-rw-r--r--dns/bind913/Makefile4
-rw-r--r--dns/bind913/distinfo6
-rw-r--r--dns/bind913/files/patch-CVE-2018-5738112
3 files changed, 5 insertions, 117 deletions
diff --git a/dns/bind913/Makefile b/dns/bind913/Makefile
index cd09af2f48f1..64ed15f704d8 100644
--- a/dns/bind913/Makefile
+++ b/dns/bind913/Makefile
@@ -8,7 +8,7 @@ PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
PORTREVISION= 0
.else
# dns/bind913 here
-PORTREVISION= 1
+PORTREVISION= 0
.endif
CATEGORIES= dns net ipv6
MASTER_SITES= ISC/bind9/${ISCVERSION}
@@ -33,7 +33,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
USES= cpe libedit ssl
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.13.0
+ISCVERSION= 9.13.1
CPE_VENDOR= isc
CPE_VERSION= ${ISCVERSION:C/-.*//}
diff --git a/dns/bind913/distinfo b/dns/bind913/distinfo
index bc0ad71e5624..41ce677f4b36 100644
--- a/dns/bind913/distinfo
+++ b/dns/bind913/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1527250140
-SHA256 (bind-9.13.0.tar.gz) = cac499088c7135d9486ba1fc8416088adec58eea9eeee017845383a1aff34ffc
-SIZE (bind-9.13.0.tar.gz) = 8906102
+TIMESTAMP = 1529066513
+SHA256 (bind-9.13.1.tar.gz) = d081011170a915b3059d3f24e1a14e5540d2892f2a0267af94cfbe6601423d22
+SIZE (bind-9.13.1.tar.gz) = 8787034
diff --git a/dns/bind913/files/patch-CVE-2018-5738 b/dns/bind913/files/patch-CVE-2018-5738
deleted file mode 100644
index 7cbc1b47e2e3..000000000000
--- a/dns/bind913/files/patch-CVE-2018-5738
+++ /dev/null
@@ -1,112 +0,0 @@
-commit 03ecba2cdc8d9a6cb6bdf863ffa1e230cb4ff223
-Author: Evan Hunt <each@isc.org>
-Date: 2018-06-04 15:57:58 -0700
-
- allow-recursion could incorrectly inherit from the default allow-query
-
---- CHANGES.orig 2018-05-22 23:42:35 UTC
-+++ CHANGES
-@@ -1,3 +1,10 @@
-+4960. [security] When recursion is enabled, but the "allow-recursion"
-+ and "allow-query-cache" ACLs are not specified,
-+ they should be limited to local networks,
-+ but were inadvertently set to match the default
-+ "allow-query", thus allowing remote queries.
-+ (CVE-2018-5738) [GL #309]
-+
- --- 9.13.0 released ---
-
- 4950. [bug] ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
---- bin/named/server.c.orig 2018-05-22 23:42:35 UTC
-+++ bin/named/server.c
-@@ -3723,10 +3723,6 @@ configure_view(dns_view_t *view, dns_vie
- CHECKM(named_config_getport(config, &port), "port");
- dns_view_setdstport(view, port);
-
-- CHECK(configure_view_acl(vconfig, config, named_g_config,
-- "allow-query", NULL, actx,
-- named_g_mctx, &view->queryacl));
--
- /*
- * Make the list of response policy zone names for a view that
- * is used for real lookups and so cares about hints.
-@@ -4695,21 +4691,35 @@ configure_view(dns_view_t *view, dns_vie
- "allow-query-cache-on", NULL, actx,
- named_g_mctx, &view->cacheonacl));
- /*
-- * Set "allow-query-cache", "allow-recursion", and
-- * "allow-recursion-on" acls if configured in named.conf.
-- * (Ignore the global defaults for now, because these ACLs
-- * can inherit from each other when only some of them set at
-- * the options/view level.)
-+ * Set the "allow-query", "allow-query-cache", "allow-recursion",
-+ * and "allow-recursion-on" ACLs if configured in named.conf, but
-+ * NOT from the global defaults. This is done by leaving the third
-+ * argument to configure_view_acl() NULL.
-+ *
-+ * We ignore the global defaults here because these ACLs
-+ * can inherit from each other. If any are still unset after
-+ * applying the inheritance rules, we'll look up the defaults at
-+ * that time.
- */
-- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
-- NULL, actx, named_g_mctx, &view->cacheacl));
-+
-+ /* named.conf only */
-+ CHECK(configure_view_acl(vconfig, config, NULL,
-+ "allow-query", NULL, actx,
-+ named_g_mctx, &view->queryacl));
-+
-+ /* named.conf only */
-+ CHECK(configure_view_acl(vconfig, config, NULL,
-+ "allow-query-cache", NULL, actx,
-+ named_g_mctx, &view->cacheacl));
-
- if (strcmp(view->name, "_bind") != 0 &&
- view->rdclass != dns_rdataclass_chaos)
- {
-+ /* named.conf only */
- CHECK(configure_view_acl(vconfig, config, NULL,
- "allow-recursion", NULL, actx,
- named_g_mctx, &view->recursionacl));
-+ /* named.conf only */
- CHECK(configure_view_acl(vconfig, config, NULL,
- "allow-recursion-on", NULL, actx,
- named_g_mctx, &view->recursiononacl));
-@@ -4747,18 +4757,21 @@ configure_view(dns_view_t *view, dns_vie
- * the global config.
- */
- if (view->recursionacl == NULL) {
-+ /* global default only */
- CHECK(configure_view_acl(NULL, NULL, named_g_config,
- "allow-recursion", NULL,
- actx, named_g_mctx,
- &view->recursionacl));
- }
- if (view->recursiononacl == NULL) {
-+ /* global default only */
- CHECK(configure_view_acl(NULL, NULL, named_g_config,
- "allow-recursion-on", NULL,
- actx, named_g_mctx,
- &view->recursiononacl));
- }
- if (view->cacheacl == NULL) {
-+ /* global default only */
- CHECK(configure_view_acl(NULL, NULL, named_g_config,
- "allow-query-cache", NULL,
- actx, named_g_mctx,
-@@ -4772,6 +4785,14 @@ configure_view(dns_view_t *view, dns_vie
- CHECK(dns_acl_none(mctx, &view->cacheacl));
- }
-
-+ if (view->queryacl == NULL) {
-+ /* global default only */
-+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
-+ "allow-query", NULL,
-+ actx, named_g_mctx,
-+ &view->queryacl));
-+ }
-+
- /*
- * Ignore case when compressing responses to the specified
- * clients. This causes case not always to be preserved,