From b47c5a374e145807a6f843191229f1cca523bb7f Mon Sep 17 00:00:00 2001
From: dougb
Date: Fri, 27 May 2011 23:47:56 +0000
Subject: Upgrade to 9.8.0-P2, which addresses the following issues: 1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users. 2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used. Add a patch from ISC that will be in 9.8.1 to handle intermittent failure of recursive queries involving CNAMEs and previously cached responses.
---
 dns/bind98/Makefile | 4 ++--
 dns/bind98/distinfo | 8 ++++----
 dns/bind98/files/patch-bin__named__query.c | 18 ++++++++++++++++++
 dns/bind98/files/patch-bin__nsupdate__nsupdate.c | 14 ++++++++++++++
 4 files changed, 38 insertions(+), 6 deletions(-)
 create mode 100644 dns/bind98/files/patch-bin__named__query.c
 create mode 100644 dns/bind98/files/patch-bin__nsupdate__nsupdate.c
(limited to 'dns')
diff --git a/dns/bind98/Makefile b/dns/bind98/Makefile
index 68ffa643be3c..3bab874a41a7 100644
--- a/dns/bind98/Makefile
+++ b/dns/bind98/Makefile
@@ -12,7 +12,7 @@
 # release you can generally build it cleanly from the source - Doug
 PORTNAME= bind98
-PORTVERSION= 9.8.0.1
+PORTVERSION= 9.8.0.2
 CATEGORIES= dns net ipv6
 MASTER_SITES= ${MASTER_SITE_ISC} \
 http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,7 +25,7 @@ MAINTAINER= dougb@FreeBSD.org
 COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.8.0-P1
+ISCVERSION= 9.8.0-P2
 MAKE_JOBS_UNSAFE= yes
diff --git a/dns/bind98/distinfo b/dns/bind98/distinfo
index b02bb018d097..9a107949467f 100644
--- a/dns/bind98/distinfo
+++ b/dns/bind98/distinfo
@@ -1,4 +1,4 @@
-SHA256 (bind-9.8.0-P1.tar.gz) = f0f659079894402d38db4f22aac99ead45401123c2aa2398e13f19dae73bb11e
-SIZE (bind-9.8.0-P1.tar.gz) = 7701530
-SHA256 (bind-9.8.0-P1.tar.gz.asc) = abae8380cbf7312574f4d0b1c2865c60e3d152154e7a2a9e99710f085c2aeee9
-SIZE (bind-9.8.0-P1.tar.gz.asc) = 480
+SHA256 (bind-9.8.0-P2.tar.gz) = da4d3d2e2c3b3b1f5c6cd870ff262af5a2e82082b7a7e9c77ccab637fa11f2bd
+SIZE (bind-9.8.0-P2.tar.gz) = 7702702
+SHA256 (bind-9.8.0-P2.tar.gz.asc) = 091ac4a4d0aa08fa008eb222070e4bfe82afd601a304842b5cc79eb14b0f7c62
+SIZE (bind-9.8.0-P2.tar.gz.asc) = 481
diff --git a/dns/bind98/files/patch-bin__named__query.c b/dns/bind98/files/patch-bin__named__query.c
new file mode 100644
index 000000000000..1216d2bdfe5f
--- /dev/null
+++ b/dns/bind98/files/patch-bin__named__query.c
@@ -0,0 +1,18 @@
+--- bin/named/query.c.orig 2011-04-27 10:06:27.000000000 -0700
++++ bin/named/query.c 2011-05-27 15:00:15.000000000 -0700
+@@ -637,6 +637,7 @@
+ dns_db_attach(db, &dbversion->db);
+ dns_db_currentversion(db, &dbversion->version);
+ dbversion->acl_checked = ISC_FALSE;
++ dbversion->queryok = ISC_FALSE;
+ ISC_LIST_APPEND(client->query.activeversions,
+ dbversion, link);
+ }
+@@ -768,6 +769,7 @@
+ dbversion->queryok = ISC_FALSE;
+ return (DNS_R_REFUSED);
+ }
++ dbversion->queryok = ISC_TRUE;
+
+ approved:
+ /* Transfer ownership, if necessary. */
diff --git a/dns/bind98/files/patch-bin__nsupdate__nsupdate.c b/dns/bind98/files/patch-bin__nsupdate__nsupdate.c
new file mode 100644
index 000000000000..ad7c274ea16b
--- /dev/null
+++ b/dns/bind98/files/patch-bin__nsupdate__nsupdate.c
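Review bot: In `patch-bin__named__query.c`, the second added line `dbversion->queryok = ISC_TRUE;` sits directly above the `approved:` label, so any path that reaches the label by `goto` bypasses it and keeps the `ISC_FALSE` default that the first inner hunk now sets. Both enclosing functions start and end outside the inner hunks, so whether such paths already set `queryok` cannot be checked from here. It is worth confirming against the full `query.c`, because the flag sits next to `acl_checked` and a `DNS_R_REFUSED` return and so looks like a cached access decision. Separately, neither this patch file nor `patch-bin__nsupdate__nsupdate.c` records its origin; a leading line such as `Backport from ISC, expected in 9.8.1 - remove on upgrade` (with the matching origin for the nsupdate patch) would tell the next maintainer when to drop it.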
@@ -0,0 +1,14 @@
+--- bin/nsupdate/nsupdate.c.orig 2011-01-09 21:32:03.000000000 -0800
++++ bin/nsupdate/nsupdate.c 2011-05-27 14:51:32.000000000 -0700
+@@ -695,8 +695,10 @@
+ keyfile, isc_result_totext(result));
+ return;
+ }
+- } else
++ } else {
+ dst_key_attach(dstkey, &sig0key);
++ dst_key_free(&dstkey);
++ }
+ }
+
+ static void
-- cgit
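Review bot: The added `dst_key_free(&dstkey);` releases the local reference only on the `else` path; the error branch just above ends in a bare `return;`, and the hunk does not show whether `dstkey` has already been released by then. The function starts outside the hunk, so that needs checking in the full `nsupdate.c`. A short comment on the new lines, for example `/* sig0key now holds its own reference; drop the local one */`, would explain why the attach is followed at once by a free.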