pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2019Q1] pkgsrc/net/bind911



Module Name:    pkgsrc
Committed By:   spz
Date:           Sun May 12 20:44:15 UTC 2019

Modified Files:
        pkgsrc/net/bind911 [pkgsrc-2019Q1]: MESSAGE Makefile distinfo
            options.mk
        pkgsrc/net/bind911/patches [pkgsrc-2019Q1]: patch-lib_isc_unix_socket.c
            patch-lib_lwres_getnameinfo.c
Added Files:
        pkgsrc/net/bind911/patches [pkgsrc-2019Q1]: patch-bin_named_server.c
            patch-bin_pkcs11_pkcs11-keygen.c patch-lib_dns_view.c

Log Message:
Pullup ticket #5958 - requested by taca
net/bind911: security update

Revisions pulled up:
- net/bind911/MESSAGE                                           1.2
- net/bind911/Makefile                                          1.8
- net/bind911/distinfo                                          1.7
- net/bind911/options.mk                                        1.3
- net/bind911/patches/patch-bin_named_server.c                  1.1
- net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c          1.1
- net/bind911/patches/patch-lib_dns_view.c                      1.1
- net/bind911/patches/patch-lib_isc_unix_socket.c               1.3
- net/bind911/patches/patch-lib_lwres_getnameinfo.c             1.2

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Tue Apr 30 02:51:38 UTC 2019

   Modified Files:
        pkgsrc/net/bind911: MESSAGE Makefile distinfo options.mk
        pkgsrc/net/bind911/patches: patch-lib_isc_unix_socket.c
            patch-lib_lwres_getnameinfo.c
   Added Files:
        pkgsrc/net/bind911/patches: patch-bin_named_server.c
            patch-bin_pkcs11_pkcs11-keygen.c patch-lib_dns_view.c

   Log Message:
   net/bind911: update to 9.11.6pl1

   Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4).

   Fix security problem CVE-2018-5743 and overhaul pkgsrc.  Now no need
   to change namedb is permission under NetBSD.

   * Update note about required directories.
   * Drop pkg-config from USE_TOOLS.
   * Drop none existing configure arguments and PKG_OPTIONS:
        - fetchlimit
        - sit

        --- 9.11.6-P1 released ---

   5200.        [security]      tcp-clients settings could be exceeded in some cases,
                        which could lead to exhaustion of file descriptors.
                        (CVE-2018-5743) [GL #615]

   To generate a diff of this commit:
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind911/MESSAGE
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/bind911/Makefile
   cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind911/distinfo
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/bind911/options.mk
   cvs rdiff -u -r0 -r1.1 pkgsrc/net/bind911/patches/patch-bin_named_server.c \
       pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c \
       pkgsrc/net/bind911/patches/patch-lib_dns_view.c
   cvs rdiff -u -r1.2 -r1.3 \
       pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.1.6.1 pkgsrc/net/bind911/MESSAGE
cvs rdiff -u -r1.7 -r1.7.2.1 pkgsrc/net/bind911/Makefile
cvs rdiff -u -r1.6 -r1.6.2.1 pkgsrc/net/bind911/distinfo
cvs rdiff -u -r1.2 -r1.2.4.1 pkgsrc/net/bind911/options.mk
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/net/bind911/patches/patch-bin_named_server.c \
    pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c \
    pkgsrc/net/bind911/patches/patch-lib_dns_view.c
cvs rdiff -u -r1.2 -r1.2.4.1 \
    pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c
cvs rdiff -u -r1.1 -r1.1.6.1 \
    pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/bind911/MESSAGE
diff -u pkgsrc/net/bind911/MESSAGE:1.1 pkgsrc/net/bind911/MESSAGE:1.1.6.1
--- pkgsrc/net/bind911/MESSAGE:1.1      Sun Sep  9 13:11:38 2018
+++ pkgsrc/net/bind911/MESSAGE  Sun May 12 20:44:15 2019
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: MESSAGE,v 1.1.6.1 2019/05/12 20:44:15 spz Exp $
 
 Please consider running BIND under the pseudo user account "${BIND_USER}"
 in a chroot environment for security reasons.
@@ -7,7 +7,13 @@ in a chroot environment for security rea
 To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
 the directory with the chroot environment e.g. "${BIND_DIR}".
 
