Subject: CVS commit: [pkgsrc-2014Q3] pkgsrc/net/bind910
From: Matthias Scheler
Date: 2014-12-10 20:53:09
Message id: 20141210195309.6205698@cvs.netbsd.org

Log Message:
Pullup ticket #4570 - requested by taca
net/bind910: security update

Revisions pulled up:
- net/bind910/Makefile                                          1.2-1.3
- net/bind910/PLIST                                             1.2-1.3
- net/bind910/distinfo                                          1.2-1.3
- net/bind910/patches/patch-bin_tests_system_Makefile.in        1.2
- net/bind910/patches/patch-configure                           1.2
- net/bind910/patches/patch-lib_bind9_Makefile.in               deleted
- net/bind910/patches/patch-lib_dns_Makefile.in                 deleted
- net/bind910/patches/patch-lib_dns_rbt.c                       1.2
- net/bind910/patches/patch-lib_isc_Makefile.in                 deleted
- net/bind910/patches/patch-lib_isccc_Makefile.in               deleted
- net/bind910/patches/patch-lib_isccfg_Makefile.in              deleted
- net/bind910/patches/patch-lib_lwres_Makefile.in               deleted
- net/bind910/patches/patch-lib_lwres_getaddrinfo.c             1.2

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Oct 14 16:23:19 UTC 2014

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo
   	pkgsrc/net/bind910/patches: patch-bin_tests_system_Makefile.in
   	    patch-configure patch-lib_dns_rbt.c patch-lib_lwres_getaddrinfo.c
   Removed Files:
   	pkgsrc/net/bind910/patches: patch-lib_bind9_Makefile.in
   	    patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in
   	    patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in
   	    patch-lib_lwres_Makefile.in

   Log Message:
   Update bind910 to 9.10.1.

   Security Fixes

      A query specially crafted to exploit a defect in EDNS option
      processing could cause named to terminate with an assertion
      failure, due to a missing isc_buffer_availablelength() check
      when formatting packet contents for logging. For more information,
      see the security advisory at https://kb.isc.org/article/AA-01166/.
      [CVE-2014-3859] [RT #36078]

      A programming error in the prefetch feature could cause named
      to crash with a "REQUIRE" assertion failure in name.c. For more
      information, see the security advisory at
      https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

   New Features

      Support for CAA record types, as described in RFC 6844 "DNS
      Certification Authority Authorization (CAA) Resource Record",
      was added. [RT#36625] [RT #36737]

      Disallow "request-ixfr" from being specified in zone statements
      where it is not valid (it is only valid for slave and redirect
      zones) [RT #36608]

      Support for CDS and CDNSKEY resource record types was added. For
      details see the proposed Informational Internet-Draft "Automating
      DNSSEC Delegation Trust Maintenance" at
      http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
      [RT #36333]

      Added version printing options to various BIND utilities. [RT #26057]
      [RT #10686]

      Optionally allows libseccomp-based (secure computing mode)
      system-call filtering on Linux. This sandboxing mechanism may
      be used to isolate "named" from various system resources. Use
      "configure --enable-seccomp" at build time to enable it.  Thank you
      to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]

   Feature Changes

      "geoip asnum" ACL elements would not match unless the full
      organization name was specified.  They can now match against the
      AS number alone (e.g., AS1234). [RT #36945]

      Adds RPZ SOA to the additional section of responses to clearly
      indicate the use of RPZ in a manner that is intended to avoid
      causing issues for downstream resolvers and forwarders [RT #36507]

      rndc now gives distinct error messages when an unqualified zone
      name matches multiple views vs. matching no views [RT #36691]

      Improves the accuracy of dig's reported round trip times.  [RT #36611]

      When an SPF record exists in a zone but no equivalent TXT record
      does, a warning will be issued.  The warning for the reverse
      condition is no longer issued. See the check-spf option in the
      documentation for details. [RT #36210]

      Aging of smoothed round-trip time measurements is now limited
      to no more than once per second, to improve accuracy in selecting
      the best name server. [RT #32909]

      DNSSEC keys that have been marked active but have no publication
      date are no longer presumed to be publishable. [RT #35063]

   Bug Fixes

      The Makefile in bin/python was changed to work around a bmake
      bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)

      Corrected bugs in the handling of wildcard records by the DNSSEC
      validator: invalid wildcard expansions could be treated as valid
      if signed, and valid wildcard expansions in NSEC3 opt-out ranges
      had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]

      An assertion failure could occur if a route event arrived while
      shutting down. [RT #36887]

      When resigning, dnssec-signzone was removing all signatures from
      delegation nodes. It now retains DS and (if applicable) NSEC
      signatures.  [RT #36946]

      The AD flag was being set inappropriately on RPZ responses. [RT #36833]

      Updates the URI record type to current draft standard,
      draft-faltstrom-uri-08, and allows the value field to be zero
      length [RT #36642] [RT #36737]

      On some platforms, overhead from DSCP tagging caused a performance
      regression between BIND 9.9 and BIND 9.10.  [RT #36534]

      RRSIG sets that were not loaded in a single transaction at start
      up were not being correctly added to re-signing heaps.  [RT #36302]

      Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]

      Fixed a bug where some updated policy zone contents could be
      ignored due to stale RPZ summary information [RT #35885]

      A race condition could cause a crash in isc_event_free during
      shutdown.  [RT #36720]

      Addresses some problems with unrecoverable lookup failures. [RT #36330]

      Addresses a race condition issue in dispatch. [RT #36731]

      acl elements could be miscounted, causing a crash while loading
      a config [RT #36675]

      Corrects a deadlock between view.c and adb.c. [RT #36341]

      liblwres wasn't properly handling link-local addresses in
      nameserver clauses in resolv.conf. [RT #36039]

      Disable the GCC 4.9 "delete null pointer check" optimizer option,
      and refactor dns_rdataslab_fromrdataset() to separate out the
      handling of an rdataset with no records. This fixes problems
      when using GNU GCC 4.9.0 where its compiler code optimizations
      may cause crashes in BIND. For more information, see the operational
      advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]

      Fixed a bug that could cause repeated resigning of records in
      dynamically signed zones. [RT #35273]

      Fixed a bug that could cause an assertion failure after forwarding
      was disabled. [RT #35979]

      Fixed a bug that caused GeoIP ACLs not to work when referenced
      indirectly via named or nested ACLs. [RT #35879]

      Fixed a bug that could cause problems with cache cleaning when
      SIT was enabled. [RT #35858]

      Fixed a bug that caused SERVFAILs when using RPZ on a system
      configured as a forwarder. [RT #36060]

      Worked around a limitation in Solaris's /dev/poll implementation
      that could cause named to fail to start when configured to use
      more sockets than the system could accommodate. [RT #35878]

      Fixed a bug that could cause an assertion failure when inserting
      and deleting parent and child nodes in a response-policy zone.
      [RT #36272]

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Dec  8 21:59:09 UTC 2014

   Modified Files:
   	pkgsrc/net/bind910: Makefile PLIST distinfo

   Log Message:
   Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1).

   	--- 9.10.1-P1 released ---

   4006.	[security]	A flaw in delegation handling could be exploited
   			to put named into an infinite loop.  This has
   			been addressed by placing limits on the number
   			of levels of recursion named will allow (default 7),
   			and the number of iterative queries that it will
   			send (default 50) before terminating a recursive
   			query (CVE-2014-8500).

   			The recursion depth limit is configured via the
   			"max-recursion-depth" option, and the query limit
   			via the "max-recursion-queries" option.  [RT #37580]

   4003.	[security]	When geoip-directory was reconfigured during
   			named run-time, the previously loaded GeoIP
   			data could remain, potentially causing wrong
   			ACLs to be used or wrong results to be served
   			based on geolocation (CVE-2014-8680). [RT #37720]

   4002.	[security]	Lookups in GeoIP databases that were not
   			loaded could cause an assertion failure
   			(CVE-2014-8680). [RT #37679]

   4001.	[security]	The caching of GeoIP lookups did not always
   			handle address families correctly, potentially
   			resulting in an assertion failure (CVE-2014-8680).
   			[RT #37672]

Files:
Revision      Action   File
1.1.1.1.2.1   modify   pkgsrc/net/bind910/Makefile
1.1.1.1.2.1   modify   pkgsrc/net/bind910/PLIST
1.1.1.1.2.1   modify   pkgsrc/net/bind910/distinfo
1.1.1.1.2.1   modify   pkgsrc/net/bind910/patches/patch-bin_tests_system_Makefile.in
1.1.1.1.2.1   modify   pkgsrc/net/bind910/patches/patch-configure
1.1.1.1.2.1   modify   pkgsrc/net/bind910/patches/patch-lib_dns_rbt.c
1.1.1.1.2.1   modify   pkgsrc/net/bind910/patches/patch-lib_lwres_getaddrinfo.c
1.1.1.1       remove   pkgsrc/net/bind910/patches/patch-lib_bind9_Makefile.in
1.1.1.1       remove   pkgsrc/net/bind910/patches/patch-lib_dns_Makefile.in
1.1.1.1       remove   pkgsrc/net/bind910/patches/patch-lib_isc_Makefile.in
1.1.1.1       remove   pkgsrc/net/bind910/patches/patch-lib_isccc_Makefile.in
1.1.1.1       remove   pkgsrc/net/bind910/patches/patch-lib_isccfg_Makefile.in
1.1.1.1       remove   pkgsrc/net/bind910/patches/patch-lib_lwres_Makefile.in
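The recursion limits described in entry 4006 above (CVE-2014-8500), as an added example that is not part of this pullup or of BIND: a toy iterative resolver in Python that chases glueless delegations and enforces both a recursion-depth limit and an iterative-query budget, with defaults 7 and 50 taken from the release note. All zone data is constructed (the names under .test, a two-server delegation cycle, and a wide fan-out tree are made up), and the data model, in which a delegation record carries the answer its server would give once reached, is a simplification of how a resolver really follows referrals, not named's representation.

```python
"""Toy iterative resolver showing the CVE-2014-8500 mitigation from the
BIND 9.10.1-P1 notes: bound the recursion depth (glueless delegation chains
whose name servers must themselves be resolved first) and the number of
iterative queries sent on behalf of one client query.

Added example, not BIND code. Every name and record below is constructed.
"""


class RecursionLimitExceeded(Exception):
    """Raised when a limit trips; `limit` is "depth" or "queries"."""

    def __init__(self, limit, detail):
        super().__init__(f"{limit} limit exceeded: {detail}")
        self.limit = limit


# Constructed authoritative data, name -> record:
#   ("A", ip)                  final answer
#   ("NS", [names], answer)    glueless delegation: each listed server's own
#                              address must be resolved before it can be asked;
#                              once reached it answers `answer` (None = nothing)
# A name that is absent means "no data", which ends that branch of the chase.
GOOD = {
    "www.good.test": ("NS", ["ns.good.test"], "192.0.2.10"),
    "ns.good.test": ("A", "192.0.2.53"),
}

# Delegation cycle: ns.a.test is served by ns.b.test and vice versa, so the
# chase never reaches a server it can ask.
LOOP = {
    "www.loop.test": ("NS", ["ns.a.test"], "192.0.2.20"),
    "ns.a.test": ("NS", ["ns.b.test"], None),
    "ns.b.test": ("NS", ["ns.a.test"], None),
}


def build_fanout(apex, depth, width):
    """Constructed tree: every name is delegated to `width` glueless servers one
    level down and the leaves have no data, so the whole tree is searched in
    vain. Shallow but wide, which is what a query budget is for."""
    data = {}

    def add(name, level):
        if level == depth:
            return
        servers = [f"ns{i}.{name}" for i in range(width)]
        data[name] = ("NS", servers, None)
        for ns in servers:
            add(ns, level + 1)

    add(apex, 0)
    return data


class Resolver:
    # Defaults match the max-recursion-depth / max-recursion-queries defaults
    # quoted in the release note; None disables the corresponding limit.
    def __init__(self, data, max_recursion_depth=7, max_recursion_queries=50):
        self.data = data
        self.max_recursion_depth = max_recursion_depth
        self.max_recursion_queries = max_recursion_queries
        self.queries_sent = 0

    def _send(self, name):
        """Send one iterative query and count it against the query budget."""
        self.queries_sent += 1
        if (self.max_recursion_queries is not None
                and self.queries_sent > self.max_recursion_queries):
            raise RecursionLimitExceeded(
                "queries",
                f"{self.queries_sent} > {self.max_recursion_queries} at {name}")
        return self.data.get(name)

    def resolve(self, name, depth=0):
        """Return the address for `name`, or None if the data runs out."""
        if (self.max_recursion_depth is not None
                and depth > self.max_recursion_depth):
            raise RecursionLimitExceeded(
                "depth", f"{depth} > {self.max_recursion_depth} at {name}")
        rec = self._send(name)
        if rec is None:
            return None
        if rec[0] == "A":
            return rec[1]
        _, servers, answer = rec
        for ns in servers:
            # Locating a glueless name server is one level of recursion deeper.
            if self.resolve(ns, depth + 1) is None:
                continue
            self._send(name)  # the query to the server we have just located
            return answer
        return None


def chase(data, name, **limits):
    """Resolve `name` and report (outcome, queries_sent); the outcome is the
    address, None when the data runs out, or the name of the limit that hit."""
    r = Resolver(data, **limits)
    try:
        return r.resolve(name), r.queries_sent
    except RecursionLimitExceeded as e:
        return e.limit, r.queries_sent


if __name__ == "__main__":
    print(chase(GOOD, "www.good.test"))     # ('192.0.2.10', 3)
    print(chase(LOOP, "www.loop.test"))     # ('depth', 8)
    wide = build_fanout("www.wide.test", depth=4, width=3)
    print(chase(wide, "www.wide.test"))     # ('queries', 51)
    print(chase(wide, "www.wide.test",
                max_recursion_depth=None, max_recursion_queries=None))  # (None, 121)
```

The cycle trips the depth limit after eight queries, while the fan-out tree never goes deeper than four levels and is stopped only by the query budget; with both limits off it costs 121 queries for nothing, and a cycle would not terminate at all. On a real 9.10.1-P1 named the same two knobs are the max-recursion-depth and max-recursion-queries options named in entry 4006; lowering them shortens the time an attacker-controlled delegation can consume at the cost of failing resolution for legitimately deep glueless chains.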