Update to 9.11.8 and 9.14.3.
Security: CVE-2019-6471
parent
a155c6e389
commit
7831c2a97e
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/branches/2019Q2/; revision=504598
@ -20,7 +20,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
|
||||
USES= cpe libedit
|
||||
|
||||
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
|
||||
ISCVERSION= 9.11.6-P1
|
||||
ISCVERSION= 9.11.8
|
||||
|
||||
CPE_VENDOR= isc
|
||||
CPE_VERSION= ${ISCVERSION:C/-.*//}
|
||||
|
@ -1,3 +1,3 @@
|
||||
TIMESTAMP = 1556110950
|
||||
SHA256 (bind-9.11.6-P1.tar.gz) = 58ace2abb4d048b67abcdef0649ecd6cbd3b0652734a41a1d34f942d5500f8ef
|
||||
SIZE (bind-9.11.6-P1.tar.gz) = 8102241
|
||||
TIMESTAMP = 1560947427
|
||||
SHA256 (bind-9.11.8.tar.gz) = 669fcc02a9a1864d93992e526d2186ec8923511c0260b2c037fec8ea45406651
|
||||
SIZE (bind-9.11.8.tar.gz) = 8119490
|
||||
|
@ -1,4 +1,4 @@
|
||||
--- bin/named/config.c.orig 2019-02-27 23:28:15 UTC
|
||||
--- bin/named/config.c.orig 2019-05-10 05:03:58 UTC
|
||||
+++ bin/named/config.c
|
||||
@@ -177,6 +177,8 @@ options {\n\
|
||||
" max-acache-size 16M;\n\
|
||||
@ -9,7 +9,7 @@
|
||||
max-clients-per-query 100;\n\
|
||||
max-ncache-ttl 10800; /* 3 hours */\n\
|
||||
max-recursion-depth 7;\n\
|
||||
--- bin/named/server.c.orig 2019-02-27 23:28:15 UTC
|
||||
--- bin/named/server.c.orig 2019-05-10 05:03:58 UTC
|
||||
+++ bin/named/server.c
|
||||
@@ -3718,6 +3718,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl
|
||||
}
|
||||
@ -28,7 +28,7 @@
|
||||
result = ns_config_get(maps, "max-cache-ttl", &obj);
|
||||
INSIST(result == ISC_R_SUCCESS);
|
||||
view->maxcachettl = cfg_obj_asuint32(obj);
|
||||
--- lib/dns/include/dns/view.h.orig 2019-02-27 23:28:15 UTC
|
||||
--- lib/dns/include/dns/view.h.orig 2019-05-10 05:03:58 UTC
|
||||
+++ lib/dns/include/dns/view.h
|
||||
@@ -152,6 +152,8 @@ struct dns_view {
|
||||
bool requestnsid;
|
||||
@ -39,9 +39,9 @@
|
||||
dns_ttl_t maxncachettl;
|
||||
uint32_t nta_lifetime;
|
||||
uint32_t nta_recheck;
|
||||
--- lib/dns/resolver.c.orig 2019-02-27 23:28:15 UTC
|
||||
--- lib/dns/resolver.c.orig 2019-05-10 05:03:58 UTC
|
||||
+++ lib/dns/resolver.c
|
||||
@@ -5514,6 +5514,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb
|
||||
@@ -5525,6 +5525,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb
|
||||
}
|
||||
|
||||
/*
|
||||
@ -60,7 +60,7 @@
|
||||
* Enforce the configure maximum cache TTL.
