pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2017Q4]: pkgsrc/net/bind910 Pullup ticket #5684 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/acbbcc8fb98f
branches:  pkgsrc-2017Q4
changeset: 373114:acbbcc8fb98f
user:      spz <spz%pkgsrc.org@localhost>
date:      Fri Jan 19 21:42:37 2018 +0000

description:
Pullup ticket #5684 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.39
- net/bind910/distinfo                                          1.30

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Wed Jan 17 00:31:38 UTC 2018

   Modified Files:
        pkgsrc/net/bind910: Makefile distinfo

   Log Message:
   net/bind910: update to 9.10.6pl1 (BIND 9.10.6-P1).

   Release Notes for BIND Version 9.10.6-P1

   Introduction

      This document summarizes changes since BIND 9.10.6.

      BIND 9.10.6-P1 addresses the security issue described in CVE-2017-3145.

   Download

      The latest versions of BIND 9 software can always be found at
      http://www.isc.org/downloads/. There you will find additional
      information about each release, source code, and pre-compiled versions
      for Microsoft Windows operating systems.

   New DNSSEC Root Key

      ICANN is in the process of introducing a new Key Signing Key (KSK) for
      the global root zone. BIND has multiple methods for managing DNSSEC
      trust anchors, with somewhat different behaviors. If the root key is
      configured using the managed-keys statement, or if the pre-configured
      root key is enabled by using dnssec-validation auto, then BIND can keep
      keys up to date automatically. Servers configured in this way should
      have begun the process of rolling to the new key when it was published
      in the root zone in July 2017. However, keys configured using the
      trusted-keys statement are not automatically maintained. If your server
      is performing DNSSEC validation and is configured using trusted-keys,
      you are advised to change your configuration before the root zone
      begins signing with the new KSK. This is currently scheduled for
      October 11, 2017.

      This release includes an updated version of the bind.keys file
      containing the new root key. This file can also be downloaded from
      https://www.isc.org/bind-keys .

   Windows XP No Longer Supported

      As of BIND 9.10.6, Windows XP is no longer a supported platform for
      BIND, and Windows XP binaries are no longer available for download from
      ISC.

   Security Fixes

        * Addresses could be referenced after being freed during resolver
          processing, causing an assertion failure. The chances of this
          happening were remote, but the introduction of a delay in
          resolution increased them. (The delay will be addressed in an
          upcoming maintenance release.) This bug is disclosed in
          CVE-2017-3145. [RT #46839]
        * An error in TSIG handling could permit unauthorized zone transfers
          or zone updates. These flaws are disclosed in CVE-2017-3142 and
          CVE-2017-3143. [RT #45383]
        * The BIND installer on Windows used an unquoted service path, which
          can enable privilege escalation. This flaw is disclosed in
          CVE-2017-3141. [RT #45229]
        * With certain RPZ configurations, a response with TTL 0 could cause
          named to go into an infinite query loop. This flaw is disclosed in
          CVE-2017-3140. [RT #45181]

   Feature Changes

        * dig +ednsopt now accepts the names for EDNS options in addition to
          numeric values. For example, an EDNS Client-Subnet option could be
          sent using dig +ednsopt?s:.... Thanks to John Worley of Secure64
          for the contribution. [RT #44461]
        * Threads in named are now set to human-readable names to assist
          debugging on operating systems that support that. Threads will have
          names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
          on. This will affect the reporting of subsidiary thread names in ps
          and top, but not the main thread. [RT #43234]
        * DiG now warns about .local queries which are reserved for Multicast
          DNS. [RT #44783]

   Bug Fixes

        * Fixed a bug that was introduced in an earlier development release
          which caused multi-packet AXFR and IXFR messages to fail validation
          if not all packets contained TSIG records; this caused
          interoperability problems with some other DNS implementations. [RT
          #45509]
        * Semicolons are no longer escaped when printing CAA and URI records.
          This may break applications that depend on the presence of the
          backslash before the semicolon. [RT #45216]
        * AD could be set on truncated answer with no records present in the
          answer and authority sections. [RT #45140]

   End of Life

      The end of life for BIND 9.10 is yet to be determined but will not be
      before BIND 9.12.0 has been released for 6 months.
      https://www.isc.org/downloads/software-support-policy/


   To generate a diff of this commit:
   cvs rdiff -u -r1.38 -r1.39 pkgsrc/net/bind910/Makefile
   cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/bind910/distinfo

diffstat:

 net/bind910/Makefile |   6 +++---
 net/bind910/distinfo |  10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diffs (45 lines):

diff -r 35d7379d2cd2 -r acbbcc8fb98f net/bind910/Makefile
--- a/net/bind910/Makefile      Fri Jan 19 21:33:24 2018 +0000
+++ b/net/bind910/Makefile      Fri Jan 19 21:42:37 2018 +0000
@@ -1,20 +1,20 @@
-# $NetBSD: Makefile,v 1.38 2017/11/07 02:16:44 kamil Exp $
+# $NetBSD: Makefile,v 1.38.2.1 2018/01/19 21:42:37 spz Exp $
 
 DISTNAME=      bind-${BIND_VERSION}
 PKGNAME=       ${DISTNAME:S/-P/pl/}
-PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://www.isc.org/software/bind/
 COMMENT=       Berkeley Internet Name Daemon implementation of DNS, version 9.10
+LICENSE=       mpl-2.0
 
 CONFLICTS+=    host-[0-9]*
 
 MAKE_JOBS_SAFE=        no
 
-BIND_VERSION=  9.10.6
+BIND_VERSION=  9.10.6-P1
 
 .include "../../mk/bsd.prefs.mk"
 
diff -r 35d7379d2cd2 -r acbbcc8fb98f net/bind910/distinfo
--- a/net/bind910/distinfo      Fri Jan 19 21:33:24 2018 +0000
+++ b/net/bind910/distinfo      Fri Jan 19 21:42:37 2018 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.29 2017/11/07 02:16:44 kamil Exp $
+$NetBSD: distinfo,v 1.29.2.1 2018/01/19 21:42:37 spz Exp $
 
-SHA1 (bind-9.10.6.tar.gz) = a00f58a389616a8ccf8e30fe3150ecf4ce654e31
-RMD160 (bind-9.10.6.tar.gz) = c136d4698351160dd8851c10c117c788ecd88296
-SHA512 (bind-9.10.6.tar.gz) = dc4623b00277ba6862bf20bf458c78e409541fa4068e65a5de48dc9893a724e7ab6cd1ff3c11727f5984eee9beaf303f3a76dbfaf548c56d0ec63d320dac4bb7
-Size (bind-9.10.6.tar.gz) = 9449394 bytes
+SHA1 (bind-9.10.6-P1.tar.gz) = adb06033d5538f2412c8f61ffca123e293ca393a
+RMD160 (bind-9.10.6-P1.tar.gz) = 9795dab8352b17638915a4252252fba08111ae17
+SHA512 (bind-9.10.6-P1.tar.gz) = f45647ad6f6afc26098bdc4a18fd3468a1d769ebaddeb92aee87b4f93791c2cff27f07d49116c0b9c53547f8eb93e7c720bec1cec38b9cecb3829da1fe9ae833
+Size (bind-9.10.6-P1.tar.gz) = 9452495 bytes
 SHA1 (patch-bin_dig_dighost.c) = 983e23a30d519982cbe88ed2277fcffc9cad616e
 SHA1 (patch-bin_tests_system_Makefile.in) = ba368204f8eeaa12be366a532c75a2e3cc8fae98
 SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2



Home | Main Index | Thread Index | Old Index