Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/external/mpl/bind/dist --- 9.14.7 released ---



details:   https://anonhg.NetBSD.org/src/rev/21957eef116e
branches:  trunk
changeset: 966189:21957eef116e
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Oct 17 16:25:39 2019 +0000

description:
--- 9.14.7 released ---

5299.   [security]      A flaw in DNSSEC verification when transferring
                        mirror zones could allow data to be incorrectly
                        marked valid. (CVE-2019-6475) [GL #16P]

5298.   [security]      Named could assert if a forwarder returned a
                        referral, rather than resolving the query, when QNAME
                        minimization was enabled. (CVE-2019-6476) [GL #1051]

5297.   [bug]           Check whether a previous QNAME minimization fetch
                        is still running before starting a new one; return
                        SERVFAIL and log an error if so. [GL #1191]

5294.   [func]          Fallback to ACE name on output in locale, which does not
                        support converting it to unicode.  [GL #846]

5293.   [bug]           On Windows, named crashed upon any attempt to fetch XML
                        statistics from it. [GL #1245]

5292.   [bug]           Queue 'rndc nsec3param' requests while signing inline
                        zone changes. [GL #1205]

        --- 9.14.6 released ---

5289.   [bug]           Address NULL pointer dereference in rpz.c:rpz_detach.
                        [GL #1210]

5286.   [contrib]       Address potential NULL pointer dereferences in
                        dlz_mysqldyn_mod.c. [GL #1207]

5285.   [port]          win32: implement "-T maxudpXXX". [GL #837]

5283.   [bug]           When a response-policy zone expires, ensure that
                        its policies are removed from the RPZ summary
                        database. [GL #1146]

5282.   [bug]           Fixed a bug in searching for possible wildcard matches
                        for query names in the RPZ summary database. [GL #1146]

5281.   [cleanup]       Don't escape commas when reporting named's command
                        line. [GL #1189]

5280.   [protocol]      Add support for displaying EDNS option LLQ. [GL #1201]

5279.   [bug]           When loading, reject zones containing CDS or CDNSKEY
                        RRsets at the zone apex if they would cause DNSSEC
                        validation failures if published in the parent zone
                        as the DS RRset.  [GL #1187]

diffstat:

