authordougb <dougb@FreeBSD.org>2011-07-06 05:19:20 +0800
committerdougb <dougb@FreeBSD.org>2011-07-06 05:19:20 +0800
commit6f0d8edc8bd46c452a9714455a5413633fc259ef (patch)
treebc4d528357b9e2e3bf89d3ff80ab4111772ddf0a /dns
parente6cb9e70356b22f916ea409773c57e3646086674 (diff)
Update to versions 9.8.0-P4, 9.7.3-P3, and 9.6-ESV-R4-P3.
ALL BIND USERS ENCOURAGED TO UPGRADE IMMEDIATELY. This update addresses the following vulnerabilities: CVE-2011-2464 ============= Severity: High Exploitable: Remotely Description: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 CVE-2011-2465 ============= Severity: High Exploitable: Remotely Description: A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records. Specifically, these are any DNAME record and certain kinds of CNAME records. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2465 https://www.isc.org/software/bind/advisories/cve-2011-2465 Additional changes in this version: * If named is configured to be both authoritative and recursive and receives a recursive query for a CNAME in a zone that it is authoritative for, if that CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a complete CNAME chain. [RT #24455] Thus the patch for this bug has been removed from the port. * Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independent. [RT #24715] [CVE-2011-1907]
Diffstat (limited to 'dns')
-rw-r--r--dns/bind98/Makefile4
-rw-r--r--dns/bind98/distinfo8
-rw-r--r--dns/bind98/files/patch-bin__named__query.c18
3 files changed, 6 insertions, 24 deletions
diff --git a/dns/bind98/Makefile b/dns/bind98/Makefile
index 3bab874a41a7..1403926183f2 100644
--- a/dns/bind98/Makefile
+++ b/dns/bind98/Makefile
@@ -12,7 +12,7 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind98
-PORTVERSION= 9.8.0.2
+PORTVERSION= 9.8.0.4
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,7 +25,7 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.8.0-P2
+ISCVERSION= 9.8.0-P4
MAKE_JOBS_UNSAFE= yes
diff --git a/dns/bind98/distinfo b/dns/bind98/distinfo
index 9a107949467f..378e3ee52e6c 100644
--- a/dns/bind98/distinfo
+++ b/dns/bind98/distinfo
@@ -1,4 +1,4 @@
-SHA256 (bind-9.8.0-P2.tar.gz) = da4d3d2e2c3b3b1f5c6cd870ff262af5a2e82082b7a7e9c77ccab637fa11f2bd
-SIZE (bind-9.8.0-P2.tar.gz) = 7702702
-SHA256 (bind-9.8.0-P2.tar.gz.asc) = 091ac4a4d0aa08fa008eb222070e4bfe82afd601a304842b5cc79eb14b0f7c62
-SIZE (bind-9.8.0-P2.tar.gz.asc) = 481
+SHA256 (bind-9.8.0-P4.tar.gz) = ea2d9c30f41e680afc8b85eabd7c58865ce31d72009f2812d03078428869f415
+SIZE (bind-9.8.0-P4.tar.gz) = 7703981
+SHA256 (bind-9.8.0-P4.tar.gz.asc) = a054dc47f90122cf004e002fe46e8599346ff2799aca6e681b4325cecf3840ee
+SIZE (bind-9.8.0-P4.tar.gz.asc) = 481
diff --git a/dns/bind98/files/patch-bin__named__query.c b/dns/bind98/files/patch-bin__named__query.c
deleted file mode 100644
index 1216d2bdfe5f..000000000000
--- a/dns/bind98/files/patch-bin__named__query.c
+++ /dev/null
@@ -1,18 +0,0 @@
---- bin/named/query.c.orig 2011-04-27 10:06:27.000000000 -0700
-+++ bin/named/query.c 2011-05-27 15:00:15.000000000 -0700
-@@ -637,6 +637,7 @@
- dns_db_attach(db, &dbversion->db);
- dns_db_currentversion(db, &dbversion->version);
- dbversion->acl_checked = ISC_FALSE;
-+ dbversion->queryok = ISC_FALSE;
- ISC_LIST_APPEND(client->query.activeversions,
- dbversion, link);
- }
-@@ -768,6 +769,7 @@
- dbversion->queryok = ISC_FALSE;
- return (DNS_R_REFUSED);
- }
-+ dbversion->queryok = ISC_TRUE;
-
- approved:
- /* Transfer ownership, if necessary. */