNS COOKIE option code
          point (10) and is displayed as "COOKIE: <value>". The existing
          named.conf directives; "request-sit", "sit-secret" and
          "nosit-udp-size", are still valid and will be replaced by
          "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND
          9.11. The existing dig directive "+sit" is still valid and will be
          replaced with "+cookie" in BIND 9.11.
        * When retrying a query via TCP due to the first answer being
          truncated, dig will now correctly send the COOKIE value returned by
          the server in the prior response. [RT #39047]
        * Retrieving the local port range from net.ipv4.ip_local_port_range
          on Linux is now supported.
        * Active Directory names of the form gc._msdcs.<forest> are now
          accepted as valid hostnames when using the check-names option.
          <forest> is still restricted to letters, digits and hyphens.
        * Names containing rich text are now accepted as valid hostnames in
          PTR records in DNS-SD reverse lookup zones, as specified in RFC
          6763. [RT #37889]

   Bug Fixes

        * Asynchronous zone loads were not handled correctly when the zone
          load was already in progress; this could trigger a crash in zt.c.
          [RT #37573]
        * A race during shutdown or reconfiguration could cause an assertion
          failure in mem.c. [RT #38979]
        * Some answer formatting options didn't work correctly with dig
          +short. [RT #39291]
        * Malformed records of some types, including NSAP and UNSPEC, could
          trigger assertion failures when loading text zone files. [RT
          #40274] [RT #40285]
        * Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
          being removed from the wrong rate limiter queue. [RT #40350]
        * The default rrset-order of random was inconsistently applied. [RT
          #40456]
        * BADVERS responses from broken authoritative name servers were not
          handled correctly. [RT #40427]
        * Several bugs have been fixed in the RPZ implementation:
             + Policy zones that did not specifically require recursion could
               be treated as if they did; consequently, setting
               qname-wait-recurse no; was sometimes ineffective. This has
               been corrected. In most configurations, behavioral changes due
               to this fix will not be noticeable. [RT #39229]
             + The server could crash if policy zones were updated (e.g. via
               rndc reload or an incoming zone transfer) while RPZ processing
               was still ongoing for an active query. [RT #39415]
             + On servers with one or more policy zones configured as slaves,
               if a policy zone updated during regular operation (rather than
               at startup) using a full zone reload, such as via AXFR, a bug
               could allow the RPZ summary data to fall out of sync,
               potentially leading to an assertion failure in rpz.c when
               further incremental updates were made to the zone, such as via
               IXFR. [RT #39567]
             + The server could match a shorter prefix than what was
               available in CLIENT-IP policy triggers, and so, an unexpected
               action could be taken. This has been corrected. [RT #39481]
             + The server could crash if a reload of an RPZ zone was
               initiated while another reload of the same zone was already in
               progress. [RT #39649]
             + Query names could match against the wrong policy zone if
               wildcard records were present. [RT #40357]

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Wed Dec 16 00:31:22 UTC 2015

   Modified Files:
           pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 package to 9.10.3pl2 (BIND 9.10.3-P2), security release.

           --- 9.10.3-P2 released ---

   4270.   [security]      Update allowed OpenSSL versions as named is
                           potentially vulnerable to CVE-2015-3193.

   4261.   [maint]         H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
                           [RT #40556]

   4260.   [security]      Insufficient testing when parsing a message allowed
                           records with an incorrect class to be be accepted,
                           triggering a REQUIRE failure when those records
                           were subsequently cached. (CVE-2015-8000) [RT #40987]

   4253.   [security]      Address fetch context reference count handling error
                           on socket error. (CVE-2015-8461) [RT#40945]

           --- 9.10.3-P1 (withdrawn) ---

Revision 1.13: download - view: text, markup, annotated - select for diffs
Wed Dec 16 00:31:22 2015 UTC (8 years, 11 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2015Q4-base
Branch point for: pkgsrc-2015Q4
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +5 -5 lines
Update bind910 package to 9.10.3pl2 (BIND 9.10.3-P2), security release.

	--- 9.10.3-P2 released ---

4270.	[security]	Update allowed OpenSSL versions as named is
			potentially vulnerable to CVE-2015-3193.

4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
			[RT #40556]

4260.	[security]	Insufficient testing when parsing a message allowed
			records with an incorrect class to be be accepted,
			triggering a REQUIRE failure when those records
			were subsequently cached. (CVE-2015-8000) [RT #40987]

4253.	[security]	Address fetch context reference count handling error
			on socket error. (CVE-2015-8461) [RT#40945]

	--- 9.10.3-P1 (withdrawn) ---

Revision 1.12: download - view: text, markup, annotated - select for diffs
Sun Dec 13 17:35:22 2015 UTC (8 years, 11 months ago) by taca
Branches: MAIN
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +8 -8 lines
Update bind910 to 9.10.3.

