other than the usual "python3/<blank>" python version selection and
remove setting MODPY_VERSION=${MODPY_DEFAULT_VERSION_3} again from the
affected ports.
if a port needs 2.x then set MODPY_VERSION=${MODPY_DEFAULT_VERSION_2}.
This commit doesn't change any versions currently used; it may be that
some ports have MODPY_DEFAULT_VERSION_2 but don't require it, those
should be cleaned up in the course of updating ports where possible.
Python module ports providing py3-* packages should still use
FLAVOR=python3 so that we don't have a mixture of dependencies some
using ${MODPY_FLAVOR} and others not.
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
old root.hint, the compiled-in defaults are better). there isn't really a
"one size fits all" configuration, these files gave bad examples (combined
recursive+auth hasn't been recommended in years), and as this is not the
default nameserver on the OS any more hand-holding isn't really needed.
by way of compensation: install the docs.
CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c
More info on the referral problem in http://www.nxnsattack.com/dns-ns-paper.pdf
it should have been done after loading a tsig keyfile.
drop rpath from that pledge, it used to be needed for charset conversion
with idn names, but this just prints "Cannot represent '%s' in the current
locale" now for !utf8 locales (maybe as a result of dropping the !utf8
ctype files?)
CVE-2019-6471: A race condition when discarding malformed
packets can cause BIND to exit with an assertion failure
https://kb.isc.org/docs/cve-2019-6471
CVE-2018-5744: A specially crafted packet can cause named to leak memory
...
A failure to free memory can occur when processing messages
having a specific combination of EDNS options.
By exploiting this condition, an attacker can potentially cause
named's memory use to grow without bounds until all memory
available to the process is exhausted. Typically a server process
is limited as to the amount of memory it can use but if the named
process is not limited by the operating system all free memory
on the server could be exhausted.
...
CVE-2018-5745: An assertion failure can occur if a trust anchor
rolls over to an unsupported key algorithm when using managed-keys
(there is also CVE-2019-6465 but we don't build dlz)
5108. [bug] Named could fail to determine bottom of zone when
removing out of date keys leading to invalid NSEC
and NSEC3 records being added to the zone. [GL #771]
