| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
following security issues. All users of BIND are encouraged to upgrade
to this version.
2126. [security] Serialise validation of type ANY responses. [RT #16555]
2124. [security] It was possible to dereference a freed fetch
context. [RT #16584]
2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named. [RT #16391]
2088. [security] Change the default RSA exponent from 3 to 65537.
[RT #16391]
2066. [security] Handle SIG queries gracefully. [RT #16300]
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]
|
| |
|
|
| |
nslookup.1 man pages.
|
| |
|
|
|
|
|
|
| |
a maintenance release, with the usual round of bug and
security fixes.
All users of BIND 9 are encouraged to upgrade to this
version.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list today):
Description:
Because of OpenSSL's recently announced vulnerabilities
(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
we are announcing this workaround and releasing patches. A proof of
concept attack on OpenSSL has been demonstrated for CAN-2006-4339.
OpenSSL is required to use DNSSEC with BIND.
Fix for version 9.3.2-P1 and lower:
Upgrade to BIND 9.2.3-P2, then generate new RSASHA1 and
RSAMD5 keys for all old keys using the old default exponent
and perform a key rollover to these new keys.
These versions also change the default RSA exponent to be
65537 which is not vulnerable to the attacks described in
CAN-2006-4339.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
vulnerabilities:
http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
2066. [security] Handle SIG queries gracefully. [RT #16300]
http://www.kb.cert.org/vuls/id/697164
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]
All users of BIND 9 are encouraged to upgrade to this version.
|
| |
|
|
| |
Add CONFLICTS to the bind* ports.
|
| |
|
|
|
| |
Approved by: krion@
PR: ports/88711 (related)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
openssl from ports, and do not use the option to have the port
version overwrite the base version.
Several folks have mentioned this problem in the past, but a
good workaround (and more importantly, solid testing) were
provided by the submitter.
Submitted by: Uffe Vedenbrant <uffe@vedenbrant.se>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
1. Add myself as a backup master site (Sourceforge and CPAN ports
already have good enough coverage, so skip them).
2. For all ports that have them, download the PGP signature files.
3. For ports in 2, add a verify target to the Makefile
4. For ports where I was already providing a master site, update the URL.
5. Pet portlint in a couple of places.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
incorporated by ISC into the next version of BIND.
The patch addresses a problem with high-load resolvers which
hit memory barriers. Without this patch, running the resolving
name server out of memory would lead to "unpredictable results."
Of course, the canonical answer to this problem is to put more
memory into the system, however that is not always possible, and
the code should be able to handle this situation gracefully in
any case.
Approved by: portmgr (krion)
|
| |
|
|
|
| |
bad idea, so disable them in all cases unless the user has
affirmatively requested this through the define.
|
| |
|
|
|
|
| |
so rip it out until I have a chance to debug it.
2. Improve the comment about deprecating an old knob.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
several important fixes, including a remote (although unlikely) exploit.
See the CHANGES file for details.
All users of BIND 9 are highly encouraged to upgrade to this version.
Changes to the port include:
1. Remove ISC patch to 9.3.0 that addressed the remote exploit
2. Change to OPTIONS, and thereby
3. --enable-threads is now the default. Users report that the new thread
code in 9.3.x works significantly better than the old on all versions of
FreeBSD.
4. Add a temporary shim for the old PORT_REPLACES_BASE_BIND9 option.
The OPTIONS framework requires knobs to start with WITH_ or WITHOUT_
5. Remove patch that shoehorned named.conf.5 into the right place,
it has been fixed in the code.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Name: BIND: Self Check Failing [Added 2005.25.01]
Versions affected: BIND 9.3.0
Severity: LOW
Exploitable: Remotely
Type: Denial of Service
Description:
An incorrect assumption in the validator (authvalidated) can result in a
REQUIRE (internal consistancy) test failing and named exiting.
Workarounds:
Turn off dnssec validation (off by default) at the options/view level.
dnssec-enable no;
Active Exploits: None known
Bump PORTREVISION accordingly.
It should be noted that the vast majority of users would not have
DNSSEC enabled, and therefore are not vulnerable to this bug.
|
| |
|
|
|
|
|
|
| |
provide anything useful for newer systems, so remove them.
PR: ports/72118
Submitted by: Michel Lavondes <fox@vader.aacc.cc.md.us>
Approved by: portmgr (eik)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
significant updates, not the least of which is the new and improved
DNSSEC code based on the latest standards (including DS).
Various updates to the port, including:
1. Download the PGP signature
2. If running on ${OSVERSION} >= 503000, configure with threads
3. Update pkg-descr re IPv6 RRs
4. Update pkg-message to reflect a world with 6-current
There is also a patch to correct a man page installation error.
This problem should be fixed in the next release.
