upgrade from BIND 9.16.12 to 9.16.11 plus backported patch for
CVE-2020-8625. Also add the more recently committed "Rollback setting IP_DONTFRAG option on the UDP sockets" patch, which fixes https://gitlab.isc.org/isc-projects/bind9/-/issues/2466 and https://gitlab.isc.org/isc-projects/bind9/-/issues/2487. See also https://kb.isc.org/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination and https://kb.isc.org/docs/operational-notification-zone-journal-jnl-file-incompatibility-after-upgrading-to-bind-91612-and-917
This commit is contained in:
parent
64442dc460
commit
7948330fd4
@ -1,17 +1,26 @@
|
||||
# $OpenBSD: Makefile,v 1.130 2021/02/17 20:40:16 sthen Exp $
|
||||
# $OpenBSD: Makefile,v 1.131 2021/02/20 15:49:52 sthen Exp $
|
||||
|
||||
COMMENT= Berkeley Internet Name Daemon: DNS server and tools
|
||||
|
||||
# Second digits: odd numbers devel, even numbers stable,
|
||||
# ESV branched occasionally. 9.16.x is ESV.
|
||||
V= 9.16.12
|
||||
V= 9.16.11
|
||||
PORTROACH= limitw:1,even
|
||||
EXTRACT_SUFX= .tar.xz
|
||||
EPOCH= 0
|
||||
EPOCH= 1
|
||||
|
||||
DISTNAME= bind-$V
|
||||
PKGNAME= isc-bind-${V:S/-P/pl/}
|
||||
|
||||
# in shared_libs.log but not installed: isc-nosymtbl, t_api
|
||||
SHARED_LIBS += isc 9.0
|
||||
SHARED_LIBS += isccc 3.0
|
||||
SHARED_LIBS += dns 10.2
|
||||
SHARED_LIBS += isccfg 4.2
|
||||
SHARED_LIBS += bind9 1.0
|
||||
SHARED_LIBS += irs 3.0
|
||||
SHARED_LIBS += ns 0.0
|
||||
|
||||
CATEGORIES= net
|
||||
|
||||
HOMEPAGE= https://www.isc.org/bind/
|
||||
@ -93,6 +102,5 @@ post-install:
|
||||
ln -fs $i ${PREFIX}/bin/e$i; ln -fs $i.1 ${PREFIX}/man/man1/e$i.1
|
||||
.endfor
|
||||
${INSTALL_DATA} ${FILESDIR}/[a-z]* ${PREFIX}/share/examples/bind9/
|
||||
rm ${PREFIX}/lib/lib{bind9,dns,irs,isc,isccc,isccfg,ns}.so
|
||||
|
||||
.include <bsd.port.mk>
|
||||
|
@ -1,2 +1,2 @@
|
||||
SHA256 (bind-9.16.12.tar.xz) = mRSvkxH9NJyrRBCXiY2U+yjQv9m/btBP4fl/BCZE2n8=
|
||||
SIZE (bind-9.16.12.tar.xz) = 5017756
|
||||
SHA256 (bind-9.16.11.tar.xz) = ARH2TdfY9RXPoSnhgczpb/ggcNGyfxGiH2hWEQ0GmcE=
|
||||
SIZE (bind-9.16.11.tar.xz) = 5007520
|
||||
|
@ -1,4 +1,4 @@
|
||||
$OpenBSD: patch-bin_dig_dig_c,v 1.21 2021/02/17 20:40:16 sthen Exp $
|
||||
$OpenBSD: patch-bin_dig_dig_c,v 1.22 2021/02/20 15:49:52 sthen Exp $
|
||||
|
||||
Index: bin/dig/dig.c
|
||||
--- bin/dig/dig.c.orig
|
||||
@ -11,7 +11,7 @@ Index: bin/dig/dig.c
|
||||
|
||||
#include <isc/app.h>
|
||||
#include <isc/netaddr.h>
|
||||
@@ -2639,6 +2640,15 @@ dig_setup(int argc, char **argv) {
|
||||
@@ -2635,6 +2636,15 @@ dig_setup(int argc, char **argv) {
|
||||
ISC_LIST_INIT(server_list);
|
||||
ISC_LIST_INIT(search_list);
|
||||
|
||||
@ -27,7 +27,7 @@ Index: bin/dig/dig.c
|
||||
debug("dig_setup()");
|
||||
|
||||
/* setup dighost callbacks */
|
||||
@@ -2670,6 +2680,16 @@ dig_query_setup(bool is_batchfile, bool config_only, i
|
||||
@@ -2666,6 +2676,16 @@ dig_query_setup(bool is_batchfile, bool config_only, i
|
||||
} else if (keysecret[0] != 0) {
|
||||
setup_text_key();
|
||||
}
|
||||
|
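--- /dev/null
+++ b/net/isc-bind/patches/patch-lib_dns_spnego_c
@@ -0,0 +1,16 @@
+$OpenBSD: patch-lib_dns_spnego_c,v 1.1 2021/02/20 15:49:52 sthen Exp $
+
+https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch
+
+Index: lib/dns/spnego.c
+--- lib/dns/spnego.c.orig
++++ lib/dns/spnego.c
+@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *d
+return (ASN1_OVERRUN);
+}
+
+-	data->components = malloc(len * sizeof(*data->components));
++	data->components = malloc((len + 1) * sizeof(*data->components));
+if (data->components == NULL) {
+return (ENOMEM);
+}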
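Review bot: The only comment in this new patch file is the download URL; a ports maintainer reading it later has to follow the link to learn what the one-line change fixes, so a description line after the URL would help, e.g. `CVE-2020-8625: der_get_oid() under-allocates data->components by one element; backported from the 9.16.12 patch.` The hunk itself only changes the allocation size from `len` to `len + 1`, so whether `len + 1` is the exact bound depends on the loop that fills `components`, which is not visible here. The rest of der_get_oid() starts and ends outside the hunk; since this tracks the upstream ISC patch verbatim, I would not alter the code itself in the port.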
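--- /dev/null
+++ b/net/isc-bind/patches/patch-lib_isc_netmgr_netmgr_c
@@ -0,0 +1,81 @@
+$OpenBSD: patch-lib_isc_netmgr_netmgr_c,v 1.1 2021/02/20 15:49:52 sthen Exp $
+
+From 66eefac78c92b64b6689a1655cc677a2b1d13496 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Thu, 11 Feb 2021 08:37:52 +0100
+Subject: [PATCH 1/2] Rollback setting IP_DONTFRAG option on the UDP sockets
+
+In DNS Flag Day 2020, the development branch started setting the
+IP_DONTFRAG option on the UDP sockets. It turned out, that this
+code was incomplete leading to dropping the outgoing UDP packets.
+Henceforth this commit rolls back this setting until we have a
+proper fix that would send back empty response with TC flag set.
+
+Index: lib/isc/netmgr/netmgr.c
+--- lib/isc/netmgr/netmgr.c.orig
++++ lib/isc/netmgr/netmgr.c
+@@ -2101,6 +2101,9 @@ isc__nm_closesocket(uv_os_sock_t sock) {
+#define setsockopt_on(socket, level, name) \
+setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+
++#define setsockopt_off(socket, level, name) \
++ setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
++
+isc_result_t
+isc__nm_socket_freebind(uv_os_sock_t fd, sa_family_t sa_family) {
+/*
+@@ -2226,32 +2229,48 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t s
+*/
+if (sa_family == AF_INET6) {
+#if defined(IPV6_DONTFRAG)
+- if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
++ if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+return (ISC_R_FAILURE);
+} else {
+return (ISC_R_SUCCESS);
+}
+-#elif defined(IPV6_MTU_DISCOVER)
++#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+- &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
++ &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+{
+return (ISC_R_FAILURE);
+} else {
+return (ISC_R_SUCCESS);
+}
++#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
++ if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
++ &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
++ {
++ return (ISC_R_FAILURE);
++ } else {
++ return (ISC_R_SUCCESS);
++ }
+#else
+UNUSED(fd);
+#endif
+} else if (sa_family == AF_INET) {
+#if defined(IP_DONTFRAG)
+- if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
++ if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+return (ISC_R_FAILURE);
+} else {
+return (ISC_R_SUCCESS);
+}
+-#elif defined(IP_MTU_DISCOVER)
++#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
+if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
+- &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
++ &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
++ {
++ return (ISC_R_FAILURE);
++ } else {
++ return (ISC_R_SUCCESS);
++ }
++#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
++ if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
++ &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
+{
+return (ISC_R_FAILURE);
+} else {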
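Review bot: The new `setsockopt_off` macro in the first hunk of the embedded netmgr.c patch passes `&(int){ 1 }`, exactly the same value as `setsockopt_on`, so the `IPV6_DONTFRAG` and `IP_DONTFRAG` branches that were switched to call it still turn the option on and the rollback this patch is meant to perform does not happen on any platform that defines those options. The macro body should read `setsockopt(socket, level, name, &(int){ 0 }, sizeof(int))`; the `*_MTU_DISCOVER` branches are unaffected because they pass their value explicitly. Because this file is a vendored upstream commit (and its header says `[PATCH 1/2]`, with the second part not carried here), either add a local follow-up patch for the macro or confirm that a later upstream change already corrects it rather than editing the imported patch in place. The enclosing isc__nm_socket_dontfrag() body starts and ends outside the hunk, so I cannot see whether any other caller depends on the option being left on.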
@ -1,4 +1,4 @@
|
||||
@comment $OpenBSD: PLIST,v 1.27 2021/02/17 20:40:16 sthen Exp $
|
||||
@comment $OpenBSD: PLIST,v 1.28 2021/02/20 15:49:52 sthen Exp $
|
||||
@pkgpath net/isc-bind,ratelimit
|
||||
@newgroup _bind:741
|
||||
@newuser _bind:741:_bind:daemon:bind user:/nonexistent:/sbin/nologin
|
||||
@ -284,20 +284,20 @@ include/pk11/result.h
|
||||
include/pk11/site.h
|
||||
include/pkcs11/
|
||||
include/pkcs11/pkcs11.h
|
||||
@so lib/libbind9-9.16.12.so
|
||||
lib/libbind9.la
|
||||
@so lib/libdns-9.16.12.so
|
||||
@lib lib/libbind9.so.${LIBbind9_VERSION}
|
||||
lib/libdns.la
|
||||
@so lib/libirs-9.16.12.so
|
||||
@lib lib/libdns.so.${LIBdns_VERSION}
|
||||
lib/libirs.la
|
||||
@so lib/libisc-9.16.12.so
|
||||
@lib lib/libirs.so.${LIBirs_VERSION}
|
||||
lib/libisc.la
|
||||
@so lib/libisccc-9.16.12.so
|
||||
@lib lib/libisc.so.${LIBisc_VERSION}
|
||||
lib/libisccc.la
|
||||
@so lib/libisccfg-9.16.12.so
|
||||
@lib lib/libisccc.so.${LIBisccc_VERSION}
|
||||
lib/libisccfg.la
|
||||
@so lib/libns-9.16.12.so
|
||||
@lib lib/libisccfg.so.${LIBisccfg_VERSION}
|
||||
lib/libns.la
|
||||
@lib lib/libns.so.${LIBns_VERSION}
|
||||
lib/named/
|
||||
@so lib/named/filter-aaaa.so
|
||||
lib/python${MODPY_VERSION}/
|
||||
|