Security Fixes

     * An incorrect boundary check in the OPENPGPKEY rdatatype could
       trigger an assertion failure. This flaw is disclosed in
       CVE-2015-5986. [RT #40286]
     * A buffer accounting error could trigger an assertion failure when
       parsing certain malformed DNSSEC keys.
       This flaw was discovered by Hanno Böck of the Fuzzing Project, and
       is disclosed in CVE-2015-5722. [RT #40212]
     * A specially crafted query could trigger an assertion failure in
       message.c.
       This flaw was discovered by Jonathan Foote, and is disclosed in
       CVE-2015-5477. [RT #40046]
     * On servers configured to perform DNSSEC validation, an assertion
       failure could be triggered on answers from a specially configured
       server.
       This flaw was discovered by Breno Silveira Soares, and is disclosed
       in CVE-2015-4620. [RT #39795]

New Features

     * New quotas have been added to limit the queries that are sent by
       recursive resolvers to authoritative servers experiencing
       denial-of-service attacks. When configured, these options can both
       reduce the harm done to authoritative servers and also avoid the
       resource exhaustion that can be experienced by recursives when they
       are being used as a vehicle for such an attack.
       NOTE: These options are not available by default; use configure
       --enable-fetchlimit to include them in the build.
          + fetches-per-server limits the number of simultaneous queries
            that can be sent to any single authoritative server. The
            configured value is a starting point; it is automatically
            adjusted downward if the server is partially or completely
            non-responsive. The algorithm used to adjust the quota can be
            configured via the fetch-quota-params option.
          + fetches-per-zone limits the number of simultaneous queries
            that can be sent for names within a single domain. (Note:
            Unlike "fetches-per-server", this value is not self-tuning.)
       Statistics counters have also been added to track the number of
       queries affected by these quotas.
     * dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
       in DNS requests.
     * dig +[no]ednsnegotiation can now be used enable / disable EDNS
       version negotiation.
     * An --enable-querytrace configure switch is now available to enable
       very verbose query tracelogging. This option can only be set at
       compile time. This option has a negative performance impact and
       should be used only for debugging.

Feature Changes

     * Large inline-signing changes should be less disruptive. Signature
       generation is now done incrementally; the number of signatures to
       be generated in each quantum is controlled by
       "sig-signing-signatures number;". [RT #37927]
     * The experimental SIT extension now uses the EDNS COOKIE option code
       point (10) and is displayed as "COOKIE: <value>". The existing
       named.conf directives; "request-sit", "sit-secret" and
       "nosit-udp-size", are still valid and will be replaced by
       "send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND
       9.11. The existing dig directive "+sit" is still valid and will be
       replaced with "+cookie" in BIND 9.11.
     * When retrying a query via TCP due to the first answer being
       truncated, dig will now correctly send the COOKIE value returned by
       the server in the prior response. [RT #39047]
     * Retrieving the local port range from net.ipv4.ip_local_port_range
       on Linux is now supported.
     * Active Directory names of the form gc._msdcs.<forest> are now
       accepted as valid hostnames when using the check-names option.
       <forest> is still restricted to letters, digits and hyphens.
     * Names containing rich text are now accepted as valid hostnames in
       PTR records in DNS-SD reverse lookup zones, as specified in RFC
       6763. [RT #37889]

Bug Fixes

     * Asynchronous zone loads were not handled correctly when the zone
       load was already in progress; this could trigger a crash in zt.c.
       [RT #37573]
     * A race during shutdown or reconfiguration could cause an assertion
       failure in mem.c. [RT #38979]
     * Some answer formatting options didn't work correctly with dig
       +short. [RT #39291]
     * Malformed records of some types, including NSAP and UNSPEC, could
       trigger assertion failures when loading text zone files. [RT
       #40274] [RT #40285]
     * Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
       being removed from the wrong rate limiter queue. [RT #40350]
     * The default rrset-order of random was inconsistently applied. [RT
       #40456]
     * BADVERS responses from broken authoritative name servers were not
       handled correctly. [RT #40427]
     * Several bugs have been fixed in the RPZ implementation:
          + Policy zones that did not specifically require recursion could
            be treated as if they did; consequently, setting
            qname-wait-recurse no; was sometimes ineffective. This has
            been corrected. In most configurations, behavioral changes due
            to this fix will not be noticeable. [RT #39229]
          + The server could crash if policy zones were updated (e.g. via
            rndc reload or an incoming zone transfer) while RPZ processing
            was still ongoing for an active query. [RT #39415]
          + On servers with one or more policy zones configured as slaves,
            if a policy zone updated during regular operation (rather than
            at startup) using a full zone reload, such as via AXFR, a bug
            could allow the RPZ summary data to fall out of sync,
            potentially leading to an assertion failure in rpz.c when
            further incremental updates were made to the zone, such as via
            IXFR. [RT #39567]
          + The server could match a shorter prefix than what was
            available in CLIENT-IP policy triggers, and so, an unexpected
            action could be taken. This has been corrected. [RT #39481]
          + The server could crash if a reload of an RPZ zone was
            initiated while another reload of the same zone was already in
            progress. [RT #39649]
          + Query names could match against the wrong policy zone if
            wildcard records were present. [RT #40357]

Revision 1.11: download - view: text, markup, annotated - select for diffs
Wed Nov 4 00:34:53 2015 UTC (9 years, 1 month ago) by agc
Branches: MAIN
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +2 -1 lines
Add SHA512 digests for distfiles for net category

Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.

