pkgsrc-Changes archive
CVS commit: [pkgsrc-2019Q1] pkgsrc/net/bind911
Module Name: pkgsrc
Committed By: spz
Date: Sun May 12 20:44:15 UTC 2019
Modified Files:
pkgsrc/net/bind911 [pkgsrc-2019Q1]: MESSAGE Makefile distinfo
options.mk
pkgsrc/net/bind911/patches [pkgsrc-2019Q1]: patch-lib_isc_unix_socket.c
patch-lib_lwres_getnameinfo.c
Added Files:
pkgsrc/net/bind911/patches [pkgsrc-2019Q1]: patch-bin_named_server.c
patch-bin_pkcs11_pkcs11-keygen.c patch-lib_dns_view.c
Log Message:
Pullup ticket #5958 - requested by taca
net/bind911: security update
Revisions pulled up:
- net/bind911/MESSAGE 1.2
- net/bind911/Makefile 1.8
- net/bind911/distinfo 1.7
- net/bind911/options.mk 1.3
- net/bind911/patches/patch-bin_named_server.c 1.1
- net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c 1.1
- net/bind911/patches/patch-lib_dns_view.c 1.1
- net/bind911/patches/patch-lib_isc_unix_socket.c 1.3
- net/bind911/patches/patch-lib_lwres_getnameinfo.c 1.2
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Apr 30 02:51:38 UTC 2019
Modified Files:
pkgsrc/net/bind911: MESSAGE Makefile distinfo options.mk
pkgsrc/net/bind911/patches: patch-lib_isc_unix_socket.c
patch-lib_lwres_getnameinfo.c
Added Files:
pkgsrc/net/bind911/patches: patch-bin_named_server.c
patch-bin_pkcs11_pkcs11-keygen.c patch-lib_dns_view.c
Log Message:
net/bind911: update to 9.11.6pl1
Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4).
Fix security problem CVE-2018-5743 and overhaul pkgsrc. Now there is no need
to change namedb's permissions under NetBSD.
* Update note about required directories.
* Drop pkg-config from USE_TOOLS.
* Drop non-existent configure arguments and PKG_OPTIONS:
- fetchlimit
- sit
--- 9.11.6-P1 released ---
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
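The log message above says the package no longer needs namedb's permissions changed and that the MESSAGE now lists the directories named must be able to write. The audit below, an added example that is not pkgsrc or BIND code, checks a directory tree against exactly that layout: the cache, keys and nta subdirectories must exist and be writable by the BIND user, and nothing else under the directory (named.conf, zone files, the directory itself) may be. Everything beyond that rule is an assumption of the example: the function names, the (uid, gids) calling convention, and the constructed sample tree built by demo().

```python
"""Audit a BIND directory layout against the rule the bind911 MESSAGE states.

Added example, not code from pkgsrc or BIND.  Assumed (not from the page):
the function names, the (uid, gids) calling convention and the constructed
sample tree in demo().  The policy is the MESSAGE's: under the directory
named by "directory" in the options statement, cache, keys and nta must
exist and be writable by the BIND user; everything else there must not be.
"""
import os
import stat
import tempfile

WRITABLE_SUBDIRS = ("cache", "keys", "nta")


def user_can_write(st, uid, gids):
    """Plain POSIX mode-bit check for a subject with `uid` and groups `gids`.

    uid 0 is treated as able to write anything; ACLs are not considered.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_namedb(namedb, uid, gids):
    """Return (path, problem) findings for `namedb` as seen by the BIND user.

    An empty list means the tree matches the MESSAGE layout.
    """
    gids = set(gids)
    findings = []

    # 1. The three writable stores must exist, be directories and be writable.
    for sub in WRITABLE_SUBDIRS:
        path = os.path.join(namedb, sub)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((path, "not a directory"))
        elif not user_can_write(st, uid, gids):
            findings.append((path, "not writable by BIND user"))

    # 2. Everything else is configuration.  If the dropped-privilege user can
    #    write named.conf or a zone file, a compromised named can rewrite its
    #    own policy, so flag any such entry.  Symlinks are skipped; their
    #    targets are judged where they live.
    for root, dirs, files in os.walk(namedb):
        top = os.path.relpath(root, namedb).split(os.sep)[0]
        if top in WRITABLE_SUBDIRS:
            dirs[:] = []          # do not descend into the writable stores
            continue
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if user_can_write(st, uid, gids):
                findings.append((path, "writable by BIND user"))
    return findings


def demo():
    """Constructed sample tree: audit it laid out as MESSAGE asks, then again
    after named.conf is made group-writable, then an empty directory.
    Returns (good, bad, empty)."""
    base = tempfile.mkdtemp(prefix="namedb-")
    created = [base]
    for sub in WRITABLE_SUBDIRS + ("master",):
        path = os.path.join(base, sub)
        os.mkdir(path)
        created.append(path)
    for rel in ("named.conf", "master/example.zone"):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("; constructed sample, not a real BIND config\n")
        created.append(path)
    # Set modes explicitly so the umask cannot change the outcome.
    for path in created:
        if os.path.basename(path) in WRITABLE_SUBDIRS:
            os.chmod(path, 0o775)
        else:
            os.chmod(path, 0o755 if os.path.isdir(path) else 0o644)

    # Simulated BIND user: not the owner of anything here, never root, but a
    # member of every group the tree uses, so the group bits decide.
    bind_uid = os.stat(base).st_uid + 1
    bind_gids = {os.stat(p).st_gid for p in created}

    good = audit_namedb(base, bind_uid, bind_gids)
    os.chmod(os.path.join(base, "named.conf"), 0o664)
    bad = audit_namedb(base, bind_uid, bind_gids)
    empty = audit_namedb(tempfile.mkdtemp(prefix="namedb-empty-"),
                         bind_uid, bind_gids)
    return good, bad, empty


if __name__ == "__main__":
    for label, findings in zip(("good", "bad", "empty"), demo()):
        print(label, findings or "ok")
```

On a real host you would call audit_namedb() with the path from the "directory" option (inside named_chrootdir when one is set) and the uid and group list of ${BIND_USER} from pwd and grp; the demo uses a simulated uid so it runs without root.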
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind911/MESSAGE
cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/bind911/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind911/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/bind911/options.mk
cvs rdiff -u -r0 -r1.1 pkgsrc/net/bind911/patches/patch-bin_named_server.c \
pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c \
pkgsrc/net/bind911/patches/patch-lib_dns_view.c
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.1.6.1 pkgsrc/net/bind911/MESSAGE
cvs rdiff -u -r1.7 -r1.7.2.1 pkgsrc/net/bind911/Makefile
cvs rdiff -u -r1.6 -r1.6.2.1 pkgsrc/net/bind911/distinfo
cvs rdiff -u -r1.2 -r1.2.4.1 pkgsrc/net/bind911/options.mk
cvs rdiff -u -r0 -r1.1.2.2 \
pkgsrc/net/bind911/patches/patch-bin_named_server.c \
pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c \
pkgsrc/net/bind911/patches/patch-lib_dns_view.c
cvs rdiff -u -r1.2 -r1.2.4.1 \
pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c
cvs rdiff -u -r1.1 -r1.1.6.1 \
pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/bind911/MESSAGE
diff -u pkgsrc/net/bind911/MESSAGE:1.1 pkgsrc/net/bind911/MESSAGE:1.1.6.1
--- pkgsrc/net/bind911/MESSAGE:1.1 Sun Sep 9 13:11:38 2018
+++ pkgsrc/net/bind911/MESSAGE Sun May 12 20:44:15 2019
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: MESSAGE,v 1.1.6.1 2019/05/12 20:44:15 spz Exp $
Please consider running BIND under the pseudo user account "${BIND_USER}"
in a chroot environment for security reasons.
@@ -7,7 +7,13 @@ in a chroot environment for security rea
To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
the directory with the chroot environment e.g. "${BIND_DIR}".
-Note: named(8) requires writable permission to current directory when
-start up or the directory specified by "directory" in options statement.
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+ cache
+ keys
+ nta
+
+Make sure to these directories exists with writable by "${BIND_USER}" user.
===========================================================================
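Review bot: the added note hardcodes "/etc/namedb" while the rest of MESSAGE uses the ${BIND_DIR} placeholder (e.g. "the directory with the chroot environment e.g. "${BIND_DIR}"") and in the same sentence says the path is whatever "directory" in options names; use the placeholder or drop the literal path so the two statements agree. Of the three directories listed, only nta is pinned by a patch in this commit (patch-lib_dns_view.c); cache and keys depend on the options statements in the shipped named.conf, which this diff does not touch, so say which options (for example key-directory for keys) those two are meant to serve. Grammar: "which specified by" should read "which is specified by", and "Make sure to these directories exists with writable by" should read "Make sure these directories exist and are writable by".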
Index: pkgsrc/net/bind911/Makefile
diff -u pkgsrc/net/bind911/Makefile:1.7 pkgsrc/net/bind911/Makefile:1.7.2.1
--- pkgsrc/net/bind911/Makefile:1.7 Fri Feb 22 01:22:38 2019
+++ pkgsrc/net/bind911/Makefile Sun May 12 20:44:15 2019
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2019/02/22 01:22:38 taca Exp $
+# $NetBSD: Makefile,v 1.7.2.1 2019/05/12 20:44:15 spz Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
@@ -14,7 +14,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.11.5-P4
+BIND_VERSION= 9.11.6-P1
.include "../../mk/bsd.prefs.mk"
@@ -22,14 +22,13 @@ BUILD_DEFS+= BIND_DIR VARBASE
.include "options.mk"
-USE_TOOLS+= pax perl pkg-config
+USE_TOOLS+= pax perl
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-libtool
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= --localstatedir=${VARBASE}
-CONFIGURE_ARGS+= --disable-openssl-version-check
CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
CONFIGURE_ARGS+= --with-python=no
.if !empty(MACHINE_PLATFORM:MNetBSD-*-m68k) || \
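Review bot: dropping --disable-openssl-version-check is not mentioned in the log message, which lists only pkg-config, fetchlimit and sit. State whether it went because 9.11.6 no longer accepts the switch or because the check is wanted; either way configure's OpenSSL version check is now in force for this package, so a build against an OpenSSL release the BIND configure script does not know will stop at configure instead of proceeding. That is the right behaviour for a security update, but it deserves one line in the log.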
Index: pkgsrc/net/bind911/distinfo
diff -u pkgsrc/net/bind911/distinfo:1.6 pkgsrc/net/bind911/distinfo:1.6.2.1
--- pkgsrc/net/bind911/distinfo:1.6 Fri Feb 22 01:22:38 2019
+++ pkgsrc/net/bind911/distinfo Sun May 12 20:44:15 2019
@@ -1,14 +1,17 @@
-$NetBSD: distinfo,v 1.6 2019/02/22 01:22:38 taca Exp $
+$NetBSD: distinfo,v 1.6.2.1 2019/05/12 20:44:15 spz Exp $
-SHA1 (bind-9.11.5-P4.tar.gz) = f44a7abaab3946f5c60894a797e575cc7c74f01c
-RMD160 (bind-9.11.5-P4.tar.gz) = 3df68a3763291d9c93a2a6a1366bc7a2da4582bd
-SHA512 (bind-9.11.5-P4.tar.gz) = ba750ffd080a47309db8be3df3d80896c5872aadb1a14ac7effd1bb783c2a2ae1e82959d6999eecc3d694336887060a84ae8813a17836b9064515cdd96fcb573
-Size (bind-9.11.5-P4.tar.gz) = 8819038 bytes
+SHA1 (bind-9.11.6-P1.tar.gz) = 1a142cc9af68f7205bc0ea942458e6a044244422
+RMD160 (bind-9.11.6-P1.tar.gz) = 7024ba26f218015ebd99f54988f78148ae789cf7
+SHA512 (bind-9.11.6-P1.tar.gz) = 419aeeddeab7aef818b9043db7b21a847993444f663dca04e58ee97a0ebee0610cbc5a9422d17a6f0ee5d44598a2cbb5651e3b4e8c56708eaf923dca0a5c4c03
+Size (bind-9.11.6-P1.tar.gz) = 8102241 bytes
+SHA1 (patch-bin_named_server.c) = 0294d74eb3039049c4672a3de6eb371407bb382d
+SHA1 (patch-bin_pkcs11_pkcs11-keygen.c) = 49571fc0222c57cac0f2f07875c74ad2afadcb32
SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
SHA1 (patch-configure) = 7f73f26266ebd4556ab160e93dc0738188a70e20
SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = dff0163246985d0750b2c99ce7673b257df3e5bf
+SHA1 (patch-lib_dns_view.c) = 39e71fe6a407e4f9bee49b1ee25adfa0ba74b338
+SHA1 (patch-lib_isc_unix_socket.c) = a36e24f530c4a462b782ad7cce784fd4648dded3
SHA1 (patch-lib_lwres_getaddrinfo.c) = 1956a857c1b158dbe95c46d90ab406e0030e321e
-SHA1 (patch-lib_lwres_getnameinfo.c) = 366100a25064f43bd938e9acf31188c917b45cbe
+SHA1 (patch-lib_lwres_getnameinfo.c) = 67cece0c9b7077dc48fcae15bcab426e8e82a506
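Review bot: the SHA512 for bind-9.11.6-P1.tar.gz is the only integrity anchor a pkgsrc user gets for this security update, so the commit should say the hash was checked against ISC's signed release (ISC publishes a detached PGP signature next to each tarball) rather than only recomputed from whatever was fetched. The patch checksums are consistent with the file list: three new entries (patch-bin_named_server.c, patch-bin_pkcs11_pkcs11-keygen.c, patch-lib_dns_view.c) and refreshed entries for the two modified patches, inserted in sorted order.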
Index: pkgsrc/net/bind911/options.mk
diff -u pkgsrc/net/bind911/options.mk:1.2 pkgsrc/net/bind911/options.mk:1.2.4.1
--- pkgsrc/net/bind911/options.mk:1.2 Wed Oct 24 11:27:28 2018
+++ pkgsrc/net/bind911/options.mk Sun May 12 20:44:15 2019
@@ -1,10 +1,10 @@
-# $NetBSD: options.mk,v 1.2 2018/10/24 11:27:28 jperkin Exp $
+# $NetBSD: options.mk,v 1.2.4.1 2019/05/12 20:44:15 spz Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.bind911
PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
PKG_SUPPORTED_OPTIONS+= bind-json-statistics-server
PKG_SUPPORTED_OPTIONS+= inet6 threads readline mysql pgsql ldap dlz-filesystem
-PKG_SUPPORTED_OPTIONS+= fetchlimit geoip pkcs11 sit tuning
+PKG_SUPPORTED_OPTIONS+= geoip pkcs11 tuning
PKG_SUGGESTED_OPTIONS+= readline
PLIST_VARS+= inet6 pkcs11
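Review bot: removing fetchlimit and sit from PKG_SUPPORTED_OPTIONS is a user-visible change that the log describes only as dropping non-existent configure arguments; anyone with `PKG_OPTIONS.bind911+= fetchlimit` or `sit` in mk.conf loses the option without being told what replaced it. Say in the commit message that --enable-fetchlimit and --enable-sit no longer exist in this BIND release and what the built-in behaviour now is, so operators do not read this as the corresponding features being removed from the package.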
@@ -59,10 +59,6 @@ CONFIGURE_ARGS+= --with-dlz-ldap=${BUILD
CONFIGURE_ARGS+= --with-dlz-filesystem
.endif
-.if !empty(PKG_OPTIONS:Mfetchlimit)
-CONFIGURE_ARGS+= --enable-fetchlimit
-.endif
-
.if !empty(PKG_OPTIONS:Mgeoip)
CONFIGURE_ARGS+= --with-geoip=${PREFIX}
LDFLAGS+= -lGeoIP
@@ -74,10 +70,6 @@ CONFIGURE_ARGS+= --with-pkcs11=yes
PLIST.pkcs11= yes
.endif
-.if !empty(PKG_OPTIONS:Msit)
-CONFIGURE_ARGS+= --enable-sit
-.endif
-
.if !empty(PKG_OPTIONS:Mtuning)
CONFIGURE_ARGS+= --with-tuning=large
.endif
Index: pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c
diff -u pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c:1.2 pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c:1.2.4.1
--- pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c:1.2 Sun Oct 21 15:51:14 2018
+++ pkgsrc/net/bind911/patches/patch-lib_isc_unix_socket.c Sun May 12 20:44:15 2019
@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:14 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.2.4.1 2019/05/12 20:44:15 spz Exp $
Apply fix from NetBSD revision 1.24.
---- lib/isc/unix/socket.c.orig 2018-10-06 01:36:17.000000000 +0000
+--- lib/isc/unix/socket.c.orig 2019-02-27 23:28:15.000000000 +0000
+++ lib/isc/unix/socket.c
@@ -258,6 +258,7 @@ typedef enum { poll_idle, poll_active, p
(e) == EWOULDBLOCK || \
@@ -12,13 +12,3 @@ Apply fix from NetBSD revision 1.24.
(e) == 0)
#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-@@ -1575,7 +1576,8 @@ build_msghdr_send(isc__socket_t *sock, c
-
- #if defined(IPV6_USE_MIN_MTU)
- if ((sock->type == isc_sockettype_udp) &&
-- ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
-+ ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0) &&
-+ (sock->pf == AF_INET6))
- {
- int use_min_mtu = 1; /* -1, 0, 1 */
-
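Review bot: the patch header still says only "Apply fix from NetBSD revision 1.24", but this change drops the build_msghdr_send hunk (the `sock->pf == AF_INET6` condition on the IPV6_USE_MIN_MTU block) and keeps only the errno-list hunk at line 258; add a line to the header saying the AF_INET6 part is no longer needed against 9.11.6-P1 (presumably merged upstream, given the refreshed .orig timestamp), so the next updater does not re-add it from the NetBSD tree.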
Index: pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c
diff -u pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c:1.1 pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c:1.1.6.1
--- pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c:1.1 Sun Sep 9 13:11:38 2018
+++ pkgsrc/net/bind911/patches/patch-lib_lwres_getnameinfo.c Sun May 12 20:44:15 2019
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: patch-lib_lwres_getnameinfo.c,v 1.1.6.1 2019/05/12 20:44:15 spz Exp $
* Add fix for KAME based implementation.
---- lib/lwres/getnameinfo.c.orig 2018-07-03 06:56:55.000000000 +0000
+--- lib/lwres/getnameinfo.c.orig 2019-02-27 23:28:15.000000000 +0000
+++ lib/lwres/getnameinfo.c
-@@ -115,6 +115,10 @@
+@@ -116,6 +116,10 @@
#include <lwres/netdb.h>
#include "print_p.h"
@@ -13,9 +13,9 @@ $NetBSD: patch-lib_lwres_getnameinfo.c,v
+#endif
+
#include "assert_p.h"
+ #include "unreachable_p.h"
- #define SUCCESS 0
-@@ -266,13 +270,9 @@ lwres_getnameinfo(const struct sockaddr
+@@ -268,13 +272,9 @@ lwres_getnameinfo(const struct sockaddr
((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
char *p = numaddr + strlen(numaddr);
const char *stringscope = NULL;
Added files:
Index: pkgsrc/net/bind911/patches/patch-bin_named_server.c
diff -u /dev/null pkgsrc/net/bind911/patches/patch-bin_named_server.c:1.1.2.2
--- /dev/null Sun May 12 20:44:15 2019
+++ pkgsrc/net/bind911/patches/patch-bin_named_server.c Sun May 12 20:44:15 2019
@@ -0,0 +1,23 @@
+$NetBSD: patch-bin_named_server.c,v 1.1.2.2 2019/05/12 20:44:15 spz Exp $
+
+* Disable checking working directory is writable as BIND_USER in NetBSD
+ base system.
+
+--- bin/named/server.c.orig 2019-04-06 01:47:33.000000000 +0000
++++ bin/named/server.c
+@@ -8272,6 +8272,7 @@ load_configuration(const char *filename,
+ ns_os_changeuser();
+ }
+
++#if 0
+ /*
+ * Check that the working directory is writable.
+ */
+@@ -8280,6 +8281,7 @@ load_configuration(const char *filename,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "the working directory is not writable");
+ }
++#endif
+
+ #ifdef HAVE_LMDB
+ /*
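Review bot: the #if 0/#endif pair removes the writable-working-directory check for every platform pkgsrc builds on, while the patch header scopes it to the NetBSD base system; either make the guard conditional (the Makefile already tests MACHINE_PLATFORM, so a -D from there or a __NetBSD__ test would do) or reword the header. What the check does is visible here: it runs after ns_os_changeuser(), so it tests writability as the dropped-privilege user, and its only action is the ISC_LOG_ERROR "the working directory is not writable", with no return or goto in the hunk. A read-only working directory is the intended least-privilege layout behind MESSAGE's cache/keys/nta scheme, so the better fix for the noise is to lower that message's level rather than delete the check; as patched, an installation whose "directory" option points at an unwritable path by mistake logs nothing at all.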
Index: pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c
diff -u /dev/null pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c:1.1.2.2
--- /dev/null Sun May 12 20:44:15 2019
+++ pkgsrc/net/bind911/patches/patch-bin_pkcs11_pkcs11-keygen.c Sun May 12 20:44:15 2019
@@ -0,0 +1,30 @@
+$NetBSD: patch-bin_pkcs11_pkcs11-keygen.c,v 1.1.2.2 2019/05/12 20:44:15 spz Exp $
+
+* Honor HAVE_PKCS11_ECDSA.
+
+--- bin/pkcs11/pkcs11-keygen.c.orig 2019-02-27 23:28:15.000000000 +0000
++++ bin/pkcs11/pkcs11-keygen.c
+@@ -421,13 +421,23 @@ main(int argc, char *argv[]) {
+ id_offset = ECC_ID;
+
+ if (bits == 256) {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_prime256v1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_prime256v1);
++#else
++ fprintf(stderr, "PRIME256v1 is not supported\n");
++ usage();
++#endif
+ } else {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_secp384r1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_secp384r1);
++#else
++ fprintf(stderr, "SEP384r1 is not supported\n");
++ usage();
++#endif
+ }
+
+ break;
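Review bot: the error string in the second #else branch reads "SEP384r1"; the curve is secp384r1 (and the first reads "PRIME256v1" for prime256v1), so spell both as the names users will search for. The guards use `#if HAVE_PKCS11_ECDSA`, which evaluates an undefined macro as 0 and trips -Wundef; if the rest of the file tests the macro with #ifdef or #if defined(), match that. Also confirm usage() does not return: the #else branches fall through to the break below, so if usage() only prints, public_template[4].pValue is left unset and the key generation continues with an incomplete template.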
Index: pkgsrc/net/bind911/patches/patch-lib_dns_view.c
diff -u /dev/null pkgsrc/net/bind911/patches/patch-lib_dns_view.c:1.1.2.2
--- /dev/null Sun May 12 20:44:15 2019
+++ pkgsrc/net/bind911/patches/patch-lib_dns_view.c Sun May 12 20:44:15 2019
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_view.c,v 1.1.2.2 2019/05/12 20:44:15 spz Exp $
+
+* Use nta sub-directory as NetBSD base system.
+
+--- lib/dns/view.c.orig 2019-04-06 01:47:33.000000000 +0000
++++ lib/dns/view.c
+@@ -107,7 +107,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+ goto cleanup_view;
+ }
+
+- result = isc_file_sanitize(NULL, view->name, "nta",
++ result = isc_file_sanitize("nta", view->name, "nta",
+ buffer, sizeof(buffer));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
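Review bot: changing the first isc_file_sanitize() argument from NULL to "nta" moves each view's negative-trust-anchor file from the working directory into an nta/ subdirectory for every pkgsrc platform, not only NetBSD as the header says; an upgrade from the 9.11.5-P4 package will therefore not find NTAs saved at the old location unless the operator moves them, which the commit message should say. Nothing in this diff creates nta/ (the MESSAGE change only asks the administrator to), so a missing directory surfaces later as a failure when an NTA is written, not at startup; consider having the package's installation or rc handling create it, or document that failure mode. Header wording: "as NetBSD base system" should read "as in the NetBSD base system".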