2013-11-07 05:22:22 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Update bind98 to 9.8.6pl1 (BIND 9.8.6-P1).
Security Fixes
Treat an all zero netmask as invalid when generating the localnets
acl. A Winsock library call on some Windows systems can return
an incorrect value for an interface's netmask, potentially causing
unexpected matches to BIND's built-in "localnets" Access Control
List. (CVE-2013-6230) [RT #34687]
|
2013-09-21 17:59:01 by Takahiro Kambe | Files touched by this commit (7) |
Log message:
Update bind98 to 9.8.6 (BIND 9.8.6).
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.)
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending tcp connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
Fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
|
2013-07-27 05:20:53 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Update bind98 to 9.8.5pl2 (BIND 9.8.5-P2).
--- 9.8.5-P2 released ---
3621. [security] Incorrect bounds checking on private type 'keydata'
can lead to a remotely triggerable REQUIRE failure
(CVE-2013-4854). [RT #34238]
|
2013-07-12 12:45:05 by Jonathan Perkin | Files touched by this commit (181) |
Log message:
Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
|
2013-06-06 04:56:36 by Takahiro Kambe | Files touched by this commit (4) |
Log message:
Update bind98 to 9.8.5pl1 (BIND 9.8.5-P1).
Please refer to the CHANGES file for complete changes; here is a quote from
the release announcement.
Introduction
BIND 9.8.5-P1 is the latest production release of BIND 9.8.
Security Fixes
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
A deliberately constructed combination of records could cause
named to hang while populating the additional section of a
response. (CVE-2012-5166) [RT #31090]
Now supports NAPTR regular expression validation on all platforms,
and avoids memory exhaustion compiling pathological regular
expressions. (CVE-2013-2266) [RT #32688]
Prevents named from aborting with a require assertion failure
on servers with DNS64 enabled. These crashes might occur as a
result of specific queries that are received. (CVE-2012-5688)
[RT #30792 / #30996]
Prevents an assertion failure in named when RPZ and DNS64 are
used together. (CVE-2012-5689) [RT #32141]
New Features
Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]
Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]
Adds support for the EUI48 and EUI64 RR types. [RT #33082]
Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]
|
2013-05-31 14:42:58 by Thomas Klausner | Files touched by this commit (2880) |
Log message:
Bump all packages for perl-5.18, that
a) refer to 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
|
2013-04-08 17:53:36 by Fredrik Pettai | Files touched by this commit (1) |
Log message:
new rrl patch, new checksum
|
2013-04-06 05:45:29 by Blue Rats | Files touched by this commit (152) |
Log message:
Fixes:
COMMENT should not be longer than 70 characters.
COMMENT should not begin with 'A'.
COMMENT should not begin with 'An'.
COMMENT should not begin with 'a'.
COMMENT should not end with a period.
COMMENT should start with a capital letter.
pkglint warnings. Some files also got minor formatting, spelling, and style
corrections.
|
2013-03-27 13:03:55 by Fredrik Pettai | Files touched by this commit (2) |
Log message:
Also update the corresponding RRL patch + distinfo file
|
2013-03-26 23:12:56 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Update bind98 to 9.8.4pl2 (BIND 9.8.4-P2).
--- 9.8.4-P2 released ---
3516. [security] Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]
|