Revision 1.6.2.3: download - view: text, markup, annotated - select for diffs
Thu Sep 3 20:11:22 2015 UTC (9 years, 3 months ago) by tron
Branches: pkgsrc-2015Q2
Diff to: previous 1.6.2.2: preferred, colored; branchpoint 1.6: preferred, colored; next MAIN 1.7: preferred, colored
Changes since revision 1.6.2.2: +3 -3 lines
Pullup ticket #4811 - requested by sevan
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.11-1.12
- net/bind910/distinfo                                          1.9-1.10
- net/bind910/patches/patch-lib_dns_hmac_link.c                 deleted
- net/bind910/patches/patch-lib_dns_include_dst_dst.h           deleted
- net/bind910/patches/patch-lib_dns_ncache.c                    deleted
- net/bind910/patches/patch-lib_dns_openssldh_link.c            deleted
- net/bind910/patches/patch-lib_dns_openssldsa_link.c           deleted
- net/bind910/patches/patch-lib_dns_opensslecdsa_link.c         deleted
- net/bind910/patches/patch-lib_dns_opensslrsa_link.c           deleted
- net/bind910/patches/patch-lib_dns_pkcs11dh_link.c             deleted
- net/bind910/patches/patch-lib_dns_pkcs11dsa_link.c            deleted
- net/bind910/patches/patch-lib_dns_pkcs11rsa_link.c            deleted
- net/bind910/patches/patch-lib_dns_rdata_generic_openpgpkey_61.c deleted
- net/bind910/patches/patch-lib_dns_resolver.c                  deleted

---
   Module Name:	pkgsrc
   Committed By:	sevan
   Date:		Wed Sep  2 19:46:44 UTC 2015

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo
   Added Files:
   	pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c
   	    patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c
   	    patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c
   	    patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c
   	    patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c
   	    patch-lib_dns_pkcs11rsa_link.c
   	    patch-lib_dns_rdata_generic_openpgpkey_61.c
   	    patch-lib_dns_resolver.c

   Log Message:
   Patch CVE-2015-5722 & CVE-2015-5986
   Bump rev

   CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
   assertion in buffer.c
   https://kb.isc.org/article/AA-01287/0

   CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
   failure in openpgpkey_61.c
   https://kb.isc.org/article/AA-01291/0

   Reviewed by wiz@

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Sep  3 00:33:32 UTC 2015

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo
   Removed Files:
   	pkgsrc/net/bind910/patches: patch-lib_dns_hmac_link.c
   	    patch-lib_dns_include_dst_dst.h patch-lib_dns_ncache.c
   	    patch-lib_dns_openssldh_link.c patch-lib_dns_openssldsa_link.c
   	    patch-lib_dns_opensslecdsa_link.c patch-lib_dns_opensslrsa_link.c
   	    patch-lib_dns_pkcs11dh_link.c patch-lib_dns_pkcs11dsa_link.c
   	    patch-lib_dns_pkcs11rsa_link.c
   	    patch-lib_dns_rdata_generic_openpgpkey_61.c
   	    patch-lib_dns_resolver.c

   Log Message:
   Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4).
   (Already fixed by bind-9.10.2pl3nb1.)

   	--- 9.10.2-P4 released ---

   4170.	[security]	An incorrect boundary check in the OPENPGPKEY
   			rdatatype could trigger an assertion failure.
   			(CVE-2015-5986) [RT #40286]

   4168.	[security]	A buffer accounting error could trigger an
   			assertion failure when parsing certain malformed
   			DNSSEC keys. (CVE-2015-5722) [RT #40212]

Revision 1.10: download - view: text, markup, annotated - select for diffs
Thu Sep 3 00:33:31 2015 UTC (9 years, 3 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2015Q3-base
Branch point for: pkgsrc-2015Q3
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +4 -16 lines
Update bind910 to 9.10.2pl4 (BIND 9.10.2-P4).
(Already fixed by bind-9.10.2pl3nb1.)

	--- 9.10.2-P4 released ---

4170.	[security]	An incorrect boundary check in the OPENPGPKEY
			rdatatype could trigger an assertion failure.
			(CVE-2015-5986) [RT #40286]

4168.	[security]	A buffer accounting error could trigger an
			assertion failure when parsing certain malformed
			DNSSEC keys. (CVE-2015-5722) [RT #40212]

Revision 1.9: download - view: text, markup, annotated - select for diffs
Wed Sep 2 19:46:44 2015 UTC (9 years, 3 months ago) by sevan
Branches: MAIN
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +13 -1 lines
Patch CVE-2015-5722 & CVE-2015-5986
Bump rev

CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
https://kb.isc.org/article/AA-01287/0

CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
https://kb.isc.org/article/AA-01291/0

Reviewed by wiz@

Revision 1.6.2.2: download - view: text, markup, annotated - select for diffs
Sat Aug 1 08:54:30 2015 UTC (9 years, 4 months ago) by tron
Branches: pkgsrc-2015Q2
Diff to: previous 1.6.2.1: preferred, colored; branchpoint 1.6: preferred, colored
Changes since revision 1.6.2.1: +3 -3 lines
Pullup ticket #4785 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.10
- net/bind910/distinfo                                          1.8

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Jul 28 22:36:38 UTC 2015

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.2pl3 (BIND 9.10.2-P3).

