---
- branch: pkgsrc-2020Q2
  date: Fri Aug 28 15:57:47 UTC 2020
  files:
  - new: 1.28.2.1
    old: '1.28'
    path: pkgsrc/net/bind911/Makefile
    pathrev: pkgsrc/net/bind911/Makefile@1.28.2.1
    type: modified
  - new: 1.20.2.1
    old: '1.20'
    path: pkgsrc/net/bind911/distinfo
    pathrev: pkgsrc/net/bind911/distinfo@1.20.2.1
    type: modified
  id: 20200828T155747Z.ec8153c724608311892d8b6a88108d636e5987f2
  log: "Pullup ticket #6311 - requested by taca\nnet/bind911: security fix\n\nRevisions pulled up:\n- net/bind911/Makefile 1.29\n- net/bind911/distinfo 1.21\n\n---\n
    Module Name:\tpkgsrc\n
    Committed By:\ttaca\n
    Date:\t\tFri Aug 21 16:09:44 UTC 2020\n\n
    \ Modified Files:\n
    \tpkgsrc/net/bind911: Makefile distinfo\n\n
    Log Message:\n
    \ net/bind911: update to 9.11.22\n\n
    Update bind911 to 9.11.22 (BIND 9.11.22).\n\n
    \ \t--- 9.11.22 released ---\n\n
    5481.\t[security]\t\"update-policy\" rules of type \"subdomain\" were\n
    \t\t\tincorrectly treated as \"zonesub\" rules, which allowed\n
    \t\t\tkeys used in \"subdomain\" rules to update names outside\n
    \ \t\t\tof the specified subdomains. The problem was fixed by\n
    \t\t\tmaking sure \"subdomain\" rules are again processed as\n
    \t\t\tdescribed in the ARM. (CVE-2020-8624) [GL #2055]\n\n
    5480.\t[security]\tWhen BIND 9 was compiled with native PKCS#11 support, it\n
    \t\t\twas possible to trigger an assertion failure in code\n
    \t\t\tdetermining the number of bits in the PKCS#11 RSA public\n
    \t\t\tkey with a specially crafted packet. (CVE-2020-8623)\n
    \t\t\t[GL #2037]\n\n
    5476.\t[security]\tIt was possible to trigger an assertion failure when\n
    \t\t\tverifying the response to a TSIG-signed request.\n
    \t\t\t(CVE-2020-8622) [GL #2028]\n\n
    5475.\t[bug]\t\tWildcard RPZ passthru rules could incorrectly be\n
    \t\t\toverridden by other rules that were loaded from RPZ\n
    \t\t\tzones which appeared later in the \"response-policy\"\n
    \ \t\t\tstatement. This has been fixed. [GL #1619]\n\n
    5474.\t[bug]\t\tdns_rdata_hip_next() failed to return ISC_R_NOMORE\n
    \t\t\twhen it should have. [GL !3880]\n\n
    5465.\t[func]\t\tAdded fallback to built-in trust-anchors, managed-keys,\n
    \t\t\tor trusted-keys if the bindkeys-file (bind.keys) cannot\n
    \t\t\tbe parsed. [GL #1235]\n\n
    5463.\t[bug]\t\tAddress a potential NULL pointer dereference when out of\n
    \t\t\tmemory in dnstap.c. [GL #2010]\n\n
    5462.\t[bug]\t\tMove LMDB locking from LMDB itself to named. [GL #1976]\n"
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2020Q2] pkgsrc/net/bind911'
  unixtime: '1598630267'
  user: bsiegert