 external/mpl/bind/dist/CHANGES                                          |   52 +-
 external/mpl/bind/dist/README                                           |   70 +-
 external/mpl/bind/dist/README.md                                        |   89 +-
 external/mpl/bind/dist/bin/check/win32/checkconf.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/check/win32/checktool.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/check/win32/checkzone.vcxproj.in             |   17 +-
 external/mpl/bind/dist/bin/confgen/win32/confgentool.vcxproj.in         |    5 +-
 external/mpl/bind/dist/bin/confgen/win32/ddnsconfgen.vcxproj.in         |    5 +-
 external/mpl/bind/dist/bin/confgen/win32/rndcconfgen.vcxproj.in         |    5 +-
 external/mpl/bind/dist/bin/delv/win32/delv.vcxproj.in                   |    5 +-
 external/mpl/bind/dist/bin/dig/win32/dig.vcxproj.in                     |    5 +-
 external/mpl/bind/dist/bin/dig/win32/dighost.vcxproj.in                 |    5 +-
 external/mpl/bind/dist/bin/dig/win32/host.vcxproj.in                    |    5 +-
 external/mpl/bind/dist/bin/dig/win32/nslookup.vcxproj.in                |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/cds.vcxproj.in                  |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in           |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in            |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/importkey.vcxproj.in            |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in         |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/keygen.vcxproj.in               |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/revoke.vcxproj.in               |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/settime.vcxproj.in              |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/signzone.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/dnssec/win32/verify.vcxproj.in               |    5 +-
 external/mpl/bind/dist/bin/named/win32/named.vcxproj.in                 |    5 +-
 external/mpl/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in           |    5 +-
 external/mpl/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in          |    5 +-
 external/mpl/bind/dist/bin/pkcs11/win32/pk11keygen.vcxproj.in           |    5 +-
 external/mpl/bind/dist/bin/pkcs11/win32/pk11list.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in           |    5 +-
 external/mpl/bind/dist/bin/rndc/win32/rndc.vcxproj.in                   |    5 +-
 external/mpl/bind/dist/bin/rndc/win32/rndcutil.vcxproj.in               |    5 +-
 external/mpl/bind/dist/bin/tests/system/checkzone/zones/bad-cdnskey.db  |    4 +
 external/mpl/bind/dist/bin/tests/system/checkzone/zones/bad-cds.db      |    6 +
 external/mpl/bind/dist/bin/tests/system/checkzone/zones/good-cdnskey.db |    4 +
 external/mpl/bind/dist/bin/tests/system/checkzone/zones/good-cds.db     |    4 +
 external/mpl/bind/dist/bin/tests/system/conf.sh.common                  |    1 +
 external/mpl/bind/dist/bin/tests/system/conf.sh.win32                   |    2 +-
 external/mpl/bind/dist/bin/tests/system/digdelv/tests.sh                |    8 +
 external/mpl/bind/dist/bin/tests/system/dnssec/ns2/sign.sh              |   12 +-
 external/mpl/bind/dist/bin/tests/system/dnssec/tests.sh                 |    4 +-
 external/mpl/bind/dist/bin/tests/system/forward/ns1/named.conf.in       |    5 +
 external/mpl/bind/dist/bin/tests/system/forward/ns1/sld.tld.db          |   11 +
 external/mpl/bind/dist/bin/tests/system/forward/ns2/named.conf.in       |    5 +
 external/mpl/bind/dist/bin/tests/system/forward/ns2/tld.db              |   12 +
 external/mpl/bind/dist/bin/tests/system/forward/ns8/named.conf.in       |   28 +
 external/mpl/bind/dist/bin/tests/system/forward/ns8/root.db             |   11 +
 external/mpl/bind/dist/bin/tests/system/forward/setup.sh                |    1 +
 external/mpl/bind/dist/bin/tests/system/forward/tests.sh                |    7 +
 external/mpl/bind/dist/bin/tests/system/glue/clean.sh                   |    2 +-
 external/mpl/bind/dist/bin/tests/system/glue/ns1/named.conf.in          |    7 -
 external/mpl/bind/dist/bin/tests/system/glue/ns1/root.db                |   16 -
 external/mpl/bind/dist/bin/tests/system/glue/setup.sh                   |    2 -
 external/mpl/bind/dist/bin/tests/system/idna/tests.sh                   |   19 +
 external/mpl/bind/dist/bin/tests/system/keymgr/tests.sh                 |    2 +-
 external/mpl/bind/dist/bin/tests/system/resolver/ns6/delegation-only.db |    2 +-
 external/mpl/bind/dist/bin/tests/system/resolver/tests.sh               |   17 +-
 external/mpl/bind/dist/bin/tests/system/rpz/clean.sh                    |    4 +-
 external/mpl/bind/dist/bin/tests/system/rpz/ns3/named.conf.in           |   10 +
 external/mpl/bind/dist/bin/tests/system/rpz/ns5/expire.conf.in          |   17 +
 external/mpl/bind/dist/bin/tests/system/rpz/ns5/fast-expire.db.in       |   16 +
 external/mpl/bind/dist/bin/tests/system/rpz/ns5/named.conf.in           |    2 +