   	--- 9.10.2-P3 released ---

   4165.	[security]	A failure to reset a value to NULL in tkey.c could
   			result in an assertion failure. (CVE-2015-5477)
   			[RT #40046]

Revision 1.8: download - view: text, markup, annotated - select for diffs
Tue Jul 28 22:36:38 2015 UTC (9 years, 4 months ago) by taca
Branches: MAIN
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +4 -4 lines
Update bind910 to 9.10.2pl3 (BIND 9.10.2-P3).

	--- 9.10.2-P3 released ---

4165.	[security]	A failure to reset a value to NULL in tkey.c could
			result in an assertion failure. (CVE-2015-5477)
			[RT #40046]

Revision 1.6.2.1: download - view: text, markup, annotated - select for diffs
Sun Jul 12 09:14:27 2015 UTC (9 years, 5 months ago) by tron
Branches: pkgsrc-2015Q2
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +4 -4 lines
Pullup ticket #4769 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.9
- net/bind910/distinfo                                          1.7

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Jul  7 22:26:42 UTC 2015

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.2pl2.

   	--- 9.10.2-P2 released ---

   4138.	[bug]		An uninitialized value in validator.c could result
   			in an assertion failure. (CVE-2015-4620) [RT #39795]

Revision 1.7: download - view: text, markup, annotated - select for diffs
Tue Jul 7 22:26:42 2015 UTC (9 years, 5 months ago) by taca
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +4 -4 lines
Update bind910 to 9.10.2pl2.

	--- 9.10.2-P2 released ---

4138.	[bug]		An uninitialized value in validator.c could result
			in an assertion failure. (CVE-2015-4620) [RT #39795]

Revision 1.6: download - view: text, markup, annotated - select for diffs
Thu Jun 11 14:58:46 2015 UTC (9 years, 6 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2015Q2-base
Branch point for: pkgsrc-2015Q2
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +4 -4 lines
Update bind910 to 9.10.2pl1 (BIND 9.10.2-P1).

	--- 9.10.2-P1 released ---

4134.	[cleanup]	Include client-ip rules when logging the number
                        of RPZ rules of each type. [RT #39670]

4131.	[bug]		Addressed further problems with reloading RPZ
			zones. [RT #39649]

4126.	[bug]		Addressed a regression introduced in change #4121.
			[RT #39611]

4122.	[bug]		The server could match a shorter prefix than what was
			available in CLIENT-IP policy triggers, and so, an
			unexpected action could be taken. This has been
			corrected. [RT #39481]

4121.	[bug]		On servers with one or more policy zones
			configured as slaves, if a policy zone updated
			during regular operation (rather than at
			startup) using a full zone reload, such as via
			AXFR, a bug could allow the RPZ summary data to
			fall out of sync, potentially leading to an
			assertion failure in rpz.c when further
			incremental updates were made to the zone, such
			as via IXFR. [RT #39567]

4120.	[bug]		A bug in RPZ could cause the server to crash if
			policy zones were updated while recursion was
			pending for RPZ processing of an active query.
			[RT #39415]

4116.	[bug]		Fix a bug in RPZ that could cause some policy
			zones that did not specifically require
			recursion to be treated as if they did;
			consequently, setting qname-wait-recurse no; was
			sometimes ineffective. [RT #39229]

4063.	[bug]		Asynchronous zone loads were not handled
			correctly when the zone load was already in
			progress; this could trigger a crash in zt.c.
			[RT #37573]

4062.	[bug]		Fix an out-of-bounds read in RPZ code. If the
			read succeeded, it doesn't result in a bug
			during operation. If the read failed, named
			could segfault. [RT #38559]

Revision 1.5: download - view: text, markup, annotated - select for diffs
Thu Feb 26 10:15:02 2015 UTC (9 years, 9 months ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +6 -6 lines
Update bind910 package to 9.10.2.

Security Fixes

     * On servers configured to perform DNSSEC validation using managed
       trust anchors (i.e., keys configured explicitly via managed-keys,
       or implicitly via dnssec-validation auto; or dnssec-lookaside
       auto;), revoking a trust anchor and sending a new untrusted
       replacement could cause named to crash with an assertion failure.
       This could occur in the event of a botched key rollover, or
       potentially as a result of a deliberate attack if the attacker was
       in position to monitor the victim's DNS traffic.
       This flaw was discovered by Jan-Piet Mens, and is disclosed in
       CVE-2015-1349. [RT #38344]
     * A flaw in delegation handling could be exploited to put named into
       an infinite loop, in which each lookup of a name server triggered
       additional lookups of more name servers. This has been addressed by
       placing limits on the number of levels of recursion named will
       allow (default 7), and on the number of queries that it will send
       before terminating a recursive query (default 50).
       The recursion depth limit is configured via the max-recursion-depth
       option, and the query limit via the max-recursion-queries option.
       The flaw was discovered by Florian Maury of ANSSI, and is disclosed
       in CVE-2014-8500. [RT #37580]
     * Two separate problems were identified in BIND's GeoIP code that
       could lead to an assertion failure. One was triggered by use of
       both IPv4 and IPv6 address families, the other by referencing a
       GeoIP database in named.conf which was not installed. Both are
       covered by CVE-2014-8680. [RT #37672] [RT #37679]
       A less serious security flaw was also found in GeoIP: changes to
       the geoip-directory option in named.conf were ignored when running
       rndc reconfig. In theory, this could allow named to allow access to
       unintended clients.

