pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2019Q1]: pkgsrc/net/bind912 Pullup ticket #5957 - requested by...
details: https://anonhg.NetBSD.org/pkgsrc/rev/45e592b72e41
branches: pkgsrc-2019Q1
changeset: 323550:45e592b72e41
user: spz <spz%pkgsrc.org@localhost>
date: Sun May 12 20:37:28 2019 +0000
description:
Pullup ticket #5957 - requested by taca
net/bind912: security update
Revisions pulled up:
- net/bind912/DESCR 1.2
- net/bind912/MESSAGE 1.2
- net/bind912/Makefile 1.10-1.11
- net/bind912/PLIST 1.3
- net/bind912/distinfo 1.7-1.8
- net/bind912/options.mk 1.4
- net/bind912/patches/patch-bin_named_server.c 1.1-1.2
- net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c 1.1
- net/bind912/patches/patch-lib_dns_view.c 1.1
- net/bind912/patches/patch-lib_isc_unix_socket.c 1.3
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Apr 30 02:46:16 UTC 2019
Modified Files:
pkgsrc/net/bind912: DESCR MESSAGE Makefile PLIST distinfo options.mk
pkgsrc/net/bind912/patches: patch-lib_isc_unix_socket.c
Added Files:
pkgsrc/net/bind912/patches: patch-bin_named_server.c
patch-bin_pkcs11_pkcs11-keygen.c patch-lib_dns_view.c
Log Message:
net/bind912: update to 9.12.4pl1
Update bind912 to 9.12.4pl1 (BIND 9.12.4-P1).
Fix security problem CVE-2018-5743 and CVE-2019-6467 and overhaul pkgsrc.
Now there is no need to change namedb's permissions under NetBSD.
pkgsrc changes:
* Simplify DESCR.
* Update note about required directories.
* Drop pkg-config from USE_TOOLS.
* Drop non-existent configure arguments and PKG_OPTIONS:
- fetchlimit
- sit
* Sort PLIST.
Please refer to the CHANGES file for details before the 9.12.4 release:
--- 9.12.4-P1 released ---
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
5199. [security] In certain configurations, named could crash
if nxdomain-redirect was in use and a redirected
query resulted in an NXDOMAIN from the cache.
(CVE-2019-6467) [GL #880]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
redirect name. [GL #892]
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind912/DESCR pkgsrc/net/bind912/MESSAGE
cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/bind912/Makefile
cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/bind912/PLIST
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/bind912/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind912/options.mk
cvs rdiff -u -r0 -r1.1 pkgsrc/net/bind912/patches/patch-bin_named_server.c \
pkgsrc/net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c \
pkgsrc/net/bind912/patches/patch-lib_dns_view.c
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/net/bind912/patches/patch-lib_isc_unix_socket.c
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu May 2 13:31:07 UTC 2019
Modified Files:
pkgsrc/net/bind912: Makefile distinfo
pkgsrc/net/bind912/patches: patch-bin_named_server.c
Log Message:
net/bind912: fix an error when reloading configuration
Fix an error when reloading configuration. There is one more check that
"directory" in the options statement is writable.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 pkgsrc/net/bind912/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/bind912/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind912/patches/patch-bin_named_server.c
diffstat:
net/bind912/DESCR | 15 +------
net/bind912/MESSAGE | 12 ++++-
net/bind912/Makefile | 8 ++--
net/bind912/PLIST | 6 +-
net/bind912/distinfo | 15 ++++---
net/bind912/options.mk | 13 +-----
net/bind912/patches/patch-bin_named_server.c | 39 ++++++++++++++++++++
net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c | 30 +++++++++++++++
net/bind912/patches/patch-lib_dns_view.c | 15 +++++++
net/bind912/patches/patch-lib_isc_unix_socket.c | 14 +------
10 files changed, 115 insertions(+), 52 deletions(-)
diffs (truncated from 311 to 300 lines):
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/DESCR
--- a/net/bind912/DESCR Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/DESCR Sun May 12 20:37:28 2019 +0000
@@ -1,16 +1,5 @@
-BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
-of nearly all aspects of the underlying BIND architecture. Some
-of the important features of BIND-9 are:
-
- - DNS Security
- - IP version 6
- - DNS Protocol Enhancements
- - Views
- - Multiprocessor Support
- - Improved Portability Architecture
- - Full NSEC3 support
- - Automatic zone re-signing
- - New update-policy methods tcp-self and 6to4-self
+BIND, the Berkeley Internet Name Daemon. This package contains the BIND
+9.12 release.
This package contains the BIND 9.12 release.
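Review bot: the new DESCR text says the same thing twice: the added line `+9.12 release.` ends the sentence "This package contains the BIND 9.12 release." and the unchanged context line directly below it, `This package contains the BIND 9.12 release.`, repeats it verbatim. Drop either the second sentence of the added text or the trailing context line so the description reads cleanly.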
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/MESSAGE
--- a/net/bind912/MESSAGE Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/MESSAGE Sun May 12 20:37:28 2019 +0000
@@ -1,5 +1,5 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.1 2018/09/09 13:16:01 taca Exp $
+$NetBSD: MESSAGE,v 1.1.6.1 2019/05/12 20:37:28 spz Exp $
Please consider running BIND under the pseudo user account "${BIND_USER}"
in a chroot environment for security reasons.
@@ -7,7 +7,13 @@
To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
the directory with the chroot environment e.g. "${BIND_DIR}".
-Note: named(8) requires writable permission to current directory when
-start up or the directory specified by "directory" in options statement.
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+ cache
+ keys
+ nta
+
+Make sure to these directories exists with writable by "${BIND_USER}" user.
===========================================================================
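Review bot: the added note has grammar problems ("which specified by", "Make sure to these directories exists with writable by") and should state the permission requirement precisely, since it is the user-facing half of the change that disables named's own writable-directory check in patch-bin_named_server.c. Suggested wording: `Note: named(8) requires the following directories under "/etc/namedb" (the` / `directory given by "directory" in the "options" statement) to be writable:` and `Make sure these directories exist and are writable by the "${BIND_USER}" user.` It is worth stating explicitly that only cache, keys and nta need to be writable by the named user and the rest of namedb can stay read-only to it, because that is the safer layout this change makes possible.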
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/Makefile
--- a/net/bind912/Makefile Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/Makefile Sun May 12 20:37:28 2019 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.9 2019/02/22 01:24:24 taca Exp $
+# $NetBSD: Makefile,v 1.9.2.1 2019/05/12 20:37:28 spz Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
+PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
@@ -15,7 +16,7 @@
MAKE_JOBS_SAFE= no
USE_CWRAPPERS= no
-BIND_VERSION= 9.12.3-P4
+BIND_VERSION= 9.12.4-P1
.include "../../mk/bsd.prefs.mk"
@@ -23,14 +24,13 @@
.include "options.mk"
-USE_TOOLS+= pax perl pkg-config
+USE_TOOLS+= pax perl
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-libtool
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= --localstatedir=${VARBASE}
-CONFIGURE_ARGS+= --disable-openssl-version-check
CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
CONFIGURE_ARGS+= --with-python=no
.if !empty(MACHINE_PLATFORM:MNetBSD-*-m68k) || \
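Review bot: removing `-CONFIGURE_ARGS+= --disable-openssl-version-check` restores BIND's configure-time check that the OpenSSL headers and library match, which is the safer default, but neither it nor `-USE_TOOLS+= pax perl pkg-config` is mentioned in the log message beyond "Drop pkg-config from USE_TOOLS"; add a line about the OpenSSL check. For the pkg-config drop, confirm that none of the options in options.mk (dnstap, json statistics, geoip) still cause configure to invoke pkg-config, otherwise the build will either fail or pick up an unwrapped host pkg-config outside the tool wrappers.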
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/PLIST
--- a/net/bind912/PLIST Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/PLIST Sun May 12 20:37:28 2019 +0000
@@ -1,15 +1,15 @@
-@comment $NetBSD: PLIST,v 1.2 2019/01/17 08:53:37 he Exp $
+@comment $NetBSD: PLIST,v 1.2.2.1 2019/05/12 20:37:28 spz Exp $
bin/arpaname
bin/bind9-config
bin/delv
bin/dig
+${PLIST.dnstap}bin/dnstap-read
bin/host
bin/isc-config.sh
bin/mdig
bin/named-rrchecker
bin/nslookup
bin/nsupdate
-${PLIST.dnstap}bin/dnstap-read
include/bind9/check.h
include/bind9/getaddresses.h
include/bind9/version.h
@@ -283,6 +283,7 @@
man/man1/bind9-config.1
man/man1/delv.1
man/man1/dig.1
+${PLIST.dnstap}man/man1/dnstap-read.1
man/man1/host.1
man/man1/isc-config.sh.1
man/man1/mdig.1
@@ -312,7 +313,6 @@
${PLIST.pkcs11}man/man8/pkcs11-keygen.8
${PLIST.pkcs11}man/man8/pkcs11-list.8
${PLIST.pkcs11}man/man8/pkcs11-tokens.8
-${PLIST.dnstap}man/man1/dnstap-read.1
man/man8/rndc-confgen.8
man/man8/rndc.8
man/man8/tsig-keygen.8
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/distinfo
--- a/net/bind912/distinfo Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/distinfo Sun May 12 20:37:28 2019 +0000
@@ -1,12 +1,15 @@
-$NetBSD: distinfo,v 1.6 2019/02/22 01:24:24 taca Exp $
+$NetBSD: distinfo,v 1.6.2.1 2019/05/12 20:37:28 spz Exp $
-SHA1 (bind-9.12.3-P4.tar.gz) = 883c1513e0c97887db2c57625b1c6ad5f15f8078
-RMD160 (bind-9.12.3-P4.tar.gz) = a5a314a370e53ac2cb3c743c4886b8b538a2bd63
-SHA512 (bind-9.12.3-P4.tar.gz) = 42c41f47a0282dc08ee875fe098ce84b26384dba5efbaf99b557d34c4271e0d6aac70126f280a3ee157e8604cce16901c8cd51fab791dec82f4a3d00c054f363
-Size (bind-9.12.3-P4.tar.gz) = 8627833 bytes
+SHA1 (bind-9.12.4-P1.tar.gz) = e1406e294aee810e32f93d60bd45b15b5d1f76e9
+RMD160 (bind-9.12.4-P1.tar.gz) = b656fbd38b80fc59bcd592803671e80825e6e24a
+SHA512 (bind-9.12.4-P1.tar.gz) = 1c07f6e10cb9fd499c4231e8290da94da1f5f4294c664635eac82bdb10be9a01119208fe2c15f5d28f50e3c2cdec7b553851b7676b65792f3f21de071587297d
+Size (bind-9.12.4-P1.tar.gz) = 7914907 bytes
+SHA1 (patch-bin_named_server.c) = fc54c9014104bfb0c73ec59e2a490de51a5e5b78
+SHA1 (patch-bin_pkcs11_pkcs11-keygen.c) = d953bf48aadcdf7e95975d335167cc50f54ef91e
SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
SHA1 (patch-configure) = 7d74eef1002351a5513c7c617e28721b39de65d0
SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = 2b73d1fb3b5d807e83aab125325b7096ed9e4036
+SHA1 (patch-lib_dns_view.c) = 93ef5f1e303cc362818ddd0135f267c5090af40d
+SHA1 (patch-lib_isc_unix_socket.c) = d02f33800eb17d4818c72d79a226ab01b6bf12ad
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/options.mk
--- a/net/bind912/options.mk Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/options.mk Sun May 12 20:37:28 2019 +0000
@@ -1,11 +1,10 @@
-# $NetBSD: options.mk,v 1.3 2019/01/17 08:53:37 he Exp $
+# $NetBSD: options.mk,v 1.3.2.1 2019/05/12 20:37:28 spz Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.bind912
PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
PKG_SUPPORTED_OPTIONS+= bind-json-statistics-server
PKG_SUPPORTED_OPTIONS+= inet6 threads readline mysql pgsql ldap dlz-filesystem
-PKG_SUPPORTED_OPTIONS+= fetchlimit geoip pkcs11 sit tuning dnstap
-PKG_SUGGESTED_OPTIONS+= readline
+PKG_SUPPORTED_OPTIONS+= geoip pkcs11 tuning dnstap
PLIST_VARS+= inet6 pkcs11 dnstap
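Review bot: `-PKG_SUGGESTED_OPTIONS+= readline` is removed in the same hunk as the fetchlimit and sit options, but the log message lists only fetchlimit and sit. Unless the readline default is set elsewhere, this silently changes the package's default option set (readline is no longer enabled by default); either keep the line or document the change in the commit message.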
@@ -59,10 +58,6 @@
CONFIGURE_ARGS+= --with-dlz-filesystem
.endif
-.if !empty(PKG_OPTIONS:Mfetchlimit)
-CONFIGURE_ARGS+= --enable-fetchlimit
-.endif
-
.if !empty(PKG_OPTIONS:Mgeoip)
CONFIGURE_ARGS+= --with-geoip=${PREFIX}
LDFLAGS+= -lGeoIP
@@ -74,10 +69,6 @@
PLIST.pkcs11= yes
.endif
-.if !empty(PKG_OPTIONS:Msit)
-CONFIGURE_ARGS+= --enable-sit
-.endif
-
.if !empty(PKG_OPTIONS:Mtuning)
CONFIGURE_ARGS+= --with-tuning=large
.endif
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/patches/patch-bin_named_server.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-bin_named_server.c Sun May 12 20:37:28 2019 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-bin_named_server.c,v 1.2.2.2 2019/05/12 20:37:29 spz Exp $
+
+* Disable checking working directory is writable as BIND_USER in NetBSD
+ base system.
+
+--- bin/named/server.c.orig 2019-04-06 01:27:27.000000000 +0000
++++ bin/named/server.c
+@@ -6297,6 +6297,7 @@ directory_callback(const char *clausenam
+ "option 'directory' contains relative path '%s'",
+ directory);
+
++#if 0
+ if (!isc_file_isdirwritable(directory)) {
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+@@ -6304,6 +6305,7 @@ directory_callback(const char *clausenam
+ directory);
+ return (ISC_R_NOPERM);
+ }
++#endif
+
+ result = isc_dir_chdir(directory);
+ if (result != ISC_R_SUCCESS) {
+@@ -8760,6 +8762,7 @@ load_configuration(const char *filename,
+ named_os_changeuser();
+ }
+
++#if 0
+ /*
+ * Check that the working directory is writable.
+ */
+@@ -8770,6 +8773,7 @@ load_configuration(const char *filename,
+ result = ISC_R_NOPERM;
+ goto cleanup;
+ }
++#endif
+
+ #ifdef HAVE_LMDB
+ /*
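Review bot: the two `+#if 0` / `+#endif` blocks remove the only places where named verifies, at start-up (`directory_callback`) and on reload (`load_configuration`), that the working directory is writable, so a misconfigured install now fails later with write errors from the cache, keys or nta directories instead of the clear `ISC_R_NOPERM` log message. The trade-off is deliberate here (the MESSAGE in this commit tells users to make only those subdirectories writable by ${BIND_USER}, which keeps the rest of namedb read-only to the named user), but the patch header `+* Disable checking working directory is writable as BIND_USER in NetBSD` / `+ base system.` should say why and point at the MESSAGE. Also, since pkgsrc builds this package on other platforms, prefer an `#ifdef __NetBSD__` guard or a named macro over a bare `#if 0`, so the check stays active where the NetBSD directory layout does not apply.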
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-bin_pkcs11_pkcs11-keygen.c Sun May 12 20:37:28 2019 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-bin_pkcs11_pkcs11-keygen.c,v 1.1.2.2 2019/05/12 20:37:29 spz Exp $
+
+* Honor HAVE_PKCS11_ECDSA.
+
+--- bin/pkcs11/pkcs11-keygen.c.orig 2019-02-27 23:42:04.000000000 +0000
++++ bin/pkcs11/pkcs11-keygen.c
+@@ -421,13 +421,23 @@ main(int argc, char *argv[]) {
+ id_offset = ECC_ID;
+
+ if (bits == 256) {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_prime256v1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_prime256v1);
++#else
++ fprintf(stderr, "PRIME256v1 is not supported\n");
++ usage();
++#endif
+ } else {
++#if HAVE_PKCS11_ECDSA
+ public_template[4].pValue = pk11_ecc_secp384r1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_secp384r1);
++#else
++ fprintf(stderr, "SEP384r1 is not supported\n");
++ usage();
++#endif
+ }
+
+ break;
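Review bot: typo in the added error string `+ fprintf(stderr, "SEP384r1 is not supported\n");`: the curve is secp384r1, matching `pk11_ecc_secp384r1` used in the other branch. Since both arms of `if (bits == 256)` are now compiled out when HAVE_PKCS11_ECDSA is unset, consider rejecting the ECC case once, before `id_offset = ECC_ID;`, with a single "ECDSA is not supported by this build" message; that removes the duplicated `#if`/`#else` pair and makes the unsupported path obvious.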
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/patches/patch-lib_dns_view.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/bind912/patches/patch-lib_dns_view.c Sun May 12 20:37:28 2019 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_dns_view.c,v 1.1.2.2 2019/05/12 20:37:29 spz Exp $
+
+* Use nta sub-directory as NetBSD base system.
+
+--- lib/dns/view.c.orig 2019-04-06 01:27:27.000000000 +0000
++++ lib/dns/view.c
+@@ -106,7 +106,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+ goto cleanup_view;
+ }
+
+- result = isc_file_sanitize(NULL, view->name, "nta",
++ result = isc_file_sanitize("nta", view->name, "nta",
+ buffer, sizeof(buffer));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
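Review bot: changing `isc_file_sanitize(NULL, view->name, "nta", ...)` to `isc_file_sanitize("nta", view->name, "nta", ...)` moves per-view negative trust anchor files from the working directory into an `nta` subdirectory, so NTA persistence now depends on that directory existing and being writable by the named user. The patch header `+* Use nta sub-directory as NetBSD base system.` should say so and reference the MESSAGE in this commit, which lists `nta` among the directories to create; with the writable-directory check disabled in patch-bin_named_server.c, a missing `nta` directory is otherwise only noticed when a write fails at runtime.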
diff -r 71f679034ab8 -r 45e592b72e41 net/bind912/patches/patch-lib_isc_unix_socket.c
--- a/net/bind912/patches/patch-lib_isc_unix_socket.c Sun May 12 20:30:06 2019 +0000
+++ b/net/bind912/patches/patch-lib_isc_unix_socket.c Sun May 12 20:37:28 2019 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:46 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.2.4.1 2019/05/12 20:37:29 spz Exp $
Apply fix from NetBSD revision 1.24.
---- lib/isc/unix/socket.c.orig 2018-10-06 05:51:22.000000000 +0000
+--- lib/isc/unix/socket.c.orig 2019-02-27 23:42:04.000000000 +0000
+++ lib/isc/unix/socket.c
@@ -257,6 +257,7 @@ typedef enum { poll_idle, poll_active, p
(e) == EWOULDBLOCK || \
@@ -12,13 +12,3 @@
(e) == 0)