 external/mpl/bind/dist/bin/tests/system/rpz/setup.sh                    |    4 +
 external/mpl/bind/dist/bin/tests/system/rpz/tests.sh                    |   11 +
 external/mpl/bind/dist/bin/tests/system/runall.sh                       |    6 +-
 external/mpl/bind/dist/bin/tests/system/statschannel/tests.sh           |    1 +
 external/mpl/bind/dist/bin/tests/system/win32/bigkey.vcxproj.in         |    5 +-
 external/mpl/bind/dist/bin/tests/system/win32/feature-test.vcxproj.in   |    5 +-
 external/mpl/bind/dist/bin/tests/system/win32/gencheck.vcxproj.in       |    5 +-
 external/mpl/bind/dist/bin/tests/system/win32/keycreate.vcxproj.in      |    5 +-
 external/mpl/bind/dist/bin/tests/system/win32/keydelete.vcxproj.in      |    5 +-
 external/mpl/bind/dist/bin/tests/system/win32/pipequeries.vcxproj.in    |    5 +-
 external/mpl/bind/dist/bin/tests/system/xfer/tests.sh                   |    2 +-
 external/mpl/bind/dist/bin/tests/win32/backtrace_test.vcxproj.in        |    5 +-
 external/mpl/bind/dist/bin/tests/win32/inter_test.vcxproj.in            |    5 +-
 external/mpl/bind/dist/bin/tests/win32/makejournal.vcxproj.in           |    5 +-
 external/mpl/bind/dist/bin/tests/win32/rwlock_test.vcxproj.in           |    5 +-
 external/mpl/bind/dist/bin/tests/win32/shutdown_test.vcxproj.in         |    5 +-
 external/mpl/bind/dist/bin/tests/win32/sock_test.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/tests/win32/task_test.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/tests/win32/timer_test.vcxproj.in            |    5 +-
 external/mpl/bind/dist/bin/tools/win32/arpaname.vcxproj.in              |    5 +-
 external/mpl/bind/dist/bin/tools/win32/journalprint.vcxproj.in          |    5 +-
 external/mpl/bind/dist/bin/tools/win32/mdig.vcxproj.in                  |    5 +-
 external/mpl/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/tools/win32/rrchecker.vcxproj.in             |    5 +-
 external/mpl/bind/dist/bin/win32/BINDInstall/AccountInfo.cpp            |   23 +-
 external/mpl/bind/dist/bin/win32/BINDInstall/BINDInstall.rc             |    1 +
 external/mpl/bind/dist/bin/win32/BINDInstall/BINDInstall.vcxproj.in     |    5 +-
 external/mpl/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp         |   41 +-
 external/mpl/bind/dist/bin/win32/BINDInstall/DirBrowse.cpp              |    1 +
 external/mpl/bind/dist/bin/win32/BINDInstall/VersionInfo.cpp            |    2 -
 external/mpl/bind/dist/configure.ac                                     |   32 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM-book.xml                          |   29 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch01.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch02.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch03.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch04.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch05.html                         |   31 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch06.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch07.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch08.html                         |  473 +++++----
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch09.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch10.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch11.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.ch12.html                         |    2 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.html                              |    6 +-
 external/mpl/bind/dist/doc/arm/Bv9ARM.pdf                               |  Bin 
 external/mpl/bind/dist/doc/arm/Makefile.in                              |   15 +-
 external/mpl/bind/dist/doc/arm/man.arpaname.html                        |    2 +-
 external/mpl/bind/dist/doc/arm/man.ddns-confgen.html                    |    2 +-
 external/mpl/bind/dist/doc/arm/man.delv.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.dig.html                             |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-cds.html                      |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-checkds.html                  |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-coverage.html                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-dsfromkey.html                |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-importkey.html                |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-keyfromlabel.html             |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-keygen.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-keymgr.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-revoke.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-settime.html                  |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-signzone.html                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnssec-verify.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.dnstap-read.html                     |    2 +-
 external/mpl/bind/dist/doc/arm/man.filter-aaaa.html                     |    2 +-