New Features

     * None

Feature Changes

     * ACLs containing geoip asnum elements were not correctly matched
       unless the full organization name was specified in the ACL (as in
       geoip asnum "AS1234 Example, Inc.";). They can now match against
       the AS number alone (as in geoip asnum "AS1234";).
     * When using native PKCS#11 cryptography (i.e., configure
       --enable-native-pkcs11) HSM PINs of up to 256 characters can now be
       used.
     * NXDOMAIN responses to queries of type DS are now cached separately
       from those for other types. This helps when using "grafted" zones
       of type forward, for which the parent zone does not contain a
       delegation, such as local top-level domains. Previously a query of
       type DS for such a zone could cause the zone apex to be cached as
       NXDOMAIN, blocking all subsequent queries. (Note: This change is
       only helpful when DNSSEC validation is not enabled. "Grafted" zones
       without a delegation in the parent are not a recommended
       configuration.)
     * NOTIFY messages that are sent because a zone has been updated are
       now given priority above NOTIFY messages that were scheduled when
       the server started up. This should mitigate delays in zone
       propagation when servers are restarted frequently.
     * Errors reported when running rndc addzone (e.g., when a zone file
       cannot be loaded) have been clarified to make it easier to diagnose
       problems.
     * Added support for OPENPGPKEY type.
     * When encountering an authoritative name server whose name is an
       alias pointing to another name, the resolver treats this as an
       error and skips to the next server. Previously this happened
       silently; now the error will be logged to the newly-created "cname"
       log category.
     * If named is not configured to validate the answer then allow
       fallback to plain DNS on timeout even when we know the server
       supports EDNS. This will allow the server to potentially resolve
       signed queries when TCP is being blocked.

Bug Fixes

     * dig, host and nslookup aborted when encountering a name which,
       after appending search list elements, exceeded 255 bytes. Such
       names are now skipped, but processing of other names will continue.
       [RT #36892]
     * The error message generated when named-checkzone or named-checkconf
       -z encounters a $TTL directive without a value has been clarified.
       [RT #37138]
     * Semicolon characters (;) included in TXT records were incorrectly
       escaped with a backslash when the record was displayed as text.
       This is actually only necessary when there are no quotation marks.
       [RT #37159]
     * When files opened for writing by named, such as zone journal files,
       were referenced more than once in named.conf, it could lead to file
       corruption as multiple threads wrote to the same file. This is now
       detected when loading named.conf and reported as an error. [RT
       #37172]
     * dnssec-keygen -S failed to generate successor keys for some
       algorithm types (including ECDSA and GOST) due to a difference in
       the content of private key files. This has been corrected. [RT
       #37183]
     * UPDATE messages that arrived too soon after an rndc thaw could be
       lost. [RT #37233]
     * Forwarding of UPDATE messages did not work when they were signed
       with SIG(0); they resulted in a BADSIG response code. [RT #37216]
     * When checking for updates to trust anchors listed in managed-keys,
       named now revalidates keys based on the current set of active trust
       anchors, without relying on any cached record of previous
       validation. [RT #37506]
     * Large-system tuning (configure --with-tuning=large) caused problems
       on some platforms by setting a socket receive buffer size that was
       too large. This is now detected and corrected at run time. [RT
       #37187]
     * When NXDOMAIN redirection is in use, queries for a name that is
       present in the redirection zone but a type that is not present will
       now return NOERROR instead of NXDOMAIN.
     * When a zone contained a delegation to an IPv6 name server but not
       an IPv4 name server, it was possible for a memory reference to be
       left un-freed. This caused an assertion failure on server shutdown,
       but was otherwise harmless. [RT #37796]
     * Due to an inadvertent removal of code in the previous release, when
       named encountered an authoritative name server which dropped all
       EDNS queries, it did not always try plain DNS. This has been
       corrected. [RT #37965]
     * A regression caused nsupdate to use the default recursive servers
       rather than the SOA MNAME server when sending the UPDATE.
     * Adjusted max-recursion-queries to accommodate the smaller initial
       packet sizes used in BIND 9.10 and higher when contacting
       authoritative servers for the first time.
     * Built-in "empty" zones did not correctly inherit the
       "allow-transfer" ACL from the options or view. [RT #38310]
     * Two leaks were fixed that could cause named processes to grow to
       very large sizes. [RT #38454]
     * Fixed some bugs in RFC 5011 trust anchor management, including a
       memory leak and a possible loss of state information.[RT #38458]

Revision 1.3.2.1: download - view: text, markup, annotated - select for diffs
Thu Feb 19 20:56:59 2015 UTC (9 years, 9 months ago) by tron
Branches: pkgsrc-2014Q4
Diff to: previous 1.3: preferred, colored; next MAIN 1.4: preferred, colored
Changes since revision 1.3: +4 -4 lines
Pullup ticket #4622 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.5
- net/bind910/distinfo                                          1.4

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Feb 19 00:37:17 UTC 2015

   Modified Files:
   	pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   Update bind910 to 9.10.1pl2 (BIND 9.10.1-P2).

