author | Doug Barton <dougb@FreeBSD.org> | 2011-05-27 23:47:39 +0000 |
---|---|---|
committer | Doug Barton <dougb@FreeBSD.org> | 2011-05-27 23:47:39 +0000 |
commit | 55533b257f47aeadc486169c52d367bb04b014e8 (patch) | |
tree | d7dd372dc20c07ee64c251a6694169acd0f194fb /dns/bind96 | |
parent | 612e91cca50315c1a9286da02c9883380ce3f532 (diff) | |
Upgrade to 9.6-ESV-R4-P1 and 9.7.3-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
   an assertion failure that will crash named (BIND 9 DNS) due to an
   off-by-one error in a buffer size check.

   This bug affects all resolving name servers, whether DNSSEC validation
   is enabled or not, on all BIND versions prior to today. There is a
   possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
   insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
Notes:
svn path=/head/; revision=274746
Diffstat (limited to 'dns/bind96')
-rw-r--r-- | dns/bind96/Makefile | 4 | ||||
-rw-r--r-- | dns/bind96/distinfo | 8 | ||||
-rw-r--r-- | dns/bind96/files/patch-bin__nsupdate__nsupdate.c | 14 |
3 files changed, 20 insertions, 6 deletions
diff --git a/dns/bind96/Makefile b/dns/bind96/Makefile index e8581c5376f2..d7a410ac6720 100644 --- a/dns/bind96/Makefile +++ b/dns/bind96/Makefile @@ -12,7 +12,7 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind96 -PORTVERSION= 9.6.3 +PORTVERSION= 9.6.3.1.ESV.R4.1 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} \ http://dougbarton.us/Downloads/%SUBDIR%/ @@ -25,7 +25,7 @@ MAINTAINER= dougb@FreeBSD.org COMMENT= The BIND DNS suite with updated DNSSEC and threads # ISC releases things like 9.4.0b3, which our versioning doesn't like -ISCVERSION= 9.6.3 +ISCVERSION= 9.6-ESV-R4-P1 MAKE_JOBS_UNSAFE= yes diff --git a/dns/bind96/distinfo b/dns/bind96/distinfo index 2cea0cd47de3..047ca0c7b0f2 100644 --- a/dns/bind96/distinfo +++ b/dns/bind96/distinfo @@ -1,4 +1,4 @@ -SHA256 (bind-9.6.3.tar.gz) = 17d21c729bc50046ad30481a54b1610deb75a3b93e1584405f8e0b442d13081d -SIZE (bind-9.6.3.tar.gz) = 7203094 -SHA256 (bind-9.6.3.tar.gz.asc) = 40edbf3b1332f8bddd2f348a9e52713724ab49be8267b7dc7e77499e0b08727b -SIZE (bind-9.6.3.tar.gz.asc) = 481 +SHA256 (bind-9.6-ESV-R4-P1.tar.gz) = e1152921fd57d3cdad7ec42f608b33dadce23fbd83f8346f037034a1ec0674d9 +SIZE (bind-9.6-ESV-R4-P1.tar.gz) = 7160025 +SHA256 (bind-9.6-ESV-R4-P1.tar.gz.asc) = 5c86d28e656fbdd12f5564c339591af0af7561b4edab49b27d224d0cb40cb51b +SIZE (bind-9.6-ESV-R4-P1.tar.gz.asc) = 481 diff --git a/dns/bind96/files/patch-bin__nsupdate__nsupdate.c b/dns/bind96/files/patch-bin__nsupdate__nsupdate.c new file mode 100644 index 000000000000..91e5b518253f --- /dev/null +++ b/dns/bind96/files/patch-bin__nsupdate__nsupdate.c @@ -0,0 +1,14 @@ +--- bin/nsupdate/nsupdate.c.orig 2010-12-08 20:30:57.000000000 -0800 ++++ bin/nsupdate/nsupdate.c 2011-05-27 15:17:58.000000000 -0700 +@@ -617,8 +617,10 @@ + keyfile, isc_result_totext(result)); + return; + } +- } else ++ } else { + dst_key_attach(dstkey, &sig0key); ++ dst_key_free(&dstkey); ++ } + } + + static void |
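Review bot: In dns/bind96/Makefile, the new `PORTVERSION= 9.6.3.1.ESV.R4.1` has no comment explaining how it is derived from `ISCVERSION= 9.6-ESV-R4-P1`, and the existing comment above ISCVERSION only mentions names like 9.4.0b3. Since the reason for the extra `9.6.3.1` prefix is presumably to keep the port version sorting after the previous `9.6.3`, a one-line comment stating the mapping rule would let the next ESV or -P bump be done consistently and keep version-based vulnerability checks matching the right releases.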
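Review bot: In dns/bind96/distinfo, the new SHA256 and SIZE entries for `bind-9.6-ESV-R4-P1.tar.gz.asc` only pin the signature file's bytes; they do not show that the signature was actually verified against the tarball. For a security release, it would help to state in the commit message that the detached signature was checked against the ISC signing key before these hashes were generated, so the recorded tarball hash is known to describe the genuine upstream archive.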
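Review bot: In the new dns/bind96/files/patch-bin__nsupdate__nsupdate.c, the added `dst_key_free(&dstkey);` after `dst_key_attach(dstkey, &sig0key);` releases the local key only in the else branch, and the visible context does not show whether the preceding branch, including its error path that ends in `return;`, also releases `dstkey`. Please confirm that every path out of this block drops the local reference exactly once, and that `sig0key` keeps its own reference after the free. The patch file also carries no header noting its origin (ru@, confirmed by ISC) or when it can be dropped; a short comment at the top would make it clear the file should be removed once an upstream release includes the fix.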