---
- branch: MAIN
  date: Thu Apr 29 05:55:54 UTC 2021
  files:
  - new: '1.13'
    old: '1.12'
    path: pkgsrc/net/bind916/Makefile
    pathrev: pkgsrc/net/bind916/Makefile@1.13
    type: modified
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/net/bind916/distinfo
    pathrev: pkgsrc/net/bind916/distinfo@1.12
    type: modified
  id: 20210429T055554Z.c53193e622ce256e32d61bef73d83e1c76ddb00f
  log: "net/bind916: update to 9.16.15\n\nSecurity release.\n\n\t--- 9.16.15 released
    ---\n\n5621.\t[bug]\t\tDue to a backporting mistake in change 5609, named\n\t\t\tbinaries
    built against a Kerberos/GSSAPI library whose\n\t\t\theader files did not define
    the GSS_SPNEGO_MECHANISM\n\t\t\tpreprocessor macro were not able to start if their\n\t\t\tconfiguration
    included the \"tkey-gssapi-credential\"\n\t\t\toption. This has been fixed. [GL
    #2634]\n\n5620.\t[bug]\t\tIf zone journal files written by BIND 9.16.11 or earlier\n\t\t\twere
    present when BIND was upgraded, the zone file for\n\t\t\tthat zone could have
    been inadvertently rewritten with\n\t\t\tthe current zone contents. This caused
    the original zone\n\t\t\tfile structure (e.g. comments, $INCLUDE directives) to\n\t\t\tbe
    lost, although the zone data itself was preserved.\n\t\t\tThis has been fixed.
    [GL #2623]\n\n\t--- 9.16.14 released ---\n\n5617.\t[security]\tA specially crafted
    GSS-TSIG query could cause a buffer\n\t\t\toverflow in the ISC implementation
    of SPNEGO.\n\t\t\t(CVE-2021-25216) [GL #2604]\n\n5616.\t[security]\tnamed crashed
    when a DNAME record placed in the ANSWER\n\t\t\tsection during DNAME chasing turned
    out to be the final\n\t\t\tanswer to a client query. (CVE-2021-25215) [GL #2540]\n\n5615.\t[security]\tInsufficient
    IXFR checks could result in named serving a\n\t\t\tzone without an SOA record
    at the apex, leading to a\n\t\t\tRUNTIME_CHECK assertion failure when the zone
    was\n\t\t\tsubsequently refreshed. This has been fixed by adding an\n\t\t\towner
    name check for all SOA records which are included\n\t\t\tin a zone transfer. (CVE-2021-25214)
    [GL #2467]\n\n5614.\t[bug]\t\tEnsure all resources are properly cleaned up when
    a call\n\t\t\tto gss_accept_sec_context() fails. [GL #2620]\n\n5613.\t[bug]\t\tIt
    was possible to write an invalid transaction header\n\t\t\tin the journal file
    for a managed-keys database after\n\t\t\tupgrading. This has been fixed. Invalid
    headers in\n\t\t\texisting journal files are detected and named is able\n\t\t\tto
    recover from them. [GL #2600]\n\n5611.\t[func]\t\tSet \"stale-answer-client-timeout\"
    to \"off\" by default.\n\t\t\t[GL #2608]\n\n5610.\t[bug]\t\tPrevent a crash which
    could happen when a lookup\n\t\t\ttriggered by \"stale-answer-client-timeout\"
    was attempted\n\t\t\tright after recursion for a client query finished.\n\t\t\t[GL
    #2594]\n\n5609.\t[func]\t\tThe ISC implementation of SPNEGO was removed from BIND
    9\n\t\t\tsource code. It was no longer necessary as all major\n\t\t\tcontemporary
    Kerberos/GSSAPI libraries include support\n\t\t\tfor SPNEGO. [GL #2607]\n\n5608.\t[bug]\t\tWhen
    sending queries over TCP, dig now properly handles\n\t\t\t\"+tries=1 +retry=0\"
    by not retrying the connection when\n\t\t\tthe remote server closes the connection
    prematurely.\n\t\t\t[GL #2490]\n\n5607.\t[bug]\t\tAs \"rndc dnssec -checkds\"
    and \"rndc dnssec -rollover\"\n\t\t\tcommands may affect the next scheduled key
    event,\n\t\t\treconfiguration of zone keys is now triggered after\n\t\t\treceiving
    either of these commands to prevent\n\t\t\tunnecessary key rollover delays. [GL
    #2488]\n\n5606.\t[bug]\t\tCDS/CDNSKEY DELETE records are now removed when a zone\n\t\t\ttransitions
    from a secure to an insecure state.\n\t\t\tnamed-checkzone also no longer reports
    an error when\n\t\t\tsuch records are found in an unsigned zone. [GL #2517]\n\n5605.\t[bug]\t\t\"dig
    -u\" now uses the CLOCK_REALTIME clock source for\n\t\t\tmore accurate time reporting.
    [GL #2592]\n\n5603.\t[bug]\t\tFix a memory leak that occurred when named failed
    to\n\t\t\tbind a UDP socket to a network interface. [GL #2575]\n\n5602.\t[bug]\t\tFix
    TCPDNS and TLSDNS timers in Network Manager. This\n\t\t\tmakes the \"tcp-initial-timeout\"
    and \"tcp-idle-timeout\"\n\t\t\toptions work correctly again. [GL #2583]\n\n5601.\t[bug]\t\tZones
    using KASP could not be thawed after they were\n\t\t\tfrozen using \"rndc freeze\".
    This has been fixed.\n\t\t\t[GL #2523]\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/net/bind916'
  unixtime: '1619675754'
  user: taca