Date: Wed, 8 Feb 2023 00:13:45 +0000
From: "Takahiro Kambe"
Subject: CVS commit: pkgsrc/net/bind918
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org

Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Feb 8 00:13:44 UTC 2023

Modified Files:
        pkgsrc/net/bind918: Makefile PLIST distinfo
        pkgsrc/net/bind918/patches: patch-lib_isc_siphash.c patch-lib_isc_time.c patch-lib_ns_update.c
Removed Files:
        pkgsrc/net/bind918/patches: patch-bin_tests_system_keyfromlabel_tests.sh

Log Message:
net/bind918: update to 9.18.11

Approved by MAINTAINER (sekiya@).

        --- 9.18.11 released ---

6067. [security] Fix serve-stale crash when recursive clients soft quota is reached. (CVE-2022-3924) [GL #3619]

6066. [security] Handle RRSIG lookups when serve-stale is active. (CVE-2022-3736) [GL #3622]

6064. [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of simultaneous UPDATE messages that can be processed or forwarded. The default is 100. A stats counter has been added to record events when the update quota is exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094) [GL #3523]

6062. [func] The DSCP implementation, which has been nonfunctional for some time, is now marked as obsolete and the implementation has been removed. Configuring DSCP values in named.conf has no effect, and a warning will be logged that the feature should no longer be used. [GL #3773]

6061. [bug] Fix unexpected "Prohibited" extended DNS error on allow-recursion. [GL #3743]

6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() by detaching from the zone manager outside of the write lock. [GL #3768]

6059. [bug] In some serve stale scenarios, like when following an expired CNAME record, named could return SERVFAIL if the previous request wasn't successful. Consider non-stale data when in serve-stale mode. [GL #3678]

6058. [bug] Prevent named from crashing when "rndc delzone" attempts to delete a zone added by a catalog zone. [GL #3745]

6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752]

6051. [bug] Improve thread safety in the dns_dispatch unit. [GL #3178] [GL #3636]

6050. [bug] Changes to the RPZ response-policy min-update-interval and add-soa options now take effect as expected when named is reconfigured. [GL #3740]

6049. [bug] Exclude ADB hashtables from the ADB memory overmem checks and don't clean ADB names and ADB entries used in the last 10 seconds (ADB_CACHE_MINIMUM). [GL #3739]

6048. [bug] Fix a log message error in dns_catz_update_from_db(), where serials with values of 2^31 or larger were logged incorrectly as negative numbers. [GL #3742]

6047. [bug] Try the next server instead of trying the same server again on an outgoing query timeout. [GL #3637]

6046. [bug] TLS session resumption might lead to handshake failures when client certificates are used for authentication (Mutual TLS). This has been fixed. [GL #3725]

6045. [cleanup] The list of supported DNSSEC algorithms changed log level from "warning" to "notice" to match named's other startup messages. [GL !7217]

6044. [bug] There was an "RSASHA236" typo in a log message. [GL !7206]

5830. [func] Implement incremental resizing of isc_ht hash tables to perform the rehashing gradually. The catalog zone implementation has been optimized to work with hundreds of thousands of member zones.
[GL #3212] [GL #3744]

To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/bind918/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/PLIST
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind918/distinfo
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c \
    pkgsrc/net/bind918/patches/patch-lib_isc_time.c \
    pkgsrc/net/bind918/patches/patch-lib_ns_update.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: pkgsrc/net/bind918/Makefile diff -u pkgsrc/net/bind918/Makefile:1.5 pkgsrc/net/bind918/Makefile:1.6 --- pkgsrc/net/bind918/Makefile:1.5 Fri Jan 13 05:31:52 2023 +++ pkgsrc/net/bind918/Makefile Wed Feb 8 00:13:44 2023 @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.5 2023/01/13 05:31:52 sekiya Exp $ +# $NetBSD: Makefile,v 1.6 2023/02/08 00:13:44 taca Exp $ DISTNAME= bind-${BIND_VERSION} PKGNAME= ${DISTNAME:S/-P/pl/} -PKGREVISION= 3 CATEGORIES= net MASTER_SITES= https://downloads.isc.org/isc/bind9/${BIND_VERSION}/ EXTRACT_SUFX= .tar.xz @@ -16,7 +15,7 @@ CONFLICTS+= host-[0-9]* MAKE_JOBS_SAFE= no -BIND_VERSION= 9.18.9 +BIND_VERSION= 9.18.11 BUILD_DEFS+= BIND_DIR VARBASE Index: pkgsrc/net/bind918/PLIST diff -u pkgsrc/net/bind918/PLIST:1.1 pkgsrc/net/bind918/PLIST:1.2 --- pkgsrc/net/bind918/PLIST:1.1 Sun Dec 11 01:57:55 2022 +++ pkgsrc/net/bind918/PLIST Wed Feb 8 00:13:44 2023 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.1 2022/12/11 01:57:55 sekiya Exp $ +@comment $NetBSD: PLIST,v 1.2 2023/02/08 00:13:44 taca Exp $ bin/arpaname bin/delv bin/dig 
@@ -253,19 +253,12 @@ include/ns/update.h include/ns/xfrout.h lib/bind/filter-a.la lib/bind/filter-aaaa.la -lib/libbind9-9.18.9.so lib/libbind9.la -lib/libdns-9.18.9.so lib/libdns.la -lib/libirs-9.18.9.so lib/libirs.la -lib/libisc-9.18.9.so lib/libisc.la -lib/libisccc-9.18.9.so lib/libisccc.la -lib/libisccfg-9.18.9.so lib/libisccfg.la -lib/libns-9.18.9.so lib/libns.la man/man1/arpaname.1 man/man1/delv.1 Index: pkgsrc/net/bind918/distinfo diff -u pkgsrc/net/bind918/distinfo:1.3 pkgsrc/net/bind918/distinfo:1.4 --- pkgsrc/net/bind918/distinfo:1.3 Mon Dec 12 22:07:04 2022 +++ pkgsrc/net/bind918/distinfo Wed Feb 8 00:13:44 2023 @@ -1,12 +1,11 @@ -$NetBSD: distinfo,v 1.3 2022/12/12 22:07:04 sekiya Exp $ +$NetBSD: distinfo,v 1.4 2023/02/08 00:13:44 taca Exp $ -BLAKE2s (bind-9.18.9.tar.xz) = 8c3f2dcb57205959f78c02fd32a12d0897050897af9136b58972fde41468ec55 -SHA512 (bind-9.18.9.tar.xz) = 7d9bca47e29e8634416ab52819d78ce4ec6196c0dcbd9fe95a24687337f71c69b6472cf20bf49ea0ae1751a861944f354f9122acfb01780f51278ad4a3fdd817 -Size (bind-9.18.9.tar.xz) = 5281732 bytes +BLAKE2s (bind-9.18.11.tar.xz) = c4aae1223078ef089a3f35ae15e3ea552383d235b7a9dfe1c0423a958409891f +SHA512 (bind-9.18.11.tar.xz) = 1f71560efca3b6886d71861c76d4a11d59c28f0ffed684f040a59dd9c14be594985a3f15e6d610a4d88a40a16a19e259977d4a254e146469323d15587b23f3ad +Size (bind-9.18.11.tar.xz) = 5284184 bytes SHA1 (patch-bin_named_main.c) = 4e4a763c478f1fcecb7e65968cf6ca20dacf01f1 SHA1 (patch-bin_named_os.c) = 5ecb0883076575d8ac5fcad68f9daad6c9be0d0b SHA1 (patch-bin_named_server.c) = 6e59d3f637ebb829eec2f76ba7c350fb5cf9be6d -SHA1 (patch-bin_tests_system_keyfromlabel_tests.sh) = 63a1516b573adabe6ff2719532fd58bcf3ecd65b SHA1 (patch-config.h.in) = 6072793048cdf590863046355eeffa1d93524c36 SHA1 (patch-configure.ac) = a6f10aec356691ca1075262a3e87c809cd3a558a SHA1 (patch-lib_dns_byaddr.c) = 647ddaaaf040233e18d1a87d83bc2bd63d2a20e3 
@@ -26,13 +25,13 @@ SHA1 (patch-lib_isc_net.c) = 743de2701fa SHA1 (patch-lib_isc_netmgr_netmgr-int.h) = d84993edf254605f85421fbdd2fc523255c7316d SHA1 (patch-lib_isc_netmgr_netmgr.c) = 3df1d37061f6ceb37e309a0dc4f782fc35863146 SHA1 (patch-lib_isc_rwlock.c) = 1d114248ddee20db7a7429afab446f8b2f0dca82 -SHA1 (patch-lib_isc_siphash.c) = 8999deb002e4fdb6b13e6f297298ef73c97042c3 -SHA1 (patch-lib_isc_time.c) = 04719dce1ad7328909fd584104b7bc20170b3c5e +SHA1 (patch-lib_isc_siphash.c) = 2dd80dde7bd8e869a3cf03c1699665b56eaaf866 +SHA1 (patch-lib_isc_time.c) = 22780fd25d89a0ece46ec1624b3977ca4c46281a SHA1 (patch-lib_isc_timer.c) = aea2019bbf3d84cad77af432a2bbdf0da8f2f893 SHA1 (patch-lib_ns_Makefile.am) = a91e1713185c4366e96bf52ebee38e3b7e35a0c6 SHA1 (patch-lib_ns_client.c) = 4093c82254321e6c6eaa40ea1cf738b3f9bda0bb SHA1 (patch-lib_ns_include_ns_pfilter.h) = cc86752971b4f9f7492283c4ad3ff29bc1bae237 SHA1 (patch-lib_ns_pfilter.c) = b0345f9b27e2bdd4f9a992cfc23616e027de4988 SHA1 (patch-lib_ns_query.c) = d947318dc6a261931928c4bf8b7f48efa9004a38 -SHA1 (patch-lib_ns_update.c) = 2fb3457da333143508d28420490cbc1cb69ddb19 +SHA1 (patch-lib_ns_update.c) = 941ca5601904e9b4cc5314148e955f5490a5d071 SHA1 (patch-lib_ns_xfrout.c) = 79d9e4add58ffd75ea9718f5501f1517e67416e3 Index: pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c diff -u pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c:1.1 pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c:1.2 --- pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c:1.1 Sun Dec 11 01:57:55 2022 +++ pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c Wed Feb 8 00:13:44 2023 
@@ -1,12 +1,12 @@ -$NetBSD: patch-lib_isc_siphash.c,v 1.1 2022/12/11 01:57:55 sekiya Exp $ +$NetBSD: patch-lib_isc_siphash.c,v 1.2 2023/02/08 00:13:44 taca Exp $ * Take from NetBSD base. ---- lib/isc/siphash.c.orig 2021-09-07 09:37:05.000000000 +0000 +--- lib/isc/siphash.c.orig 2023-01-12 22:21:15.270402532 +0000 +++ lib/isc/siphash.c -@@ -90,8 +90,14 @@ isc_siphash24(const uint8_t *k, const ui - REQUIRE(k != NULL); +@@ -93,8 +93,14 @@ isc_siphash24(const uint8_t *k, const ui REQUIRE(out != NULL); + REQUIRE(inlen == 0 || in != NULL); - uint64_t k0 = U8TO64_LE(k); - uint64_t k1 = U8TO64_LE(k + 8); Index: pkgsrc/net/bind918/patches/patch-lib_isc_time.c diff -u pkgsrc/net/bind918/patches/patch-lib_isc_time.c:1.1 pkgsrc/net/bind918/patches/patch-lib_isc_time.c:1.2 --- pkgsrc/net/bind918/patches/patch-lib_isc_time.c:1.1 Sun Dec 11 01:57:55 2022 +++ pkgsrc/net/bind918/patches/patch-lib_isc_time.c Wed Feb 8 00:13:44 2023 @@ -1,10 +1,10 @@ -$NetBSD: patch-lib_isc_time.c,v 1.1 2022/12/11 01:57:55 sekiya Exp $ +$NetBSD: patch-lib_isc_time.c,v 1.2 2023/02/08 00:13:44 taca Exp $ * More check time_t range. ---- lib/isc/time.c.orig 2020-05-06 09:59:35.000000000 +0000 +--- lib/isc/time.c.orig 2023-01-12 22:21:15.270402532 +0000 +++ lib/isc/time.c -@@ -285,7 +285,7 @@ isc_time_seconds(const isc_time_t *t) { +@@ -318,7 +318,7 @@ isc_time_seconds(const isc_time_t *t) { isc_result_t isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) { 
@@ -12,8 +12,8 @@ $NetBSD: patch-lib_isc_time.c,v 1.1 2022 + time_t seconds, i; REQUIRE(t != NULL); - INSIST(t->nanoseconds < NS_PER_S); -@@ -312,7 +312,18 @@ isc_time_secondsastimet(const isc_time_t + INSIST(t->nanoseconds < NS_PER_SEC); +@@ -345,7 +345,18 @@ isc_time_secondsastimet(const isc_time_t INSIST(sizeof(unsigned int) == sizeof(uint32_t)); INSIST(sizeof(time_t) >= sizeof(uint32_t)); Index: pkgsrc/net/bind918/patches/patch-lib_ns_update.c diff -u pkgsrc/net/bind918/patches/patch-lib_ns_update.c:1.1 pkgsrc/net/bind918/patches/patch-lib_ns_update.c:1.2 --- pkgsrc/net/bind918/patches/patch-lib_ns_update.c:1.1 Sun Dec 11 01:57:55 2022 +++ pkgsrc/net/bind918/patches/patch-lib_ns_update.c Wed Feb 8 00:13:44 2023 @@ -1,10 +1,10 @@ -$NetBSD: patch-lib_ns_update.c,v 1.1 2022/12/11 01:57:55 sekiya Exp $ +$NetBSD: patch-lib_ns_update.c,v 1.2 2023/02/08 00:13:44 taca Exp $ * Based on NetBSD, add support for blocklist(blacklist). ---- lib/ns/update.c.orig 2020-12-07 08:16:53.000000000 +0000 +--- lib/ns/update.c.orig 2023-01-12 22:21:15.274402517 +0000 +++ lib/ns/update.c -@@ -52,6 +52,10 @@ +@@ -55,6 +55,10 @@ #include #include 
@@ -15,27 +15,27 @@ $NetBSD: patch-lib_ns_update.c,v 1.1 202 /*! \file * \brief * This module implements dynamic update as in RFC2136. -@@ -340,6 +344,9 @@ checkqueryacl(ns_client_t *client, dns_a - - result = ns_client_checkaclsilent(client, NULL, queryacl, true); +@@ -358,6 +362,9 @@ checkqueryacl(ns_client_t *client, dns_a if (result != ISC_R_SUCCESS) { + int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO; + +#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H) + pfilter_notify(result, client, "queryacl"); +#endif dns_name_format(zonename, namebuf, sizeof(namebuf)); dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf)); -@@ -352,6 +359,9 @@ checkqueryacl(ns_client_t *client, dns_a +@@ -367,6 +374,9 @@ checkqueryacl(ns_client_t *client, dns_a "update '%s/%s' denied due to allow-query", namebuf, classbuf); - } else if (updateacl == NULL && ssutable == NULL) { + } else if (!update_possible) { +#if defined(HAVE_BLACKLIST_H) || defined(HAVE_BLOCKLIST_H) + pfilter_notify(result, client, "updateacl"); +#endif dns_name_format(zonename, namebuf, sizeof(namebuf)); dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf)); -@@ -393,6 +403,9 @@ checkupdateacl(ns_client_t *client, dns_ +@@ -409,6 +419,9 @@ checkupdateacl(ns_client_t *client, dns_ msg = "disabled"; } else { result = ns_client_checkaclsilent(client, NULL, acl, false); --_----------=_1675815225126400--
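Review bot: In the pkgsrc/net/bind918/Makefile hunk, BIND_VERSION moves from 9.18.9 straight to 9.18.11, while the log message carries only the "--- 9.18.11 released ---" block. Please add the changes of the skipped 9.18.10 release to the log, or state that there are none of note, so the security-relevant differences between the two packaged versions can be audited from the commit record. Dropping PKGREVISION in the same hunk as the version bump is correct.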
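Review bot: The PLIST hunk at -253,19 removes the seven lib/lib*-9.18.9.so entries without adding 9.18.11 counterparts, so the versioned shared objects are now covered only if they are picked up through the remaining .la entries. Please confirm against an installed 9.18.11 package that no lib/lib*-9.18.11.so file is left unlisted. If the names do need to be listed, write them with ${BIND_VERSION} and a matching PLIST_SUBST entry so the next update does not have to edit them by hand.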
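Review bot: The descriptions kept in patch-lib_isc_siphash.c ("* Take from NetBSD base.") and patch-lib_isc_time.c ("* More check time_t range.") do not say what the patched code changes or why pkgsrc needs it. Both patches were regenerated here (the hunk offsets move from -90,8 to -93,8 and from -285,7 / -312,7 to -318,7 / -345,7), so this is a good point to expand each comment to one sentence on the behaviour being changed and whether the change has been submitted upstream.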
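Review bot: In the checkqueryacl() hunks of patch-lib_ns_update.c, the second call, pfilter_notify(result, client, "updateacl"), sits in the `else if (!update_possible)` arm of `if (result != ISC_R_SUCCESS)`, so result is necessarily ISC_R_SUCCESS when it is passed. If pfilter_notify() derives success or failure from that argument, this denial is reported as a success and never counts against the client; pass an explicit failure code in that arm instead. The rebased context also replaces `updateacl == NULL && ssutable == NULL` with `!update_possible`, so please re-check that the "updateacl" label still describes the condition being reported.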