Update BIND 9.9 and 9.10 to the latest security patch.

Sponsored by:	Absolight

6 files changed, 13 insertions, 117 deletions

diff --git a/dns/bind910/Makefile b/dns/bind910/Makefile
index bc9c25835f45..90c7b3c3e82a 100644
--- a/dns/bind910/Makefile
+++ b/dns/bind910/Makefile
@@ -4,10 +4,10 @@ PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/}
 .if defined(BIND_TOOLS_SLAVE)
 # dns/bind-tools here
-PORTREVISION=	1
+PORTREVISION=	0
 .else
 # dns/bind910 here
-PORTREVISION=	2
+PORTREVISION=	0
 .endif
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
@@ -20,7 +20,7 @@ COMMENT?=	BIND DNS suite with updated DNSSEC and DNS64
 LICENSE=	ISCL
 
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.10.1-P1
+ISCVERSION=	9.10.1-P2
 
 MAKE_JOBS_UNSAFE=	yes
 
diff --git a/dns/bind910/distinfo b/dns/bind910/distinfo
index e61262c6bf39..0c9277a8ab9a 100644
--- a/dns/bind910/distinfo
+++ b/dns/bind910/distinfo
@@ -1,2 +1,2 @@
-SHA256 (bind-9.10.1-P1.tar.gz) = 974343108d32f253a130383d0ba51290fb7bf372092f1451f264a9e3ac09898d
-SIZE (bind-9.10.1-P1.tar.gz) = 8356463
+SHA256 (bind-9.10.1-P2.tar.gz) = 42dced2300ba6147168fe1b7faa2e7740e47b75e481290cd5e4483bd8b8a7feb
+SIZE (bind-9.10.1-P2.tar.gz) = 8356565
diff --git a/dns/bind910/files/patch-CVE-2015-1349 b/dns/bind910/files/patch-CVE-2015-1349
deleted file mode 100644
index 4eb553a7a479..000000000000
--- a/dns/bind910/files/patch-CVE-2015-1349
+++ /dev/null
@@ -1,52 +0,0 @@
-commit 12df718c23e29b16fcb5c12eace4b4a924de104d
-Author: Evan Hunt <each@isc.org>
-Date:   Tue Feb 3 18:32:05 2015 -0800
-
-    [v9_10_1_patch] avoid crash due to managed-key rollover
-    
-    4053.	[security]	Revoking a managed trust anchor and supplying
-    			an untrusted replacement could cause named
-    			to crash with an assertion failure.
-    			(CVE-2015-1349) [RT #38344]
-
-diff --git a/CHANGES b/CHANGES
-index 1234469..fc58de7 100644
---- CHANGES
-+++ CHANGES
-@@ -1,3 +1,10 @@
-+	--- 9.10.1-P2 released ---
-+
-+4053.	[security]	Revoking a managed trust anchor and supplying
-+			an untrusted replacement could cause named
-+			to crash with an assertion failure.
-+			(CVE-2015-1349) [RT #38344]
-+
- 	--- 9.10.1-P1 released ---
- 
- 4006.	[security]	A flaw in delegation handling could be exploited
-diff --git a/lib/dns/zone.c b/lib/dns/zone.c
-index ef60454..2c4558e 100644
---- lib/dns/zone.c
-+++ lib/dns/zone.c
-@@ -8946,6 +8946,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
- 					     namebuf, tag);
- 				trustkey = ISC_TRUE;
- 			}
-+		} else {
-+			/*
-+			 * No previously known key, and the key is not
-+			 * secure, so skip it.
-+			 */
-+			continue;
- 		}
- 
- 		/* Delete old version */
-@@ -8994,7 +9000,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
- 			trust_key(zone, keyname, &dnskey, mctx);
- 		}
- 
--		if (!deletekey) {
-+		if (secure && !deletekey) {
- 			INSIST(newkey || updatekey);
- 			set_refreshkeytimer(zone, &keydata, now);
- 		}
diff --git a/dns/bind99/Makefile b/dns/bind99/Makefile
index 35d06ad0e736..36a73c65f072 100644
--- a/dns/bind99/Makefile
+++ b/dns/bind99/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/}
-PORTREVISION=	4
+PORTREVISION=	0
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	99
@@ -14,7 +14,7 @@ COMMENT=	BIND DNS suite with updated DNSSEC and DNS64
 LICENSE=	ISCL
 
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.9.6-P1
+ISCVERSION=	9.9.6-P2
 