   	--- 9.10.1-P2 released ---

   4053.	[security]	Revoking a managed trust anchor and supplying
   			an untrusted replacement could cause named
   			to crash with an assertion failure.
   			(CVE-2015-1349) [RT #38344]

   4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]

Revision 1.4: download - view: text, markup, annotated - select for diffs
Thu Feb 19 00:37:17 2015 UTC (9 years, 9 months ago) by taca
Branches: MAIN
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +4 -4 lines
Update bind910 to 9.10.1pl2 (BIND 9.10.1-P2).

	--- 9.10.1-P2 released ---

4053.	[security]	Revoking a managed trust anchor and supplying
			an untrusted replacement could cause named
			to crash with an assertion failure.
			(CVE-2015-1349) [RT #38344]

4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]

Revision 1.1.1.1.2.1: download - view: text, markup, annotated - select for diffs
Wed Dec 10 19:53:09 2014 UTC (10 years ago) by tron
Branches: pkgsrc-2014Q3
Diff to: previous 1.1.1.1: preferred, colored; next MAIN 1.2: preferred, colored
Changes since revision 1.1.1.1: +8 -14 lines
Pullup ticket #4570 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.2-1.3
- net/bind910/PLIST                                             1.2-1.3
- net/bind910/distinfo                                          1.2-1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in        1.2
- net/bind910/patches/patch-configure                           1.2
- net/bind910/patches/patch-lib_bind9_Makefile.in               deleted
- net/bind910/patches/patch-lib_dns_Makefile.in                 deleted
- net/bind910/patches/patch-lib_dns_rbt.c                       1.2
- net/bind910/patches/patch-lib_isc_Makefile.in                 deleted
- net/bind910/patches/patch-lib_isccc_Makefile.in               deleted
- net/bind910/patches/patch-lib_isccfg_Makefile.in              deleted
- net/bind910/patches/patch-lib_lwres_Makefile.in               deleted
- net/bind910/patches/patch-lib_lwres_getaddrinfo.c             1.2

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Oct 14 16:23:19 UTC 2014

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo
   	pkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in
   	    patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c
   Removed Files:
   	pkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in
   	    patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in
   	    patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in
   	    patch-lib_lwres_Makefile.in

   Log Message:
   Update bind910 to 9.10.1.

   Security Fixes

      A query specially crafted to exploit a defect in EDNS option
      processing could cause named to terminate with an assertion
      failure, due to a missing isc_buffer_availablelength() check
      when formatting packet contents for logging. For more information,
      see the security advisory at https://kb.isc.org/article/AA-01166/.
      [CVE-2014-3859] [RT #36078]

      A programming error in the prefetch feature could cause named
      to crash with a "REQUIRE" assertion failure in name.c. For more
      information, see the security advisory at
      https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

   New Features

      Support for CAA record types, as described in RFC 6844 "DNS
      Certification Authority Authorization (CAA) Resource Record",
      was added. [RT#36625] [RT #36737]

      Disallow "request-ixfr" from being specified in zone statements
      where it is not valid (it is only valid for slave and redirect
      zones) [RT #36608]

      Support for CDS and CDNSKEY resource record types was added. For
      details see the proposed Informational Internet-Draft "Automating
      DNSSEC Delegation Trust Maintenance" at
      http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
      [RT #36333]

      Added version printing options to various BIND utilities. [RT #26057]
      [RT #10686]

      Optionally allows libseccomp-based (secure computing mode)
      system-call filtering on Linux. This sandboxing mechanism may
      be used to isolate "named" from various system resources. Use
      "configure --enable-seccomp" at build time to enable it.  Thank you
      to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

   Feature Changes

      "geoip asnum" ACL elements would not match unless the full
      organization name was specified.  They can now match against the
      AS number alone (e.g., AS1234). [RT #36945]

      Adds RPZ SOA to the additional section of responses to clearly
      indicate the use of RPZ in a manner that is intended to avoid
      causing issues for downstream resolvers and forwarders [RT #36507]

      rndc now gives distinct error messages when an unqualified zone
      name matches multiple views vs. matching no views [RT #36691]

      Improves the accuracy of dig's reported round trip times.  [RT #36611]

      When an SPF record exists in a zone but no equivalent TXT record
      does, a warning will be issued.  The warning for the reverse
      condition is no longer issued. See the check-spf option in the
      documentation for details. [RT #36210]

      Aging of smoothed round-trip time measurements is now limited
      to no more than once per second, to improve accuracy in selecting
      the best name server. [RT #32909]

      DNSSEC keys that have been marked active but have no publication
      date are no longer presumed to be publishable. [RT #35063]

   Bug Fixes

      The Makefile in bin/python was changed to work around a bmake
      bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

      Corrected bugs in the handling of wildcard records by the DNSSEC
      validator: invalid wildcard expansions could be treated as valid
      if signed, and valid wildcard expansions in NSEC3 opt-out ranges
      had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

      An assertion failure could occur if a route event arrived while
      shutting down. [RT #36887]

      When resigning, dnssec-signzone was removing all signatures from
      delegation nodes. It now retains DS and (if applicable) NSEC
      signatures.  [RT #36946]

      The AD flag was being set inappopriately on RPZ responses. [RT #36833]

      Updates the URI record type to current draft standard,
      draft-faltstrom-uri-08, and allows the value field to be zero
      length [RT #36642] [RT #36737]

      On some platforms, overhead from DSCP tagging caused a performance
      regression between BIND 9.9 and BIND 9.10.  [RT #36534]