Approved by: portmgr (marcus)
|
| |
|
|
| |
Submitted by: fenner's distfile survey
|
| |
|
|
| |
version numbers.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
I realize that my error in version numbering previously caused some confusion
about 9.2.3 being a more up to date version than 9.2.3.4, but this will quickly
be resolved with the next version, and affected only a few users who installed
the release candidate. The portepoch change is permanent, and perpetuates a
silly kludge for no good reason.
Please do not change this again without discussing it with me.
|
| |
|
|
|
|
|
| |
[~/cvs/ports/dns/bind9] edwin@k7>pkg_version -t 9.2.3.4 9.2.3
>
[~/cvs/ports/dns/bind9] edwin@k7>pkg_version -t 9.2.3.4 9.2.3,1
<
|
| | |
|
| |
|
|
| |
Submitted by: A cast of thousands
|
| |
|
|
|
|
|
|
| |
The 9.2.3 code has many many bugs fixed from 9.2.2, check CHANGES
for more information.
The rc4 code has the delegation-only options. Check the ARM for
information on how to enable it.
|
| | |
|
| |
|
|
|
|
| |
PR: ports/56020
Submitted by: Kimura Fuyuki <fuyuki@nigredo.org>
Approved by: portmgr
|
| |
|
|
|
|
| |
PR: ports/56020
Submitted by: Kimura Fuyuki <fuyuki@nigredo.org>
Approved by: portmgr
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
new features compared to 9.2.1, only bug fixes. Users of BIND 9 are
highly encouraged to upgrade.
* Switch to Makefile COMMENT
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
is widely considered to be more stable than 9.2.1. I would have preferred
a -REL version, but better is better.
* Clean up the Makefile a little
* Just say no to threads
* Add the PORT_REPLACES_BASE magic, similar to the bind8 port
|
| |
|
|
| |
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>
|
| |
|
|
|
| |
PR: 41218
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org> (1)
|
| | |
|
| |
|
|
| |
see /usr/local/share/doc/bind9/CHANGES after installation for details.
|
| |
|
|
|
|
| |
In my previous commit I forgot to mention that 'pkg_add -r bind' is
only half the rationale for changing PORTNAME. The other half is so
that people who really want to can 'pkg_add -r bind9'.
|
| |
|
|
|
|
|
|
|
|
| |
are fixed in this version, however BIND 9 is still recommended only
for early adopters, and those that have time to closely monitor
their name service.
* Change PORTNAME to bind9 so that 'pkg_add -r bind' does the right thing
* Use the local version of openssl, and disable threads on all but
the most recent -current. Thread support is still considered experimental.
|
| | |
|
| | |
|
| |
|
|
| |
some IXFR problems.
|
| |
|
|
|
| |
it is highly recommended that all users of BIND 9 upgrade to this
maintenance release.
|
| |
|
|
| |
bind 9, upgrade to this version.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Approved by: maintainer
|
| | |
|
| | |
|
| |
|
|
| |
use BIND 9 this upgrade is highly recommended.
|
| |
|
|
| |
improve the resistance to DOS, so this is worth a portrevision bump.
|
| |
|
|
|
|
|
|
|
|
|
| |
to make the location of etc/ files prefix-safe. Install a sample
rndc.conf file. Since rndc won't start without one the user should have
an example to work from. Add the installation of various docs wrapped
in a NOPORTDOCS test.
Last but not least, add a patch that turns off the debugging code ISC
left on by default. This should help solve the problems with
misbehaving assert's, related to nmap and other causes.
|
| |
|
|
| |
so I'm on top of the security advisories, etc.
|
| |
|
|
| |
Requested by: Joong Hyun Kim <better@ns1.betterbox.net>
|
| |
|
|
| |
in the "right" place (/var/run), as opposed to ${PREFIX}/var/run
|
| |
|
|
|
| |
PR: ports/22941
Submitted by: Leif Neland, leifn@neland.dk
|
| | |
|
| | |
|
| |
|
|
|
|
| |
of other neat things like that. Sorry for the delay.
Repo-copy by: asami
|
| |
|
|
|
| |
The history is safe, so just "cvs add" the files back when bind9 is
ready to be committed.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Many people submitted patches for this one, and a combination of them
were used.
|
| | |
|
| |
|
|
|
| |
Submitted by: ust@cert.siemens.de
PR: ports/12875
|
| |
|
|
| |
containing the ports editors/vim5, sysutils/star, and one other.
|
| |
|
|
| |
Requested By: a bazillion people both on mailing lists and #FreeBSD.
|
| | |
|
| |
|
|
| |
PR: ports/11784
|
| |
|
|
|
| |
Submitted by: Brad Hendrickse <bradh@uunet.co.za>
PR: ports/10861
|
| | |
|
| |
|
|
| |
PR: 7750
|
| | |
|
| | |
|
| |
|
|
| |
Submitted by: Studded@dal.net
|
| | |
|
| |
|
|
| |
makefile, not bind's.
|
| | |
|
|
|
PR: ports/4118
|
