From 7831c2a97e7c5e8dc70ac36a5eee0583a6156009 Mon Sep 17 00:00:00 2001
From: Mathieu Arnold
Date: Wed, 19 Jun 2019 22:46:46 +0000
Subject: Update to 9.11.8 and 9.14.3. Security: CVE-2019-6471
---
 dns/bind911/Makefile | 2 +-
 dns/bind911/distinfo | 6 ++--
 dns/bind911/files/extrapatch-bind-min-override-ttl | 12 ++++----
 dns/bind911/files/patch-configure | 8 ++---
 dns/bind914/Makefile | 4 +--
 dns/bind914/distinfo | 6 ++--
 dns/bind914/files/extrapatch-bind-min-override-ttl | 14 ++++-----
 dns/bind914/files/patch-configure | 8 ++---
 dns/bind914/files/patch-lib_isc_unix_socket.c | 35 ----------------------
 9 files changed, 30 insertions(+), 65 deletions(-)
 delete mode 100644 dns/bind914/files/patch-lib_isc_unix_socket.c
diff --git a/dns/bind911/Makefile b/dns/bind911/Makefile
index 3f9cf2d3251d..bf6abbe7291c 100644
--- a/dns/bind911/Makefile
+++ b/dns/bind911/Makefile
@@ -20,7 +20,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
 USES= cpe libedit
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.11.6-P1
+ISCVERSION= 9.11.8
 CPE_VENDOR= isc
 CPE_VERSION= ${ISCVERSION:C/-.*//}
diff --git a/dns/bind911/distinfo b/dns/bind911/distinfo
index b86baff84480..5f5237f0cc53 100644
--- a/dns/bind911/distinfo
+++ b/dns/bind911/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1556110950
-SHA256 (bind-9.11.6-P1.tar.gz) = 58ace2abb4d048b67abcdef0649ecd6cbd3b0652734a41a1d34f942d5500f8ef
-SIZE (bind-9.11.6-P1.tar.gz) = 8102241
+TIMESTAMP = 1560947427
+SHA256 (bind-9.11.8.tar.gz) = 669fcc02a9a1864d93992e526d2186ec8923511c0260b2c037fec8ea45406651
+SIZE (bind-9.11.8.tar.gz) = 8119490
diff --git a/dns/bind911/files/extrapatch-bind-min-override-ttl b/dns/bind911/files/extrapatch-bind-min-override-ttl
index f279b2db8fff..d276c7bab934 100644
--- a/dns/bind911/files/extrapatch-bind-min-override-ttl
+++ b/dns/bind911/files/extrapatch-bind-min-override-ttl
@@ -1,4 +1,4 @@ ---- bin/named/config.c.orig 2019-02-27 23:28:15 UTC +--- bin/named/config.c.orig 2019-05-10 05:03:58 UTC +++ bin/named/config.c @@ -177,6 +177,8 @@ options {\n\ " max-acache-size 16M;\n\ @@ -9,7 +9,7 @@ max-clients-per-query 100;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ ---- bin/named/server.c.orig 2019-02-27 23:28:15 UTC +--- bin/named/server.c.orig 2019-05-10 05:03:58 UTC +++ bin/named/server.c @@ -3718,6 +3718,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl } @@ -28,7 +28,7 @@ result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2019-02-27 23:28:15 UTC +--- lib/dns/include/dns/view.h.orig 2019-05-10 05:03:58 UTC +++ lib/dns/include/dns/view.h @@ -152,6 +152,8 @@ struct dns_view { bool requestnsid; @@ -39,9 +39,9 @@ dns_ttl_t maxncachettl; uint32_t nta_lifetime; uint32_t nta_recheck; ---- lib/dns/resolver.c.orig 2019-02-27 23:28:15 UTC +--- lib/dns/resolver.c.orig 2019-05-10 05:03:58 UTC +++ lib/dns/resolver.c -@@ -5514,6 +5514,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb +@@ -5525,6 +5525,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb } /* @@ -60,7 +60,7 @@ * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2019-02-27 23:28:15 UTC +--- lib/isccfg/namedconf.c.orig 2019-05-10 05:03:58 UTC +++ lib/isccfg/namedconf.c @@ -1773,6 +1773,8 @@ view_clauses[] = { #endif diff --git a/dns/bind911/files/patch-configure b/dns/bind911/files/patch-configure index a05765e38e3f..e64883a8d5e8 100644 --- a/dns/bind911/files/patch-configure +++ b/dns/bind911/files/patch-configure 
@@ -1,6 +1,6 @@ ---- configure.orig 2019-02-27 23:28:15 UTC +--- configure.orig 2019-06-04 16:01:00 UTC +++ configure -@@ -15157,27 +15157,9 @@ done +@@ -15170,27 +15170,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ @@ -30,7 +30,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -15220,47 +15202,7 @@ $as_echo "no" >&6; } ;; +@@ -15233,47 +15215,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac @@ -79,7 +79,7 @@ DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -24267,7 +24209,7 @@ $as_echo "" >&6; } +@@ -24332,7 +24274,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). diff --git a/dns/bind914/Makefile b/dns/bind914/Makefile index 3469d933a1b1..326881c4830f 100644 --- a/dns/bind914/Makefile +++ b/dns/bind914/Makefile @@ -8,7 +8,7 @@ PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} PORTREVISION= 0 .else # dns/bind913 here -PORTREVISION= 2 +PORTREVISION= 0 .endif CATEGORIES= dns net ipv6 MASTER_SITES= ISC/bind9/${ISCVERSION} @@ -33,7 +33,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2 USES= compiler:c11 cpe libedit ssl # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.14.1 +ISCVERSION= 9.14.3 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} diff --git a/dns/bind914/distinfo b/dns/bind914/distinfo index 24a584c2fb7d..9f4ef6d88b32 100644 --- a/dns/bind914/distinfo +++ b/dns/bind914/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1556117981 -SHA256 (bind-9.14.1.tar.gz) = c3c7485d900a03271a9918a071c123e8951871a219f4c1c4383e37717f11db48 -SIZE (bind-9.14.1.tar.gz) = 6235968 +TIMESTAMP = 1560947468 +SHA256 (bind-9.14.3.tar.gz) = ce878aabcf01b61ed114522c32fff9e268b02da55b3c248349860bc3d0c8bdfa +SIZE (bind-9.14.3.tar.gz) = 6258311 diff --git a/dns/bind914/files/extrapatch-bind-min-override-ttl b/dns/bind914/files/extrapatch-bind-min-override-ttl index 6c5006302a58..a6c479c86e96 100644 --- a/dns/bind914/files/extrapatch-bind-min-override-ttl +++ b/dns/bind914/files/extrapatch-bind-min-override-ttl @@ -1,4 +1,4 @@ ---- bin/named/config.c.orig 2019-04-06 20:09:59 UTC +--- bin/named/config.c.orig 2019-05-10 04:51:34 UTC +++ bin/named/config.c @@ -179,6 +179,7 @@ options {\n\ notify-source *;\n\ @@ -8,9 +8,9 @@ provide-ixfr true;\n\ qname-minimization relaxed;\n\ query-source address *;\n\ ---- bin/named/server.c.orig 2019-04-06 20:09:59 UTC +--- bin/named/server.c.orig 2019-05-10 04:51:34 UTC +++ bin/named/server.c -@@ -4178,6 +4178,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl +@@ -4245,6 +4245,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewl } obj = NULL; @@ -22,7 +22,7 @@ result = named_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2019-04-06 20:09:59 UTC +--- lib/dns/include/dns/view.h.orig 2019-05-10 04:51:34 UTC +++ lib/dns/include/dns/view.h @@ -153,6 +153,7 @@ struct dns_view { bool requestnsid; @@ -32,9 +32,9 @@ dns_ttl_t maxncachettl; dns_ttl_t mincachettl; dns_ttl_t minncachettl; ---- lib/dns/resolver.c.orig 2019-04-06 20:09:59 UTC +--- lib/dns/resolver.c.orig 2019-05-10 04:51:34 UTC +++ lib/dns/resolver.c -@@ -6013,6 +6013,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb +@@ -6026,6 +6026,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adb } /* 
@@ -47,7 +47,7 @@ * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2019-04-06 20:09:59 UTC +--- lib/isccfg/namedconf.c.orig 2019-05-10 04:51:34 UTC +++ lib/isccfg/namedconf.c @@ -1901,6 +1901,7 @@ view_clauses[] = { #endif diff --git a/dns/bind914/files/patch-configure b/dns/bind914/files/patch-configure index 38f01eb95d96..60bc8b47b833 100644 --- a/dns/bind914/files/patch-configure +++ b/dns/bind914/files/patch-configure @@ -1,6 +1,6 @@ ---- configure.orig 2019-04-06 20:09:59 UTC +--- configure.orig 2019-06-04 15:20:04 UTC +++ configure -@@ -16317,27 +16317,9 @@ done +@@ -16347,27 +16347,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ @@ -30,7 +30,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -16380,47 +16362,7 @@ $as_echo "no" >&6; } ;; +@@ -16410,47 +16392,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac @@ -79,7 +79,7 @@ DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -20924,7 +20866,7 @@ $as_echo "" >&6; } +@@ -20960,7 +20902,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). diff --git a/dns/bind914/files/patch-lib_isc_unix_socket.c b/dns/bind914/files/patch-lib_isc_unix_socket.c deleted file mode 100644 index 06db1cc3e9f5..000000000000 --- a/dns/bind914/files/patch-lib_isc_unix_socket.c +++ /dev/null 
@@ -1,35 +0,0 @@ -From e517c18d98c248e891558ce5194e3663d244f956 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= -Date: Fri, 31 May 2019 10:40:52 +0200 -Subject: [PATCH 1/2] Fix a possible race between udp dispatch and socket code - -There's a small possibility of race between udp dispatcher and -socket code - socket code can still hold internal reference to a -socket while dispatcher calls isc_socket_open, which can cause -an assertion failure. Fix it by relaxing the assertion test, and -instead simply locking the socket in isc_socket_open. - ---- lib/isc/unix/socket.c.orig 2019-05-10 04:51:34 UTC -+++ lib/isc/unix/socket.c -@@ -2598,15 +2598,16 @@ isc_socket_open(isc_socket_t *sock0) { - - REQUIRE(VALID_SOCKET(sock)); - -- REQUIRE(isc_refcount_current(&sock->references) == 1); -- /* -- * We don't need to retain the lock hereafter, since no one else has -- * this socket. -- */ -+ LOCK(&sock->lock); -+ -+ REQUIRE(isc_refcount_current(&sock->references) >= 1); - REQUIRE(sock->fd == -1); - REQUIRE(sock->threadid == -1); - - result = opensocket(sock->manager, sock, NULL); -+ -+ UNLOCK(&sock->lock); -+ - if (result != ISC_R_SUCCESS) { - sock->fd = -1; - } else { -- cgit v1.2.3
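Review bot: Deleting dns/bind914/files/patch-lib_isc_unix_socket.c drops the port's local fix for the race in `isc_socket_open`, and nothing in the commit message says that 9.14.3 carries the same change upstream. The removed patch took `LOCK(&sock->lock)` around `opensocket()` and relaxed the reference check to `>= 1` because, per its own description, the stricter `REQUIRE` could trip an assertion failure; an assertion failure in named means the daemon stops answering queries. Before relying on this update, confirm that lib/isc/unix/socket.c in the 9.14.3 tarball contains the equivalent locking, which is presumably why the patch was removed. If it does, record that in the commit message, for example `Remove patch-lib_isc_unix_socket.c, included upstream in 9.14.3.`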