      RRSIG sets that were not loaded in a single transaction at start
      up were not being correctly added to re-signing heaps.  [RT #36302]

      Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

      Fixed a bug where some updated policy zone contents could be
      ignored due to stale RPZ summary information [RT #35885]

      A race condition could cause a crash in isc_event_free during
      shutdown.  [RT #36720]

      Addresses some problems with unrecoverable lookup failures. [RT #36330]

      Addresses a race condition issue in dispatch. [RT #36731]

      acl elements could be miscounted, causing a crash while loading
      a config [RT #36675]

      Corrects a deadlock between view.c and adb.c. [RT #36341]

      liblwres wasn't properly handling link-local addresses in
      nameserver clauses in resolv.conf. [RT #36039]

      Disable the GCC 4.9 "delete null pointer check" optimizer option,
      and refactor dns_rdataslab_fromrdataset() to separate out the
      handling of an rdataset with no records. This fixes problems
      when using GNU GCC 4.9.0 where its compiler code optimizations
      may cause crashes in BIND. For more information, see the operational
      advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

      Fixed a bug that could cause repeated resigning of records in
      dynamically signed zones. [RT #35273]

      Fixed a bug that could cause an assertion failure after forwarding
      was disabled. [RT #35979]

      Fixed a bug that caused GeoIP ACLs not to work when referenced
      indirectly via named or nested ACLs. [RT #35879]

      FIxed a bug that could cause problems with cache cleaning when
      SIT was enabled. [RT #35858]

      Fixed a bug that caused SERVFAILs when using RPZ on a system
      configured as a forwarder. [RT #36060]

      Worked around a limitation in Solaris's /dev/poll implementation
      that could cause named to fail to start when configured to use
      more sockets than the system could accomodate. [RT #35878]

      Fixed a bug that could cause an assertion failure when inserting
      and deleting parent and child nodes in a response-policy zone.
      [RT #36272]

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Dec  8 21:59:09 UTC 2014

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo

   Log Message:
   Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

   	--- 9.10.1-P1 released ---

   4006.	[security]	A flaw in delegation handling could be exploited
   			to put named into an infinite loop.  This has
   			been addressed by placing limits on the number
   			of levels of recursion named will allow (default 7),
   			and the number of iterative queries that it will
   			send (default 50) before terminating a recursive
   			query (CVE-2014-8500).

   			The recursion depth limit is configured via the
   			"max-recursion-depth" option, and the query limit
   			via the "max-recursion-queries" option.  [RT #37580]

   4003.	[security]	When geoip-directory was reconfigured during
   			named run-time, the previously loaded GeoIP
   			data could remain, potentially causing wrong
   			ACLs to be used or wrong results to be served
   			based on geolocation (CVE-2014-8680). [RT #37720]

   4002.	[security]	Lookups in GeoIP databases that were not
   			loaded could cause an assertion failure
   			(CVE-2014-8680). [RT #37679]

   4001.	[security]	The caching of GeoIP lookups did not always
   			handle address families correctly, potentially
   			resulting in an assertion failure (CVE-2014-8680).
   			[RT #37672]

Revision 1.3: download - view: text, markup, annotated - select for diffs
Mon Dec 8 21:59:09 2014 UTC (10 years ago) by taca
Branches: MAIN
CVS tags: pkgsrc-2014Q4-base
Branch point for: pkgsrc-2014Q4
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +4 -4 lines
Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

	--- 9.10.1-P1 released ---

4006.	[security]	A flaw in delegation handling could be exploited
			to put named into an infinite loop.  This has
			been addressed by placing limits on the number
			of levels of recursion named will allow (default 7),
			and the number of iterative queries that it will
			send (default 50) before terminating a recursive
			query (CVE-2014-8500).

			The recursion depth limit is configured via the
			"max-recursion-depth" option, and the query limit
			via the "max-recursion-queries" option.  [RT #37580]

4003.	[security]	When geoip-directory was reconfigured during
			named run-time, the previously loaded GeoIP
			data could remain, potentially causing wrong
			ACLs to be used or wrong results to be served
			based on geolocation (CVE-2014-8680). [RT #37720]

4002.	[security]	Lookups in GeoIP databases that were not
			loaded could cause an assertion failure
			(CVE-2014-8680). [RT #37679]

4001.	[security]	The caching of GeoIP lookups did not always
			handle address families correctly, potentially
			resulting in an assertion failure (CVE-2014-8680).
			[RT #37672]

Revision 1.2: download - view: text, markup, annotated - select for diffs
Tue Oct 14 16:23:19 2014 UTC (10 years, 1 month ago) by taca
Branches: MAIN
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +8 -14 lines
Update bind910 to 9.10.1.

