100 Commits

Author SHA1 Message Date
sthen
05c6373d73 update to isc-bind 9.11.9, switch the geoip support to newly added geoip2/libmaxminddb
CVE-2019-6471
2019-07-18 07:24:58 +00:00
sthen
9e7573b1f1 update to BIND 9.11.8
CVE-2019-6471:  A race condition when discarding malformed
packets can cause BIND to exit with an assertion failure
https://kb.isc.org/docs/cve-2019-6471
2019-06-20 14:44:20 +00:00
sthen
9c6e9626b9 s/PERMIT_PACKAGE_CDROM/PERMIT_PACKAGE/ and some light whitespace tidying
in ports which I maintain
2019-06-03 16:06:50 +00:00
sthen
587c11a359 update to BIND 9.11.7 2019-05-17 12:52:46 +00:00
sthen
e39953dc90 Security update to bind 9.11.6-P1, plus patches ("Replace atomic
operations in bin/named/client.c with isc_refcount reference counting")
from https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch
for wider arch support.

Fixes:

CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743
2019-04-27 22:26:55 +00:00
sthen
cd845628d0 update to BIND 9.11.6 2019-03-01 17:17:08 +00:00
sthen
115e360822 security update to isc-bind 9.11.5-P4
CVE-2018-5744: A specially crafted packet can cause named to leak memory
...
A failure to free memory can occur when processing messages
having a specific combination of EDNS options.

By exploiting this condition, an attacker can potentially cause
named's memory use to grow without bounds until all memory
available to the process is exhausted. Typically a server process
is limited as to the amount of memory it can use but if the named
process is not limited by the operating system all free memory
on the server could be exhausted.
...

CVE-2018-5745: An assertion failure can occur if a trust anchor
rolls over to an unsupported key algorithm when using managed-keys

(there is also CVE-2019-6465 but we don't build dlz)
2019-02-21 23:35:34 +00:00
sthen
d45adb82a3 update to BIND 9.11.5-P1
5108.   [bug]           Named could fail to determine bottom of zone when
                        removing out of date keys leading to invalid NSEC
                        and NSEC3 records being added to the zone. [GL #771]
2018-12-13 14:27:47 +00:00
sthen
3633dd875c drop back to isc-bind 9.11.x pending investigation into how to fix the
named's requirement that cwd is writable.

install bind.keys to the right path (it used the compiled-in default
anyway but this gives the wrong cue to anyone wanting to update dnssec
root zone trust anchors).

problems reported by Mikolaj Kucharski
2018-12-02 13:25:44 +00:00
sthen
a4878ebe1c update to BIND 9.12.3, switching to 9.12.x branch 2018-11-06 13:48:40 +00:00
sthen
460f3d9b19 update to bind-9.11.5
enable idn in utilities (dig/etc)
2018-10-19 14:04:45 +00:00
sthen
7698b7c358 update to isc-bind 9.11.4-P2, fixing dnssec inline signing
https://kb.isc.org/docs/change-4892-exposed-multiple-problems-affecting-dnssec-inline-signing
2018-09-20 09:36:49 +00:00
sthen
208a28ab06 update to BIND 9.11.4-P1
4997.   [security]      named could crash during recursive processing
                        of DNAME records when "deny-answer-aliases" was
                        in use. (CVE-2018-5740) [GL #387]
2018-08-09 15:02:28 +00:00
sthen
25b7234045 update to isc-bind-9.11.4 2018-07-12 10:12:30 +00:00
sthen
82a1c7999d drop hidden dep on lmdb responsible for zkt build failures, reported by
naddy@ landry@, thanks landry for testing which led to the cause
2018-06-25 20:42:32 +00:00
sthen
794a748a41 fix; we now have ECDSA_SIG accessors 2018-03-18 23:56:59 +00:00
sthen
a323878aee add a comment re upstream supported version policy 2018-03-16 15:02:04 +00:00
sthen
91f0e035f4 update to bind-9.11.3 2018-03-15 00:59:18 +00:00
sthen
307a93ca6a typo in ifdef, thanks patrick keshishian for noticing. 2018-03-04 21:12:03 +00:00
sthen
2ba0a9b0a4 fix, we have all the DH_ DSA_ RSA_ needed 2018-02-20 21:02:13 +00:00
sthen
7285026abb fix; we now have DSA_set0_key DH_set0_key 2018-02-19 18:19:28 +00:00
sthen
1b8f6daf1c handle next round of libressl changes 2018-02-18 14:09:40 +00:00
sthen
758d9b454a fix: various get0_key/pqg functions, ok jsing 2018-02-18 11:52:03 +00:00
sthen
ea032018e5 security update to BIND 9.11.2-P1
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this happening
were remote, but the introduction of a delay in resolution increased
them. (The delay will be addressed in an upcoming maintenance release.)
This bug is disclosed in CVE-2017-3145. [RT #46839]
2018-01-16 22:13:59 +00:00
sthen
75eb7f397b update BIND to 9.11.2, switching from 9.10 to 9.11 branch (which is a long
term support branch).

note, the license changed to MPL.
2018-01-12 17:08:01 +00:00
rpe
9a8b5ccd06 Change the shebang line from /bin/sh to /bin/ksh in all ports rc.d
daemon scripts and bump subpackages that contain the *.rc scripts.