 MAKE_JOBS_UNSAFE=	yes
 
@@ -111,8 +111,8 @@ RPZ_NSIP_CONFIGURE_ENABLE=	rpz-nsip
 
 RPZ_NSDNAME_CONFIGURE_ENABLE=	rpz-nsdname
 
-RPZ_PATCH_PATCHFILES=	${ISCVERSION}-rpz2+rl.14038.05.patch:vix
-RPZ_PATCH_PATCH_SITES=	http://ss.vix.su/~vjs/:vix ${MASTER_SITE_LOCAL:S/%SUBDIR%/mat\/bind/:S/$/:vix/}
+RPZ_PATCH_PATCHFILES=	${ISCVERSION}-rpz2+rl.14038.05.patch.xz:vix
+RPZ_PATCH_PATCH_SITES=	http://ss.vix.su/~vjs/:vix LOCAL/mat/bind:vix
 
 RRL_CONFIGURE_ENABLE=	rrl
 
diff --git a/dns/bind99/distinfo b/dns/bind99/distinfo
index 40b19c835b41..c8dca30964fa 100644
--- a/dns/bind99/distinfo
+++ b/dns/bind99/distinfo
@@ -1,4 +1,4 @@
-SHA256 (bind-9.9.6-P1.tar.gz) = dfedcb2b414d2803accd1a9c21d183178a288f40a2486af5ec0d3369a8cb8526
-SIZE (bind-9.9.6-P1.tar.gz) = 7816337
-SHA256 (9.9.6-P1-rpz2+rl.14038.05.patch) = b978d634c3deb1de42418700ac28ec947373f8979a4bbe2230d0eea462a6cc86
-SIZE (9.9.6-P1-rpz2+rl.14038.05.patch) = 194778
+SHA256 (bind-9.9.6-P2.tar.gz) = 5e882f453a8c799a121272f68bdb90936ce97bb857f8c2b3af1c8ba3d1b749ed
+SIZE (bind-9.9.6-P2.tar.gz) = 7816640
+SHA256 (9.9.6-P2-rpz2+rl.14038.05.patch.xz) = b69825ddee742dbb342f2da4265ff2139256ad79bd0d029ba010b7bf98f2d1e5
+SIZE (9.9.6-P2-rpz2+rl.14038.05.patch.xz) = 38792
diff --git a/dns/bind99/files/patch-CVE-2015-1349 b/dns/bind99/files/patch-CVE-2015-1349
deleted file mode 100644
index 0f7794bc3a04..000000000000
--- a/dns/bind99/files/patch-CVE-2015-1349
+++ /dev/null
@@ -1,52 +0,0 @@
-commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
-Author: Evan Hunt <each@isc.org>
-Date:   Tue Feb 3 18:30:38 2015 -0800
-
-    [v9_9_6_patch] avoid crash due to managed-key rollover
-    
-    4053.	[security]	Revoking a managed trust anchor and supplying
-    			an untrusted replacement could cause named
-    			to crash with an assertion failure.
-    			(CVE-2015-1349) [RT #38344]
-
-diff --git a/CHANGES b/CHANGES
-index e8d75ea..b45be6d 100644
---- CHANGES
-+++ CHANGES
-@@ -1,3 +1,10 @@
-+	--- 9.9.6-P2 released ---
-+
-+4053.	[security]	Revoking a managed trust anchor and supplying
-+			an untrusted replacement could cause named
-+			to crash with an assertion failure.
-+			(CVE-2015-1349) [RT #38344]
-+
- 	--- 9.9.6-P1 released ---
- 
- 4006.	[security]	A flaw in delegation handling could be exploited
-diff --git a/lib/dns/zone.c b/lib/dns/zone.c
-index 7a9825b..5db2844 100644
---- lib/dns/zone.c
-+++ lib/dns/zone.c
-@@ -8508,6 +8508,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
- 					     namebuf, tag);
- 				trustkey = ISC_TRUE;
- 			}
-+		} else {
-+			/*
-+			 * No previously known key, and the key is not
-+			 * secure, so skip it.
-+			 */
-+			continue;
- 		}
- 
- 		/* Delete old version */
-@@ -8556,7 +8562,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
- 			trust_key(zone, keyname, &dnskey, mctx);
- 		}
- 
--		if (!deletekey) {
-+		if (secure && !deletekey) {
- 			INSIST(newkey || updatekey);
- 			set_refreshkeytimer(zone, &keydata, now);
- 		}