update to BIND 9.16.27

CVE-2021-25220: DNS forwarders - cache poisoning vulnerability https://kb.isc.org/docs/CVE-2021-25220 CVE-2022-0396: DoS from specifically crafted TCP packets https://kb.isc.org/docs/cve-2022-0396 CVE-2022-0635: DNAME insist with synth-from-dnssec enabled https://kb.isc.org/docs/cve-2022-0635 CVE-2022-0667: Assertion failure on delayed DS lookup https://kb.isc.org/docs/cve-2022-0667
2022-03-17 00:10:13 +00:00 · 2022-03-17 00:10:13 +00:00 · 02fe895ae8
commit 02fe895ae8
parent 45b5258a88
7 changed files with 4 additions and 88 deletions
--- a/net/isc-bind/Makefile
+++ b/net/isc-bind/Makefile
@ -2,7 +2,7 @@ COMMENT=	Berkeley Internet Name Daemon: DNS server and tools

 # Second digits: odd numbers devel, even numbers stable,
 # ESV branched occasionally.  9.16.x is ESV.
-V=		9.16.26
+V=		9.16.27
 SUBST_VARS+=	V
 PORTROACH=	limitw:1,even
 EXTRACT_SUFX=	.tar.xz
--- a/net/isc-bind/distinfo
+++ b/net/isc-bind/distinfo
@ -1,2 +1,2 @@
-SHA256 (bind-9.16.26.tar.xz) = cLOaXrcWUDWOybpB2jBQ0yrqwK60pGZoSyPzWv+n+0U=
-SIZE (bind-9.16.26.tar.xz) = 5083848
+SHA256 (bind-9.16.27.tar.xz) = kJAqrxBMgQGdddb4svfsQPzSSUBviUtE5KnGteCL9WY=
+SIZE (bind-9.16.27.tar.xz) = 5084340
--- a/net/isc-bind/patches/patch-configure_ac
+++ b/net/isc-bind/patches/patch-configure_ac
@ -4,7 +4,7 @@ https://gitlab.isc.org/isc-projects/bind9/-/issues/2905
 Index: configure.ac
 --- configure.ac.orig
 +++ configure.ac
-@@ -1859,7 +1859,7 @@ AC_DEFINE(NEED_OPTARG, 1, [Defined if extern char *opt
+@@ -1856,7 +1856,7 @@ AC_DEFINE(NEED_OPTARG, 1, [Defined if extern char *opt
 AC_MSG_CHECKING([for st_mtim.tv_nsec])
 AC_COMPILE_IFELSE(
   [AC_LANG_PROGRAM(
--- a/net/isc-bind/patches/patch-lib_dns_dst_openssl_h
+++ b/net/isc-bind/patches/patch-lib_dns_dst_openssl_h
@ -1,12 +0,0 @@
-Index: lib/dns/dst_openssl.h
--- lib/dns/dst_openssl.h.orig
-+++ lib/dns/dst_openssl.h
-@@ -25,7 +25,7 @@
- #include <isc/log.h>
- #include <isc/result.h>
- 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- /*
-  * These are new in OpenSSL 1.1.0.  BN_GENCB _cb needs to be declared in
-  * the function like this before the BN_GENCB_new call:
--- a/net/isc-bind/patches/patch-lib_dns_openssldh_link_c
+++ b/net/isc-bind/patches/patch-lib_dns_openssldh_link_c
@ -1,21 +0,0 @@
-Index: lib/dns/openssldh_link.c
--- lib/dns/openssldh_link.c.orig
-+++ lib/dns/openssldh_link.c
-@@ -263,7 +263,7 @@ static isc_result_t
- openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
- 	DH *dh = NULL;
- 	BN_GENCB *cb;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	BN_GENCB _cb;
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- 	* defined(LIBRESSL_VERSION_NUMBER) */
-@@ -309,7 +309,7 @@ openssldh_generate(dst_key_t *key, int generator, void
- 			return (dst__openssl_toresult(ISC_R_NOMEMORY));
- 		}
- 		cb = BN_GENCB_new();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- 		if (cb == NULL) {
- 			DH_free(dh);
- 			return (dst__openssl_toresult(ISC_R_NOMEMORY));
--- a/net/isc-bind/patches/patch-lib_dns_opensslrsa_link_c
+++ b/net/isc-bind/patches/patch-lib_dns_opensslrsa_link_c
@ -1,12 +0,0 @@
-Index: lib/dns/opensslrsa_link.c
--- lib/dns/opensslrsa_link.c.orig
-+++ lib/dns/opensslrsa_link.c
-@@ -453,7 +453,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*ca
- 	} u;
- 	RSA *rsa = RSA_new();
- 	BIGNUM *e = BN_new();
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	BN_GENCB _cb;
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- 	* defined(LIBRESSL_VERSION_NUMBER) */
--- a/net/isc-bind/patches/patch-lib_isc_aes_c
+++ b/net/isc-bind/patches/patch-lib_isc_aes_c
@ -1,39 +0,0 @@
-Index: lib/isc/aes.c
--- lib/isc/aes.c.orig
-+++ lib/isc/aes.c
-@@ -23,7 +23,7 @@
- #include <isc/types.h>
- #include <isc/util.h>
- 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- #define EVP_CIPHER_CTX_new()   &(_context), EVP_CIPHER_CTX_init(&_context)
- #define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1)
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-@@ -32,7 +32,7 @@
- void
- isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
- 		 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	EVP_CIPHER_CTX _context;
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- 	* defined(LIBRESSL_VERSION_NUMBER) */
-@@ -52,7 +52,7 @@ isc_aes128_crypt(const unsigned char *key, const unsig
- void
- isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
- 		 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	EVP_CIPHER_CTX _context;
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- 	* defined(LIBRESSL_VERSION_NUMBER) */
-@@ -72,7 +72,7 @@ isc_aes192_crypt(const unsigned char *key, const unsig
- void
- isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
- 		 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	EVP_CIPHER_CTX _context;
- #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- 	* defined(LIBRESSL_VERSION_NUMBER) */