|
||||
*/
|
||||
if (rdataset->ttl > res->view->maxcachettl) {
|
||||
--- lib/isccfg/namedconf.c.orig 2019-02-27 23:28:15 UTC
|
||||
--- lib/isccfg/namedconf.c.orig 2019-05-10 05:03:58 UTC
|
||||
+++ lib/isccfg/namedconf.c
|
||||
@@ -1773,6 +1773,8 @@ view_clauses[] = {
|
||||
#endif
|
||||
|
@ -1,6 +1,6 @@
|
||||
--- configure.orig 2019-02-27 23:28:15 UTC
|
||||
--- configure.orig 2019-06-04 16:01:00 UTC
|
||||
+++ configure
|
||||
@@ -15157,27 +15157,9 @@ done
|
||||
@@ -15170,27 +15170,9 @@ done
|
||||
# problems start to show up.
|
||||
saved_libs="$LIBS"
|
||||
for TRY_LIBS in \
|
||||
@ -30,7 +30,7 @@
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
|
||||
$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
@@ -15220,47 +15202,7 @@ $as_echo "no" >&6; } ;;
|
||||
@@ -15233,47 +15215,7 @@ $as_echo "no" >&6; } ;;
|
||||
no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
|
||||
esac
|
||||
|
||||
@ -79,7 +79,7 @@
|
||||
DNS_GSSAPI_LIBS="$LIBS"
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
|
||||
@@ -24267,7 +24209,7 @@ $as_echo "" >&6; }
|
||||
@@ -24332,7 +24274,7 @@ $as_echo "" >&6; }
|
||||
# Check other locations for includes.
|
||||
# Order is important (sigh).
|
||||
|
||||
|
@ -8,7 +8,7 @@ PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
|
||||
PORTREVISION= 0
|
||||
.else
|
||||
# dns/bind913 here
|
||||
PORTREVISION= 2
|
||||
PORTREVISION= 0
|
||||
.endif
|
||||
CATEGORIES= dns net ipv6
|
||||
MASTER_SITES= ISC/bind9/${ISCVERSION}
|
||||
@ -33,7 +33,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
|
||||
|
||||
USES= compiler:c11 cpe libedit ssl
|
||||
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
|
||||
ISCVERSION= 9.14.1
|
||||
ISCVERSION= 9.14.3
|
||||
|
||||
CPE_VENDOR= isc
|
||||
CPE_VERSION= ${ISCVERSION:C/-.*//}
|
||||
|
@ -1,3 +1,3 @@
|
||||
TIMESTAMP = 1556117981
|
||||
SHA256 (bind-9.14.1.tar.gz) = c3c7485d900a03271a9918a071c123e8951871a219f4c1c4383e37717f11db48
|
||||
SIZE (bind-9.14.1.tar.gz) = 6235968
|
||||
TIMESTAMP = 1560947468
|
||||
SHA256 (bind-9.14.3.tar.gz) = ce878aabcf01b61ed114522c32fff9e268b02da55b3c248349860bc3d0c8bdfa
|
||||
SIZE (bind-9.14.3.tar.gz) = 6258311
|
||||
|
@ -1,4 +1,4 @@
|
||||
--- bin/named/config.c.orig 2019-04-06 20:09:59 UTC
|
||||
--- bin/named/config.c.orig 2019-05-10 04:51:34 UTC
|
||||
+++ bin/named/config.c
|
||||
@@ -179,6 +179,7 @@ options {\n\
|
||||
notify-source *;\n\
|
||||
@ -8,9 +8,9 @@
|
||||
provide-ixfr true;\n\
|
||||
qname-minimization relaxed;\n\
|
||||
query-source address *;\n\
|
||||
--- bin/named/server.c.orig 2019-04-06 20:09:59 UTC
|
||||
--- bin/named/server.c.orig 2019-05-10 04:51:34 UTC
|
||||
+++ bin/named/server.c
|
||||
@@ -4178,6 +4178,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl
|
||||
@@ -4245,6 +4245,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
@ -22,7 +22,7 @@
|
||||
result = named_config_get(maps, "max-cache-ttl", &obj);
|
||||
INSIST(result == ISC_R_SUCCESS);
|
||||
view->maxcachettl = cfg_obj_asuint32(obj);
|
||||
--- lib/dns/include/dns/view.h.orig 2019-04-06 20:09:59 UTC
|
||||
--- lib/dns/include/dns/view.h.orig 2019-05-10 04:51:34 UTC
|
||||
+++ lib/dns/include/dns/view.h
|
||||
@@ -153,6 +153,7 @@ struct dns_view {
|
||||
bool requestnsid;
|
||||
@ -32,9 +32,9 @@
|
||||
dns_ttl_t maxncachettl;
|
||||
dns_ttl_t mincachettl;
|
||||
dns_ttl_t minncachettl;
|
||||
--- lib/dns/resolver.c.orig 2019-04-06 20:09:59 UTC
|
||||
--- lib/dns/resolver.c.orig 2019-05-10 04:51:34 UTC
|
||||
+++ lib/dns/resolver.c
|
||||
@@ -6013,6 +6013,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb
|
||||
@@ -6026,6 +6026,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb
|
||||
}
|
||||
|
||||
/*
|
||||
@ -47,7 +47,7 @@
|
||||
* Enforce the configure maximum cache TTL.
