diff options
| author | dougb <dougb@FreeBSD.org> | 2008-07-10 03:02:01 +0800 |
|---|---|---|
| committer | dougb <dougb@FreeBSD.org> | 2008-07-10 03:02:01 +0800 |
| commit | 5f2e4c3a4899ca454d11731a1c3b331808db8dc5 (patch) | |
| tree | 9979d86bf5735abfae7e8171361c7011f681d867 /dns/bind96 | |
| parent | c5ea010d9f9262843ac677a48adfcfd0156ee1d8 (diff) | |
| download | freebsd-ports-gnome-5f2e4c3a4899ca454d11731a1c3b331808db8dc5.tar.gz freebsd-ports-gnome-5f2e4c3a4899ca454d11731a1c3b331808db8dc5.tar.zst freebsd-ports-gnome-5f2e4c3a4899ca454d11731a1c3b331808db8dc5.zip | |
Upgrade to the -P1 versions of each port, which add stronger randomization
of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Diffstat (limited to 'dns/bind96')
| -rw-r--r-- | dns/bind96/Makefile | 4 | ||||
| -rw-r--r-- | dns/bind96/distinfo | 12 |
2 files changed, 8 insertions, 8 deletions
diff --git a/dns/bind96/Makefile b/dns/bind96/Makefile index 059ebbc07553..f28f00d309ef 100644 --- a/dns/bind96/Makefile +++ b/dns/bind96/Makefile @@ -12,7 +12,7 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind95 -PORTVERSION= 9.5.0 +PORTVERSION= 9.5.0.1 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} \ http://dougbarton.us/Downloads/%SUBDIR%/ @@ -25,7 +25,7 @@ MAINTAINER= dougb@FreeBSD.org COMMENT= The BIND DNS suite with updated DNSSEC and threads # ISC releases things like 9.4.0b3, which our versioning doesn't like -ISCVERSION= 9.5.0 +ISCVERSION= 9.5.0-P1 GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ diff --git a/dns/bind96/distinfo b/dns/bind96/distinfo index d595a925efdd..ffc5ca2b6a02 100644 --- a/dns/bind96/distinfo +++ b/dns/bind96/distinfo @@ -1,6 +1,6 @@ -MD5 (bind-9.5.0.tar.gz) = 066484717db1d1b1b4092ddcf5d0eb6e -SHA256 (bind-9.5.0.tar.gz) = fbb4c02c792a5298f8c71d617dfbab2acebbbdd51ea1d1e94d1aa66de48ddd61 -SIZE (bind-9.5.0.tar.gz) = 6749437 -MD5 (bind-9.5.0.tar.gz.asc) = 36b1c6c37e047cb2c1214fdc74a62b30 -SHA256 (bind-9.5.0.tar.gz.asc) = 6d83c4a6c0bc67472e998bb260c1b0cfc55825c9b707da409c5a200c38119a64 -SIZE (bind-9.5.0.tar.gz.asc) = 486 +MD5 (bind-9.5.0-P1.tar.gz) = a4f9dd6d205d24ec89fa4e44d8188197 +SHA256 (bind-9.5.0-P1.tar.gz) = a0a726a83ae0b576a602494c8cda2b03041c5cf09b6423117ff42979c675374d +SIZE (bind-9.5.0-P1.tar.gz) = 6622200 +MD5 (bind-9.5.0-P1.tar.gz.asc) = f0efeb024f8d0a87792424a030f84883 +SHA256 (bind-9.5.0-P1.tar.gz.asc) = 47117588c2139e91944346d17e176f31af519e1a3376fb54016fefea09a946a4 +SIZE (bind-9.5.0-P1.tar.gz.asc) = 479 |