Navigation:
Browse pkgsrc
(this page)| 2012-04-05 02:39:34 by Takahiro Kambe | Files touched by this commit (6) |
Log message:
Update bind98 pacakge to 9.8.2.
Security Fixes
+ BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could
crash the resolvers with an assertion failure. [RT #26590]
[CVE-2011-4313]
Feature Changes
+ RPZ implementation now conforms to version 3 of the specification.
[RT #27316]
+ It is now possible to explicitly disable DLV in named.conf by
specifying "dnssec-lookaside no;". This is the default, but the
ability to configure it makes it clearly visible to administrators.
[RT #24858]
+ --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]
|
| 2012-03-12 16:40:16 by Takahiro Kambe | Files touched by this commit (3) |
Log message: Don't install doc/arm HTML files twice. |
| 2011-11-17 01:48:09 by Takahiro Kambe | Files touched by this commit (2) |
Log message: Fix build problem on NetBSD current, maybe caused by newer gcc. * Avoid to use true as variable name. |
| 2011-11-16 22:34:44 by S.P.Zeidler | Files touched by this commit (2) |
Log message: BIND 9.8.1-P1 is security patch for BIND 9.8.1. * BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] |
| 2011-10-08 00:37:06 by Sergey Svishchev | Files touched by this commit (40) |
Log message: PR/29576 -- Use @RCD_SCRIPTS_SHELL@ in rc.d scripts, not /bin/sh |
| 2011-09-01 05:44:35 by Takahiro Kambe | Files touched by this commit (5) |
Log message:
Update bind98 package to 9.8.1.
pkgsrc change: add a patch to fix build problem with some PKG_OPTIONS,
such as "ldap".
New Features
9.8.1
* Added a new include file with function typedefs for the DLZ
"dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
* The root key is now provided in the file bind.keys allowing DNSSEC
validation to be switched on at start up by adding
"dnssec-validation auto;" to named.conf. If the root key provided
has expired, named will log the expiration and validation will not
work. More information and the most current copy of bind.keys can
be found at http://www.isc.org/bind-keys. *Please note this feature
was actually added in 9.8.0 but was not included in the 9.8.0
release notes. [RT #21727]
Security Fixes
9.8.1
* If named is configured with a response policy zone (RPZ) and a
query of type RRSIG is received for a name configured for RRset
replacement in that RPZ, it will trigger an INSIST and crash the
server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independant. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
requests, which some Windows clients wanted. This exposed a latent
bug that allowed the response message to crash named. With this
fix, change 2912 has been reduced to copy only the zone section to
the reply. A more complete fix for the latent bug will be released
later. [RT #24777]
Feature Changes
9.8.1
* Merged in the NetBSD ATF test framework (currently version 0.12)
for development of future unit tests. Use configure --with-atf to
build ATF internally or configure --with-atf=prefix to use an
external copy. [RT #23209]
* Added more verbose error reporting from DLZ LDAP. [RT #23402]
* The DLZ "dlopen" driver is now built by default, no longer
requiring a configure option. To disable it, use "configure
--without-dlopen". (Note: driver not supported on win32.) [RT
#23467]
* Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
* Make --with-gssapi default for ./configure. [RT #23738]
* Improved the startup time for an authoritative server with a large
number of zones by making the zone task table of variable size
rather than fixed size. This means that authoritative servers with
lots of zones will be serving that zone data much sooner. [RT
#24406]
* Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
list of empty zones. [RT #24990]
|
| 2011-07-05 15:35:29 by Takahiro Kambe | Files touched by this commit (2) |
Log message: Update bind98 package to 9.8.0pl4 (9.8.0-P4), security release. Introduction BIND 9.8.0-P4 is security patch for BIND 9.8.0. Please see the CHANGES file in the source code release for a complete list of all changes. --- 9.8.0-P4 released --- 3124. [bug] Use an rdataset attribute flag to indicate negative-cache records rather than using rrtype 0; this will prevent problems when that rrtype is used in actual DNS packets. [RT #24777] --- 9.8.0-P3 released (withdrawn) --- 3126. [security] Using DNAME record to generate replacements caused RPZ to exit with a assertion failure. [RT #23766] 3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with a assertion failure. [RT #24715] 3123. [security] Change #2912 exposed a latent flaw in dns_rdataset_totext() that could cause named to crash with an assertion failure. [RT #24777] 3115. [bug] Named could fail to return requested data when following a CNAME that points into the same zone. [RT #2445] |
| 2011-05-27 08:45:31 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Update bind98 package to 9.8.0pl2(9.8.0-P2)
--- 9.8.0-P2 released ---
3121. [security] An authoritative name server sending a negative
response containing a very large RRset could
trigger an off-by-one error in the ncache code
and crash named. [RT #24650]
3120. [bug] Named could fail to validate zones listed in a DLV
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631]
|
| 2011-05-06 02:34:32 by Takahiro Kambe | Files touched by this commit (2) |
Log message: Update bind98 pacakge to 9.8.0p1 (9.8.0-P1). Fixes https://www.isc.org/CVE-2011-1907. --- 9.8.0-P1 released --- 3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280] |
New packages: