CVS commit: pkgsrc/net/bind916

["Takahiro Kambe" <taca%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Jan 26 13:32:47 UTC 2023

Modified Files:
        pkgsrc/net/bind916: Makefile builtin.mk distinfo
        pkgsrc/net/bind916/patches: patch-lib_isc_siphash.c
            patch-lib_ns_update.c

Log Message:
net/bind916: update to 9.16.37

        --- 9.16.37 released ---

6067.   [security]      Fix serve-stale crash when recursive clients soft quota
                        is reached. (CVE-2022-3924) [GL #3619]

6066.   [security]      Handle RRSIG lookups when serve-stale is active.
                        (CVE-2022-3736) [GL #3622]

6064.   [security]      An UPDATE message flood could cause named to exhaust all
                        available memory. This flaw was addressed by adding a
                        new "update-quota" statement that controls the number of
                        simultaneous UPDATE messages that can be processed or
                        forwarded. The default is 100. A stats counter has been
                        added to record events when the update quota is
                        exceeded, and the XML and JSON statistics version
                        numbers have been updated. (CVE-2022-3094) [GL #3523]

6062.   [func]          The DSCP implementation, which has only been
                        partly operational since 9.16.0, is now marked as
                        deprecated. Configuring DSCP values in named.conf
                        will cause a warning will be logged. [GL #3773]

6060.   [bug]           Fix a use-after-free bug in dns_zonemgr_releasezone()
                        by detaching from the zone manager outside of the write
                        lock. [GL #3768]

6059.   [bug]           In some serve stale scenarios, like when following an
                        expired CNAME record, named could return SERVFAIL if the
                        previous request wasn't successful. Consider non-stale
                        data when in serve-stale mode. [GL #3678]

6058.   [bug]           Prevent named from crashing when "rndc delzone"
                        attempts to delete a zone added by a catalog zone.
                        [GL #3745]

6050.   [bug]           Changes to the RPZ response-policy min-update-interval
                        and add-soa options now take effect as expected when
                        named is reconfigured. [GL #3740]

6048.   [bug]           Fix a log message error in dns_catz_update_from_db(),
                        where serials with values of 2^31 or larger were logged
                        incorrectly as negative numbers. [GL #3742]

6045.   [cleanup]       The list of supported DNSSEC algorithms changed log
                        level from "warning" to "notice" to match named's other
                        startup messages. [GL !7217]

6044.   [bug]           There was an "RSASHA236" typo in a log message.
                        [GL !7206]


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/net/bind916/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind916/builtin.mk
cvs rdiff -u -r1.43 -r1.44 pkgsrc/net/bind916/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c
cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/bind916/patches/patch-lib_ns_update.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/bind916/Makefile
diff -u pkgsrc/net/bind916/Makefile:1.51 pkgsrc/net/bind916/Makefile:1.52
--- pkgsrc/net/bind916/Makefile:1.51    Mon Jan  9 06:48:53 2023
+++ pkgsrc/net/bind916/Makefile Thu Jan 26 13:32:47 2023
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.51 2023/01/09 06:48:53 taca Exp $
+# $NetBSD: Makefile,v 1.52 2023/01/26 13:32:47 taca Exp $
 
 DISTNAME=      bind-${BIND_VERSION}
 PKGNAME=       ${DISTNAME:S/-P/pl/}
@@ -15,7 +15,7 @@ CONFLICTS+=   host-[0-9]*
 
 MAKE_JOBS_SAFE=        no
 
-BIND_VERSION=  9.16.36
+BIND_VERSION=  9.16.37
 
 BUILD_DEFS+=   BIND_DIR VARBASE
 

Index: pkgsrc/net/bind916/builtin.mk
diff -u pkgsrc/net/bind916/builtin.mk:1.1 pkgsrc/net/bind916/builtin.mk:1.2
--- pkgsrc/net/bind916/builtin.mk:1.1   Sun Aug  9 15:20:21 2020
+++ pkgsrc/net/bind916/builtin.mk       Thu Jan 26 13:32:47 2023
@@ -1,4 +1,4 @@
-# $NetBSD: builtin.mk,v 1.1 2020/08/09 15:20:21 taca Exp $
+# $NetBSD: builtin.mk,v 1.2 2023/01/26 13:32:47 taca Exp $
 