-Note: named(8) requires writable permission to current directory when
-start up or the directory specified by "directory" in options statement.
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+       cache
+       keys
+       nta
+
+Make sure to these directories exists with writable by "${BIND_USER}" user.
 
 ===========================================================================

Index: pkgsrc/net/bind911/Makefile
diff -u pkgsrc/net/bind911/Makefile:1.7 pkgsrc/net/bind911/Makefile:1.7.2.1
--- pkgsrc/net/bind911/Makefile:1.7     Fri Feb 22 01:22:38 2019
+++ pkgsrc/net/bind911/Makefile Sun May 12 20:44:15 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2019/02/22 01:22:38 taca Exp $
+# $NetBSD: Makefile,v 1.7.2.1 2019/05/12 20:44:15 spz Exp $
 
 DISTNAME=      bind-${BIND_VERSION}
 PKGNAME=       ${DISTNAME:S/-P/pl/}
@@ -14,7 +14,7 @@ CONFLICTS+=   host-[0-9]*
 
 MAKE_JOBS_SAFE=        no
 
-BIND_VERSION=  9.11.5-P4
+BIND_VERSION=  9.11.6-P1
 
 .include "../../mk/bsd.prefs.mk"
 
@@ -22,14 +22,13 @@ BUILD_DEFS+=        BIND_DIR VARBASE
 
 .include "options.mk"
 
-USE_TOOLS+=            pax perl pkg-config
+USE_TOOLS+=            pax perl
 USE_LIBTOOL=           yes
 GNU_CONFIGURE=         yes
 
 CONFIGURE_ARGS+=       --with-libtool
 CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=       --localstatedir=${VARBASE}
-CONFIGURE_ARGS+=       --disable-openssl-version-check
 CONFIGURE_ARGS+=       --with-openssl=${SSLBASE:Q}
 CONFIGURE_ARGS+=       --with-python=no
 .if !empty(MACHINE_PLATFORM:MNetBSD-*-m68k) || \

Index: pkgsrc/net/bind911/distinfo
diff -u pkgsrc/net/bind911/distinfo:1.6 pkgsrc/net/bind911/distinfo:1.6.2.1
--- pkgsrc/net/bind911/distinfo:1.6     Fri Feb 22 01:22:38 2019
+++ pkgsrc/net/bind911/distinfo Sun May 12 20:44:15 2019
@@ -1,14 +1,17 @@
-$NetBSD: distinfo,v 1.6 2019/02/22 01:22:38 taca Exp $
+$NetBSD: distinfo,v 1.6.2.1 2019/05/12 20:44:15 spz Exp $
 
-SHA1 (bind-9.11.5-P4.tar.gz) = f44a7abaab3946f5c60894a797e575cc7c74f01c
-RMD160 (bind-9.11.5-P4.tar.gz) = 3df68a3763291d9c93a2a6a1366bc7a2da4582bd
-SHA512 (bind-9.11.5-P4.tar.gz) = ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573
-Size (bind-9.11.5-P4.tar.gz) = 8819038 bytes
+SHA1 (bind-9.11.6-P1.tar.gz) = 1a142cc9af68f7205bc0ea942458e6a044244422
+RMD160 (bind-9.11.6-P1.tar.gz) = 7024ba26f218015ebd99f54988f78148ae789cf7
+SHA512 (bind-9.11.6-P1.tar.gz) = 419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03
+Size (bind-9.11.6-P1.tar.gz) = 8102241 bytes
+SHA1 (patch-bin_named_server.c) = 0294d74eb3039049c4672a3de6eb371407bb382d
+SHA1 (patch-bin_pkcs11_pkcs11-keygen.c) = 49571fc0222c57cac0f2f07875c74ad2afadcb32
 SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
 SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
 SHA1 (patch-configure) = 7f73f26266ebd4556ab160e93dc0738188a70e20
 SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
 SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = dff0163246985d0750b2c99ce7673b257df3e5bf
+SHA1 (patch-lib_dns_view.c) = 39e71fe6a407e4f9bee49b1ee25adfa0ba74b338
+SHA1 (patch-lib_isc_unix_socket.c) = a36e24f530c4a462b782ad7cce784fd4648dded3
 SHA1 (patch-lib_lwres_getaddrinfo.c) = 1956a857c1b158dbe95c46d90ab406e0030e321e
-SHA1 (patch-lib_lwres_getnameinfo.c) = 366100a25064f43bd938e9acf31188c917b45cbe
+SHA1 (patch-lib_lwres_getnameinfo.c) = 67cece0c9b7077dc48fcae15bcab426e8e82a506