 external/mpl/bind/dist/doc/arm/man.host.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.mdig.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-checkconf.html                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-checkzone.html                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-journalprint.html              |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-nzd2nzf.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.named-rrchecker.html                 |    2 +-
 external/mpl/bind/dist/doc/arm/man.named.conf.html                      |    2 +-
 external/mpl/bind/dist/doc/arm/man.named.html                           |    2 +-
 external/mpl/bind/dist/doc/arm/man.nsec3hash.html                       |    2 +-
 external/mpl/bind/dist/doc/arm/man.nslookup.html                        |    2 +-
 external/mpl/bind/dist/doc/arm/man.nsupdate.html                        |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-destroy.html                  |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-keygen.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-list.html                     |    2 +-
 external/mpl/bind/dist/doc/arm/man.pkcs11-tokens.html                   |    2 +-
 external/mpl/bind/dist/doc/arm/man.rndc-confgen.html                    |    2 +-
 external/mpl/bind/dist/doc/arm/man.rndc.conf.html                       |    2 +-
 external/mpl/bind/dist/doc/arm/man.rndc.html                            |    2 +-
 external/mpl/bind/dist/doc/arm/notes-bug-fixes.xml                      |   81 +
 external/mpl/bind/dist/doc/arm/notes-download.xml                       |   20 +
 external/mpl/bind/dist/doc/arm/notes-eol.xml                            |   21 +
 external/mpl/bind/dist/doc/arm/notes-intro.xml                          |   22 +
 external/mpl/bind/dist/doc/arm/notes-license.xml                        |   34 +
 external/mpl/bind/dist/doc/arm/notes-new-features.xml                   |   78 +
 external/mpl/bind/dist/doc/arm/notes-numbering.xml                      |   20 +
 external/mpl/bind/dist/doc/arm/notes-platforms.xml                      |   44 +
 external/mpl/bind/dist/doc/arm/notes-sec-fixes.xml                      |   37 +
 external/mpl/bind/dist/doc/arm/notes-thankyou.xml                       |   19 +
 external/mpl/bind/dist/doc/arm/notes.html                               |  469 +++++----
 external/mpl/bind/dist/doc/arm/notes.pdf                                |  Bin 
 external/mpl/bind/dist/doc/arm/notes.txt                                |   33 +-
 external/mpl/bind/dist/doc/arm/notes.xml                                |  263 +-----
 external/mpl/bind/dist/lib/bind9/win32/libbind9.vcxproj.in              |    5 +-
 external/mpl/bind/dist/lib/dns/api                                      |    2 +-
 external/mpl/bind/dist/lib/dns/tests/Kyuafile                           |    1 -
 external/mpl/bind/dist/lib/dns/tests/Makefile.in                        |   11 -
 external/mpl/bind/dist/lib/dns/win32/gen.vcxproj.in                     |    5 +-
 external/mpl/bind/dist/lib/dns/win32/libdns.vcxproj.in                  |    5 +-
 external/mpl/bind/dist/lib/irs/win32/libirs.vcxproj.in                  |    5 +-
 external/mpl/bind/dist/lib/isc/api                                      |    2 +-
 external/mpl/bind/dist/lib/isc/win32/libisc.vcxproj.in                  |    5 +-
 external/mpl/bind/dist/lib/isccc/win32/libisccc.vcxproj.in              |    5 +-
 external/mpl/bind/dist/lib/isccfg/api                                   |    2 +-
 external/mpl/bind/dist/lib/isccfg/win32/libisccfg.vcxproj.in            |    5 +-
 external/mpl/bind/dist/lib/ns/api                                       |    2 +-
 external/mpl/bind/dist/lib/ns/win32/libns.vcxproj.in                    |    5 +-
 external/mpl/bind/dist/lib/samples/win32/async.vcxproj.in               |    5 +-
 external/mpl/bind/dist/lib/samples/win32/gai.vcxproj.in                 |    5 +-
 external/mpl/bind/dist/lib/samples/win32/nsprobe.vcxproj.in             |    5 +-
 external/mpl/bind/dist/lib/samples/win32/request.vcxproj.in             |    5 +-
 external/mpl/bind/dist/lib/samples/win32/resolve.vcxproj.in             |    5 +-
 external/mpl/bind/dist/lib/samples/win32/update.vcxproj.in              |    5 +-
 external/mpl/bind/dist/lib/win32/bindevt/bindevt.vcxproj.in             |    5 +-
 external/mpl/bind/dist/srcid                                            |    2 +-
 external/mpl/bind/dist/unit/unittest.sh.in                              |    2 +-
 external/mpl/bind/dist/version                                          |    2 +-
 external/mpl/bind/dist/win32utils/Configure                             |   23 +-
 external/mpl/bind/dist/win32utils/bind9.sln.in                          |    5 +
 external/mpl/bind/dist/win32utils/build.txt                             |  123 +-
 external/mpl/bind/dist/win32utils/readme1st.txt                         |   64 +-
 188 files changed, 1730 insertions(+), 1208 deletions(-)

