--- - branch: pkgsrc-2014Q3 date: Wed Dec 10 19:53:09 UTC 2014 files: - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/Makefile pathrev: pkgsrc/net/bind910/Makefile@1.1.1.1.2.1 type: modified - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/PLIST pathrev: pkgsrc/net/bind910/PLIST@1.1.1.1.2.1 type: modified - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/distinfo pathrev: pkgsrc/net/bind910/distinfo@1.1.1.1.2.1 type: modified - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-bin_tests_system_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-bin_tests_system_Makefile.in@1.1.1.1.2.1 type: modified - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-configure pathrev: pkgsrc/net/bind910/patches/patch-configure@1.1.1.1.2.1 type: modified - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_dns_rbt.c pathrev: pkgsrc/net/bind910/patches/patch-lib_dns_rbt.c@1.1.1.1.2.1 type: modified - new: 1.1.1.1.2.1 old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_lwres_getaddrinfo.c pathrev: pkgsrc/net/bind910/patches/patch-lib_lwres_getaddrinfo.c@1.1.1.1.2.1 type: modified - new: '0' old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_bind9_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-lib_bind9_Makefile.in@0 type: deleted - new: '0' old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_dns_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-lib_dns_Makefile.in@0 type: deleted - new: '0' old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_isc_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-lib_isc_Makefile.in@0 type: deleted - new: '0' old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_isccc_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-lib_isccc_Makefile.in@0 type: deleted - new: '0' old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_isccfg_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-lib_isccfg_Makefile.in@0 type: deleted - new: '0' old: 1.1.1.1 path: pkgsrc/net/bind910/patches/patch-lib_lwres_Makefile.in pathrev: pkgsrc/net/bind910/patches/patch-lib_lwres_Makefile.in@0 type: deleted id: 20141210T195309Z.224750cf2b146b3b2d0a161c0bea7c28b01bba08 log: "Pullup ticket #4570 - requested by taca\nnet/bind910: security update\n\nRevisions pulled up:\n- net/bind910/Makefile 1.2-1.3\n- net/bind910/PLIST 1.2-1.3\n- net/bind910/distinfo \ 1.2-1.3\n- net/bind910/patches/patch-bin_tests_system_Makefile.in \ 1.2\n- net/bind910/patches/patch-configure 1.2\n- net/bind910/patches/patch-lib_bind9_Makefile.in deleted\n- net/bind910/patches/patch-lib_dns_Makefile.in \ deleted\n- net/bind910/patches/patch-lib_dns_rbt.c 1.2\n- net/bind910/patches/patch-lib_isc_Makefile.in deleted\n- net/bind910/patches/patch-lib_isccc_Makefile.in \ deleted\n- net/bind910/patches/patch-lib_isccfg_Makefile.in deleted\n- net/bind910/patches/patch-lib_lwres_Makefile.in deleted\n- net/bind910/patches/patch-lib_lwres_getaddrinfo.c \ 1.2\n\n---\n Module Name:\tpkgsrc\n Committed By:\ttaca\n Date:\t\tTue Oct 14 16:23:19 UTC 2014\n\n Modified Files:\n \tpkgsrc/net/bind910: Makefile PLIST distinfo\n \tpkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in\n \ \t patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c\n Removed Files:\n \tpkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in\n \t patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in\n \t patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in\n \ \t patch-lib_lwres_Makefile.in\n\n Log Message:\n Update bind910 to 9.10.1.\n\n Security Fixes\n\n A query specially crafted to exploit a defect in EDNS option\n processing could cause named to terminate with an assertion\n \ failure, due to a missing isc_buffer_availablelength() check\n when formatting packet contents for logging. For more information,\n see the security advisory at https://kb.isc.org/article/AA-01166/.\n [CVE-2014-3859] [RT #36078]\n\n \ A programming error in the prefetch feature could cause named\n to crash with a \"REQUIRE\" assertion failure in name.c. For more\n information, see the security advisory at\n https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]\n\n New Features\n\n Support for CAA record types, as described in RFC 6844 \"DNS\n Certification Authority Authorization (CAA) Resource Record\",\n was added. [RT#36625] [RT #36737]\n\n Disallow \"request-ixfr\" from being specified in zone statements\n where it is not valid (it is only valid for slave and redirect\n zones) [RT #36608]\n\n Support for CDS and CDNSKEY resource record types was added. For\n details see the proposed Informational Internet-Draft \"Automating\n DNSSEC Delegation Trust Maintenance\" at\n http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.