pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/net/bind910 Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).
details: https://anonhg.NetBSD.org/pkgsrc/rev/383993825a81
branches: trunk
changeset: 358300:383993825a81
user: taca <taca%pkgsrc.org@localhost>
date: Thu Feb 09 00:48:59 2017 +0000
description:
Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).
Security Fixes
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records
permitted in a zone (max-records #;). This provides a mechanism to
block overly large zone transfers, which is a potential risk with
slave zones from other parties, as described in CVE-2016-6170. [RT
#42143]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
New Features
* named now provides feedback to the owners of zones which have trust
anchors configured (trusted-keys, managed-keys, dnssec-validation
auto; and dnssec-lookaside auto;) by sending a daily query which
encodes the keyids of the configured trust anchors for the zone.
This is controlled by trust-anchor-telemetry and defaults to yes.
* A new tcp-only option has been added to server clauses, to indicate
that UDP should not be used when sending queries to a specified IP
address or prefix.
Feature Changes
* The built in mangaged keys for the global root zone have been
updated to include the upcoming key signing key (keyid 20326).
* The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to
be disabled in 2017. A warning is now logged when named is
configured to use this service, either explicitly or via
dnssec-lookaside auto;. [RT #42207]
* If an ACL is specified with an address prefix in which the prefix
length is longer than the address portion (for example,
192.0.2.1/8), named will now log a warning. In future releases this
will be a fatal configuration error. [RT #43367]
Bug Fixes
* A synthesized CNAME record appearing in a response before the
associated DNAME could be cached, when it should not have been.
This was a regression introduced while addressing CVE-2016-8864.
[RT #44318]
* Named could deadlock there were multiple changes to NSEC/NSEC3
parameters for a zone being processed at the same time. [RT #42770]
* Named could trigger a assertion when sending notify messages. [RT
#44019]
* Fixed a crash when calling rndc stats on some Windows builds: some
Visual Studio compilers generate code that crashes when the "%z"
printf() format specifier is used. [RT #42380]
* Windows installs were failing due to triggering UAC without the
installation binary being signed.
* A change in the internal binary representation of the RBT database
node structure enabled a race condition to occur (especially when
BIND was built with certain compilers or optimizer settings),
leading to inconsistent database state which caused random
assertion failures. [RT #42380]
* Referencing a nonexistent zone in a response-policy statement could
cause an assertion failure during configuration. [RT #43787]
* rndc addzone could cause a crash when attempting to add a zone with
a type other than master or slave. Such zones are now rejected. [RT
#43665]
* named could hang when encountering log file names with large
apparent gaps in version number (for example, when files exist
called "logfile.0", "logfile.1", and "logfile.1482954169"). This is
now handled correctly. [RT #38688]
* If a zone was updated while named was processing a query for
nonexistent data, it could return out-of-sync NSEC3 records causing
potential DNSSEC validation failure. [RT #43247]
* named could crash when loading a zone which had RRISG records whose
expiry fields were far enough apart to cause an integer overflow
when comparing them. [RT #40571]
* The arpaname and named-rrchecker commands were not installed into
the correct prefix/bin directory. [RT #42910]
* When receiving a response from an authoritative server with a TTL
value of zero, named> will now only use that response once, to
answer the currently active clients that were waiting for it.
Previously, such response could be cached and reused for up to one
second. [RT #42142]
* named-checkconf now checks the rate-limit clause for correctness.
[RT #42970]
* Corrected a bug in the rndc control channel that could allow a read
past the end of a buffer, crashing named. Thanks to Lian Yihan for
reporting this error.
Maintenance
* The built-in root hints have been updated to include IPv6 addresses
for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET
(2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).
diffstat:
net/bind910/Makefile | 4 ++--
net/bind910/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (36 lines):
diff -r 710d1c51856c -r 383993825a81 net/bind910/Makefile
--- a/net/bind910/Makefile Thu Feb 09 00:24:23 2017 +0000
+++ b/net/bind910/Makefile Thu Feb 09 00:48:59 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.28 2017/01/12 00:04:43 taca Exp $
+# $NetBSD: Makefile,v 1.29 2017/02/09 00:48:59 taca Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
@@ -13,7 +13,7 @@
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.10.4-P5
+BIND_VERSION= 9.10.4-P6
.include "../../mk/bsd.prefs.mk"
diff -r 710d1c51856c -r 383993825a81 net/bind910/distinfo
--- a/net/bind910/distinfo Thu Feb 09 00:24:23 2017 +0000
+++ b/net/bind910/distinfo Thu Feb 09 00:48:59 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.21 2017/01/12 00:04:43 taca Exp $
+$NetBSD: distinfo,v 1.22 2017/02/09 00:48:59 taca Exp $
-SHA1 (bind-9.10.4-P5.tar.gz) = e43d9230b4373dd1034c3714410885531541c56c
-RMD160 (bind-9.10.4-P5.tar.gz) = 30f73a7be375544bea8f2463e5d1185eed819e68
-SHA512 (bind-9.10.4-P5.tar.gz) = 09613b2a16a5784a1b0e4b685d1d2cea1c1539e11497c848f1c92a8a4f26c7fc0f08ef8f2bd17316559966aca04e1ec9d744304c36c002d66eaff6240473a101
-Size (bind-9.10.4-P5.tar.gz) = 9303205 bytes
+SHA1 (bind-9.10.4-P6.tar.gz) = c08bef47136b3b88844a4c3b8a6227445fca6f40
+RMD160 (bind-9.10.4-P6.tar.gz) = c082903758103ac9780cf92dbd634f6b3369478a
+SHA512 (bind-9.10.4-P6.tar.gz) = a881d81307b48922c062d672701e777a17d5130a10dc1c5e4022edbbc28c7136076c17a0c89b211cd3b07527b81fa9a3ac599d0c3c23d70a75e47c63cd2a59f5
+Size (bind-9.10.4-P6.tar.gz) = 9317598 bytes
SHA1 (patch-bin_dig_dighost.c) = 983e23a30d519982cbe88ed2277fcffc9cad616e
SHA1 (patch-bin_tests_system_Makefile.in) = aeb2de1b6c6cfdbae7ffbf38aeebf52e94af9e2f
SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2
Home |
Main Index |
Thread Index |
Old Index