author | dougb <dougb@FreeBSD.org> | 2009-01-08 16:18:45 +0800 |
---|---|---|
committer | dougb <dougb@FreeBSD.org> | 2009-01-08 16:18:45 +0800 |
commit | b915af665e266a5f90cb5e4a2542431a558c3851 (patch) | |
tree | 0ffd6d5e688b5d3bbc7b339e41e35664944abc29 /dns/bind96 | |
parent | 507a1f515d94252dcf5db5cbc493f51d1b0dadc6 (diff) | |
Update to the -P1 versions of the current BIND ports which contain
the fix for the following vulnerability: https://www.isc.org/node/373

Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.

Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).

In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.

While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.

PR: ports/126297
Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com>
Diffstat (limited to 'dns/bind96')
-rw-r--r-- | dns/bind96/Makefile | 19 |
-rw-r--r-- | dns/bind96/distinfo | 12 |
2 files changed, 17 insertions, 14 deletions
diff --git a/dns/bind96/Makefile b/dns/bind96/Makefile index 7d225392b218..a3411a65fe07 100644 --- a/dns/bind96/Makefile +++ b/dns/bind96/Makefile @@ -12,7 +12,7 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind96 -PORTVERSION= 9.6.0 +PORTVERSION= 9.6.0.1 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} \ http://dougbarton.us/Downloads/%SUBDIR%/ @@ -25,23 +25,25 @@ MAINTAINER= dougb@FreeBSD.org COMMENT= The BIND DNS suite with updated DNSSEC and threads # ISC releases things like 9.4.0b3, which our versioning doesn't like -ISCVERSION= 9.6.0 +ISCVERSION= 9.6.0-P1 GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ --with-randomdev=/dev/random -USE_OPENSSL= yes - CONFLICTS= bind9-9.[345].* bind9-sdb-* host-* -OPTIONS= XML "Support for xml statistics output" on \ +OPTIONS= SSL "Building without OpenSSL removes DNSSEC" on \ + XML "Support for xml statistics output" on \ IDN "Add IDN support to dig, host, etc." off \ REPLACE_BASE "Replace base BIND with this version" off \ LARGE_FILE "64-bit file support" off \ SIGCHASE "dig/host/nslookup will do DNSSEC validation" off \ IPV6 "IPv6 Support (autodetected by default)" off +# Just in case +USE_OPENSSL= yes + .include <bsd.port.pre.mk> .if (${ARCH} == "amd64") @@ -55,10 +57,11 @@ OPTIONS+= THREADS "Compile with thread support" on OPTIONS+= THREADS "Compile w/threads (Not Recommended <FreeBSD-7)" off .endif -.if defined(WITH_OPENSSL_PORT) -CONFIGURE_ARGS+= --with-openssl=${LOCALBASE} +.if !defined(WITHOUT_SSL) +CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE} .else -CONFIGURE_ARGS+= --with-openssl +CONFIGURE_ARGS+= --disable-openssl-version-check +CONFIGURE_ARGS+= --without-openssl .endif .if !defined(WITHOUT_XML) diff --git a/dns/bind96/distinfo b/dns/bind96/distinfo index bad825742ce7..01c66ef4e1a8 100644 --- a/dns/bind96/distinfo +++ b/dns/bind96/distinfo 
@@ -1,6 +1,6 @@ -MD5 (bind-9.6.0.tar.gz) = 287231d759ad83ed51f60f8a9f8176b9 -SHA256 (bind-9.6.0.tar.gz) = 2b13953224a066aa41797bbaace921f622f627184dca0360d662f9418a1acebb -SIZE (bind-9.6.0.tar.gz) = 6525672 -MD5 (bind-9.6.0.tar.gz.asc) = c4b5eb7959d3d9a50084d47093a41334 -SHA256 (bind-9.6.0.tar.gz.asc) = 451e3dd1ef45b2a5e9c314ea1954facc2209ce110267ad3a11b2c10d0538f1e8 -SIZE (bind-9.6.0.tar.gz.asc) = 479 +MD5 (bind-9.6.0-P1.tar.gz) = 886b7eae55cfdc8cd8d2ca74a2f99c6e +SHA256 (bind-9.6.0-P1.tar.gz) = 4ccbd33a5b5c974c2778d5e61eeb4841c04a40904db43ee1ad190c3ed82978a9 +SIZE (bind-9.6.0-P1.tar.gz) = 6526739 +MD5 (bind-9.6.0-P1.tar.gz.asc) = 45bdf652391fc47ae55903d208fa0616 +SHA256 (bind-9.6.0-P1.tar.gz.asc) = 560a34288a8946fec7ad2ebf06d7a98964b08772e8bda7a94a99783c79ec04c5 +SIZE (bind-9.6.0-P1.tar.gz.asc) = 479 |
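Review bot: In the Makefile hunk at -25,23 +25,25, `USE_OPENSSL= yes` is only moved below OPTIONS and stays unconditional, with `# Just in case` as its sole explanation, so a build with the new SSL option switched off still declares OpenSSL use. Please replace the comment with the actual reason it has to stay set (for instance, if `${OPENSSLBASE}` in the later hunk depends on it), or make it conditional if it does not. As a smaller style point, the SSL option defaults to on but its description, "Building without OpenSSL removes DNSSEC", describes the off state; wording it as what the option enables would match the other entries.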
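Review bot: In the Makefile hunk at -55,10 +57,11, the new `.else` branch passes `--without-openssl`, but the SIGCHASE option ("dig/host/nslookup will do DNSSEC validation") listed in OPTIONS can still be selected with it, and nothing in the visible hunks rejects that combination. Since the commit message says building without OpenSSL eliminates DNSSEC capability, consider failing early when both `WITHOUT_SSL` and `WITH_SIGCHASE` are defined, so a user does not end up with tools that appear to validate but cannot. A short comment on why `--disable-openssl-version-check` is needed when OpenSSL is disabled altogether would also help.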
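Review bot: In the distinfo hunk, the entries for `bind-9.6.0-P1.tar.gz.asc` only pin the bytes of the detached signature file; they do not show that the signature was checked against the tarball before the new hashes were recorded. For a security release, please state in the commit message that the tarball was verified against the ISC signature, so the recorded SHA256 is known to describe the upstream artifact.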