pkgsrc-Changes-HG archive

[pkgsrc/pkgsrc-2019Q1]: pkgsrc/net/bind912 Pullup ticket #5957 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/83296ee553f5
branches:  pkgsrc-2019Q1
changeset: 334032:83296ee553f5
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun May 12 20:37:28 2019 +0000

description:
Pullup ticket #5957 - requested by taca
net/bind912: security update

Revisions pulled up:
- net/bind912/DESCR                                             1.2
- net/bind912/MESSAGE                                           1.2
- net/bind912/Makefile                                          1.10-1.11
- net/bind912/PLIST                                             1.3
- net/bind912/distinfo                                          1.7-1.8
- net/bind912/options.mk                                        1.4
- net/bind912/patches/patch-bin_named_server.c                  1.1-1.2
- net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c          1.1
- net/bind912/patches/patch-lib_dns_view.c                      1.1
- net/bind912/patches/patch-lib_isc_unix_socket.c               1.3

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Tue Apr 30 02:46:16 UTC 2019

   Modified Files:
        pkgsrc/net/bind912: DESCR MESSAGE Makefile PLIST distinfo options.mk
        pkgsrc/net/bind912/patches: patch-lib_isc_unix_socket.c
   Added Files:
        pkgsrc/net/bind912/patches: patch-bin_named_server.c
            patch-bin_pkcs11_pkcs11-keygen.c patch-lib_dns_view.c

   Log Message:
   net/bind912: update to 9.12.4pl1

   Update bind912 to 9.12.4pl1 (BIND 9.12.4-P1).

   Fix security problems CVE-2018-5743 and CVE-2019-6467 and overhaul pkgsrc.
   Now there is no need to change namedb's permissions under NetBSD.

   pkgsrc changes:

   * Simplify DESCR.
   * Update note about required directories.
   * Drop pkg-config from USE_TOOLS.
   * Drop non-existent configure arguments and PKG_OPTIONS:
        - fetchlimit
        - sit
   * Sort PLIST.

   Please refer to the CHANGES file for details before the 9.12.4 release:

        --- 9.12.4-P1 released ---

   5200.        [security]      tcp-clients settings could be exceeded in some cases,
                        which could lead to exhaustion of file descriptors.
                        (CVE-2018-5743) [GL #615]

   5199.        [security]      In certain configurations, named could crash
                        if nxdomain-redirect was in use and a redirected
                        query resulted in an NXDOMAIN from the cache.
                        (CVE-2019-6467) [GL #880]

   5167.        [bug]           nxdomain-redirect could sometimes lookup the wrong
                        redirect name. [GL #892]


   To generate a diff of this commit:
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind912/DESCR pkgsrc/net/bind912/MESSAGE
   cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/bind912/Makefile
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/bind912/PLIST
   cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind912/distinfo
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind912/options.mk
   cvs rdiff -u -r0 -r1.1 pkgsrc/net/bind912/patches/patch-bin_named_server.c \
       pkgsrc/net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c \
       pkgsrc/net/bind912/patches/patch-lib_dns_view.c
   cvs rdiff -u -r1.2 -r1.3 \
       pkgsrc/net/bind912/patches/patch-lib_isc_unix_socket.c

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu May  2 13:31:07 UTC 2019

   Modified Files:
        pkgsrc/net/bind912: Makefile distinfo
        pkgsrc/net/bind912/patches: patch-bin_named_server.c

   Log Message:
   net/bind912: fix an error when reloading configuration

   Fix an error when reloading configuration.  There is one more check that
   the "directory" in the options statement is writable.

   Bump PKGREVISION.


   To generate a diff of this commit:
   cvs rdiff -u -r1.10 -r1.11 pkgsrc/net/bind912/Makefile
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/bind912/distinfo
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind912/patches/patch-bin_named_server.c

diffstat:

 net/bind912/DESCR                                    |  15 +------
 net/bind912/MESSAGE                                  |  12 ++++-
 net/bind912/Makefile                                 |   8 ++--
 net/bind912/PLIST                                    |   6 +-
 net/bind912/distinfo                                 |  15 ++++---
 net/bind912/options.mk                               |  13 +-----
 net/bind912/patches/patch-bin_named_server.c         |  39 ++++++++++++++++++++
 net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c |  30 +++++++++++++++
 net/bind912/patches/patch-lib_dns_view.c             |  15 +++++++
 net/bind912/patches/patch-lib_isc_unix_socket.c      |  14 +------
 10 files changed, 115 insertions(+), 52 deletions(-)

diffs (truncated from 311 to 300 lines):

diff -r ba0277c69630 -r 83296ee553f5 net/bind912/DESCR
--- a/net/bind912/DESCR Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/DESCR Sun May 12 20:37:28 2019 +0000
@@ -1,16 +1,5 @@
-BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
-of nearly all aspects of the underlying BIND architecture.  Some
-of the important features of BIND-9 are:
-
-       - DNS Security
-       - IP version 6
-       - DNS Protocol Enhancements
-       - Views
-       - Multiprocessor Support
-       - Improved Portability Architecture
-       - Full NSEC3 support
-       - Automatic zone re-signing
-       - New update-policy methods tcp-self and 6to4-self
+BIND, the Berkeley Internet Name Daemon.  This package contains the BIND
+9.12 release.
 
 This package contains the BIND 9.12 release.
 
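Review bot: the added text at the end of this hunk duplicates the unchanged trailing context; after the change, DESCR reads "This package contains the BIND 9.12 release." twice in a row (once on the new +2 line, once on the existing context line). Suggest reducing the added text to "BIND, the Berkeley Internet Name Daemon." and letting the existing context sentence carry the release statement.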
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/MESSAGE
--- a/net/bind912/MESSAGE       Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/MESSAGE       Sun May 12 20:37:28 2019 +0000
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1 2018/09/09 13:16:01 taca Exp $
+$NetBSD: MESSAGE,v 1.1.6.1 2019/05/12 20:37:28 spz Exp $
 
 Please consider running BIND under the pseudo user account "${BIND_USER}"
 in a chroot environment for security reasons.
@@ -7,7 +7,13 @@
 To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
 the directory with the chroot environment e.g. "${BIND_DIR}".
 
-Note: named(8) requires writable permission to current directory when
-start up or the directory specified by "directory" in options statement.
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+       cache
+       keys
+       nta
+
+Make sure to these directories exists with writable by "${BIND_USER}" user.
 
 ===========================================================================
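Review bot: the added note needs a grammar pass before it is shown to every installer: "which specified by" should read "which are specified by", and "Make sure to these directories exists with writable by" should read "Make sure these directories exist and are writable by". Listing cache, keys and nta explicitly is the right call: nta is the sub-directory introduced by patch-lib_dns_view.c, and this list is the operational substitute for the startup writability check that patch-bin_named_server.c disables, so it is worth getting the wording right.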
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/Makefile
--- a/net/bind912/Makefile      Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/Makefile      Sun May 12 20:37:28 2019 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.9 2019/02/22 01:24:24 taca Exp $
+# $NetBSD: Makefile,v 1.9.2.1 2019/05/12 20:37:28 spz Exp $
 
 DISTNAME=      bind-${BIND_VERSION}
 PKGNAME=       ${DISTNAME:S/-P/pl/}
+PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
 
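Review bot: PKGREVISION=1 is introduced in the same hunk that bumps BIND_VERSION, which on its own would look like a mistake, since a version update normally resets PKGREVISION. It is correct here only because the pull-up folds in Makefile revision 1.11, whose log message says "Bump PKGREVISION" for the reload fix; a line in the pull-up description saying that the revision bump comes from the second commit would stop the next reader from flagging it.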
@@ -15,7 +16,7 @@
 MAKE_JOBS_SAFE=        no
 USE_CWRAPPERS= no
 
-BIND_VERSION=  9.12.3-P4
+BIND_VERSION=  9.12.4-P1
 
 .include "../../mk/bsd.prefs.mk"
 
@@ -23,14 +24,13 @@
 
 .include "options.mk"
 
-USE_TOOLS+=            pax perl pkg-config
+USE_TOOLS+=            pax perl
 USE_LIBTOOL=           yes
 GNU_CONFIGURE=         yes
 
 CONFIGURE_ARGS+=       --with-libtool
 CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=       --localstatedir=${VARBASE}
-CONFIGURE_ARGS+=       --disable-openssl-version-check
 CONFIGURE_ARGS+=       --with-openssl=${SSLBASE:Q}
 CONFIGURE_ARGS+=       --with-python=no
 .if !empty(MACHINE_PLATFORM:MNetBSD-*-m68k) || \
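Review bot: dropping --disable-openssl-version-check re-enables configure's check that the OpenSSL headers and library under ${SSLBASE} agree, which is the safer default, but it also means platforms whose base OpenSSL is older than what 9.12.4 expects will now fail at configure time instead of quietly building against a mismatched library, so a build on the affected NetBSD branches should confirm it. Removing pkg-config from USE_TOOLS should likewise be checked against the non-default options visible in options.mk (dnstap, json and xml statistics servers), whose library probing may have relied on it.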
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/PLIST
--- a/net/bind912/PLIST Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/PLIST Sun May 12 20:37:28 2019 +0000
@@ -1,15 +1,15 @@
-@comment $NetBSD: PLIST,v 1.2 2019/01/17 08:53:37 he Exp $
+@comment $NetBSD: PLIST,v 1.2.2.1 2019/05/12 20:37:28 spz Exp $
 bin/arpaname
 bin/bind9-config
 bin/delv
 bin/dig
+${PLIST.dnstap}bin/dnstap-read
 bin/host
 bin/isc-config.sh
 bin/mdig
 bin/named-rrchecker
 bin/nslookup
 bin/nsupdate
-${PLIST.dnstap}bin/dnstap-read
 include/bind9/check.h
 include/bind9/getaddresses.h
 include/bind9/version.h
@@ -283,6 +283,7 @@
 man/man1/bind9-config.1
 man/man1/delv.1
 man/man1/dig.1
+${PLIST.dnstap}man/man1/dnstap-read.1
 man/man1/host.1
 man/man1/isc-config.sh.1
 man/man1/mdig.1
@@ -312,7 +313,6 @@
 ${PLIST.pkcs11}man/man8/pkcs11-keygen.8
 ${PLIST.pkcs11}man/man8/pkcs11-list.8
 ${PLIST.pkcs11}man/man8/pkcs11-tokens.8
-${PLIST.dnstap}man/man1/dnstap-read.1
 man/man8/rndc-confgen.8
 man/man8/rndc.8
 man/man8/tsig-keygen.8
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/distinfo
--- a/net/bind912/distinfo      Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/distinfo      Sun May 12 20:37:28 2019 +0000
@@ -1,12 +1,15 @@
-$NetBSD: distinfo,v 1.6 2019/02/22 01:24:24 taca Exp $
+$NetBSD: distinfo,v 1.6.2.1 2019/05/12 20:37:28 spz Exp $
 
-SHA1 (bind-9.12.3-P4.tar.gz) = 883c1513e0c97887db2c57625b1c6ad5f15f8078
-RMD160 (bind-9.12.3-P4.tar.gz) = a5a314a370e53ac2cb3c743c4886b8b538a2bd63
-SHA512 (bind-9.12.3-P4.tar.gz) = 42c41f47a0282dc08ee875fe098ce84b26384dba5efbaf99b557d34c4271e0d6aac70126f280a3ee157e8604cce16901c8cd51fab791dec82f4a3d00c054f363
-Size (bind-9.12.3-P4.tar.gz) = 8627833 bytes
+SHA1 (bind-9.12.4-P1.tar.gz) = e1406e294aee810e32f93d60bd45b15b5d1f76e9
+RMD160 (bind-9.12.4-P1.tar.gz) = b656fbd38b80fc59bcd592803671e80825e6e24a
+SHA512 (bind-9.12.4-P1.tar.gz) = 1c07f6e10cb9fd499c4231e8290da94da1f5f4294c664635eac82bdb10be9a01119208fe2c15f5d28f50e3c2cdec7b553851b7676b65792f3f21de071587297d
+Size (bind-9.12.4-P1.tar.gz) = 7914907 bytes
+SHA1 (patch-bin_named_server.c) = fc54c9014104bfb0c73ec59e2a490de51a5e5b78
+SHA1 (patch-bin_pkcs11_pkcs11-keygen.c) = d953bf48aadcdf7e95975d335167cc50f54ef91e
 SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
 SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
 SHA1 (patch-configure) = 7d74eef1002351a5513c7c617e28721b39de65d0
 SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
 SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = 2b73d1fb3b5d807e83aab125325b7096ed9e4036
+SHA1 (patch-lib_dns_view.c) = 93ef5f1e303cc362818ddd0135f267c5090af40d
+SHA1 (patch-lib_isc_unix_socket.c) = d02f33800eb17d4818c72d79a226ab01b6bf12ad
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/options.mk
--- a/net/bind912/options.mk    Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/options.mk    Sun May 12 20:37:28 2019 +0000
@@ -1,11 +1,10 @@
-# $NetBSD: options.mk,v 1.3 2019/01/17 08:53:37 he Exp $
+# $NetBSD: options.mk,v 1.3.2.1 2019/05/12 20:37:28 spz Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.bind912
 PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
 PKG_SUPPORTED_OPTIONS+=        bind-json-statistics-server
 PKG_SUPPORTED_OPTIONS+=        inet6 threads readline mysql pgsql ldap dlz-filesystem
-PKG_SUPPORTED_OPTIONS+=        fetchlimit geoip pkcs11 sit tuning dnstap
-PKG_SUGGESTED_OPTIONS+=        readline
+PKG_SUPPORTED_OPTIONS+=        geoip pkcs11 tuning dnstap
 
 PLIST_VARS+=   inet6 pkcs11 dnstap
 
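Review bot: this hunk also deletes "PKG_SUGGESTED_OPTIONS+= readline", which the commit log does not mention (it lists only the fetchlimit and sit removals). If dropping readline from the default option set is intentional it belongs in the log message; if not, the line should be restored, since readline remains in PKG_SUPPORTED_OPTIONS on the unchanged context line above.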
@@ -59,10 +58,6 @@
 CONFIGURE_ARGS+=       --with-dlz-filesystem
 .endif
 
-.if !empty(PKG_OPTIONS:Mfetchlimit)
-CONFIGURE_ARGS+=       --enable-fetchlimit
-.endif
-
 .if !empty(PKG_OPTIONS:Mgeoip)
 CONFIGURE_ARGS+=       --with-geoip=${PREFIX}
 LDFLAGS+=              -lGeoIP
@@ -74,10 +69,6 @@
 PLIST.pkcs11=          yes
 .endif
 
-.if !empty(PKG_OPTIONS:Msit)
-CONFIGURE_ARGS+=       --enable-sit
-.endif
-
 .if !empty(PKG_OPTIONS:Mtuning)
 CONFIGURE_ARGS+=       --with-tuning=large
 .endif
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/patches/patch-bin_named_server.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-bin_named_server.c      Sun May 12 20:37:28 2019 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-bin_named_server.c,v 1.2.2.2 2019/05/12 20:37:29 spz Exp $
+
+* Disable checking working directory is writable as BIND_USER in NetBSD
+  base system.
+
+--- bin/named/server.c.orig    2019-04-06 01:27:27.000000000 +0000
++++ bin/named/server.c
+@@ -6297,6 +6297,7 @@ directory_callback(const char *clausenam
+                           "option 'directory' contains relative path '%s'",
+                           directory);
+ 
++#if 0
+       if (!isc_file_isdirwritable(directory)) {
+               isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+                             NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+@@ -6304,6 +6305,7 @@ directory_callback(const char *clausenam
+                             directory);
+               return (ISC_R_NOPERM);
+       }
++#endif
+ 
+       result = isc_dir_chdir(directory);
+       if (result != ISC_R_SUCCESS) {
+@@ -8760,6 +8762,7 @@ load_configuration(const char *filename,
+               named_os_changeuser();
+       }
+ 
++#if 0
+       /*
+        * Check that the working directory is writable.
+        */
+@@ -8770,6 +8773,7 @@ load_configuration(const char *filename,
+               result = ISC_R_NOPERM;
+               goto cleanup;
+       }
++#endif
+ 
+ #ifdef HAVE_LMDB
+       /*
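Review bot: both `#if 0` blocks remove a fail-closed check. directory_callback() and load_configuration() previously refused to continue with ISC_R_NOPERM when the working directory was not writable by the user named runs as after named_os_changeuser(); with the check gone, a misconfigured directory no longer stops startup or reload, and the failure surfaces later at the first write into the cache, keys or nta directories that MESSAGE now lists. The patch header ("Disable checking working directory is writable") should state that consequence so the trade-off is recorded next to the code. The second block is the one that matters for configuration reloads, since load_configuration() runs on every reload, which matches the 1.2 log entry about "one more check".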
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c      Sun May 12 20:37:28 2019 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-bin_pkcs11_pkcs11-keygen.c,v 1.1.2.2 2019/05/12 20:37:29 spz Exp $
+
+* Honor HAVE_PKCS11_ECDSA.
+
+--- bin/pkcs11/pkcs11-keygen.c.orig    2019-02-27 23:42:04.000000000 +0000
++++ bin/pkcs11/pkcs11-keygen.c
+@@ -421,13 +421,23 @@ main(int argc, char *argv[]) {
+               id_offset = ECC_ID;
+ 
+               if (bits == 256) {
++#if HAVE_PKCS11_ECDSA
+                       public_template[4].pValue = pk11_ecc_prime256v1;
+                       public_template[4].ulValueLen =
+                               sizeof(pk11_ecc_prime256v1);
++#else
++                      fprintf(stderr, "PRIME256v1 is not supported\n");
++                      usage();
++#endif
+               } else {
++#if HAVE_PKCS11_ECDSA
+                       public_template[4].pValue = pk11_ecc_secp384r1;
+                       public_template[4].ulValueLen =
+                               sizeof(pk11_ecc_secp384r1);
++#else
++                      fprintf(stderr, "SEP384r1 is not supported\n");
++                      usage();
++#endif
+               }
+ 
+               break;
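Review bot: the error string in the second `#else` branch has a typo: "SEP384r1" should be "SECP384r1", matching the curve name in pk11_ecc_secp384r1 used on the lines above it. Both fallback branches also rely on usage() never returning; if it did, execution would continue into the `break` with public_template[4] left unset, so an explicit exit() after each usage() call would make the guard self-contained.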
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/patches/patch-lib_dns_view.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-lib_dns_view.c  Sun May 12 20:37:28 2019 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_view.c,v 1.1.2.2 2019/05/12 20:37:29 spz Exp $
+
+* Use nta sub-directory as NetBSD base system.
+
+--- lib/dns/view.c.orig        2019-04-06 01:27:27.000000000 +0000
++++ lib/dns/view.c
+@@ -106,7 +106,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+               goto cleanup_view;
+       }
+ 
+-      result = isc_file_sanitize(NULL, view->name, "nta",
++      result = isc_file_sanitize("nta", view->name, "nta",
+                                  buffer, sizeof(buffer));
+       if (result != ISC_R_SUCCESS)
+               goto cleanup_name;
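Review bot: passing "nta" as the directory argument to isc_file_sanitize() makes the NTA file path relative to the working directory, i.e. the "directory" from the options statement, so an nta sub-directory must exist there and be writable by named; that is the third entry in the MESSAGE hunk. The patch header "Use nta sub-directory as NetBSD base system" should say that the directory is not created by this change, because without it writing the NTA file will fail at runtime rather than at configuration time.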
diff -r ba0277c69630 -r 83296ee553f5 net/bind912/patches/patch-lib_isc_unix_socket.c
--- a/net/bind912/patches/patch-lib_isc_unix_socket.c   Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/patches/patch-lib_isc_unix_socket.c   Sun May 12 20:37:28 2019 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:46 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.2.4.1 2019/05/12 20:37:29 spz Exp $
 
 Apply fix from NetBSD revision 1.24.
 
---- lib/isc/unix/socket.c.orig 2018-10-06 05:51:22.000000000 +0000
+--- lib/isc/unix/socket.c.orig 2019-02-27 23:42:04.000000000 +0000
 +++ lib/isc/unix/socket.c
 @@ -257,6 +257,7 @@ typedef enum { poll_idle, poll_active, p
                         (e) == EWOULDBLOCK || \
@@ -12,13 +12,3 @@
                         (e) == 0)
  
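Review bot: this hunk is cut off by the archive's truncation ("diffs (truncated from 311 to 300 lines)"), so the ten lines the diffstat reports as removed from patch-lib_isc_unix_socket.c cannot be reviewed here; the hunk header -12,13 +12,3 is consistent with the diffstat's 14 +------, but the full change has to be read at the details URL at the top of the mail.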