 BUILTIN_PKG:=  bind
 
@@ -41,7 +41,7 @@ MAKEVARS+=            IS_BUILTIN.bind
 ### a package name to represent the built-in package.
 ###
 .if !defined(BUILTIN_PKG.bind) && \
-    !empty(IS_BUILTIN.bind:M[yY][eE][sS]) && \
+    ${IS_BUILTIN.bind:tl} == "yes" && \
     defined(BUILTIN_VERSION.bind)
 BUILTIN_PKG.bind=      bind-${BUILTIN_VERSION.bind}
 .endif
@@ -57,10 +57,10 @@ USE_BUILTIN.bind=   no
 .  else
 USE_BUILTIN.bind=      ${IS_BUILTIN.bind}
 .    if defined(BUILTIN_PKG.bind) && \
-        !empty(IS_BUILTIN.bind:M[yY][eE][sS])
+        ${IS_BUILTIN.bind:tl} == "yes"
 USE_BUILTIN.bind=      yes
 .      for dep in ${BUILDLINK_API_DEPENDS.bind}
-.        if !empty(USE_BUILTIN.bind:M[yY][eE][sS])
+.        if ${USE_BUILTIN.bind:tl} == "yes"
 USE_BUILTIN.bind!=                                                     \
        if ${PKG_ADMIN} pmatch ${dep:Q} ${BUILTIN_PKG.bind:Q}; then     \
                ${ECHO} yes;                                            \
@@ -79,13 +79,13 @@ MAKEVARS+=          USE_BUILTIN.bind
 ### solely to determine whether a built-in implementation exists.
 ###
 CHECK_BUILTIN.bind?=   no
-.if !empty(CHECK_BUILTIN.bind:M[nN][oO])
+.if ${CHECK_BUILTIN.bind:tl} == "no"
 
-.  if !empty(USE_BUILTIN.bind:M[yY][eE][sS])
-.    if !empty(BUILTIN_LIB_FOUND.bind:M[yY][eE][sS])
+.  if ${USE_BUILTIN.bind:tl} == "yes"
+.    if ${BUILTIN_LIB_FOUND.bind:tl} == "yes"
 BUILDLINK_LDADD.bind?= -lbind
 .    endif
-.  elif !empty(USE_BUILTIN.bind:M[nN][oO])
+.  elif ${USE_BUILTIN.bind:tl} == "no"
 BUILDLINK_LDADD.bind?= -lbind
 .  endif
 

Index: pkgsrc/net/bind916/distinfo
diff -u pkgsrc/net/bind916/distinfo:1.43 pkgsrc/net/bind916/distinfo:1.44
--- pkgsrc/net/bind916/distinfo:1.43    Mon Jan  9 06:48:53 2023
+++ pkgsrc/net/bind916/distinfo Thu Jan 26 13:32:47 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.43 2023/01/09 06:48:53 taca Exp $
+$NetBSD: distinfo,v 1.44 2023/01/26 13:32:47 taca Exp $
 
-BLAKE2s (bind-9.16.36.tar.xz) = 645f478fdc213520a7b7085cd171fdd2ebdad78c5cf0dd3abaeb9c38b85a87f6
-SHA512 (bind-9.16.36.tar.xz) = 521a021456b6daf260fead75efc298dd964ff00947fd95fadb3c13d52f4c07fb61b74861601d22722e8d546dca284524fd4d770cc5cf347d9659b6df9654ed95
-Size (bind-9.16.36.tar.xz) = 5105696 bytes
+BLAKE2s (bind-9.16.37.tar.xz) = d40e5ca3b87dfdaff9d8f49e231dbc4b0db96c0acb123d66dbca83e97773cb85
+SHA512 (bind-9.16.37.tar.xz) = 2c4b01f6cc598849688b5b2710caf48db47e1e860df785783ef2b140a25507b48357a9becf7911ba0feda285c4bca87764e21128fac5cf17efa47fd5134dc59f
+Size (bind-9.16.37.tar.xz) = 5109440 bytes
 SHA1 (patch-bin_dig_dighost.c) = b1073911d80ecd519af98b6678968296ff8c0c98
 SHA1 (patch-bin_dig_include_dig_dig.h) = 10166f5bb98b208c7b10d63eb31e8253f704acc8
 SHA1 (patch-bin_named_Makefile.in) = f1367da6a226ba44d0ee13acf00b8abeb5b1b7eb
@@ -42,7 +42,7 @@ SHA1 (patch-lib_isc_include_isc_types.h)
 SHA1 (patch-lib_isc_netmgr_netmgr-int.h) = d84993edf254605f85421fbdd2fc523255c7316d
 SHA1 (patch-lib_isc_netmgr_netmgr.c) = 3df1d37061f6ceb37e309a0dc4f782fc35863146
 SHA1 (patch-lib_isc_rwlock.c) = 1d114248ddee20db7a7429afab446f8b2f0dca82
-SHA1 (patch-lib_isc_siphash.c) = 8999deb002e4fdb6b13e6f297298ef73c97042c3
+SHA1 (patch-lib_isc_siphash.c) = a6642bd91aef22afb7ec4e2e0912275371644a3f
 SHA1 (patch-lib_isc_stats.c) = 8d962fa360740770588fccf1d303d7fe22ae724b
 SHA1 (patch-lib_isc_timer.c) = aea2019bbf3d84cad77af432a2bbdf0da8f2f893
 SHA1 (patch-lib_isc_unix_include_isc_stdatomic.h) = b73b0224be47c1733f6346fce9243e97f54e1865
@@ -55,6 +55,6 @@ SHA1 (patch-lib_ns_include_ns_client.h) 
 SHA1 (patch-lib_ns_include_ns_pfilter.h) = cc86752971b4f9f7492283c4ad3ff29bc1bae237
 SHA1 (patch-lib_ns_pfilter.c) = 8f4a3b3a729360a131eb1962c42a9f9f985c7e7b
 SHA1 (patch-lib_ns_query.c) = 0c3c4a20aa4b40c144c4f986599cda67db3e2491
-SHA1 (patch-lib_ns_update.c) = 2fb3457da333143508d28420490cbc1cb69ddb19
+SHA1 (patch-lib_ns_update.c) = 2c5a9302178abe9dc9b6396b053319e39e1ef950
 SHA1 (patch-lib_ns_xfrout.c) = 79d9e4add58ffd75ea9718f5501f1517e67416e3
 SHA1 (patch-make_rules.in) = 5fb3a44ff0066c93872c25596267fbabffc6da8f