diffs (truncated from 6480 to 300 lines):

diff -r 16fe23a676ec -r 21957eef116e external/mpl/bind/dist/CHANGES
--- a/external/mpl/bind/dist/CHANGES    Thu Oct 17 16:21:02 2019 +0000
+++ b/external/mpl/bind/dist/CHANGES    Thu Oct 17 16:25:39 2019 +0000
@@ -1,3 +1,53 @@
+       --- 9.14.7 released ---
+
+5299.  [security]      A flaw in DNSSEC verification when transferring
+                       mirror zones could allow data to be incorrectly
+                       marked valid. (CVE-2019-6475) [GL #16P]
+
+5298.  [security]      Named could assert if a forwarder returned a
+                       referral, rather than resolving the query, when QNAME
+                       minimization was enabled. (CVE-2019-6476) [GL #1051]
+
+5297.  [bug]           Check whether a previous QNAME minimization fetch
+                       is still running before starting a new one; return
+                       SERVFAIL and log an error if so. [GL #1191]
+
+5294.  [func]          Fallback to ACE name on output in locale, which does not
+                       support converting it to unicode.  [GL #846]
+
+5293.  [bug]           On Windows, named crashed upon any attempt to fetch XML
+                       statistics from it. [GL #1245]
+
+5292.  [bug]           Queue 'rndc nsec3param' requests while signing inline
+                       zone changes. [GL #1205]
+
+       --- 9.14.6 released ---
+
+5289.  [bug]           Address NULL pointer dereference in rpz.c:rpz_detach.
+                       [GL #1210]
+
+5286.  [contrib]       Address potential NULL pointer dereferences in
+                       dlz_mysqldyn_mod.c. [GL #1207]
+
+5285.  [port]          win32: implement "-T maxudpXXX". [GL #837]
+
+5283.  [bug]           When a response-policy zone expires, ensure that
+                       its policies are removed from the RPZ summary
+                       database. [GL #1146]
+
+5282.  [bug]           Fixed a bug in searching for possible wildcard matches
+                       for query names in the RPZ summary database. [GL #1146]
+
+5281.  [cleanup]       Don't escape commas when reporting named's command
+                       line. [GL #1189]
+
+5280.  [protocol]      Add support for displaying EDNS option LLQ. [GL #1201]
+
+5279.  [bug]           When loading, reject zones containing CDS or CDNSKEY
+                       RRsets at the zone apex if they would cause DNSSEC
+                       validation failures if published in the parent zone
+                       as the DS RRset.  [GL #1187]
+
        --- 9.14.5 released ---
 