Index: pkgsrc/net/bind911/options.mk
diff -u pkgsrc/net/bind911/options.mk:1.2 pkgsrc/net/bind911/options.mk:1.2.4.1
--- pkgsrc/net/bind911/options.mk:1.2   Wed Oct 24 11:27:28 2018
+++ pkgsrc/net/bind911/options.mk       Sun May 12 20:44:15 2019
@@ -1,10 +1,10 @@
-# $NetBSD: options.mk,v 1.2 2018/10/24 11:27:28 jperkin Exp $
+# $NetBSD: options.mk,v 1.2.4.1 2019/05/12 20:44:15 spz Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.bind911
 PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
 PKG_SUPPORTED_OPTIONS+=        bind-json-statistics-server
 PKG_SUPPORTED_OPTIONS+=        inet6 threads readline mysql pgsql ldap dlz-filesystem
-PKG_SUPPORTED_OPTIONS+=        fetchlimit geoip pkcs11 sit tuning
+PKG_SUPPORTED_OPTIONS+=        geoip pkcs11 tuning
 PKG_SUGGESTED_OPTIONS+=        readline
 
 PLIST_VARS+=   inet6 pkcs11
@@ -59,10 +59,6 @@ CONFIGURE_ARGS+=     --with-dlz-ldap=${BUILD
 CONFIGURE_ARGS+=       --with-dlz-filesystem
 .endif
 
-.if !empty(PKG_OPTIONS:Mfetchlimit)
-CONFIGURE_ARGS+=       --enable-fetchlimit
-.endif
-
 .if !empty(PKG_OPTIONS:Mgeoip)
 CONFIGURE_ARGS+=       --with-geoip=${PREFIX}
 LDFLAGS+=              -lGeoIP
@@ -74,10 +70,6 @@ CONFIGURE_ARGS+=     --with-pkcs11=yes
 PLIST.pkcs11=          yes
 .endif
 
-.if !empty(PKG_OPTIONS:Msit)
-CONFIGURE_ARGS+=       --enable-sit
-.endif
-
 .if !empty(PKG_OPTIONS:Mtuning)
 CONFIGURE_ARGS+=       --with-tuning=large
 .endif

Index: pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c
diff -u pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c:1.2 pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c:1.2.4.1
--- pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c:1.2  Sun Oct 21 15:51:14 2018
+++ pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c      Sun May 12 20:44:15 2019
@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:14 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.2.4.1 2019/05/12 20:44:15 spz Exp $
 
 Apply fix from NetBSD revision 1.24.
 
---- lib/isc/unix/socket.c.orig 2018-10-06 01:36:17.000000000 +0000
+--- lib/isc/unix/socket.c.orig 2019-02-27 23:28:15.000000000 +0000
 +++ lib/isc/unix/socket.c
 @@ -258,6 +258,7 @@ typedef enum { poll_idle, poll_active, p
                         (e) == EWOULDBLOCK || \
@@ -12,13 +12,3 @@ Apply fix from NetBSD revision 1.24.
                         (e) == 0)
  
  #define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-@@ -1575,7 +1576,8 @@ build_msghdr_send(isc__socket_t *sock, c
- 
- #if defined(IPV6_USE_MIN_MTU)
-       if ((sock->type == isc_sockettype_udp) &&
--          ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
-+          ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0) &&
-+          (sock->pf == AF_INET6))
-       {
-               int use_min_mtu = 1;    /* -1, 0, 1 */
- 

Index: pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c
diff -u pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c:1.1 pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c:1.1.6.1
--- pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c:1.1        Sun Sep  9 13:11:38 2018
+++ pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c    Sun May 12 20:44:15 2019
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1.6.1 2019/05/12 20:44:15 spz Exp $
 
 * Add fix for KAME based implementation.
 