\n \ [RT #36333]\n\n Added version printing options to various BIND utilities. [RT #26057]\n [RT #10686]\n\n Optionally allows libseccomp-based (secure computing mode)\n system-call filtering on Linux. This sandboxing mechanism may\n be used to isolate \"named\" from various system resources. Use\n \"configure --enable-seccomp\" at build time to enable it. Thank you\n to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]\n\n Feature Changes\n\n \ \"geoip asnum\" ACL elements would not match unless the full\n organization name was specified. They can now match against the\n AS number alone (e.g., AS1234). [RT #36945]\n\n Adds RPZ SOA to the additional section of responses to clearly\n indicate the use of RPZ in a manner that is intended to avoid\n \ causing issues for downstream resolvers and forwarders [RT #36507]\n\n rndc now gives distinct error messages when an unqualified zone\n name matches multiple views vs. matching no views [RT #36691]\n\n Improves the accuracy of dig's reported round trip times. [RT #36611]\n\n When an SPF record exists in a zone but no equivalent TXT record\n does, a warning will be issued. \ The warning for the reverse\n condition is no longer issued. See the check-spf option in the\n documentation for details. [RT #36210]\n\n Aging of smoothed round-trip time measurements is now limited\n to no more than once per second, to improve accuracy in selecting\n the best name server. [RT #32909]\n\n DNSSEC keys that have been marked active but have no publication\n \ date are no longer presumed to be publishable. [RT #35063]\n\n Bug Fixes\n\n \ The Makefile in bin/python was changed to work around a bmake\n bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)\n\n Corrected bugs in the handling of wildcard records by the DNSSEC\n validator: invalid wildcard expansions could be treated as valid\n if signed, and valid wildcard expansions in NSEC3 opt-out ranges\n had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]\n\n An assertion failure could occur if a route event arrived while\n shutting down. [RT #36887]\n\n When resigning, dnssec-signzone was removing all signatures from\n delegation nodes. It now retains DS and (if applicable) NSEC\n signatures. [RT #36946]\n\n The AD flag was being set inappopriately on RPZ responses. [RT #36833]\n\n Updates the URI record type to current draft standard,\n draft-faltstrom-uri-08, and allows the value field to be zero\n length [RT #36642] [RT #36737]\n\n On some platforms, overhead from DSCP tagging caused a performance\n regression between BIND 9.9 and BIND 9.10. [RT #36534]\n\n RRSIG sets that were not loaded in a single transaction at start\n up were not being correctly added to re-signing heaps. [RT #36302]\n\n Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]\n\n Fixed a bug where some updated policy zone contents could be\n ignored due to stale RPZ summary information [RT #35885]\n\n A race condition could cause a crash in isc_event_free during\n shutdown. [RT #36720]\n\n Addresses some problems with unrecoverable lookup failures. [RT #36330]\n\n Addresses a race condition issue in dispatch. [RT #36731]\n\n \ acl elements could be miscounted, causing a crash while loading\n a config [RT #36675]\n\n Corrects a deadlock between view.c and adb.c. [RT #36341]\n\n liblwres wasn't properly handling link-local addresses in\n nameserver clauses in resolv.conf. [RT #36039]\n\n Disable the GCC 4.9 \"delete null pointer check\" optimizer option,\n and refactor dns_rdataslab_fromrdataset() to separate out the\n handling of an rdataset with no records. This fixes problems\n when using GNU GCC 4.9.0 where its compiler code optimizations\n \ may cause crashes in BIND. For more information, see the operational\n advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]\n\n Fixed a bug that could cause repeated resigning of records in\n dynamically signed zones. [RT #35273]\n\n Fixed a bug that could cause an assertion failure after forwarding\n \ was disabled. [RT #35979]\n\n Fixed a bug that caused GeoIP ACLs not to work when referenced\n indirectly via named or nested ACLs. [RT #35879]\n\n \ FIxed a bug that could cause problems with cache cleaning when\n SIT was enabled. [RT #35858]\n\n Fixed a bug that caused SERVFAILs when using RPZ on a system\n configured as a forwarder. [RT #36060]\n\n Worked around a limitation in Solaris's /dev/poll implementation\n that could cause named to fail to start when configured to use\n more sockets than the system could accomodate. [RT #35878]\n\n Fixed a bug that could cause an assertion failure when inserting\n and deleting parent and child nodes in a response-policy zone.\n [RT #36272]\n\n---\n Module Name:\tpkgsrc\n Committed By:\ttaca\n \ Date:\t\tMon Dec 8 21:59:09 UTC 2014\n\n Modified Files:\n \tpkgsrc/net/bind910: Makefile PLIST distinfo\n\n Log Message:\n Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).\n\n \t--- 9.10.1-P1 released ---\n\n 4006.\t[security]\tA flaw in delegation handling could be exploited\n \t\t\tto put named into an infinite loop. This has\n \t\t\tbeen addressed by placing limits on the number\n \t\t\tof levels of recursion named will allow (default 7),\n \t\t\tand the number of iterative queries that it will\n \t\t\tsend (default 50) before terminating a recursive\n \t\t\tquery (CVE-2014-8500).\n\n \t\t\tThe recursion depth limit is configured via the\n \t\t\t\"max-recursion-depth\" option, and the query limit\n \t\t\tvia the \"max-recursion-queries\" option. [RT #37580]\n\n 4003.\t[security]\tWhen geoip-directory was reconfigured during\n \t\t\tnamed run-time, the previously loaded GeoIP\n \t\t\tdata could remain, potentially causing wrong\n \t\t\tACLs to be used or wrong results to be served\n \t\t\tbased on geolocation (CVE-2014-8680). [RT #37720]\n\n 4002.\t[security]\tLookups in GeoIP databases that were not\n \ \t\t\tloaded could cause an assertion failure\n \t\t\t(CVE-2014-8680). [RT #37679]\n\n 4001.\t[security]\tThe caching of GeoIP lookups did not always\n \ \t\t\thandle address families correctly, potentially\n \t\t\tresulting in an assertion failure (CVE-2014-8680).\n \t\t\t[RT #37672]\n" module: pkgsrc subject: 'CVS commit: [pkgsrc-2014Q3] pkgsrc/net/bind910' unixtime: '1418241189' user: tron