diff options
| author | dougb <dougb@FreeBSD.org> | 2009-01-08 16:18:45 +0800 |
|---|---|---|
| committer | dougb <dougb@FreeBSD.org> | 2009-01-08 16:18:45 +0800 |
| commit | b915af665e266a5f90cb5e4a2542431a558c3851 (patch) | |
| tree | 0ffd6d5e688b5d3bbc7b339e41e35664944abc29 /dns/bind9 | |
| parent | 507a1f515d94252dcf5db5cbc493f51d1b0dadc6 (diff) | |
| download | freebsd-ports-gnome-b915af665e266a5f90cb5e4a2542431a558c3851.tar.gz freebsd-ports-gnome-b915af665e266a5f90cb5e4a2542431a558c3851.tar.zst freebsd-ports-gnome-b915af665e266a5f90cb5e4a2542431a558c3851.zip | |
Update to the -P1 versions of the current BIND ports which contain
the fix for the following vulnerability: https://www.isc.org/node/373
Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.
Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.
While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.
PR: ports/126297
Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com>
Diffstat (limited to 'dns/bind9')
| -rw-r--r-- | dns/bind9/Makefile | 19 | ||||
| -rw-r--r-- | dns/bind9/distinfo | 12 |
2 files changed, 17 insertions, 14 deletions
diff --git a/dns/bind9/Makefile b/dns/bind9/Makefile index 2b122e063e28..58f67dc29c60 100644 --- a/dns/bind9/Makefile +++ b/dns/bind9/Makefile @@ -12,7 +12,7 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind9 -PORTVERSION= 9.3.6 +PORTVERSION= 9.3.6.1 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} \ http://dougbarton.us/Downloads/%SUBDIR%/ @@ -25,25 +25,28 @@ MAINTAINER= DougB@FreeBSD.org COMMENT= Completely new version of the BIND DNS suite with updated DNSSEC # ISC releases things like 9.3.0rc1, which our versioning doesn't like -ISCVERSION= 9.3.6 +ISCVERSION= 9.3.6-P1 GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ --with-randomdev=/dev/random -USE_OPENSSL= yes - CONFLICTS= bind9-9.[456].* bind9-sdb-* host-* -OPTIONS= REPLACE_BASE "Replace base BIND with this version" off \ +OPTIONS= SSL "Building without OpenSSL removes DNSSEC" on \ + REPLACE_BASE "Replace base BIND with this version" off \ THREADS "Compile with thread support (NOT RECOMMENDED!)" off +# Just in case +USE_OPENSSL= yes + .include <bsd.port.pre.mk> -.if defined(WITH_OPENSSL_PORT) -CONFIGURE_ARGS+= --with-openssl=${LOCALBASE} +.if !defined(WITHOUT_SSL) +CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE} .else -CONFIGURE_ARGS+= --with-openssl +CONFIGURE_ARGS+= --disable-openssl-version-check +CONFIGURE_ARGS+= --without-openssl .endif # ISC staff has informed me that for 9.3.x, threads are always a bad idea. diff --git a/dns/bind9/distinfo b/dns/bind9/distinfo index 4baac53a7423..296e1bf11875 100644 --- a/dns/bind9/distinfo +++ b/dns/bind9/distinfo @@ -1,6 +1,6 @@ -MD5 (bind-9.3.6.tar.gz) = 58ea86efa5d20ffc282ef2e1690dc484 -SHA256 (bind-9.3.6.tar.gz) = 275f4d19b8af8bbc93eda9d8532c21d32cd30195db82f15f10916c02416f9f03 -SIZE (bind-9.3.6.tar.gz) = 5717096 -MD5 (bind-9.3.6.tar.gz.asc) = 58a2244cf46d3b1b9caeef6e7c59883c -SHA256 (bind-9.3.6.tar.gz.asc) = 87d0ea9bf6fa4576fbba198805a4d323c255ceddfed059898293ebec98be19de -SIZE (bind-9.3.6.tar.gz.asc) = 479 +MD5 (bind-9.3.6-P1.tar.gz) = 8ad020e0857ddef49de39c54b456eac9 +SHA256 (bind-9.3.6-P1.tar.gz) = 7c38fee2e9729360be7bc35f07713ab96152350ab2eb4f3c5b249948e366c8f8 +SIZE (bind-9.3.6-P1.tar.gz) = 5717426 +MD5 (bind-9.3.6-P1.tar.gz.asc) = e5de7bbe55e4f63c86c6f4f3fd0c8b44 +SHA256 (bind-9.3.6-P1.tar.gz.asc) = f1cf957430fe18c810d1916ddb8069a2e7881346cdecca161918aaa7f1b678c0 +SIZE (bind-9.3.6-P1.tar.gz.asc) = 479 |