---- lib/lwres/getnameinfo.c.orig       2018-07-03 06:56:55.000000000 +0000
+--- lib/lwres/getnameinfo.c.orig       2019-02-27 23:28:15.000000000 +0000
 +++ lib/lwres/getnameinfo.c
-@@ -115,6 +115,10 @@
+@@ -116,6 +116,10 @@
  #include <lwres/netdb.h>
  #include "print_p.h"
  
@@ -13,9 +13,9 @@ $NetBSD: patch-lib_lwres_getnameinfo.c,v
 +#endif
 +
  #include "assert_p.h"
+ #include "unreachable_p.h"
  
- #define SUCCESS 0
-@@ -266,13 +270,9 @@ lwres_getnameinfo(const struct sockaddr 
+@@ -268,13 +272,9 @@ lwres_getnameinfo(const struct sockaddr 
                    ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
                        char *p = numaddr + strlen(numaddr);
                        const char *stringscope = NULL;

Added files:

Index: pkgsrc/net/bind911/patches/patch-bin_named_server.c
diff -u /dev/null pkgsrc/net/bind911/patches/patch-bin_named_server.c:1.1.2.2
--- /dev/null   Sun May 12 20:44:15 2019
+++ pkgsrc/net/bind911/patches/patch-bin_named_server.c Sun May 12 20:44:15 2019
@@ -0,0 +1,23 @@
+$NetBSD: patch-bin_named_server.c,v 1.1.2.2 2019/05/12 20:44:15 spz Exp $
+
+* Disable checking working directory is writable as BIND_USER in NetBSD
+  base system.
+
+--- bin/named/server.c.orig    2019-04-06 01:47:33.000000000 +0000
++++ bin/named/server.c
+@@ -8272,6 +8272,7 @@ load_configuration(const char *filename,
+               ns_os_changeuser();
+       }
+ 
++#if 0
+       /*
+        * Check that the working directory is writable.
+        */
+@@ -8280,6 +8281,7 @@ load_configuration(const char *filename,
+                             NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+                             "the working directory is not writable");
+       }
++#endif
+ 
+ #ifdef HAVE_LMDB
+       /*
Index: pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c
diff -u /dev/null pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c:1.1.2.2
--- /dev/null   Sun May 12 20:44:15 2019
+++ pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c Sun May 12 20:44:15 2019
@@ -0,0 +1,30 @@
+$NetBSD: patch-bin_pkcs11_pkcs11-keygen.c,v 1.1.2.2 2019/05/12 20:44:15 spz Exp $
+
+* Honor HAVE_PKCS11_ECDSA.
+
+--- bin/pkcs11/pkcs11-keygen.c.orig    2019-02-27 23:28:15.000000000 +0000
++++ bin/pkcs11/pkcs11-keygen.c
+@@ -421,13 +421,23 @@ main(int argc, char *argv[]) {
+               id_offset = ECC_ID;
+ 
+               if (bits == 256) {
++#if HAVE_PKCS11_ECDSA
+                       public_template[4].pValue = pk11_ecc_prime256v1;
+                       public_template[4].ulValueLen =
+                               sizeof(pk11_ecc_prime256v1);
++#else
++                      fprintf(stderr, "PRIME256v1 is not supported\n");
++                      usage();
++#endif
+               } else {
++#if HAVE_PKCS11_ECDSA
+                       public_template[4].pValue = pk11_ecc_secp384r1;
+                       public_template[4].ulValueLen =
+                               sizeof(pk11_ecc_secp384r1);
++#else
++                      fprintf(stderr, "SEP384r1 is not supported\n");
++                      usage();
++#endif
+               }
+ 
+               break;
Index: pkgsrc/net/bind911/patches/patch-lib_dns_view.c
diff -u /dev/null pkgsrc/net/bind911/patches/patch-lib_dns_view.c:1.1.2.2
--- /dev/null   Sun May 12 20:44:15 2019
+++ pkgsrc/net/bind911/patches/patch-lib_dns_view.c     Sun May 12 20:44:15 2019
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_view.c,v 1.1.2.2 2019/05/12 20:44:15 spz Exp $
+
+* Use nta sub-directory as NetBSD base system.
+
+--- lib/dns/view.c.orig        2019-04-06 01:47:33.000000000 +0000
++++ lib/dns/view.c
+@@ -107,7 +107,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+               goto cleanup_view;
+       }
+ 
+-      result = isc_file_sanitize(NULL, view->name, "nta",
++      result = isc_file_sanitize("nta", view->name, "nta",
+                                  buffer, sizeof(buffer));
+       if (result != ISC_R_SUCCESS)
+               goto cleanup_name;



Home | Main Index | Thread Index | Old Index