pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/net/bind912 net/bind912: update to 9.12.4pl1
details: https://anonhg.NetBSD.org/pkgsrc/rev/99f942322831
branches: trunk
changeset: 333068:99f942322831
user: taca <taca%pkgsrc.org@localhost>
date: Tue Apr 30 02:46:16 2019 +0000
description:
net/bind912: update to 9.12.4pl1
Update bind912 to 9.12.4pl1 (BIND 9.12.4-P1).
Fix security problems CVE-2018-5743 and CVE-2019-6467 and overhaul pkgsrc.
Now there is no need to change namedb's permission under NetBSD.
pkgsrc changes:
* Simplify DESCR.
* Update note about required directories.
* Drop pkg-config from USE_TOOLS.
* Drop non-existent configure arguments and PKG_OPTIONS:
- fetchlimit
- sit
* Sort PLIST.
Please refer to the CHANGES file for details of changes before the 9.12.4 release:
--- 9.12.4-P1 released ---
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
5199. [security] In certain configurations, named could crash
if nxdomain-redirect was in use and a redirected
query resulted in an NXDOMAIN from the cache.
(CVE-2019-6467) [GL #880]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
redirect name. [GL #892]
diffstat:
net/bind912/DESCR | 15 +--------
net/bind912/MESSAGE | 12 ++++++--
net/bind912/Makefile | 7 ++--
net/bind912/PLIST | 6 ++--
net/bind912/distinfo | 15 ++++++----
net/bind912/options.mk | 13 +-------
net/bind912/patches/patch-bin_named_server.c | 23 +++++++++++++++
net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c | 30 ++++++++++++++++++++
net/bind912/patches/patch-lib_dns_view.c | 15 ++++++++++
net/bind912/patches/patch-lib_isc_unix_socket.c | 14 +--------
10 files changed, 98 insertions(+), 52 deletions(-)
diffs (291 lines):
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/DESCR
--- a/net/bind912/DESCR Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/DESCR Tue Apr 30 02:46:16 2019 +0000
@@ -1,16 +1,5 @@
-BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
-of nearly all aspects of the underlying BIND architecture. Some
-of the important features of BIND-9 are:
-
- - DNS Security
- - IP version 6
- - DNS Protocol Enhancements
- - Views
- - Multiprocessor Support
- - Improved Portability Architecture
- - Full NSEC3 support
- - Automatic zone re-signing
- - New update-policy methods tcp-self and 6to4-self
+BIND, the Berkeley Internet Name Daemon. This package contains the BIND
+9.12 release.
This package contains the BIND 9.12 release.
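Review bot: the added sentence "This package contains the BIND 9.12 release." duplicates the unchanged context line that follows it, so DESCR now says it twice. Keep only one: either end the new first paragraph at "BIND, the Berkeley Internet Name Daemon." or delete the retained last line.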
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/MESSAGE
--- a/net/bind912/MESSAGE Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/MESSAGE Tue Apr 30 02:46:16 2019 +0000
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.1 2018/09/09 13:16:01 taca Exp $
+$NetBSD: MESSAGE,v 1.2 2019/04/30 02:46:16 taca Exp $
Please consider running BIND under the pseudo user account "${BIND_USER}"
in a chroot environment for security reasons.
@@ -7,7 +7,13 @@
To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
the directory with the chroot environment e.g. "${BIND_DIR}".
-Note: named(8) requires writable permission to current directory when
-start up or the directory specified by "directory" in options statement.
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+ cache
+ keys
+ nta
+
+Make sure to these directories exists with writable by "${BIND_USER}" user.
===========================================================================
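Review bot: the new Note paragraph is hard to parse ("which specified by", "Make sure to these directories exists with writable by") and should be reworded, for example: 'named(8) requires the following directories under the directory set by "directory" in the "options" statement ("/etc/namedb"), each writable by the "${BIND_USER}" user'. Since the paragraph above recommends a chroot at "${BIND_DIR}", also say whether "/etc/namedb" here means the path inside the chroot, so the directories are created in the right place.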
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/Makefile
--- a/net/bind912/Makefile Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/Makefile Tue Apr 30 02:46:16 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.9 2019/02/22 01:24:24 taca Exp $
+# $NetBSD: Makefile,v 1.10 2019/04/30 02:46:16 taca Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
@@ -15,7 +15,7 @@
MAKE_JOBS_SAFE= no
USE_CWRAPPERS= no
-BIND_VERSION= 9.12.3-P4
+BIND_VERSION= 9.12.4-P1
.include "../../mk/bsd.prefs.mk"
@@ -23,14 +23,13 @@
.include "options.mk"
-USE_TOOLS+= pax perl pkg-config
+USE_TOOLS+= pax perl
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-libtool
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= --localstatedir=${VARBASE}
-CONFIGURE_ARGS+= --disable-openssl-version-check
CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
CONFIGURE_ARGS+= --with-python=no
.if !empty(MACHINE_PLATFORM:MNetBSD-*-m68k) || \
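Review bot: the removal of "--disable-openssl-version-check" from CONFIGURE_ARGS is not covered by the description, which names only fetchlimit and sit under the dropped configure arguments. If it is dropped because configure no longer accepts it, add it to that list in the log; if the OpenSSL version check is meant to be active again, that is a behaviour change worth stating explicitly.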
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/PLIST
--- a/net/bind912/PLIST Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/PLIST Tue Apr 30 02:46:16 2019 +0000
@@ -1,15 +1,15 @@
-@comment $NetBSD: PLIST,v 1.2 2019/01/17 08:53:37 he Exp $
+@comment $NetBSD: PLIST,v 1.3 2019/04/30 02:46:16 taca Exp $
bin/arpaname
bin/bind9-config
bin/delv
bin/dig
+${PLIST.dnstap}bin/dnstap-read
bin/host
bin/isc-config.sh
bin/mdig
bin/named-rrchecker
bin/nslookup
bin/nsupdate
-${PLIST.dnstap}bin/dnstap-read
include/bind9/check.h
include/bind9/getaddresses.h
include/bind9/version.h
@@ -283,6 +283,7 @@
man/man1/bind9-config.1
man/man1/delv.1
man/man1/dig.1
+${PLIST.dnstap}man/man1/dnstap-read.1
man/man1/host.1
man/man1/isc-config.sh.1
man/man1/mdig.1
@@ -312,7 +313,6 @@
${PLIST.pkcs11}man/man8/pkcs11-keygen.8
${PLIST.pkcs11}man/man8/pkcs11-list.8
${PLIST.pkcs11}man/man8/pkcs11-tokens.8
-${PLIST.dnstap}man/man1/dnstap-read.1
man/man8/rndc-confgen.8
man/man8/rndc.8
man/man8/tsig-keygen.8
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/distinfo
--- a/net/bind912/distinfo Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/distinfo Tue Apr 30 02:46:16 2019 +0000
@@ -1,12 +1,15 @@
-$NetBSD: distinfo,v 1.6 2019/02/22 01:24:24 taca Exp $
+$NetBSD: distinfo,v 1.7 2019/04/30 02:46:16 taca Exp $
-SHA1 (bind-9.12.3-P4.tar.gz) = 883c1513e0c97887db2c57625b1c6ad5f15f8078
-RMD160 (bind-9.12.3-P4.tar.gz) = a5a314a370e53ac2cb3c743c4886b8b538a2bd63
-SHA512 (bind-9.12.3-P4.tar.gz) = 42c41f47a0282dc08ee875fe098ce84b26384dba5efbaf99b557d34c4271e0d6aac70126f280a3ee157e8604cce16901c8cd51fab791dec82f4a3d00c054f363
-Size (bind-9.12.3-P4.tar.gz) = 8627833 bytes
+SHA1 (bind-9.12.4-P1.tar.gz) = e1406e294aee810e32f93d60bd45b15b5d1f76e9
+RMD160 (bind-9.12.4-P1.tar.gz) = b656fbd38b80fc59bcd592803671e80825e6e24a
+SHA512 (bind-9.12.4-P1.tar.gz) = 1c07f6e10cb9fd499c4231e8290da94da1f5f4294c664635eac82bdb10be9a01119208fe2c15f5d28f50e3c2cdec7b553851b7676b65792f3f21de071587297d
+Size (bind-9.12.4-P1.tar.gz) = 7914907 bytes
+SHA1 (patch-bin_named_server.c) = dee624cc8a664abe74959ab40cea53d85872f672
+SHA1 (patch-bin_pkcs11_pkcs11-keygen.c) = d953bf48aadcdf7e95975d335167cc50f54ef91e
SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
SHA1 (patch-configure) = 7d74eef1002351a5513c7c617e28721b39de65d0
SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = 2b73d1fb3b5d807e83aab125325b7096ed9e4036
+SHA1 (patch-lib_dns_view.c) = 93ef5f1e303cc362818ddd0135f267c5090af40d
+SHA1 (patch-lib_isc_unix_socket.c) = d02f33800eb17d4818c72d79a226ab01b6bf12ad
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/options.mk
--- a/net/bind912/options.mk Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/options.mk Tue Apr 30 02:46:16 2019 +0000
@@ -1,11 +1,10 @@
-# $NetBSD: options.mk,v 1.3 2019/01/17 08:53:37 he Exp $
+# $NetBSD: options.mk,v 1.4 2019/04/30 02:46:16 taca Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.bind912
PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
PKG_SUPPORTED_OPTIONS+= bind-json-statistics-server
PKG_SUPPORTED_OPTIONS+= inet6 threads readline mysql pgsql ldap dlz-filesystem
-PKG_SUPPORTED_OPTIONS+= fetchlimit geoip pkcs11 sit tuning dnstap
-PKG_SUGGESTED_OPTIONS+= readline
+PKG_SUPPORTED_OPTIONS+= geoip pkcs11 tuning dnstap
PLIST_VARS+= inet6 pkcs11 dnstap
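Review bot: dropping "PKG_SUGGESTED_OPTIONS+= readline" in this hunk changes the default option set, and the description does not mention it (it lists only fetchlimit and sit). If the removal is intentional, say so in the log. It is also worth noting there that existing PKG_OPTIONS.bind912 settings naming fetchlimit or sit no longer match a supported option.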
@@ -59,10 +58,6 @@
CONFIGURE_ARGS+= --with-dlz-filesystem
.endif
-.if !empty(PKG_OPTIONS:Mfetchlimit)
-CONFIGURE_ARGS+= --enable-fetchlimit
-.endif
-
.if !empty(PKG_OPTIONS:Mgeoip)
CONFIGURE_ARGS+= --with-geoip=${PREFIX}
LDFLAGS+= -lGeoIP
@@ -74,10 +69,6 @@
PLIST.pkcs11= yes
.endif
-.if !empty(PKG_OPTIONS:Msit)
-CONFIGURE_ARGS+= --enable-sit
-.endif
-
.if !empty(PKG_OPTIONS:Mtuning)
CONFIGURE_ARGS+= --with-tuning=large
.endif
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/patches/patch-bin_named_server.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-bin_named_server.c Tue Apr 30 02:46:16 2019 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-bin_named_server.c,v 1.1 2019/04/30 02:46:16 taca Exp $
+
+* Disable checking working directory is writable as BIND_USER in NetBSD
+ base system.
+
+--- bin/named/server.c.orig 2019-04-06 01:27:27.000000000 +0000
++++ bin/named/server.c
+@@ -8760,6 +8760,7 @@ load_configuration(const char *filename,
+ named_os_changeuser();
+ }
+
++#if 0
+ /*
+ * Check that the working directory is writable.
+ */
+@@ -8770,6 +8771,7 @@ load_configuration(const char *filename,
+ result = ISC_R_NOPERM;
+ goto cleanup;
+ }
++#endif
+
+ #ifdef HAVE_LMDB
+ /*
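Review bot: the "#if 0" / "#endif" pair is unconditional, so the working-directory writability check and its "result = ISC_R_NOPERM; goto cleanup;" exit are compiled out on every platform this package builds on, while the patch comment scopes the change to NetBSD. With the check gone, a working directory that the BIND user cannot write no longer stops load_configuration() at this point, and the problem only shows up later when named tries to write there. Consider a platform guard in place of "#if 0", or state in the patch comment that the check is removed everywhere and rely on the MESSAGE note about the cache, keys and nta directories.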
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c Tue Apr 30 02:46:16 2019 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-bin_pkcs11_pkcs11-keygen.c,v 1.1 2019/04/30 02:46:16 taca Exp $
+
+* Honor HAVE_PKCS11_ECDSA.
+
+--- bin/pkcs11/pkcs11-keygen.c.orig 2019-02-27 23:42:04.000000000 +0000
++++ bin/pkcs11/pkcs11-keygen.c
+@@ -421,13 +421,23 @@ main(int argc, char *argv[]) {
+ id_offset = ECC_ID;
+
+ if (bits == 256) {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_prime256v1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_prime256v1);
++#else
++ fprintf(stderr, "PRIME256v1 is not supported\n");
++ usage();
++#endif
+ } else {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_secp384r1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_secp384r1);
++#else
++ fprintf(stderr, "SEP384r1 is not supported\n");
++ usage();
++#endif
+ }
+
+ break;
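Review bot: the second added error message reads "SEP384r1 is not supported", but the curve it stands in for is pk11_ecc_secp384r1, so it should read "SECP384r1". Both "#else" branches also depend on usage() not returning: if it can return, public_template[4] is left unset and execution still reaches "break". Finally, "#if HAVE_PKCS11_ECDSA" breaks the build when the macro is defined with no value; "#ifdef HAVE_PKCS11_ECDSA" is safer unless configure always defines it to a number.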
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/patches/patch-lib_dns_view.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-lib_dns_view.c Tue Apr 30 02:46:16 2019 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_view.c,v 1.1 2019/04/30 02:46:16 taca Exp $
+
+* Use nta sub-directory as NetBSD base system.
+
+--- lib/dns/view.c.orig 2019-04-06 01:27:27.000000000 +0000
++++ lib/dns/view.c
+@@ -106,7 +106,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+ goto cleanup_view;
+ }
+
+- result = isc_file_sanitize(NULL, view->name, "nta",
++ result = isc_file_sanitize("nta", view->name, "nta",
+ buffer, sizeof(buffer));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
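Review bot: the new first argument hard-codes a relative "nta" directory on every platform, while the patch comment motivates it only by the NetBSD base system layout. The generated file name now depends on an "nta" sub-directory that exists and is writable by the BIND user, and the only place that requirement is stated is the MESSAGE note asking the administrator to create it by hand. Consider having the package create the directory, or say in the patch comment that the layout is applied on all platforms on purpose.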
diff -r e5c51e1d49cf -r 99f942322831 net/bind912/patches/patch-lib_isc_unix_socket.c
--- a/net/bind912/patches/patch-lib_isc_unix_socket.c Tue Apr 30 02:32:29 2019 +0000
+++ b/net/bind912/patches/patch-lib_isc_unix_socket.c Tue Apr 30 02:46:16 2019 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:46 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.3 2019/04/30 02:46:16 taca Exp $
Apply fix from NetBSD revision 1.24.
---- lib/isc/unix/socket.c.orig 2018-10-06 05:51:22.000000000 +0000
+--- lib/isc/unix/socket.c.orig 2019-02-27 23:42:04.000000000 +0000
+++ lib/isc/unix/socket.c
@@ -257,6 +257,7 @@ typedef enum { poll_idle, poll_active, p
(e) == EWOULDBLOCK || \
@@ -12,13 +12,3 @@
(e) == 0)
#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-@@ -1574,7 +1575,8 @@ build_msghdr_send(isc__socket_t *sock, c
-
- #if defined(IPV6_USE_MIN_MTU)
- if ((sock->type == isc_sockettype_udp) &&
-- ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
-+ ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0) &&
-+ (sock->pf == AF_INET6))
- {
- int use_min_mtu = 1; /* -1, 0, 1 */
-
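Review bot: the build_msghdr_send hunk that added "(sock->pf == AF_INET6)" to the IPV6_USE_MIN_MTU condition is dropped without explanation, and the patch header still reads only "Apply fix from NetBSD revision 1.24." If the 2019-02-27 upstream socket.c already carries that check, say so in the log or the patch comment; otherwise the restriction of the min-MTU branch to IPv6 sockets is lost and the hunk should stay.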