Index: pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c
diff -u pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3 pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.4
--- pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3      Sun Oct 24 06:40:28 2021
+++ pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c  Thu Jan 26 13:32:47 2023
@@ -1,12 +1,12 @@
-$NetBSD: patch-lib_isc_siphash.c,v 1.3 2021/10/24 06:40:28 taca Exp $
+$NetBSD: patch-lib_isc_siphash.c,v 1.4 2023/01/26 13:32:47 taca Exp $
 
 * Take from NetBSD base.
 
---- lib/isc/siphash.c.orig     2021-09-07 09:37:05.000000000 +0000
+--- lib/isc/siphash.c.orig     2023-01-12 22:45:02.000000000 +0000
 +++ lib/isc/siphash.c
-@@ -90,8 +90,14 @@ isc_siphash24(const uint8_t *k, const ui
-       REQUIRE(k != NULL);
+@@ -93,8 +93,14 @@ isc_siphash24(const uint8_t *k, const ui
        REQUIRE(out != NULL);
+       REQUIRE(inlen == 0 || in != NULL);
  
 -      uint64_t k0 = U8TO64_LE(k);
 -      uint64_t k1 = U8TO64_LE(k + 8);

Index: pkgsrc/net/bind916/patches/patch-lib_ns_update.c
diff -u pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2 pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.3
--- pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2        Sat Dec 19 16:41:36 2020
+++ pkgsrc/net/bind916/patches/patch-lib_ns_update.c    Thu Jan 26 13:32:47 2023
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_ns_update.c,v 1.2 2020/12/19 16:41:36 taca Exp $
+$NetBSD: patch-lib_ns_update.c,v 1.3 2023/01/26 13:32:47 taca Exp $
 
 * Based on NetBSD, add support for blocklist(blacklist).
 
---- lib/ns/update.c.orig       2020-12-07 08:16:53.000000000 +0000
+--- lib/ns/update.c.orig       2023-01-12 22:45:02.000000000 +0000
 +++ lib/ns/update.c
-@@ -52,6 +52,10 @@
+@@ -54,6 +54,10 @@
  #include <ns/stats.h>
  #include <ns/update.h>
  
@@ -15,27 +15,27 @@ $NetBSD: patch-lib_ns_update.c,v 1.2 202
  /*! \file
   * \brief
   * This module implements dynamic update as in RFC2136.
-@@ -340,6 +344,9 @@ checkqueryacl(ns_client_t *client, dns_a
- 
-       result = ns_client_checkaclsilent(client, NULL, queryacl, true);
+@@ -349,6 +353,9 @@ checkqueryacl(ns_client_t *client, dns_a
        if (result != ISC_R_SUCCESS) {
+               int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
+ 
 +#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H)
 +              pfilter_notify(result, client, "queryacl");
 +#endif
                dns_name_format(zonename, namebuf, sizeof(namebuf));
                dns_rdataclass_format(client->view->rdclass, classbuf,
                                      sizeof(classbuf));
-@@ -352,6 +359,9 @@ checkqueryacl(ns_client_t *client, dns_a
+@@ -358,6 +365,9 @@ checkqueryacl(ns_client_t *client, dns_a
                              "update '%s/%s' denied due to allow-query",
                              namebuf, classbuf);
-       } else if (updateacl == NULL && ssutable == NULL) {
+       } else if (!update_possible) {
 +#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H)
 +              pfilter_notify(result, client, "updateacl");
 +#endif
                dns_name_format(zonename, namebuf, sizeof(namebuf));
                dns_rdataclass_format(client->view->rdclass, classbuf,
                                      sizeof(classbuf));
-@@ -393,6 +403,9 @@ checkupdateacl(ns_client_t *client, dns_
+@@ -399,6 +409,9 @@ checkupdateacl(ns_client_t *client, dns_
                msg = "disabled";
        } else {
                result = ns_client_checkaclsilent(client, NULL, acl, false);