this please test and report back if you see problems; in the run-up
to OpenBSD 6.9 we dropped back to 9.16.10 due to problems in interim
releases

CVE-2021-25214: A broken inbound incremental zone update (IXFR)
can cause named to terminate unexpectedly
https://kb.isc.org/docs/cve-2021-25214

CVE-2021-25215: An assertion check can fail while answering queries for
DNAME records that require the DNAME to be processed to resolve itself
https://kb.isc.org/docs/cve-2021-25215

CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack
https://kb.isc.org/docs/cve-2021-25216

other than the usual "python3/<blank>" python version selection and
remove setting MODPY_VERSION=${MODPY_DEFAULT_VERSION_3} again from the
affected ports.
if a port needs 2.x then set MODPY_VERSION=${MODPY_DEFAULT_VERSION_2}.
This commit doesn't change any versions currently used; it may be that
some ports have MODPY_DEFAULT_VERSION_2 but don't require it; those
should be cleaned up in the course of updating ports where possible.
Python module ports providing py3-* packages should still use
FLAVOR=python3 so that we don't have a mixture of dependencies, some
using ${MODPY_FLAVOR} and others not.

- It was possible to trigger an assertion when attempting to fill an
  oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
  interior wildcard label was queried in a certain pattern. This was
  disclosed in CVE-2020-8619. [GL #1111] [GL #1718]

old root.hint, the compiled-in defaults are better). there isn't really a
"one size fits all" configuration, these files gave bad examples (combined
recursive+auth hasn't been recommended in years), and as this is not the
default nameserver on the OS any more, hand-holding isn't really needed.
by way of compensation: install the docs.

CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c
More info on the referral problem in http://www.nxnsattack.com/dns-ns-paper.pdf

it should have been done after loading a tsig keyfile.

drop rpath from that pledge, it used to be needed for charset conversion
with idn names, but this just prints "Cannot represent '%s' in the current
locale" now for !utf8 locales (maybe as a result of dropping the !utf8
ctype files?)

CVE-2019-6471: A race condition when discarding malformed
packets can cause BIND to exit with an assertion failure
https://kb.isc.org/docs/cve-2019-6471