pkgsrc-Changes archive
CVS commit: [pkgsrc-2022Q4] pkgsrc/net/bind918
Module Name: pkgsrc
Committed By: spz
Date: Sun Feb 12 19:52:24 UTC 2023
Modified Files:
pkgsrc/net/bind918 [pkgsrc-2022Q4]: Makefile PLIST distinfo
pkgsrc/net/bind918/patches [pkgsrc-2022Q4]: patch-lib_isc_siphash.c
patch-lib_isc_time.c patch-lib_ns_update.c
Removed Files:
pkgsrc/net/bind918/patches [pkgsrc-2022Q4]:
patch-bin_tests_system_keyfromlabel_tests.sh
Log Message:
Pullup ticket #6736 - requested by taca
net/bind918: security update
Revisions pulled up:
- net/bind918/Makefile 1.6
- net/bind918/PLIST 1.2
- net/bind918/distinfo 1.4
- net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh deleted
- net/bind918/patches/patch-lib_isc_siphash.c 1.2
- net/bind918/patches/patch-lib_isc_time.c 1.2
- net/bind918/patches/patch-lib_ns_update.c 1.2
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 8 00:13:44 UTC 2023
Modified Files:
pkgsrc/net/bind918: Makefile PLIST distinfo
pkgsrc/net/bind918/patches: patch-lib_isc_siphash.c
patch-lib_isc_time.c patch-lib_ns_update.c
Removed Files:
pkgsrc/net/bind918/patches:
patch-bin_tests_system_keyfromlabel_tests.sh
Log Message:
net/bind918: update to 9.18.11
Approved by MAINTAINER (sekiya@).
--- 9.18.11 released ---
6067. [security] Fix serve-stale crash when recursive clients soft quota
is reached. (CVE-2022-3924) [GL #3619]
6066. [security] Handle RRSIG lookups when serve-stale is active.
(CVE-2022-3736) [GL #3622]
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
6062. [func] The DSCP implementation, which has been
nonfunctional for some time, is now marked as
obsolete and the implementation has been removed.
Configuring DSCP values in named.conf has no
effect, and a warning will be logged that
the feature should no longer be used. [GL #3773]
6061. [bug] Fix unexpected "Prohibited" extended DNS error
on allow-recursion. [GL #3743]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
by detaching from the zone manager outside of the write
lock. [GL #3768]
6059. [bug] In some serve stale scenarios, like when following an
expired CNAME record, named could return SERVFAIL if the
previous request wasn't successful. Consider non-stale
data when in serve-stale mode. [GL #3678]
6058. [bug] Prevent named from crashing when "rndc delzone"
attempts to delete a zone added by a catalog zone.
[GL #3745]
6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752]
6051. [bug] Improve thread safety in the dns_dispatch unit.
[GL #3178] [GL #3636]
6050. [bug] Changes to the RPZ response-policy min-update-interval
and add-soa options now take effect as expected when
named is reconfigured. [GL #3740]
6049. [bug] Exclude ABD hashtables from the ADB memory
overmem checks and don't clean ADB names
and ADB entries used in the last 10 seconds
(ADB_CACHE_MINIMUM). [GL #3739]
6048. [bug] Fix a log message error in dns_catz_update_from_db(),
where serials with values of 2^31 or larger were logged
incorrectly as negative numbers. [GL #3742]
6047. [bug] Try the next server instead of trying the same
server again on an outgoing query timeout.
[GL #3637]
6046. [bug] TLS session resumption might lead to handshake
failures when client certificates are used for
authentication (Mutual TLS). This has been fixed.
[GL #3725]
6045. [cleanup] The list of supported DNSSEC algorithms changed log
level from "warning" to "notice" to match named's other
startup messages. [GL !7217]
6044. [bug] There was an "RSASHA236" typo in a log message.
[GL !7206]
5830. [func] Implement incremental resizing of isc_ht hash tables to
perform the rehashing gradually. The catalog zone
implementation has been optimized to work with hundreds
of thousands of member zones. [GL #3212] [GL #3744]
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/bind918/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/PLIST
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind918/distinfo
cvs rdiff -u -r1.1 -r0 \
pkgsrc/net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c \
pkgsrc/net/bind918/patches/patch-lib_isc_time.c \
pkgsrc/net/bind918/patches/patch-lib_ns_update.c
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.3.2.1 pkgsrc/net/bind918/Makefile \
pkgsrc/net/bind918/distinfo
cvs rdiff -u -r1.1 -r1.1.2.1 pkgsrc/net/bind918/PLIST
cvs rdiff -u -r1.1 -r0 \
pkgsrc/net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh
cvs rdiff -u -r1.1 -r1.1.2.1 \
pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c \
pkgsrc/net/bind918/patches/patch-lib_isc_time.c \
pkgsrc/net/bind918/patches/patch-lib_ns_update.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/bind918/Makefile
diff -u pkgsrc/net/bind918/Makefile:1.3 pkgsrc/net/bind918/Makefile:1.3.2.1
--- pkgsrc/net/bind918/Makefile:1.3 Wed Dec 14 21:44:03 2022
+++ pkgsrc/net/bind918/Makefile Sun Feb 12 19:52:24 2023
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.3 2022/12/14 21:44:03 sekiya Exp $
+# $NetBSD: Makefile,v 1.3.2.1 2023/02/12 19:52:24 spz Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
-PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= https://downloads.isc.org/isc/bind9/${BIND_VERSION}/
EXTRACT_SUFX= .tar.xz
@@ -16,7 +15,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
-BIND_VERSION= 9.18.9
+BIND_VERSION= 9.18.11
BUILD_DEFS+= BIND_DIR VARBASE
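Review bot: the `BIND_VERSION` change in this hunk jumps from 9.18.9 straight to 9.18.11, while the log message carries only a "--- 9.18.11 released ---" header, so the commit does not show which of the listed entries belong to the skipped 9.18.10 release. For a security pullup, name the intermediate release in the log so that the three [security] entries (CVE-2022-3924, CVE-2022-3736, CVE-2022-3094) can be matched to the version that fixed them.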
Index: pkgsrc/net/bind918/distinfo
diff -u pkgsrc/net/bind918/distinfo:1.3 pkgsrc/net/bind918/distinfo:1.3.2.1
--- pkgsrc/net/bind918/distinfo:1.3 Mon Dec 12 22:07:04 2022
+++ pkgsrc/net/bind918/distinfo Sun Feb 12 19:52:24 2023
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.3 2022/12/12 22:07:04 sekiya Exp $
+$NetBSD: distinfo,v 1.3.2.1 2023/02/12 19:52:24 spz Exp $
-BLAKE2s (bind-9.18.9.tar.xz) = 8c3f2dcb57205959f78c02fd32a12d0897050897af9136b58972fde41468ec55
-SHA512 (bind-9.18.9.tar.xz) = 7d9bca47e29e8634416ab52819d78ce4ec6196c0dcbd9fe95a24687337f71c69b6472cf20bf49ea0ae1751a861944f354f9122acfb01780f51278ad4a3fdd817
-Size (bind-9.18.9.tar.xz) = 5281732 bytes
+BLAKE2s (bind-9.18.11.tar.xz) = c4aae1223078ef089a3f35ae15e3ea552383d235b7a9dfe1c0423a958409891f
+SHA512 (bind-9.18.11.tar.xz) = 1f71560efca3b6886d71861c76d4a11d59c28f0ffed684f040a59dd9c14be594985a3f15e6d610a4d88a40a16a19e259977d4a254e146469323d15587b23f3ad
+Size (bind-9.18.11.tar.xz) = 5284184 bytes
SHA1 (patch-bin_named_main.c) = 4e4a763c478f1fcecb7e65968cf6ca20dacf01f1
SHA1 (patch-bin_named_os.c) = 5ecb0883076575d8ac5fcad68f9daad6c9be0d0b
SHA1 (patch-bin_named_server.c) = 6e59d3f637ebb829eec2f76ba7c350fb5cf9be6d
-SHA1 (patch-bin_tests_system_keyfromlabel_tests.sh) = 63a1516b573adabe6ff2719532fd58bcf3ecd65b
SHA1 (patch-config.h.in) = 6072793048cdf590863046355eeffa1d93524c36
SHA1 (patch-configure.ac) = a6f10aec356691ca1075262a3e87c809cd3a558a
SHA1 (patch-lib_dns_byaddr.c) = 647ddaaaf040233e18d1a87d83bc2bd63d2a20e3
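Review bot: the new `BLAKE2s`, `SHA512` and `Size` lines for `bind-9.18.11.tar.xz` are the only integrity reference for the distfile in this pullup, and the log does not record how they were obtained. Confirm that the tarball was checked against ISC's published signature before the hashes were generated, and say so in the commit log.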
@@ -26,13 +25,13 @@ SHA1 (patch-lib_isc_net.c) = 743de2701fa
SHA1 (patch-lib_isc_netmgr_netmgr-int.h) = d84993edf254605f85421fbdd2fc523255c7316d
SHA1 (patch-lib_isc_netmgr_netmgr.c) = 3df1d37061f6ceb37e309a0dc4f782fc35863146
SHA1 (patch-lib_isc_rwlock.c) = 1d114248ddee20db7a7429afab446f8b2f0dca82
-SHA1 (patch-lib_isc_siphash.c) = 8999deb002e4fdb6b13e6f297298ef73c97042c3
-SHA1 (patch-lib_isc_time.c) = 04719dce1ad7328909fd584104b7bc20170b3c5e
+SHA1 (patch-lib_isc_siphash.c) = 2dd80dde7bd8e869a3cf03c1699665b56eaaf866
+SHA1 (patch-lib_isc_time.c) = 22780fd25d89a0ece46ec1624b3977ca4c46281a
SHA1 (patch-lib_isc_timer.c) = aea2019bbf3d84cad77af432a2bbdf0da8f2f893
SHA1 (patch-lib_ns_Makefile.am) = a91e1713185c4366e96bf52ebee38e3b7e35a0c6
SHA1 (patch-lib_ns_client.c) = 4093c82254321e6c6eaa40ea1cf738b3f9bda0bb
SHA1 (patch-lib_ns_include_ns_pfilter.h) = cc86752971b4f9f7492283c4ad3ff29bc1bae237
SHA1 (patch-lib_ns_pfilter.c) = b0345f9b27e2bdd4f9a992cfc23616e027de4988
SHA1 (patch-lib_ns_query.c) = d947318dc6a261931928c4bf8b7f48efa9004a38
-SHA1 (patch-lib_ns_update.c) = 2fb3457da333143508d28420490cbc1cb69ddb19
+SHA1 (patch-lib_ns_update.c) = 941ca5601904e9b4cc5314148e955f5490a5d071
SHA1 (patch-lib_ns_xfrout.c) = 79d9e4add58ffd75ea9718f5501f1517e67416e3
Index: pkgsrc/net/bind918/PLIST
diff -u pkgsrc/net/bind918/PLIST:1.1 pkgsrc/net/bind918/PLIST:1.1.2.1
--- pkgsrc/net/bind918/PLIST:1.1 Sun Dec 11 01:57:55 2022
+++ pkgsrc/net/bind918/PLIST Sun Feb 12 19:52:24 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2022/12/11 01:57:55 sekiya Exp $
+@comment $NetBSD: PLIST,v 1.1.2.1 2023/02/12 19:52:24 spz Exp $
bin/arpaname
bin/delv
bin/dig
@@ -253,19 +253,12 @@ include/ns/update.h
include/ns/xfrout.h
lib/bind/filter-a.la
lib/bind/filter-aaaa.la
-lib/libbind9-9.18.9.so
lib/libbind9.la
-lib/libdns-9.18.9.so
lib/libdns.la
-lib/libirs-9.18.9.so
lib/libirs.la
-lib/libisc-9.18.9.so
lib/libisc.la
-lib/libisccc-9.18.9.so
lib/libisccc.la
-lib/libisccfg-9.18.9.so
lib/libisccfg.la
-lib/libns-9.18.9.so
lib/libns.la
man/man1/arpaname.1
man/man1/delv.1
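Review bot: all seven `lib/lib*-9.18.9.so` entries are removed in this hunk with no `lib/lib*-9.18.11.so` lines added in their place, and the log message does not say why. If the versioned shared objects are meant to be covered by the remaining `.la` entries, state that in the commit log; otherwise the 9.18.11 libraries would be installed but missing from the PLIST.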
Index: pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c
diff -u pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c:1.1 pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c:1.1.2.1
--- pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c:1.1 Sun Dec 11 01:57:55 2022
+++ pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c Sun Feb 12 19:52:24 2023
@@ -1,12 +1,12 @@
-$NetBSD: patch-lib_isc_siphash.c,v 1.1 2022/12/11 01:57:55 sekiya Exp $
+$NetBSD: patch-lib_isc_siphash.c,v 1.1.2.1 2023/02/12 19:52:24 spz Exp $
* Take from NetBSD base.
---- lib/isc/siphash.c.orig 2021-09-07 09:37:05.000000000 +0000
+--- lib/isc/siphash.c.orig 2023-01-12 22:21:15.270402532 +0000
+++ lib/isc/siphash.c
-@@ -90,8 +90,14 @@ isc_siphash24(const uint8_t *k, const ui
- REQUIRE(k != NULL);
+@@ -93,8 +93,14 @@ isc_siphash24(const uint8_t *k, const ui
REQUIRE(out != NULL);
+ REQUIRE(inlen == 0 || in != NULL);
- uint64_t k0 = U8TO64_LE(k);
- uint64_t k1 = U8TO64_LE(k + 8);
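Review bot: the patch header comment "Take from NetBSD base." does not say what replacing the two `U8TO64_LE(k)` key loads in `isc_siphash24()` fixes. The context has just been refreshed against upstream's new `REQUIRE(inlen == 0 || in != NULL);` line, so add a sentence giving the reason (and an upstream report, if one exists) so the next update can tell whether the local change is still needed.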
Index: pkgsrc/net/bind918/patches/patch-lib_isc_time.c
diff -u pkgsrc/net/bind918/patches/patch-lib_isc_time.c:1.1 pkgsrc/net/bind918/patches/patch-lib_isc_time.c:1.1.2.1
--- pkgsrc/net/bind918/patches/patch-lib_isc_time.c:1.1 Sun Dec 11 01:57:55 2022
+++ pkgsrc/net/bind918/patches/patch-lib_isc_time.c Sun Feb 12 19:52:24 2023
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_isc_time.c,v 1.1 2022/12/11 01:57:55 sekiya Exp $
+$NetBSD: patch-lib_isc_time.c,v 1.1.2.1 2023/02/12 19:52:24 spz Exp $
* More check time_t range.
---- lib/isc/time.c.orig 2020-05-06 09:59:35.000000000 +0000
+--- lib/isc/time.c.orig 2023-01-12 22:21:15.270402532 +0000
+++ lib/isc/time.c
-@@ -285,7 +285,7 @@ isc_time_seconds(const isc_time_t *t) {
+@@ -318,7 +318,7 @@ isc_time_seconds(const isc_time_t *t) {
isc_result_t
isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
@@ -12,8 +12,8 @@ $NetBSD: patch-lib_isc_time.c,v 1.1 2022
+ time_t seconds, i;
REQUIRE(t != NULL);
- INSIST(t->nanoseconds < NS_PER_S);
-@@ -312,7 +312,18 @@ isc_time_secondsastimet(const isc_time_t
+ INSIST(t->nanoseconds < NS_PER_SEC);
+@@ -345,7 +345,18 @@ isc_time_secondsastimet(const isc_time_t
INSIST(sizeof(unsigned int) == sizeof(uint32_t));
INSIST(sizeof(time_t) >= sizeof(uint32_t));
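Review bot: the refreshed context shows upstream renaming `NS_PER_S` to `NS_PER_SEC` directly above the inner hunk that grows `isc_time_secondsastimet()` from 7 to 18 lines. The added lines themselves are unchanged and therefore not shown in this diff, so check that none of them still uses the old macro name, and expand the "More check time_t range." comment to say which `time_t` range case the extra check covers.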
Index: pkgsrc/net/bind918/patches/patch-lib_ns_update.c
diff -u pkgsrc/net/bind918/patches/patch-lib_ns_update.c:1.1 pkgsrc/net/bind918/patches/patch-lib_ns_update.c:1.1.2.1
--- pkgsrc/net/bind918/patches/patch-lib_ns_update.c:1.1 Sun Dec 11 01:57:55 2022
+++ pkgsrc/net/bind918/patches/patch-lib_ns_update.c Sun Feb 12 19:52:24 2023
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_ns_update.c,v 1.1 2022/12/11 01:57:55 sekiya Exp $
+$NetBSD: patch-lib_ns_update.c,v 1.1.2.1 2023/02/12 19:52:24 spz Exp $
* Based on NetBSD, add support for blocklist(blacklist).
---- lib/ns/update.c.orig 2020-12-07 08:16:53.000000000 +0000
+--- lib/ns/update.c.orig 2023-01-12 22:21:15.274402517 +0000
+++ lib/ns/update.c
-@@ -52,6 +52,10 @@
+@@ -55,6 +55,10 @@
#include <ns/stats.h>
#include <ns/update.h>
@@ -15,27 +15,27 @@ $NetBSD: patch-lib_ns_update.c,v 1.1 202
/*! \file
* \brief
* This module implements dynamic update as in RFC2136.
-@@ -340,6 +344,9 @@ checkqueryacl(ns_client_t *client, dns_a
-
- result = ns_client_checkaclsilent(client, NULL, queryacl, true);
+@@ -358,6 +362,9 @@ checkqueryacl(ns_client_t *client, dns_a
if (result != ISC_R_SUCCESS) {
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
+
+#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H)
+ pfilter_notify(result, client, "queryacl");
+#endif
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
-@@ -352,6 +359,9 @@ checkqueryacl(ns_client_t *client, dns_a
+@@ -367,6 +374,9 @@ checkqueryacl(ns_client_t *client, dns_a
"update '%s/%s' denied due to allow-query",
namebuf, classbuf);
- } else if (updateacl == NULL && ssutable == NULL) {
+ } else if (!update_possible) {
+#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H)
+ pfilter_notify(result, client, "updateacl");
+#endif
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
-@@ -393,6 +403,9 @@ checkupdateacl(ns_client_t *client, dns_
+@@ -409,6 +419,9 @@ checkupdateacl(ns_client_t *client, dns_
msg = "disabled";
} else {
result = ns_client_checkaclsilent(client, NULL, acl, false);
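Review bot: in the second `checkqueryacl()` inner hunk, `pfilter_notify(result, client, "updateacl");` sits in the `else if (!update_possible)` branch. If that branch is the else of the `if (result != ISC_R_SUCCESS)` test shown in the previous inner hunk, `result` is `ISC_R_SUCCESS` at this call, so the notification may not be recorded as a denial. Confirm how `pfilter_notify()` interprets its first argument, and pass the refusal result explicitly if it keys off it.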