discussed with and OK aja@
OK tb
2018-01-11 19:27:01 +00:00
sthen
b4415079f5 Force use of /dev/random for BIND, overriding an OpenBSD-specific check in
upstream's autoconf script to prefer /dev/arandom. One of a couple of options
suggested by naddy@.
2017-10-30 22:19:38 +00:00
sthen
c9959dc190 update to bind 9.10.6 2017-07-28 23:38:06 +00:00
espie
7f713eb1f5 let it build with clang, just grab the unwinder from c++abi 2017-07-28 20:53:33 +00:00
sthen
807c691ab5 update to BIND-9.10.5-P3
9.10.5-P2 broke verification of TSIG signed TCP message sequences where
not all the messages contain TSIG records. These may be used in AXFR and
IXFR responses. [RT #45509]
2017-07-10 07:38:04 +00:00
sthen
ab9e1e6794 Update to BIND 9.10.5-P2
An error in TSIG handling could permit unauthorized zone transfers
or zone updates. CVE-2017-3142, CVE-2017-3143.

Also updates the address of b.root in hints.
2017-06-29 21:14:54 +00:00
sthen
ad2da6a263 update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]

A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query
2017-06-15 09:01:49 +00:00
sthen
605258dc87 update to BIND 9.10.5 2017-05-03 20:20:42 +00:00
sthen
3699ab4692 update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;"

CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME

CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives
a null command string on its control channel
2017-04-13 10:35:33 +00:00
sthen
b3152d3371 update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server crash.
This flaw is disclosed in CVE-2017-3135. [RT #44434]

* A synthesized CNAME record appearing in a response before the associated
DNAME could be cached, when it should not have been. This was a
regression introduced while addressing CVE-2016-8864. [RT #44318]
2017-02-09 00:04:40 +00:00
sthen
50473a77bb add pledges for dig/host/nslookup in the ports version of BIND. initial
pledge is "stdio rpath inet unix dns", dropping to "stdio inet dns"
after argument parsing.

access to resolv.conf is required late; the dns pledge is used for this
rather than requiring full rpath; however contrary to the version in
base, inet is allowed as well, so that it can be used as a debug tool
for servers on alternate ports.

works fine for me; no feedback after posting yet so committing to get
real-world testing. please report any issues.
2017-01-24 11:46:35 +00:00
sthen
59278df8ab SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering
an assertion failure.  CVE-2016-9444

Named mishandled some responses where covering RRSIG records are returned
without the requested data resulting in a assertion failure.  CVE-2016-9147

Named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch.  CVE-2016-9131
2017-01-12 12:22:20 +00:00
sthen
773d2b6dc7 update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864 2016-11-01 21:02:03 +00:00
sthen
fe29ebcaad update to BIND 9.10.4-P3, fixing
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only)
https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if
they can receive request packets from any source")
2016-09-27 19:49:10 +00:00
naddy
2594c2979f replace libiconv module 2016-09-13 16:12:14 +00:00
sthen
2b012a1821 Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non
absolute name could trigger an infinite recursion bug in lwres[..]"; affects
users of lwresd and users with "lwres" enabled in their configuration).
Also has a couple of regression fixes. OK naddy@
2016-07-19 10:46:15 +00:00
sthen
159edcc4ce update to BIND 9.10.4-P1, fixing a problem where adjacent bitfields
were protected by different locks.

See http://fanf.livejournal.com/144615.html for an informative write-up
on the issue: "Even the Deathstation 9000 can't screw up the BIND 9.10.4
fix".
2016-05-26 09:25:25 +00:00
sthen
7924de779f update to bind-9.10.4 2016-04-29 11:01:02 +00:00
naddy
ce859edcb4 garbage collect CONFIGURE_SHARED 2016-03-11 20:28:21 +00:00
sthen
d5803c3bbe update to BIND 9.10.3-P4, fixes crashes (assertion failures), one present
since 9.0.0.  CVE-2016-1285 CVE-2016-1286 CVE-2016-2088
2016-03-10 00:03:34 +00:00
sthen
99d5f42fce bump (GeoIP pkgpath change) 2016-03-01 00:07:17 +00:00
sthen
1268bf479e update to BIND 9.10.3P3
- Fixed a regression in resolver.c:possibly_mark() which caused
known-bogus servers to be queried anyway. [RT #41321]

- render_ecs errors were mishandled when printing out a OPT record
resulting in a assertion failure. (CVE-2015-8705) [RT #41397]

- Specific APL data could trigger a INSIST. (CVE-2015-8704) [RT #41396]
2016-01-19 22:24:05 +00:00
sthen
64e6e88b23 bump isc-bind REVISION to avoid warnings with updates (different deps
between 5.8-stable and -current)
2015-12-17 17:07:41 +00:00
sthen
73a350007e update to bind-9.10.3-P2
4260.   [security]      Insufficient testing when parsing a message allowed
                        records with an incorrect class to be be accepted,
                        triggering a REQUIRE failure when those records
                        were subsequently cached. (CVE-2015-8000) [RT #40987]

4253.   [security]      Address fetch context reference count handling error
                        on socket error. (CVE-2015-8461) [RT#40945]
2015-12-15 22:43:37 +00:00
sthen
aec87238b3 oops, forgot to re-add json-c to WANTLIB/LIB_DEPENDS in previous commit.
spotted by nigel@
2015-10-07 19:36:50 +00:00