pkgsrc-Changes archive
CVS commit: [pkgsrc-2022Q4] pkgsrc/net/bind916
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Jan 26 20:01:44 UTC 2023
Modified Files:
pkgsrc/net/bind916 [pkgsrc-2022Q4]: Makefile builtin.mk distinfo
pkgsrc/net/bind916/patches [pkgsrc-2022Q4]: patch-lib_isc_siphash.c
patch-lib_ns_update.c
Log Message:
Pullup ticket #6726 - requested by taca
net/bind916: security fix
Revisions pulled up:
- net/bind916/Makefile 1.51-1.52
- net/bind916/builtin.mk 1.2
- net/bind916/distinfo 1.43-1.44
- net/bind916/patches/patch-lib_isc_siphash.c 1.4
- net/bind916/patches/patch-lib_ns_update.c 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 9 06:48:53 UTC 2023
Modified Files:
pkgsrc/net/bind916: Makefile distinfo
Log Message:
net/bind916: update to 9.16.36
9.16.36 (2022-12-21)
Feature Changes
* The auto-dnssec option has been deprecated and will be removed in a future
BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]
Bug Fixes
* When a catalog zone was removed from the configuration, in some cases a
dangling pointer could cause the named process to crash. This has been
fixed. [GL #3683]
* When a zone was deleted from a server, a key management object related to
that zone was inadvertently kept in memory and only released upon
shutdown. This could lead to constantly increasing memory use on servers
with a high rate of changes affecting the set of zones being served. This
has been fixed. [GL #3727]
* In certain cases, named waited for the resolution of outstanding recursive
queries to finish before shutting down. This was unintended and has been
fixed. [GL #3183]
* The zone <name>/<class>: final reference detached log message was moved
from the INFO log level to the DEBUG(1) log level to prevent the
named-checkzone tool from superfluously logging this message in non-debug
mode. [GL #3707]
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 26 13:32:47 UTC 2023
Modified Files:
pkgsrc/net/bind916: Makefile builtin.mk distinfo
pkgsrc/net/bind916/patches: patch-lib_isc_siphash.c
patch-lib_ns_update.c
Log Message:
net/bind916: update to 9.16.37
--- 9.16.37 released ---
6067. [security] Fix serve-stale crash when recursive clients soft quota
is reached. (CVE-2022-3924) [GL #3619]
6066. [security] Handle RRSIG lookups when serve-stale is active.
(CVE-2022-3736) [GL #3622]
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
6062. [func] The DSCP implementation, which has only been
partly operational since 9.16.0, is now marked as
deprecated. Configuring DSCP values in named.conf
will cause a warning to be logged. [GL #3773]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
by detaching from the zone manager outside of the write
lock. [GL #3768]
6059. [bug] In some serve stale scenarios, like when following an
expired CNAME record, named could return SERVFAIL if the
previous request wasn't successful. Consider non-stale
data when in serve-stale mode. [GL #3678]
6058. [bug] Prevent named from crashing when "rndc delzone"
attempts to delete a zone added by a catalog zone.
[GL #3745]
6050. [bug] Changes to the RPZ response-policy min-update-interval
and add-soa options now take effect as expected when
named is reconfigured. [GL #3740]
6048. [bug] Fix a log message error in dns_catz_update_from_db(),
where serials with values of 2^31 or larger were logged
incorrectly as negative numbers. [GL #3742]
6045. [cleanup] The list of supported DNSSEC algorithms changed log
level from "warning" to "notice" to match named's other
startup messages. [GL !7217]
6044. [bug] There was an "RSASHA236" typo in a log message.
[GL !7206]
To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.50.2.1 pkgsrc/net/bind916/Makefile
cvs rdiff -u -r1.1 -r1.1.20.1 pkgsrc/net/bind916/builtin.mk
cvs rdiff -u -r1.42 -r1.42.2.1 pkgsrc/net/bind916/distinfo
cvs rdiff -u -r1.3 -r1.3.12.1 \
pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c
cvs rdiff -u -r1.2 -r1.2.18.1 \
pkgsrc/net/bind916/patches/patch-lib_ns_update.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/bind916/Makefile
diff -u pkgsrc/net/bind916/Makefile:1.50 pkgsrc/net/bind916/Makefile:1.50.2.1
--- pkgsrc/net/bind916/Makefile:1.50 Wed Nov 23 16:20:48 2022
+++ pkgsrc/net/bind916/Makefile Thu Jan 26 20:01:44 2023
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.50 2022/11/23 16:20:48 adam Exp $
+# $NetBSD: Makefile,v 1.50.2.1 2023/01/26 20:01:44 bsiegert Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
-PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
EXTRACT_SUFX= .tar.xz
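Review bot: the context line `MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/` in this hunk still fetches the distfile over unauthenticated FTP, so for this security update the integrity of the tarball rests entirely on the distinfo checksums. Consider pointing MASTER_SITES at an HTTPS location if upstream provides one.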
@@ -16,7 +15,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.16.35
+BIND_VERSION= 9.16.37
BUILD_DEFS+= BIND_DIR VARBASE
Index: pkgsrc/net/bind916/builtin.mk
diff -u pkgsrc/net/bind916/builtin.mk:1.1 pkgsrc/net/bind916/builtin.mk:1.1.20.1
--- pkgsrc/net/bind916/builtin.mk:1.1 Sun Aug 9 15:20:21 2020
+++ pkgsrc/net/bind916/builtin.mk Thu Jan 26 20:01:44 2023
@@ -1,4 +1,4 @@
-# $NetBSD: builtin.mk,v 1.1 2020/08/09 15:20:21 taca Exp $
+# $NetBSD: builtin.mk,v 1.1.20.1 2023/01/26 20:01:44 bsiegert Exp $
BUILTIN_PKG:= bind
@@ -41,7 +41,7 @@ MAKEVARS+= IS_BUILTIN.bind
### a package name to represent the built-in package.
###
.if !defined(BUILTIN_PKG.bind) && \
- !empty(IS_BUILTIN.bind:M[yY][eE][sS]) && \
+ ${IS_BUILTIN.bind:tl} == "yes" && \
defined(BUILTIN_VERSION.bind)
BUILTIN_PKG.bind= bind-${BUILTIN_VERSION.bind}
.endif
@@ -57,10 +57,10 @@ USE_BUILTIN.bind= no
. else
USE_BUILTIN.bind= ${IS_BUILTIN.bind}
. if defined(BUILTIN_PKG.bind) && \
- !empty(IS_BUILTIN.bind:M[yY][eE][sS])
+ ${IS_BUILTIN.bind:tl} == "yes"
USE_BUILTIN.bind= yes
. for dep in ${BUILDLINK_API_DEPENDS.bind}
-. if !empty(USE_BUILTIN.bind:M[yY][eE][sS])
+. if ${USE_BUILTIN.bind:tl} == "yes"
USE_BUILTIN.bind!= \
if ${PKG_ADMIN} pmatch ${dep:Q} ${BUILTIN_PKG.bind:Q}; then \
${ECHO} yes; \
@@ -79,13 +79,13 @@ MAKEVARS+= USE_BUILTIN.bind
### solely to determine whether a built-in implementation exists.
###
CHECK_BUILTIN.bind?= no
-.if !empty(CHECK_BUILTIN.bind:M[nN][oO])
+.if ${CHECK_BUILTIN.bind:tl} == "no"
-. if !empty(USE_BUILTIN.bind:M[yY][eE][sS])
-. if !empty(BUILTIN_LIB_FOUND.bind:M[yY][eE][sS])
+. if ${USE_BUILTIN.bind:tl} == "yes"
+. if ${BUILTIN_LIB_FOUND.bind:tl} == "yes"
BUILDLINK_LDADD.bind?= -lbind
. endif
-. elif !empty(USE_BUILTIN.bind:M[nN][oO])
+. elif ${USE_BUILTIN.bind:tl} == "no"
BUILDLINK_LDADD.bind?= -lbind
. endif
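Review bot: `${BUILTIN_LIB_FOUND.bind:tl} == "yes"` in this hunk is not equivalent to the `!empty(BUILTIN_LIB_FOUND.bind:M[yY][eE][sS])` it replaces when the variable is undefined: the old form simply evaluates to false, while a comparison on an undefined variable is a malformed conditional in bmake. `CHECK_BUILTIN.bind` gets a default from the `?= no` line just above, but nothing in the visible lines defines `BUILTIN_LIB_FOUND.bind`; confirm it is always set before this block is evaluated, or keep the `!empty()` form for that one test.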
Index: pkgsrc/net/bind916/distinfo
diff -u pkgsrc/net/bind916/distinfo:1.42 pkgsrc/net/bind916/distinfo:1.42.2.1
--- pkgsrc/net/bind916/distinfo:1.42 Wed Nov 16 13:47:38 2022
+++ pkgsrc/net/bind916/distinfo Thu Jan 26 20:01:44 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.42 2022/11/16 13:47:38 taca Exp $
+$NetBSD: distinfo,v 1.42.2.1 2023/01/26 20:01:44 bsiegert Exp $
-BLAKE2s (bind-9.16.35.tar.xz) = bd44cf0b71d352e4d2baa71e3dee7ce78a47f02ad9dcb2feb3ce6dfaa0bfcf29
-SHA512 (bind-9.16.35.tar.xz) = c979e7a9bcea1c9fb1049a2708d8643c71ad2448a195454fcb3dfacf5d874221e95473e140a6944c3fa249f516718416fb67a50e267522d6bcb2915cdb46e6ea
-Size (bind-9.16.35.tar.xz) = 5102476 bytes
+BLAKE2s (bind-9.16.37.tar.xz) = d40e5ca3b87dfdaff9d8f49e231dbc4b0db96c0acb123d66dbca83e97773cb85
+SHA512 (bind-9.16.37.tar.xz) = 2c4b01f6cc598849688b5b2710caf48db47e1e860df785783ef2b140a25507b48357a9becf7911ba0feda285c4bca87764e21128fac5cf17efa47fd5134dc59f
+Size (bind-9.16.37.tar.xz) = 5109440 bytes
SHA1 (patch-bin_dig_dighost.c) = b1073911d80ecd519af98b6678968296ff8c0c98
SHA1 (patch-bin_dig_include_dig_dig.h) = 10166f5bb98b208c7b10d63eb31e8253f704acc8
SHA1 (patch-bin_named_Makefile.in) = f1367da6a226ba44d0ee13acf00b8abeb5b1b7eb
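Review bot: the replaced BLAKE2s and SHA512 lines for bind-9.16.37.tar.xz at the top of this hunk are what pin this security update to a specific tarball, and the log message does not say how the new values were obtained. Note in the commit log that the distfile was checked against upstream's published signature or checksum before distinfo was regenerated, so the pullup can be audited later.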
@@ -42,7 +42,7 @@ SHA1 (patch-lib_isc_include_isc_types.h)
SHA1 (patch-lib_isc_netmgr_netmgr-int.h) = d84993edf254605f85421fbdd2fc523255c7316d
SHA1 (patch-lib_isc_netmgr_netmgr.c) = 3df1d37061f6ceb37e309a0dc4f782fc35863146
SHA1 (patch-lib_isc_rwlock.c) = 1d114248ddee20db7a7429afab446f8b2f0dca82
-SHA1 (patch-lib_isc_siphash.c) = 8999deb002e4fdb6b13e6f297298ef73c97042c3
+SHA1 (patch-lib_isc_siphash.c) = a6642bd91aef22afb7ec4e2e0912275371644a3f
SHA1 (patch-lib_isc_stats.c) = 8d962fa360740770588fccf1d303d7fe22ae724b
SHA1 (patch-lib_isc_timer.c) = aea2019bbf3d84cad77af432a2bbdf0da8f2f893
SHA1 (patch-lib_isc_unix_include_isc_stdatomic.h) = b73b0224be47c1733f6346fce9243e97f54e1865
@@ -55,6 +55,6 @@ SHA1 (patch-lib_ns_include_ns_client.h)
SHA1 (patch-lib_ns_include_ns_pfilter.h) = cc86752971b4f9f7492283c4ad3ff29bc1bae237
SHA1 (patch-lib_ns_pfilter.c) = 8f4a3b3a729360a131eb1962c42a9f9f985c7e7b
SHA1 (patch-lib_ns_query.c) = 0c3c4a20aa4b40c144c4f986599cda67db3e2491
-SHA1 (patch-lib_ns_update.c) = 2fb3457da333143508d28420490cbc1cb69ddb19
+SHA1 (patch-lib_ns_update.c) = 2c5a9302178abe9dc9b6396b053319e39e1ef950
SHA1 (patch-lib_ns_xfrout.c) = 79d9e4add58ffd75ea9718f5501f1517e67416e3
SHA1 (patch-make_rules.in) = 5fb3a44ff0066c93872c25596267fbabffc6da8f
Index: pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c
diff -u pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3 pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3.12.1
--- pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3 Sun Oct 24 06:40:28 2021
+++ pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c Thu Jan 26 20:01:44 2023
@@ -1,12 +1,12 @@
-$NetBSD: patch-lib_isc_siphash.c,v 1.3 2021/10/24 06:40:28 taca Exp $
+$NetBSD: patch-lib_isc_siphash.c,v 1.3.12.1 2023/01/26 20:01:44 bsiegert Exp $
* Take from NetBSD base.
---- lib/isc/siphash.c.orig 2021-09-07 09:37:05.000000000 +0000
+--- lib/isc/siphash.c.orig 2023-01-12 22:45:02.000000000 +0000
+++ lib/isc/siphash.c
-@@ -90,8 +90,14 @@ isc_siphash24(const uint8_t *k, const ui
- REQUIRE(k != NULL);
+@@ -93,8 +93,14 @@ isc_siphash24(const uint8_t *k, const ui
REQUIRE(out != NULL);
+ REQUIRE(inlen == 0 || in != NULL);
- uint64_t k0 = U8TO64_LE(k);
- uint64_t k1 = U8TO64_LE(k + 8);
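Review bot: the patch header comment `* Take from NetBSD base.` does not say what the lines added at `@@ -93,8 +93,14 @@` change in isc_siphash24() or why pkgsrc carries them, which makes this refresh against 9.16.37 hard to review. Expand the comment to describe the change (and correct the wording to "Taken from NetBSD base"), since the rebased context now sits directly after upstream's new `REQUIRE(inlen == 0 || in != NULL);` check.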
Index: pkgsrc/net/bind916/patches/patch-lib_ns_update.c
diff -u pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2 pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2.18.1
--- pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2 Sat Dec 19 16:41:36 2020
+++ pkgsrc/net/bind916/patches/patch-lib_ns_update.c Thu Jan 26 20:01:44 2023
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_ns_update.c,v 1.2 2020/12/19 16:41:36 taca Exp $
+$NetBSD: patch-lib_ns_update.c,v 1.2.18.1 2023/01/26 20:01:44 bsiegert Exp $
* Based on NetBSD, add support for blocklist(blacklist).
---- lib/ns/update.c.orig 2020-12-07 08:16:53.000000000 +0000
+--- lib/ns/update.c.orig 2023-01-12 22:45:02.000000000 +0000
+++ lib/ns/update.c
-@@ -52,6 +52,10 @@
+@@ -54,6 +54,10 @@
#include <ns/stats.h>
#include <ns/update.h>
@@ -15,27 +15,27 @@ $NetBSD: patch-lib_ns_update.c,v 1.2 202
/*! \file
* \brief
* This module implements dynamic update as in RFC2136.
-@@ -340,6 +344,9 @@ checkqueryacl(ns_client_t *client, dns_a
-
- result = ns_client_checkaclsilent(client, NULL, queryacl, true);
+@@ -349,6 +353,9 @@ checkqueryacl(ns_client_t *client, dns_a
if (result != ISC_R_SUCCESS) {
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
+
+#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H)
+ pfilter_notify(result, client, "queryacl");
+#endif
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
-@@ -352,6 +359,9 @@ checkqueryacl(ns_client_t *client, dns_a
+@@ -358,6 +365,9 @@ checkqueryacl(ns_client_t *client, dns_a
"update '%s/%s' denied due to allow-query",
namebuf, classbuf);
- } else if (updateacl == NULL && ssutable == NULL) {
+ } else if (!update_possible) {
+#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H)
+ pfilter_notify(result, client, "updateacl");
+#endif
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
-@@ -393,6 +403,9 @@ checkupdateacl(ns_client_t *client, dns_
+@@ -399,6 +409,9 @@ checkupdateacl(ns_client_t *client, dns_
msg = "disabled";
} else {
result = ns_client_checkaclsilent(client, NULL, acl, false);
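Review bot: in checkqueryacl(), the second call `pfilter_notify(result, client, "updateacl");` sits in the `} else if (!update_possible) {` branch, which as the visible lines read is only reached when the preceding `if (result != ISC_R_SUCCESS)` test was false, so `result` is ISC_R_SUCCESS at that point. If pfilter_notify() uses its first argument to decide whether to report a failure to the blocklist daemon, this refused update is reported as a success. Pass an explicit failure result in that branch, or confirm that pfilter_notify() does not depend on the value.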