 5277.  [bug]           Cache DB statistics could underflow when serve-stale
@@ -95,7 +145,7 @@
                        code in a high-load cold-cache resolver scenario.
                        [GL #943]
 
-5242.  [bug]           In relaxed qname minimizatiom mode, fall back to
+5242.  [bug]           In relaxed qname minimization mode, fall back to
                        normal resolution when encountering a lame
                        delegation, and use _.domain/A queries rather
                        than domain/NS. [GL #1055]
diff -r 16fe23a676ec -r 21957eef116e external/mpl/bind/dist/README
--- a/external/mpl/bind/dist/README     Thu Oct 17 16:21:02 2019 +0000
+++ b/external/mpl/bind/dist/README     Thu Oct 17 16:25:39 2019 +0000
@@ -71,6 +71,9 @@
 assertion failure or other crash in named, please do NOT use GitLab to
 report it. Instead, please send mail to security-officer%isc.org@localhost.
 
+For a general overview of ISC security policies, read the Knowledge Base
+article at https://kb.isc.org/docs/aa-00861.
+
 Professional support and training for BIND are available from ISC at
 https://www.isc.org/support.
 
@@ -90,7 +93,7 @@
 General information: CONTRIBUTING.md - BIND 9 code style: doc/dev/style.md
 - BIND architecture and developer guide: doc/dev/dev.md
 
-Patches for BIND may be submitted as Merge Requests in the ISC GitLab
+Patches for BIND may be submitted as merge requests in the ISC GitLab
 server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
 
 By default, external contributors don't have ability to fork BIND in the
@@ -164,13 +167,27 @@
 BIND 9.14.4 is a maintenance release, and also adds support for the new
 MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
 
+BIND 9.14.5
+
+BIND 9.14.5 is a maintenance release.
+
+BIND 9.14.6
+
+BIND 9.14.6 is a maintenance release.
+
+BIND 9.14.7
+
+BIND 9.14.7 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
+
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
 basic POSIX support, and a 64-bit integer type. Successful builds have
-been observed on many versions of Linux and UNIX, including RedHat,
-Fedora, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS
-X, Solaris, HP-UX, and OpenWRT.
+been observed on many versions of Linux and UNIX, including RHEL/CentOS,
+Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
+NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
+OpenWRT.
 
 BIND requires a cryptography provider library such as OpenSSL or a
 hardware service module supporting PKCS#11. On Linux, BIND requires the
@@ -179,8 +196,8 @@
 Compile-time options below for details on other libraries that may be
 required to support optional features.
 
-BIND is also available for Windows 2008 and higher. See win32utils/
-readme1st.txt for details on building for Windows systems.
+BIND is also available for Windows Server 2008 and higher. See win32utils/
+build.txt for details on building for Windows systems.
 
 To build on a UNIX or Linux system, use:
 
@@ -208,25 +225,23 @@
 LDFLAGS        Linker flags. Defaults to empty string.
 BUILD_CC       Needed when cross-compiling: the native C compiler to use
                when building for the target system.
-BUILD_CFLAGS   Optional, used for cross-compiling
-BUILD_CPPFLAGS
-BUILD_LDFLAGS
-BUILD_LIBS
+BUILD_CFLAGS   CFLAGS for the target system during cross-compiling.
+BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
+BUILD_LDFLAGS  LDFLAGS for the target system during cross-compiling.
+BUILD_LIBS     LIBS for the target system during cross-compiling.
 
 macOS
 
 Building on macOS assumes that the "Command Tools for Xcode" is installed.
 This can be downloaded from https://developer.apple.com/download/more/ or
-if you have Xcode already installed you can run "xcode-select --install".
-This will add /usr/include to the system and install the compiler and
-other tools so that they can be easily found.
+if you have Xcode already installed you can run xcode-select --install.
 
 Dependencies
 
 Portions of BIND that are written in Python, including dnssec-keymgr,
 dnssec-coverage, dnssec-checkds, and some of the system tests, require the
-'argparse' and 'ply' modules to be available. 'argparse' is a standard
-module as of Python 2.7 and Python 3.2. 'ply' is available from https://
+argparse and ply modules to be available. argparse is a standard module as
+of Python 2.7 and Python 3.2. ply is available from https://
 pypi.python.org/pypi/ply.
 
 Compile-time options
@@ -245,9 +260,12 @@
 --with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
 
 To support the HTTP statistics channel, the server must be linked with at
-least one of the following: libxml2 http://xmlsoft.org or json-c https://
-github.com/json-c. If these are installed at a nonstandard location,
-specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+least one of the following libraries: libxml2 http://xmlsoft.org or json-c
+https://github.com/json-c/json-c. If these are installed at a nonstandard
+location, then:
+
+  * for libxml2, specify the prefix using --with-libxml2=/prefix,
+  * for json-c, adjust PKG_CONFIG_PATH.
 
 To support compression on the HTTP statistics channel, the server must be
 linked against libzlib. If this is installed in a nonstandard location,
@@ -276,8 +294,8 @@
 
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev
-or libcap-devel module. Process capability support can also be disabled by
-configuring with --disable-linux-caps.
+or libcap-devel package. Process capability support can also be disabled
+by configuring with --disable-linux-caps.
 
