pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/opendnssec Update OpenDNSSEC to version 1.4.12.
details: https://anonhg.NetBSD.org/pkgsrc/rev/e66f9c8cc613
branches: trunk
changeset: 354663:e66f9c8cc613
user: he <he%pkgsrc.org@localhost>
date: Sun Nov 06 12:54:35 2016 +0000
description:
Update OpenDNSSEC to version 1.4.12.
Local changes (retained from earlier versions):
* Some adaptations of the build setup (conversion scripts etc.)
* in signer/ixfr.c, log the zone name if the soamin assertion trigers
* in signer/zone.c, if there's a bad ixfr journal file, save it, for debug
Upstream changes:
News:
This is a bug fix release targeting a memory leak in the signer
when being used in the "bump in the wire" model where the signer
would send out notify messages and respond to IXFR requests for
the signed zone. This typically would manifest itself with very
frequent outgoing IXFRs over a longer period of time.
When upgrading from 1.4.10 (the 1.4.11 release was skipped) no
migration steps are needed. For upgrading from earlier releases
see the migration steps in the individual releases, most notably
in 1.4.8.2. This version of OpenDNSSEC does however require a
slightly less older minimal version of the library ldns.
Fixes:
* OPENDNSSEC-808: Crash on query with empty query section
(thanks Havard Eidnes).
* SUPPORT-191: Regression, Must accept notify without SOA (thanks
Christos Trochalakis).
* OPENDNSSEC-845: memory leak occuring when responding to IXFR
out when having had multiple updates.
* OPENDNSSEC-805: Avoid full resign due to mismatch in backup file
when upgrading from 1.4.8 or later.
* OPENDNSSEC-828: parsing zone list could show data from next zone
when zones iterated on single line.
* OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other
static code analysis cleanup
* OPENDNSSEC-847: Broken DNS IN notifications when pkt answer
section is empty.
* OPENDNSSEC-838: Crash in signer after having removed a zone.
* Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
* Prevent responding to queries when not fully started yet.
diffstat:
security/opendnssec/Makefile | 7 ++---
security/opendnssec/distinfo | 11 ++++-----
security/opendnssec/patches/patch-signer_src_wire_query.c | 18 ---------------
3 files changed, 8 insertions(+), 28 deletions(-)
diffs (66 lines):
diff -r 1f053bb02df6 -r e66f9c8cc613 security/opendnssec/Makefile
--- a/security/opendnssec/Makefile Sun Nov 06 11:25:35 2016 +0000
+++ b/security/opendnssec/Makefile Sun Nov 06 12:54:35 2016 +0000
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.58 2016/07/16 19:49:07 he Exp $
+# $NetBSD: Makefile,v 1.59 2016/11/06 12:54:35 he Exp $
#
-DISTNAME= opendnssec-1.4.10
-PKGREVISION= 1
+DISTNAME= opendnssec-1.4.12
CATEGORIES= security net
MASTER_SITES= http://www.opendnssec.org/files/source/
@@ -11,7 +10,7 @@
COMMENT= OSS for a fast and easy DNSSEC deployment
LICENSE= 2-clause-bsd
-DEPENDS+= ldns>=1.6.13:../../net/ldns
+DEPENDS+= ldns>=1.6.17:../../net/ldns
BUILD_DEPENDS+= CUnit-[0-9]*:../../devel/cunit
BUILD_DEFS+= VARBASE
diff -r 1f053bb02df6 -r e66f9c8cc613 security/opendnssec/distinfo
--- a/security/opendnssec/distinfo Sun Nov 06 11:25:35 2016 +0000
+++ b/security/opendnssec/distinfo Sun Nov 06 12:54:35 2016 +0000
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.34 2016/07/16 19:49:07 he Exp $
+$NetBSD: distinfo,v 1.35 2016/11/06 12:54:35 he Exp $
-SHA1 (opendnssec-1.4.10.tar.gz) = c83c452b9951df8dd784d7c39aae90363f1a1213
-RMD160 (opendnssec-1.4.10.tar.gz) = 0ee7e1b282da6839be919b18faf9fbe567bfc130
-SHA512 (opendnssec-1.4.10.tar.gz) = 00ba6ceba595f9d4d7736af982b78779f204eb52fcf92222256792368328647ca1a4c84b4db64dcdd9a0119292f132a4efd15e60436c2a125bf6a8fb3f33540e
-Size (opendnssec-1.4.10.tar.gz) = 1036069 bytes
+SHA1 (opendnssec-1.4.12.tar.gz) = feab78605d2c49a2788a4b65e7eb4416777e9610
+RMD160 (opendnssec-1.4.12.tar.gz) = dc91f862691218ca99b3496a7340ef16f29e37aa
+SHA512 (opendnssec-1.4.12.tar.gz) = b72b76ab4aec8cc63cc9c020bef9a24b000fd00172a07cf43d57b3a33041bef9e107b71eb7271bb13c3566510599c6a1913cf986a724e169c42dc8bdac8d2e51
+Size (opendnssec-1.4.12.tar.gz) = 1036392 bytes
SHA1 (patch-aa) = 104e077af6c368cbb5fc3034d58b2f2249fcf991
SHA1 (patch-enforcer_utils_Makefile.am) = 80915dee723535e5854e62bc18f00ba2d5d7496c
SHA1 (patch-enforcer_utils_Makefile.in) = 6c1b4ad25956bfcc8b410a8ca22f2581e64198d1
SHA1 (patch-signer_src_signer_ixfr.c) = 74c2c320080e585a6126e146c453998f44c164f7
SHA1 (patch-signer_src_signer_zone.c) = 0330236f11ccab7ed83b73bc83d851f932124318
-SHA1 (patch-signer_src_wire_query.c) = ab60e229687be910be9acd0a43d47987498de070
diff -r 1f053bb02df6 -r e66f9c8cc613 security/opendnssec/patches/patch-signer_src_wire_query.c
--- a/security/opendnssec/patches/patch-signer_src_wire_query.c Sun Nov 06 11:25:35 2016 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-$NetBSD: patch-signer_src_wire_query.c,v 1.1 2016/07/16 19:49:07 he Exp $
-
-Add a check for whether we have an RRset in the query,
-to side-step DoS via crafted packet.
-
---- signer/src/wire/query.c.orig 2016-05-02 10:40:02.000000000 +0000
-+++ signer/src/wire/query.c
-@@ -869,6 +869,10 @@ query_process(query_type* q, void* engin
- return query_formerr(q);
- }
- rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0);
-+ if (rr == NULL) {
-+ ods_log_debug("[%s] no RRset in query, ignoring", query_str);
-+ return QUERY_DISCARDED; /* no RRset in query */
-+ }
- lock_basic_lock(&e->zonelist->zl_lock);
- /* we can just lookup the zone, because we will only handle SOA queries,
- zone transfers, updates and notifies */
Home |
Main Index |
Thread Index |
Old Index