Date: Thu, 26 Jan 2023 20:01:44 +0000
From: "Benny Siegert"
Subject: CVS commit: [pkgsrc-2022Q4] pkgsrc/net/bind916
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20230126200144.8C970FA90@cvs.NetBSD.org>

Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Jan 26 20:01:44 UTC 2023

Modified Files:
    pkgsrc/net/bind916 [pkgsrc-2022Q4]: Makefile builtin.mk distinfo
    pkgsrc/net/bind916/patches [pkgsrc-2022Q4]: patch-lib_isc_siphash.c
        patch-lib_ns_update.c

Log Message:
Pullup ticket #6726 - requested by taca
net/bind916: security fix

Revisions pulled up:
- net/bind916/Makefile 1.51-1.52
- net/bind916/builtin.mk 1.2
- net/bind916/distinfo 1.43-1.44
- net/bind916/patches/patch-lib_isc_siphash.c 1.4
- net/bind916/patches/patch-lib_ns_update.c 1.3

---
Module Name: pkgsrc
Committed By: taca
Date: Mon Jan 9 06:48:53 UTC 2023

Modified Files:
    pkgsrc/net/bind916: Makefile distinfo

Log Message:
net/bind916: update to 9.16.36

9.16.36 (2022-12-21)

Feature Changes

* The auto-dnssec option has been deprecated and will be removed in a
  future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]

Bug Fixes

* When a catalog zone was removed from the configuration, in some cases a
  dangling pointer could cause the named process to crash. This has been
  fixed. [GL #3683]

* When a zone was deleted from a server, a key management object related
  to that zone was inadvertently kept in memory and only released upon
  shutdown. This could lead to constantly increasing memory use on servers
  with a high rate of changes affecting the set of zones being served.
  This has been fixed. [GL #3727]

* In certain cases, named waited for the resolution of outstanding
  recursive queries to finish before shutting down. This was unintended
  and has been fixed. [GL #3183]

* The zone /: final reference detached log message was moved from the INFO
  log level to the DEBUG(1) log level to prevent the named-checkzone tool
  from superfluously logging this message in non-debug mode. [GL #3707]

---
Module Name: pkgsrc
Committed By: taca
Date: Thu Jan 26 13:32:47 UTC 2023

Modified Files:
    pkgsrc/net/bind916: Makefile builtin.mk distinfo
    pkgsrc/net/bind916/patches: patch-lib_isc_siphash.c patch-lib_ns_update.c

Log Message:
net/bind916: update to 9.16.37

--- 9.16.37 released ---

6067. [security] Fix serve-stale crash when recursive clients soft quota
      is reached. (CVE-2022-3924) [GL #3619]

6066. [security] Handle RRSIG lookups when serve-stale is active.
      (CVE-2022-3736) [GL #3622]

6064. [security] An UPDATE message flood could cause named to exhaust all
      available memory. This flaw was addressed by adding a new
      "update-quota" statement that controls the number of simultaneous
      UPDATE messages that can be processed or forwarded. The default is
      100. A stats counter has been added to record events when the update
      quota is exceeded, and the XML and JSON statistics version numbers
      have been updated. (CVE-2022-3094) [GL #3523]

6062. [func] The DSCP implementation, which has only been partly
      operational since 9.16.0, is now marked as deprecated. Configuring
      DSCP values in named.conf will cause a warning to be logged.
      [GL #3773]

6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() by
      detaching from the zone manager outside of the write lock.
      [GL #3768]

6059. [bug] In some serve stale scenarios, like when following an expired
      CNAME record, named could return SERVFAIL if the previous request
      wasn't successful. Consider non-stale data when in serve-stale mode.
      [GL #3678]

6058. [bug] Prevent named from crashing when "rndc delzone" attempts to
      delete a zone added by a catalog zone. [GL #3745]

6050. [bug] Changes to the RPZ response-policy min-update-interval and
      add-soa options now take effect as expected when named is
      reconfigured. [GL #3740]

6048. [bug] Fix a log message error in dns_catz_update_from_db(), where
      serials with values of 2^31 or larger were logged incorrectly as
      negative numbers. [GL #3742]

6045. [cleanup] The list of supported DNSSEC algorithms changed log level
      from "warning" to "notice" to match named's other startup messages.
      [GL !7217]

6044. [bug] There was an "RSASHA236" typo in a log message. [GL !7206]

To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.50.2.1 pkgsrc/net/bind916/Makefile
cvs rdiff -u -r1.1 -r1.1.20.1 pkgsrc/net/bind916/builtin.mk
cvs rdiff -u -r1.42 -r1.42.2.1 pkgsrc/net/bind916/distinfo
cvs rdiff -u -r1.3 -r1.3.12.1 \
    pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c
cvs rdiff -u -r1.2 -r1.2.18.1 \
    pkgsrc/net/bind916/patches/patch-lib_ns_update.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/bind916/Makefile diff -u pkgsrc/net/bind916/Makefile:1.50 pkgsrc/net/bind916/Makefile:1.50.2.1 --- pkgsrc/net/bind916/Makefile:1.50 Wed Nov 23 16:20:48 2022 +++ pkgsrc/net/bind916/Makefile Thu Jan 26 20:01:44 2023 @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.50 2022/11/23 16:20:48 adam Exp $ +# $NetBSD: Makefile,v 1.50.2.1 2023/01/26 20:01:44 bsiegert Exp $ DISTNAME= bind-${BIND_VERSION} PKGNAME= ${DISTNAME:S/-P/pl/} -PKGREVISION= 1 CATEGORIES= net MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ EXTRACT_SUFX= .tar.xz 
@@ -16,7 +15,7 @@ CONFLICTS+= host-[0-9]* MAKE_JOBS_SAFE= no -BIND_VERSION= 9.16.35 +BIND_VERSION= 9.16.37 BUILD_DEFS+= BIND_DIR VARBASE Index: pkgsrc/net/bind916/builtin.mk diff -u pkgsrc/net/bind916/builtin.mk:1.1 pkgsrc/net/bind916/builtin.mk:1.1.20.1 --- pkgsrc/net/bind916/builtin.mk:1.1 Sun Aug 9 15:20:21 2020 +++ pkgsrc/net/bind916/builtin.mk Thu Jan 26 20:01:44 2023 @@ -1,4 +1,4 @@ -# $NetBSD: builtin.mk,v 1.1 2020/08/09 15:20:21 taca Exp $ +# $NetBSD: builtin.mk,v 1.1.20.1 2023/01/26 20:01:44 bsiegert Exp $ BUILTIN_PKG:= bind @@ -41,7 +41,7 @@ MAKEVARS+= IS_BUILTIN.bind ### a package name to represent the built-in package. ### .if !defined(BUILTIN_PKG.bind) && \ - !empty(IS_BUILTIN.bind:M[yY][eE][sS]) && \ + ${IS_BUILTIN.bind:tl} == "yes" && \ defined(BUILTIN_VERSION.bind) BUILTIN_PKG.bind= bind-${BUILTIN_VERSION.bind} .endif @@ -57,10 +57,10 @@ USE_BUILTIN.bind= no . else USE_BUILTIN.bind= ${IS_BUILTIN.bind} . if defined(BUILTIN_PKG.bind) && \ - !empty(IS_BUILTIN.bind:M[yY][eE][sS]) + ${IS_BUILTIN.bind:tl} == "yes" USE_BUILTIN.bind= yes . for dep in ${BUILDLINK_API_DEPENDS.bind} -. if !empty(USE_BUILTIN.bind:M[yY][eE][sS]) +. if ${USE_BUILTIN.bind:tl} == "yes" USE_BUILTIN.bind!= \ if ${PKG_ADMIN} pmatch ${dep:Q} ${BUILTIN_PKG.bind:Q}; then \ ${ECHO} yes; \ 
@@ -79,13 +79,13 @@ MAKEVARS+= USE_BUILTIN.bind ### solely to determine whether a built-in implementation exists. ### CHECK_BUILTIN.bind?= no -.if !empty(CHECK_BUILTIN.bind:M[nN][oO]) +.if ${CHECK_BUILTIN.bind:tl} == "no" -. if !empty(USE_BUILTIN.bind:M[yY][eE][sS]) -. if !empty(BUILTIN_LIB_FOUND.bind:M[yY][eE][sS]) +. if ${USE_BUILTIN.bind:tl} == "yes" +. if ${BUILTIN_LIB_FOUND.bind:tl} == "yes" BUILDLINK_LDADD.bind?= -lbind . endif -. elif !empty(USE_BUILTIN.bind:M[nN][oO]) +. elif ${USE_BUILTIN.bind:tl} == "no" BUILDLINK_LDADD.bind?= -lbind . endif Index: pkgsrc/net/bind916/distinfo diff -u pkgsrc/net/bind916/distinfo:1.42 pkgsrc/net/bind916/distinfo:1.42.2.1 --- pkgsrc/net/bind916/distinfo:1.42 Wed Nov 16 13:47:38 2022 +++ pkgsrc/net/bind916/distinfo Thu Jan 26 20:01:44 2023 @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.42 2022/11/16 13:47:38 taca Exp $ +$NetBSD: distinfo,v 1.42.2.1 2023/01/26 20:01:44 bsiegert Exp $ -BLAKE2s (bind-9.16.35.tar.xz) = bd44cf0b71d352e4d2baa71e3dee7ce78a47f02ad9dcb2feb3ce6dfaa0bfcf29 -SHA512 (bind-9.16.35.tar.xz) = c979e7a9bcea1c9fb1049a2708d8643c71ad2448a195454fcb3dfacf5d874221e95473e140a6944c3fa249f516718416fb67a50e267522d6bcb2915cdb46e6ea -Size (bind-9.16.35.tar.xz) = 5102476 bytes +BLAKE2s (bind-9.16.37.tar.xz) = d40e5ca3b87dfdaff9d8f49e231dbc4b0db96c0acb123d66dbca83e97773cb85 +SHA512 (bind-9.16.37.tar.xz) = 2c4b01f6cc598849688b5b2710caf48db47e1e860df785783ef2b140a25507b48357a9becf7911ba0feda285c4bca87764e21128fac5cf17efa47fd5134dc59f +Size (bind-9.16.37.tar.xz) = 5109440 bytes SHA1 (patch-bin_dig_dighost.c) = b1073911d80ecd519af98b6678968296ff8c0c98 SHA1 (patch-bin_dig_include_dig_dig.h) = 10166f5bb98b208c7b10d63eb31e8253f704acc8 SHA1 (patch-bin_named_Makefile.in) = f1367da6a226ba44d0ee13acf00b8abeb5b1b7eb 
@@ -42,7 +42,7 @@ SHA1 (patch-lib_isc_include_isc_types.h) SHA1 (patch-lib_isc_netmgr_netmgr-int.h) = d84993edf254605f85421fbdd2fc523255c7316d SHA1 (patch-lib_isc_netmgr_netmgr.c) = 3df1d37061f6ceb37e309a0dc4f782fc35863146 SHA1 (patch-lib_isc_rwlock.c) = 1d114248ddee20db7a7429afab446f8b2f0dca82 -SHA1 (patch-lib_isc_siphash.c) = 8999deb002e4fdb6b13e6f297298ef73c97042c3 +SHA1 (patch-lib_isc_siphash.c) = a6642bd91aef22afb7ec4e2e0912275371644a3f SHA1 (patch-lib_isc_stats.c) = 8d962fa360740770588fccf1d303d7fe22ae724b SHA1 (patch-lib_isc_timer.c) = aea2019bbf3d84cad77af432a2bbdf0da8f2f893 SHA1 (patch-lib_isc_unix_include_isc_stdatomic.h) = b73b0224be47c1733f6346fce9243e97f54e1865 @@ -55,6 +55,6 @@ SHA1 (patch-lib_ns_include_ns_client.h) SHA1 (patch-lib_ns_include_ns_pfilter.h) = cc86752971b4f9f7492283c4ad3ff29bc1bae237 SHA1 (patch-lib_ns_pfilter.c) = 8f4a3b3a729360a131eb1962c42a9f9f985c7e7b SHA1 (patch-lib_ns_query.c) = 0c3c4a20aa4b40c144c4f986599cda67db3e2491 -SHA1 (patch-lib_ns_update.c) = 2fb3457da333143508d28420490cbc1cb69ddb19 +SHA1 (patch-lib_ns_update.c) = 2c5a9302178abe9dc9b6396b053319e39e1ef950 SHA1 (patch-lib_ns_xfrout.c) = 79d9e4add58ffd75ea9718f5501f1517e67416e3 SHA1 (patch-make_rules.in) = 5fb3a44ff0066c93872c25596267fbabffc6da8f Index: pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c diff -u pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3 pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3.12.1 --- pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c:1.3 Sun Oct 24 06:40:28 2021 +++ pkgsrc/net/bind916/patches/patch-lib_isc_siphash.c Thu Jan 26 20:01:44 2023 
@@ -1,12 +1,12 @@ -$NetBSD: patch-lib_isc_siphash.c,v 1.3 2021/10/24 06:40:28 taca Exp $ +$NetBSD: patch-lib_isc_siphash.c,v 1.3.12.1 2023/01/26 20:01:44 bsiegert Exp $ * Take from NetBSD base. ---- lib/isc/siphash.c.orig 2021-09-07 09:37:05.000000000 +0000 +--- lib/isc/siphash.c.orig 2023-01-12 22:45:02.000000000 +0000 +++ lib/isc/siphash.c -@@ -90,8 +90,14 @@ isc_siphash24(const uint8_t *k, const ui - REQUIRE(k != NULL); +@@ -93,8 +93,14 @@ isc_siphash24(const uint8_t *k, const ui REQUIRE(out != NULL); + REQUIRE(inlen == 0 || in != NULL); - uint64_t k0 = U8TO64_LE(k); - uint64_t k1 = U8TO64_LE(k + 8); Index: pkgsrc/net/bind916/patches/patch-lib_ns_update.c diff -u pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2 pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2.18.1 --- pkgsrc/net/bind916/patches/patch-lib_ns_update.c:1.2 Sat Dec 19 16:41:36 2020 +++ pkgsrc/net/bind916/patches/patch-lib_ns_update.c Thu Jan 26 20:01:44 2023 @@ -1,10 +1,10 @@ -$NetBSD: patch-lib_ns_update.c,v 1.2 2020/12/19 16:41:36 taca Exp $ +$NetBSD: patch-lib_ns_update.c,v 1.2.18.1 2023/01/26 20:01:44 bsiegert Exp $ * Based on NetBSD, add support for blocklist(blacklist). ---- lib/ns/update.c.orig 2020-12-07 08:16:53.000000000 +0000 +--- lib/ns/update.c.orig 2023-01-12 22:45:02.000000000 +0000 +++ lib/ns/update.c -@@ -52,6 +52,10 @@ +@@ -54,6 +54,10 @@ #include #include 
@@ -15,27 +15,27 @@ $NetBSD: patch-lib_ns_update.c,v 1.2 202 /*! \file * \brief * This module implements dynamic update as in RFC2136. -@@ -340,6 +344,9 @@ checkqueryacl(ns_client_t *client, dns_a - - result = ns_client_checkaclsilent(client, NULL, queryacl, true); +@@ -349,6 +353,9 @@ checkqueryacl(ns_client_t *client, dns_a if (result != ISC_R_SUCCESS) { + int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO; + +#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H) + pfilter_notify(result, client, "queryacl"); +#endif dns_name_format(zonename, namebuf, sizeof(namebuf)); dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf)); -@@ -352,6 +359,9 @@ checkqueryacl(ns_client_t *client, dns_a +@@ -358,6 +365,9 @@ checkqueryacl(ns_client_t *client, dns_a "update '%s/%s' denied due to allow-query", namebuf, classbuf); - } else if (updateacl == NULL && ssutable == NULL) { + } else if (!update_possible) { +#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H) + pfilter_notify(result, client, "updateacl"); +#endif dns_name_format(zonename, namebuf, sizeof(namebuf)); dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf)); -@@ -393,6 +403,9 @@ checkupdateacl(ns_client_t *client, dns_ +@@ -399,6 +409,9 @@ checkupdateacl(ns_client_t *client, dns_ msg = "disabled"; } else { result = ns_client_checkaclsilent(client, NULL, acl, false); --_----------=_167476330437920--
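
Review bot: In builtin.mk, every `!empty(VAR:M[yY][eE][sS])` test becomes a direct comparison such as `${BUILTIN_LIB_FOUND.bind:tl} == "yes"`, which needs the variable to be set, whereas the old `!empty()` form was simply false for an unset one. Nothing in the visible lines gives BUILTIN_LIB_FOUND.bind a default, so please confirm it is always assigned before the `.if ${CHECK_BUILTIN.bind:tl} == "no"` block, or keep `!empty()` for that one test. This is also a refactor unrelated to the three CVEs and is riding along in a pullup whose log says "security fix"; the log should mention it.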
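
Review bot: The new BLAKE2s and SHA512 values for bind-9.16.37.tar.xz in distinfo are the only integrity check on a distfile that the Makefile still fetches from `MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/`, an unauthenticated transport. The commit log should say how the tarball behind these hashes was verified, for example against the upstream release signature, and an HTTPS master site could be listed first.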
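
Review bot: The comment in patch-lib_isc_siphash.c is still only "* Take from NetBSD base.", which does not say what is taken or why the `k0`/`k1` loads via `U8TO64_LE(k)` are replaced. Since the hunk was rebased onto a new upstream context (the added `REQUIRE(inlen == 0 || in != NULL);` line), this is a good moment to document the reason for the change, so a later updater can tell whether the patch is still needed.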
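
Review bot: In patch-lib_ns_update.c, the second call in checkqueryacl(), `pfilter_notify(result, client, "updateacl");`, sits in the `else if (!update_possible)` branch, which is only reached when the preceding `if (result != ISC_R_SUCCESS)` was false. So `result` is ISC_R_SUCCESS there, although the branch goes on to format a log message for the zone. If pfilter_notify() derives accept or reject from its first argument, this event is reported as a success; either pass an explicit failure code or add a comment saying the success report is intended. The upstream condition changed from `updateacl == NULL && ssutable == NULL` to `!update_possible`, so this branch is worth re-checking as part of the rebase.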