 On some platforms it is necessary to explicitly request large file support
 to handle files bigger than 2GB. This can be done by using
@@ -314,7 +332,7 @@
 
 Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
 and will be skipped if these are not available. Some tests require Python
-and the 'dnspython' module and will be skipped if these are not available.
+and the dnspython module and will be skipped if these are not available.
 See bin/tests/system/README for further details.
 
 Unit tests are implemented using the CMocka unit testing framework. To
@@ -325,7 +343,7 @@
 Documentation
 
 The BIND 9 Administrator Reference Manual is included with the source
-distribution, in DocBook XML, HTML and PDF format, in the doc/arm
+distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
 directory.
 
 Some of the programs in the BIND 9 distribution have man pages in their
@@ -380,16 +398,16 @@
 referred to entries in the "bind9-bugs" RT database, which was not open to
 the public. More recent entries use the form [GL #NNN] or, less often, [GL
 !NNN], which, respectively, refer to issues or merge requests in the
-Gitlab database. Most of these are publicly readable, unless they include
-information which is confidential or security senstive.
+GitLab database. Most of these are publicly readable, unless they include
+information which is confidential or security sensitive.
 
-To look up a Gitlab issue by its number, use the URL https://
+To look up a GitLab issue by its number, use the URL https://
 gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
 use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
 
 In rare cases, an issue or merge request number may be followed with the
 letter "P". This indicates that the information is in the private ISC
-Gitlab instance, which is not visible to the public.
+GitLab instance, which is not visible to the public.
 
 Acknowledgments
 
diff -r 16fe23a676ec -r 21957eef116e external/mpl/bind/dist/README.md
--- a/external/mpl/bind/dist/README.md  Thu Oct 17 16:21:02 2019 +0000
+++ b/external/mpl/bind/dist/README.md  Thu Oct 17 16:25:39 2019 +0000
@@ -82,6 +82,9 @@
 report it. Instead, please send mail to
 [security-officer%isc.org@localhost](mailto:security-officer%isc.org@localhost).
 
+For a general overview of ISC security policies, read the Knowledge Base
+article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+
 Professional support and training for BIND are available from
 ISC at [https://www.isc.org/support](https://www.isc.org/support).
 
@@ -103,7 +106,7 @@
 - BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
 
 Patches for BIND may be submitted as
-[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
+[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
 in the [ISC GitLab server](https://gitlab.isc.org) at
 at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
 
@@ -180,13 +183,26 @@
 the new MaxMind GeoIP2 geolocation API when built with
 `configure --with-geoip2`.
 
+#### BIND 9.14.5
+
+BIND 9.14.5 is a maintenance release.
+
+#### BIND 9.14.6
+
+BIND 9.14.6 is a maintenance release.
+
+#### BIND 9.14.7
+
+BIND 9.14.7 is a maintenance release, and also addresses the security
+vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
+
 ### <a name="build"/> Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
 basic POSIX support, and a 64-bit integer type. Successful builds have been
-observed on many versions of Linux and UNIX, including RedHat, Fedora,
-Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X,
-Solaris, HP-UX, and OpenWRT.
+observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
+Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
+OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
 
 BIND requires a cryptography provider library such as OpenSSL or a
 hardware service module supporting PKCS#11. On Linux, BIND requires
@@ -195,8 +211,8 @@
 See [Compile-time options](#opts) below for details on other libraries
 that may be required to support optional features.
 
-BIND is also available for Windows 2008 and higher.  See
-`win32utils/readme1st.txt` for details on building for Windows
+BIND is also available for Windows Server 2008 and higher.  See
+`win32utils/build.txt` for details on building for Windows
 systems.
 
 To build on a UNIX or Linux system, use:
@@ -218,26 +234,24 @@
 |`STD_CDEFINES`|Any additional preprocessor symbols you want defined.  Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
 |`LDFLAGS`|Linker flags. Defaults to empty string.|
 |`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
-|`BUILD_CFLAGS`|Optional, used for cross-compiling|
-|`BUILD_CPPFLAGS`||
-|`BUILD_LDFLAGS`||
-|`BUILD_LIBS`||



Home | Main Index | Thread Index | Old Index