|
||||
*/
|
||||
if (rdataset->ttl > res->view->maxcachettl) {
|
||||
--- lib/isccfg/namedconf.c.orig 2019-04-06 20:09:59 UTC
|
||||
--- lib/isccfg/namedconf.c.orig 2019-05-10 04:51:34 UTC
|
||||
+++ lib/isccfg/namedconf.c
|
||||
@@ -1901,6 +1901,7 @@ view_clauses[] = {
|
||||
#endif
|
||||
|
@ -1,6 +1,6 @@
|
||||
--- configure.orig 2019-04-06 20:09:59 UTC
|
||||
--- configure.orig 2019-06-04 15:20:04 UTC
|
||||
+++ configure
|
||||
@@ -16317,27 +16317,9 @@ done
|
||||
@@ -16347,27 +16347,9 @@ done
|
||||
# problems start to show up.
|
||||
saved_libs="$LIBS"
|
||||
for TRY_LIBS in \
|
||||
@ -30,7 +30,7 @@
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
|
||||
$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
@@ -16380,47 +16362,7 @@ $as_echo "no" >&6; } ;;
|
||||
@@ -16410,47 +16392,7 @@ $as_echo "no" >&6; } ;;
|
||||
no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
|
||||
esac
|
||||
|
||||
@ -79,7 +79,7 @@
|
||||
DNS_GSSAPI_LIBS="$LIBS"
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
|
||||
@@ -20924,7 +20866,7 @@ $as_echo "" >&6; }
|
||||
@@ -20960,7 +20902,7 @@ $as_echo "" >&6; }
|
||||
# Check other locations for includes.
|
||||
# Order is important (sigh).
|
||||
|
||||
|
@ -1,35 +0,0 @@
|
||||
From e517c18d98c248e891558ce5194e3663d244f956 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
|
||||
Date: Fri, 31 May 2019 10:40:52 +0200
|
||||
Subject: [PATCH 1/2] Fix a possible race between udp dispatch and socket code
|
||||
|
||||
There's a small possibility of race between udp dispatcher and
|
||||
socket code - socket code can still hold internal reference to a
|
||||
socket while dispatcher calls isc_socket_open, which can cause
|
||||
an assertion failure. Fix it by relaxing the assertion test, and
|
||||
instead simply locking the socket in isc_socket_open.
|
||||
|
||||
--- lib/isc/unix/socket.c.orig 2019-05-10 04:51:34 UTC
|
||||
+++ lib/isc/unix/socket.c
|
||||
@@ -2598,15 +2598,16 @@ isc_socket_open(isc_socket_t *sock0) {
|
||||
|
||||
REQUIRE(VALID_SOCKET(sock));
|
||||
|
||||
- REQUIRE(isc_refcount_current(&sock->references) == 1);
|
||||
- /*
|
||||
- * We don't need to retain the lock hereafter, since no one else has
|
||||
- * this socket.
|
||||
- */
|
||||
+ LOCK(&sock->lock);
|
||||
+
|
||||
+ REQUIRE(isc_refcount_current(&sock->references) >= 1);
|
||||
REQUIRE(sock->fd == -1);
|
||||
REQUIRE(sock->threadid == -1);
|
||||
|
||||
result = opensocket(sock->manager, sock, NULL);
|
||||
+
|
||||
+ UNLOCK(&sock->lock);
|
||||
+
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
sock->fd = -1;
|
||||
} else {
|