---
- branch: MAIN
  date: Sun Dec 13 17:37:00 UTC 2015
  files:
  - new: '1.49'
    old: '1.48'
    path: pkgsrc/net/bind99/Makefile
    pathrev: pkgsrc/net/bind99/Makefile@1.49
    type: modified
  - new: '1.34'
    old: '1.33'
    path: pkgsrc/net/bind99/distinfo
    pathrev: pkgsrc/net/bind99/distinfo@1.34
    type: modified
  - new: '1.5'
    old: '1.4'
    path: pkgsrc/net/bind99/patches/patch-bin_dig_dighost.c
    pathrev: pkgsrc/net/bind99/patches/patch-bin_dig_dighost.c@1.5
    type: modified
  - new: '1.6'
    old: '1.5'
    path: pkgsrc/net/bind99/patches/patch-bin_tests_system_Makefile.in
    pathrev: pkgsrc/net/bind99/patches/patch-bin_tests_system_Makefile.in@1.6
    type: modified
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/net/bind99/patches/patch-configure
    pathrev: pkgsrc/net/bind99/patches/patch-configure@1.11
    type: modified
  id: 20151213T173700Z.c8312a32ef178626a0492a74e5323e137b1bcf46
  log: "Update bind99 to 9.9.8.\n\nSecurity Fixes\n\n     * An incorrect boundary
    check in the OPENPGPKEY rdatatype could\n       trigger an assertion failure.
    This flaw is disclosed in\n       CVE-2015-5986. [RT #40286]\n     * A buffer
    accounting error could trigger an assertion failure when\n       parsing certain
    malformed DNSSEC keys.\n       This flaw was discovered by Hanno Bæ\x97¦ck of
    the Fuzzing Project, and\n       is disclosed in CVE-2015-5722. [RT #40212]\n
    \    * A specially crafted query could trigger an assertion failure in\n       message.c.\n
    \      This flaw was discovered by Jonathan Foote, and is disclosed in\n       CVE-2015-5477.
    [RT #40046]\n     * On servers configured to perform DNSSEC validation, an assertion\n
    \      failure could be triggered on answers from a specially configured\n       server.\n
    \      This flaw was discovered by Breno Silveira Soares, and is disclosed\n       in
    CVE-2015-4620. [RT #39795]\n\nNew Features\n\n     * New quotas have been added
    to limit the queries that are sent by\n       recursive resolvers to authoritative
    servers experiencing\n       denial-of-service attacks. When configured, these
    options can both\n       reduce the harm done to authoritative servers and also
    avoid the\n       resource exhaustion that can be experienced by recursives when
    they\n       are being used as a vehicle for such an attack.\n       NOTE: These
    options are not available by default; use configure\n       --enable-fetchlimit
    to include them in the build.\n          + fetches-per-server limits the number
    of simultaneous queries\n            that can be sent to any single authoritative
    server. The\n            configured value is a starting point; it is automatically\n
    \           adjusted downward if the server is partially or completely\n            non-responsive.
    The algorithm used to adjust the quota can be\n            configured via the
    fetch-quota-params option.\n          + fetches-per-zone limits the number of
    simultaneous queries\n            that can be sent for names within a single domain.
    (Note:\n            Unlike \"fetches-per-server\", this value is not self-tuning.)\n
    \      Statistics counters have also been added to track the number of\n       queries
    affected by these quotas.\n     * An --enable-querytrace configure switch is now
    available to enable\n       very verbose query tracelogging. This option can only
    be set at\n       compile time. This option has a negative performance impact
    and\n       should be used only for debugging.\n     * EDNS COOKIE options content
    is now displayed as \"COOKIE:\n       <hexvalue>\".\n\nFeature Changes\n\n     *
    Large inline-signing changes should be less disruptive. Signature\n       generation
    is now done incrementally; the number of signatures to\n       be generated in
    each quantum is controlled by\n       \"sig-signing-signatures number;\". [RT
    #37927]\n     * Retrieving the local port range from net.ipv4.ip_local_port_range\n
    \      on Linux is now supported.\n     * Active Directory names of the form gc._msdcs.<forest>
    are now\n       accepted as valid hostnames when using the check-names option.\n
    \      <forest> is still restricted to letters, digits and hyphens.\n     * Names
    containing rich text are now accepted as valid hostnames in\n       PTR records
    in DNS-SD reverse lookup zones, as specified in RFC\n       6763. [RT #37889]\n\nBug
    Fixes\n\n     * Asynchronous zone loads were not handled correctly when the zone\n
    \      load was already in progress; this could trigger a crash in zt.c.\n       [RT
    #37573]\n     * A race during shutdown or reconfiguration could cause an assertion\n
    \      failure in mem.c. [RT #38979]\n     * Some answer formatting options didn't
    work correctly with dig\n       +short. [RT #39291]\n     * Malformed records
    of some types, including NSAP and UNSPEC, could\n       trigger assertion failures
    when loading text zone files. [RT\n       #40274] [RT #40285]\n     * Fixed a
    possible crash in ratelimiter.c caused by NOTIFY messages\n       being removed
    from the wrong rate limiter queue. [RT #40350]\n     * The default rrset-order
    of random was inconsistently applied. [RT\n       #40456]\n     * BADVERS responses
    from broken authoritative name servers were not\n       handled correctly. [RT
    #40427]\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/net/bind99'
  unixtime: '1450028220'
  user: taca