Security Fixes

   A query specially crafted to exploit a defect in EDNS option
   processing could cause named to terminate with an assertion
   failure, due to a missing isc_buffer_availablelength() check
   when formatting packet contents for logging. For more information,
   see the security advisory at https://kb.isc.org/article/AA-01166/.
   [CVE-2014-3859] [RT #36078]

   A programming error in the prefetch feature could cause named
   to crash with a "REQUIRE" assertion failure in name.c. For more
   information, see the security advisory at
   https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

New Features

   Support for CAA record types, as described in RFC 6844 "DNS
   Certification Authority Authorization (CAA) Resource Record",
   was added. [RT#36625] [RT #36737]

   Disallow "request-ixfr" from being specified in zone statements
   where it is not valid (it is only valid for slave and redirect
   zones) [RT #36608]

   Support for CDS and CDNSKEY resource record types was added. For
   details see the proposed Informational Internet-Draft "Automating
   DNSSEC Delegation Trust Maintenance" at
   http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
   [RT #36333]

   Added version printing options to various BIND utilities. [RT #26057]
   [RT #10686]

   Optionally allows libseccomp-based (secure computing mode)
   system-call filtering on Linux. This sandboxing mechanism may
   be used to isolate "named" from various system resources. Use
   "configure --enable-seccomp" at build time to enable it.  Thank you
   to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

Feature Changes

   "geoip asnum" ACL elements would not match unless the full
   organization name was specified.  They can now match against the
   AS number alone (e.g., AS1234). [RT #36945]

   Adds RPZ SOA to the additional section of responses to clearly
   indicate the use of RPZ in a manner that is intended to avoid
   causing issues for downstream resolvers and forwarders [RT #36507]

   rndc now gives distinct error messages when an unqualified zone
   name matches multiple views vs. matching no views [RT #36691]

   Improves the accuracy of dig's reported round trip times.  [RT #36611]

   When an SPF record exists in a zone but no equivalent TXT record
   does, a warning will be issued.  The warning for the reverse
   condition is no longer issued. See the check-spf option in the
   documentation for details. [RT #36210]

   Aging of smoothed round-trip time measurements is now limited
   to no more than once per second, to improve accuracy in selecting
   the best name server. [RT #32909]

   DNSSEC keys that have been marked active but have no publication
   date are no longer presumed to be publishable. [RT #35063]

Bug Fixes

   The Makefile in bin/python was changed to work around a bmake
   bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

   Corrected bugs in the handling of wildcard records by the DNSSEC
   validator: invalid wildcard expansions could be treated as valid
   if signed, and valid wildcard expansions in NSEC3 opt-out ranges
   had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

   An assertion failure could occur if a route event arrived while
   shutting down. [RT #36887]

   When resigning, dnssec-signzone was removing all signatures from
   delegation nodes. It now retains DS and (if applicable) NSEC
   signatures.  [RT #36946]

   The AD flag was being set inappopriately on RPZ responses. [RT #36833]

   Updates the URI record type to current draft standard,
   draft-faltstrom-uri-08, and allows the value field to be zero
   length [RT #36642] [RT #36737]

   On some platforms, overhead from DSCP tagging caused a performance
   regression between BIND 9.9 and BIND 9.10.  [RT #36534]

   RRSIG sets that were not loaded in a single transaction at start
   up were not being correctly added to re-signing heaps.  [RT #36302]

   Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

   Fixed a bug where some updated policy zone contents could be
   ignored due to stale RPZ summary information [RT #35885]

   A race condition could cause a crash in isc_event_free during
   shutdown.  [RT #36720]

   Addresses some problems with unrecoverable lookup failures. [RT #36330]

   Addresses a race condition issue in dispatch. [RT #36731]

   acl elements could be miscounted, causing a crash while loading
   a config [RT #36675]

   Corrects a deadlock between view.c and adb.c. [RT #36341]

   liblwres wasn't properly handling link-local addresses in
   nameserver clauses in resolv.conf. [RT #36039]

   Disable the GCC 4.9 "delete null pointer check" optimizer option,
   and refactor dns_rdataslab_fromrdataset() to separate out the
   handling of an rdataset with no records. This fixes problems
   when using GNU GCC 4.9.0 where its compiler code optimizations
   may cause crashes in BIND. For more information, see the operational
   advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

   Fixed a bug that could cause repeated resigning of records in
   dynamically signed zones. [RT #35273]

   Fixed a bug that could cause an assertion failure after forwarding
   was disabled. [RT #35979]

   Fixed a bug that caused GeoIP ACLs not to work when referenced
   indirectly via named or nested ACLs. [RT #35879]

   FIxed a bug that could cause problems with cache cleaning when
   SIT was enabled. [RT #35858]

   Fixed a bug that caused SERVFAILs when using RPZ on a system
   configured as a forwarder. [RT #36060]

   Worked around a limitation in Solaris's /dev/poll implementation
   that could cause named to fail to start when configured to use
   more sockets than the system could accomodate. [RT #35878]

   Fixed a bug that could cause an assertion failure when inserting
   and deleting parent and child nodes in a response-policy zone.
   [RT #36272]

Revision 1.1.1.1 (vendor branch): download - view: text, markup, annotated - select for diffs
Wed Jul 2 02:42:58 2014 UTC (10 years, 5 months ago) by jnemeth
Branches: TNF
CVS tags: pkgsrc-base, pkgsrc-2014Q3-base
Branch point for: pkgsrc-2014Q3
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +0 -0 lines
Initial import of BIND 9.10.

Revision 1.1: download - view: text, markup, annotated - select for diffs
Wed Jul 2 02:42:58 2014 UTC (10 years, 5 months ago) by jnemeth
Branches: MAIN
Initial revision

Diff request

This form allows you to request diffs between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

Log view options

CVSweb <webmaster@jp.NetBSD.org>