[Midnightbsd-cvs] mports [23643] trunk/dns/bind910: add security patch and allow it to work with current
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Mon Jul 23 00:10:53 EDT 2018
Revision: 23643
http://svnweb.midnightbsd.org/mports/?rev=23643
Author: laffer1
Date: 2018-07-23 00:10:52 -0400 (Mon, 23 Jul 2018)
Log Message:
-----------
add security patch and allow it to work with current
Modified Paths:
--------------
trunk/dns/bind910/Makefile
trunk/dns/bind910/files/pkg-message.in
trunk/dns/bind910/pkg-help
trunk/dns/bind910/pkg-plist
Added Paths:
-----------
trunk/dns/bind910/files/patch-CVE-2018-5738
Removed Paths:
-------------
trunk/dns/bind910/pkg-install
Modified: trunk/dns/bind910/Makefile
===================================================================
--- trunk/dns/bind910/Makefile 2018-07-23 03:03:33 UTC (rev 23642)
+++ trunk/dns/bind910/Makefile 2018-07-23 04:10:52 UTC (rev 23643)
@@ -2,29 +2,15 @@
# $FreeBSD: head/dns/bind910/Makefile 369044 2014-09-23 11:32:51Z mat $
PORTNAME= bind
-PORTVERSION= ${ISCVERSION:S/-P/P/}
-.if defined(BIND_TOOLS_SLAVE)
-# dns/bind-tools here
-PORTREVISION= 2
-.else
-# dns/bind910 here
-PORTREVISION= 3
-.endif
+PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
+PORTREVISION= 4
CATEGORIES= dns net ipv6
MASTER_SITES= ISC/bind9/${ISCVERSION}
-.if defined(BIND_TOOLS_SLAVE)
-PKGNAMESUFFIX= -tools
-.else
PKGNAMESUFFIX= 910
-.endif
DISTNAME= ${PORTNAME}-${ISCVERSION}
MAINTAINER= ports at MidnightBSD.org
-.if defined(BIND_TOOLS_SLAVE)
-COMMENT= Command line tools from BIND: delv, dig, host, nslookup...
-.else
COMMENT= BIND DNS suite with updated DNSSEC and DNS64
-.endif
LICENSE= iscl
LICENSE_FILE= ${WRKSRC}/COPYRIGHT
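Review bot: The PORTREVISION bump to 4 at L40 is what redistributes the CVE-2018-5738 backport, but nothing in the Makefile records why the revision moved or that files/patch-CVE-2018-5738 is a temporary backport; a comment next to it would keep the next ISCVERSION update from carrying a stale patch, e.g. `# 4: files/patch-CVE-2018-5738 backports ISC change 4960 (allow-recursion/allow-query-cache default ACLs); drop once ISCVERSION includes it`. Dropping the BIND_TOOLS_SLAVE conditionals (L32-L38, L43-L47, L50-L54) also means any other port that still includes this Makefile with BIND_TOOLS_SLAVE set would now build the full server; the new CONFLICTS line later in the file names a bind-tools package, so that is presumably a separate port now, but it is worth confirming in the tree.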
@@ -32,8 +18,6 @@
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.10.7
-MAKE_JOBS_UNSAFE= yes
-
USES= cpe libedit
CPE_VENDOR= isc
@@ -42,10 +26,10 @@
CPE_UPDATE= ${ISCVERSION:C/.*-//:tl}
.endif
-LIB_DEPENDS= libxml2.so:${PORTSDIR}/textproc/libxml2
+LIB_DEPENDS= libxml2.so:textproc/libxml2
GNU_CONFIGURE= yes
-CONFIGURE_ARGS+= --localstatedir=/var --disable-linux-caps \
+CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--disable-symtable \
--with-randomdev=/dev/random \
--with-libxml2=${LOCALBASE} \
@@ -52,212 +36,177 @@
--with-readline="-L${LOCALBASE}/lib -ledit" \
--with-dlopen=yes \
--sysconfdir=${ETCDIR}
-.if defined(BIND_TOOLS_SLAVE)
-CONFIGURE_ARGS+= --disable-shared
-.endif
ETCDIR= ${PREFIX}/etc/namedb
-CONFLICTS+= bind9*-9.[456789].* bind9*-sdb-9.[456789].*
+CONFLICTS= bind-tools bind99 bind911 bind912 bind913 bind9-devel
-.if !defined(BIND_TOOLS_SLAVE)
-SUB_FILES= pkg-message
-.endif
+SUB_FILES= pkg-message named.conf
+USE_RC_SUBR= named
-OPTIONS_DEFAULT= IPV6 SSL THREADS SIGCHASE IDN GSSAPI_NONE
-OPTIONS_DEFINE= IDN LARGE_FILE PYTHON START_LATE \
- FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA
+MAKE_JOBS_UNSAFE= yes
+
+PORTDOCS= *
+
+OPTIONS_DEFAULT= SSL THREADS SIGCHASE IDN GSSAPI_NONE JSON \
+ DLZ_FILESYSTEM RPZ_NSIP RPZ_NSDNAME PYTHON FILTER_AAAA
+OPTIONS_DEFINE= IDN LARGE_FILE PYTHON JSON \
+ FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA \
+ RPZ_NSIP RPZ_NSDNAME DOCS GEOIP \
+ MINCACHE PORTREVISION FETCHLIMIT QUERYTRACE \
+ START_LATE TUNING_LARGE
+
OPTIONS_RADIO= CRYPTO GOSTDEF
OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11
OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1
-.if !defined(BIND_TOOLS_SLAVE)
-OPTIONS_DEFAULT+= RRL
-OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP \
- MINCACHE PORTREVISION FETCHLIMIT QUERYTRACE
OPTIONS_GROUP= DLZ
OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
-.endif # BIND_TOOLS_SLAVE
OPTIONS_SINGLE= GSSAPI
OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE
OPTIONS_SUB= yes
-SSL_DESC= Build with OpenSSL (Required for DNSSEC)
-LARGE_FILE_DESC= 64-bit file support
-FIXED_RRSET_DESC= Enable fixed rrset ordering
-SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation
-FILTER_AAAA_DESC= Enable filtering of AAAA records
CRYPTO_DESC= Choose which crypto engine to use
-NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**)
-GEOIP_DESC= Allow geographically based ACL.
-GOSTDEF_DESC= Enable GOST ciphers, needs SSL (see help on 8 and 9)
-GOST_DESC= GOST raw keys (new default)
-GOST_ASN1_DESC= GOST using ASN.1
-PYTHON_DESC= Build with Python utilities
-START_LATE_DESC= Start BIND late in the boot process
-MINCACHE_DESC= Use the mincachettl patch
-PORTREVISION_DESC= Show PORTREVISION in the version string
-FETCHLIMIT_DESC= Enable the query quotas for resolvers
-QUERYTRACE_DESC= Enable the very verbose query tracelogging
-
-LINKS_DESC= Create conf file symlinks in ${PREFIX}
-NEWSTATS_DESC= Enable alternate xml statistics channel format
-RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules
-RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records
-RRL_DESC= Response Rate Limiting
+DLZ_BDB_DESC= DLZ BDB driver
DLZ_DESC= Dynamically Loadable Zones
+DLZ_FILESYSTEM_DESC= DLZ filesystem driver
+DLZ_LDAP_DESC= DLZ LDAP driver
+DLZ_MYSQL_DESC= DLZ MySQL driver (no threading)
DLZ_POSTGRESQL_DESC= DLZ Postgres driver
-DLZ_MYSQL_DESC= DLZ MySQL driver (no threading)
-DLZ_BDB_DESC= DLZ BDB driver
-DLZ_LDAP_DESC= DLZ LDAP driver
-DLZ_FILESYSTEM_DESC= DLZ filesystem driver
DLZ_STUB_DESC= DLZ stub driver
+FETCHLIMIT_DESC= Enable the query quotas for resolvers
+FILTER_AAAA_DESC= Enable filtering of AAAA records
+FIXED_RRSET_DESC= Enable fixed rrset ordering
+GEOIP_DESC= Allow geographically based ACL.
+GOSTDEF_DESC= Enable GOST ciphers, needs SSL
+GOST_ASN1_DESC= GOST using ASN.1
+GOST_DESC= GOST raw keys (new default)
GSSAPI_BASE_DESC= Using Heimdal in base
GSSAPI_HEIMDAL_DESC= Using security/heimdal
GSSAPI_MIT_DESC= Using security/krb5
GSSAPI_NONE_DESC= Disable
-MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl
-FETCHLIMIT_CONFIGURE_ENABLE= fetchlimit
-QUERYTRACE_CONFIGURE_ENABLE= querytrace
+LARGE_FILE_DESC= 64-bit file support
+MINCACHE_DESC= Use the mincachettl patch
+NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**)
+PORTREVISION_DESC= Show PORTREVISION in the version string
+PYTHON_DESC= Build with Python utilities
+QUERYTRACE_DESC= Enable the very verbose query tracelogging
+RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records
+RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules
+SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation
+SSL_DESC= Build with OpenSSL (Required for DNSSEC)
+START_LATE_DESC= Start BIND late in the boot process (see help)
+TUNING_LARGE_DESC= Tune named for large systems (**READ HELP**)
-.if defined(BIND_TOOLS_SLAVE)
-CONFLICTS+= bind910-9.10.*
-.else
-CONFLICTS+= bind-tools-9.*
-.endif # BIND_TOOLS_SLAVE
+DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes
+DLZ_BDB_USES= bdb
-SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE}
-SSL_USE= ssl=yes
-SSL_CONFIGURE_OFF= --disable-openssl-version-check --without-openssl
+DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes
-NEWSTATS_CONFIGURE_ENABLE= newstats
+DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes
+DLZ_LDAP_USE= openldap=yes
-IDN_USES= iconv
-IDN_CONFIGURE_ON= --with-idn=${LOCALBASE} ${ICONV_CONFIGURE_BASE}
-IDN_LIB_DEPENDS= libidnkit.so:${PORTSDIR}/dns/idnkit
-IDN_CONFIGURE_OFF= --without-idn
+DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes
+DLZ_MYSQL_PREVENTS= THREADS
+DLZ_MYSQL_USES= mysql
-LARGE_FILE_CONFIGURE_ENABLE= largefile
+DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes
+DLZ_POSTGRESQL_USES= pgsql
-SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1"
+DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes
-IPV6_CONFIGURE_ENABLE= ipv6
+FETCHLIMIT_CONFIGURE_ENABLE= fetchlimit
FILTER_AAAA_CONFIGURE_ENABLE= filter-aaaa
-NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11
+FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset
GEOIP_CONFIGURE_WITH= geoip
-GEOIP_LIB_DEPENDS= libGeoIP.so:${PORTSDIR}/net/GeoIP
+GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP
-GOST_CONFIGURE_ON= --with-gost
GOST_ASN1_CONFIGURE_ON= --with-gost=asn1
-PYTHON_CONFIGURE_WITH= python
-PYTHON_USES= python
+GOST_CONFIGURE_ON= --with-gost
-DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes
-DLZ_POSTGRESQL_USES= pgsql
+GSSAPI_BASE_CONFIGURE_ON= \
+ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_BASE_USES= gssapi
-FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset
+GSSAPI_HEIMDAL_CONFIGURE_ON= \
+ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_HEIMDAL_USES= gssapi:heimdal
-RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip
+GSSAPI_MIT_CONFIGURE_ON= \
+ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
+GSSAPI_MIT_USES= gssapi:mit
-RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname
+GSSAPI_NONE_CONFIGURE_ON= --without-gssapi
-RRL_CONFIGURE_ENABLE= rrl
+IDN_CONFIGURE_OFF= --without-idn
+IDN_CONFIGURE_ON= --with-idn=${LOCALBASE} ${ICONV_CONFIGURE_BASE}
+IDN_LIB_DEPENDS= libidnkit.so:dns/idnkit
+IDN_USES= iconv
-DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes
-DLZ_MYSQL_USE= mysql=yes
+IPV6_CONFIGURE_ENABLE= ipv6
-DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes
-DLZ_BDB_USE= bdb=yes
+JSON_CONFIGURE_WITH= libjson=${LOCALBASE}
+JSON_LIB_DEPENDS= libjson-c.so:devel/json-c
-DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes
-DLZ_LDAP_USE= openldap=yes
+LARGE_FILE_CONFIGURE_ENABLE= largefile
-DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes
+MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl
-DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes
+NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11
+NATIVE_PKCS11_IMPLIES= THREADS
+PYTHON_CONFIGURE_WITH= python=${PYTHON_CMD}
+PYTHON_USES= python
+
+QUERYTRACE_CONFIGURE_ENABLE= querytrace
+
+RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname
+
+RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip
+
+SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1"
+
+SSL_CONFIGURE_OFF= --disable-openssl-version-check --without-openssl
+SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE}
+SSL_USES= ssl
+
START_LATE_SUB_LIST= NAMED_REQUIRE="SERVERS cleanvar" \
NAMED_BEFORE="LOGIN"
START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \
NAMED_BEFORE="SERVERS"
-GSSAPI_BASE_USES= gssapi
-GSSAPI_BASE_CONFIGURE_ON= \
- --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
-GSSAPI_HEIMDAL_USES= gssapi:heimdal
-GSSAPI_HEIMDAL_CONFIGURE_ON= \
- --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
-GSSAPI_MIT_USES= gssapi:mit
-GSSAPI_MIT_CONFIGURE_ON= \
- --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}"
-GSSAPI_NONE_CONFIGURE_ON= --without-gssapi
+THREADS_CONFIGURE_ENABLE= threads
-.include <bsd.mport.options.mk>
+TUNING_LARGE_IMPLIES= THREADS
+TUNING_LARGE_CONFIGURE_ON= --with-tuning=large
+TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default
+.include <bsd.port.pre.mk>
+
.if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1}
CONFIGURE_ARGS+= --without-gost
.endif
-.if !${PORT_OPTIONS:MLINKS}
-PKGINSTALL=${NONEXISTENT}
+.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
+BROKEN= OpenSSL from the base system does not support GOST, add \
+ DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
+ that needs SSL.
.endif
-.if ${PORT_OPTIONS:MTHREADS} && !${PORT_OPTIONS:MDLZ_MYSQL}
-CONFIGURE_ARGS+= --enable-threads
-.else
-CONFIGURE_ARGS+= --disable-threads
-.endif
-
-.if ${OPSYS} == DragonFly || (${OPSYS} == FreeBSD && ${OSVERSION} >= 1000100)
-PKGINSTALL= ${NONEXISTENT}
-PLIST_SUB+= NOBASE="" BASE="@comment "
-SUB_LIST+= NOBASE="" BASE="@comment "
-.if !defined(BIND_TOOLS_SLAVE)
-USE_RC_SUBR+= named
-SUB_FILES+= named.conf
-.endif # !defined(BIND_TOOLS_SLAVE)
-.if ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1}
-WITH_OPENSSL_PORT=yes
-.endif
-.else
-PLIST_SUB+= NOBASE="@comment " BASE=""
-SUB_LIST+= NOBASE="@comment " BASE=""
-.if ${PORT_OPTIONS:MSSL}
-WITH_OPENSSL_PORT= yes
-.endif
-.endif
-
-PKGDEINSTALL= ${PKGINSTALL}
-
-
-PORTDOCS= *
-
post-patch:
-.if defined(BIND_TOOLS_SLAVE)
- @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = lib bin#' \
- -e 's#isc-config.sh installdirs#installdirs#' \
- -e 's#.*INSTALL.*isc-config.*##' \
- -e 's#.*INSTALL.*bind.keys.*##' \
- ${WRKSRC}/Makefile.in
- @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = delv dig dnssec nsupdate \\#' \
- -e 's#^ .*check confgen ##' \
- ${WRKSRC}/bin/Makefile.in
-.else
-. for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \
+.for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \
rndc/rndc.8
@${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \
-e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \
-e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \
${WRKSRC}/bin/${FILE}
-. endfor
-.endif
+.endfor
-.if !defined(BIND_TOOLS_SLAVE)
.if ${PORTREVISION:N0}
post-patch-PORTREVISION-on:
@${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
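Review bot: IPV6 is no longer in OPTIONS_DEFAULT at L97-L98 (the removed list at L90 had it) while `IPV6_CONFIGURE_ENABLE= ipv6` at L240 still maps the option to --enable-ipv6/--disable-ipv6, so unless the mports framework injects IPV6 into the defaults the way FreeBSD's bsd.options.mk does, a default build now configures with --disable-ipv6 and named stops listening and resolving over v6, which the log message does not mention. If that is unintended, restore it: `OPTIONS_DEFAULT= IPV6 SSL THREADS SIGCHASE IDN GSSAPI_NONE JSON \`. The GOST/base-OpenSSL BROKEN check at L294 reads SSL_DEFAULT, which is only available after the bsd.port.pre.mk include at L287, so that ordering must be kept if the block is ever moved. The post-patch-PORTREVISION-on target at L352 continues past the end of this hunk.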
@@ -265,15 +214,6 @@
.endif
post-install:
-.if ${PORT_OPTIONS:MDOCS}
- ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
- ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm
- ${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR}
- ${INSTALL_DATA} ${WRKSRC}/CHANGES ${WRKSRC}/COPYRIGHT ${WRKSRC}/FAQ* \
- ${WRKSRC}/HISTORY ${WRKSRC}/README* ${STAGEDIR}${DOCSDIR}
-.endif
-
-.if ${OPSYS} == DragonFly || (${OPSYS} == FreeBSD && ${OSVERSION} >= 1000100)
${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree
${MKDIR} ${STAGEDIR}${ETCDIR}
.for i in dynamic master slave working
@@ -284,12 +224,20 @@
${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master
${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master
${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master
- ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree
- ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree
-.endif
+ ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample
+ ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample
${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \
${STAGEDIR}${ETCDIR}/rndc.conf.sample
-.endif # BIND_TOOLS_SLAVE
+post-install-DOCS-on:
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
+ ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm
+ ${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${WRKSRC}/CHANGES ${WRKSRC}/FAQ* \
+ ${WRKSRC}/HISTORY* ${WRKSRC}/README* ${STAGEDIR}${DOCSDIR}
-.include <bsd.port.mk>
+# Can't use USE_PYTHON=autoplist
+post-install-PYTHON-on:
+ @${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -type f | ${SED} -e 's|${STAGEDIR}||' >> ${TMPPLIST}
+
+.include <bsd.port.post.mk>
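Review bot: post-install-DOCS-on at L385-L386 no longer installs ${WRKSRC}/COPYRIGHT, which the removed block at L361 did; LICENSE_FILE already points at that file, so if the omission is deliberate it is fine, otherwise add it back with `${INSTALL_DATA} ${WRKSRC}/CHANGES ${WRKSRC}/COPYRIGHT ${WRKSRC}/FAQ* \`. Separately, the plist append at L390 writes find's output in directory-traversal order, so the generated ${TMPPLIST} can differ between filesystems; piping through ${SORT} before the redirect (if mports defines that command, as the FreeBSD framework does) would make it reproducible.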
Added: trunk/dns/bind910/files/patch-CVE-2018-5738
===================================================================
--- trunk/dns/bind910/files/patch-CVE-2018-5738 (rev 0)
+++ trunk/dns/bind910/files/patch-CVE-2018-5738 2018-07-23 04:10:52 UTC (rev 23643)
@@ -0,0 +1,127 @@
+commit 97600626c711585e7bb26cbc67711d072e87a62a
+Author: Evan Hunt <each at isc.org>
+Date: 2018-06-04 21:57:49 -0700
+
+ allow-recursion could incorrectly inherit from the default allow-query
+
+--- CHANGES.orig 2018-03-08 20:55:52 UTC
++++ CHANGES
+@@ -1,3 +1,10 @@
++4960. [security] When recursion is enabled, but the "allow-recursion"
++ and "allow-query-cache" ACLs are not specified,
++ they should be limited to local networks,
++ but were inadvertently set to match the default
++ "allow-query", thus allowing remote queries.
++ (CVE-2018-5738) [GL #309]
++
+ --- 9.10.7 released ---
+ --- 9.10.7rc2 released ---
+
+--- bin/named/server.c.orig 2018-03-08 20:55:52 UTC
++++ bin/named/server.c
+@@ -2565,10 +2565,6 @@ configure_view(dns_view_t *view, dns_vie
+ dns_acache_setcachesize(view->acache, max_acache_size);
+ }
+
+- CHECK(configure_view_acl(vconfig, config, ns_g_config,
+- "allow-query", NULL, actx,
+- ns_g_mctx, &view->queryacl));
+-
+ /*
+ * Make the list of response policy zone names for a view that
+ * is used for real lookups and so cares about hints.
+@@ -3399,9 +3395,6 @@ configure_view(dns_view_t *view, dns_vie
+ INSIST(result == ISC_R_SUCCESS);
+ view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
+
+- CHECK(configure_view_acl(vconfig, config, ns_g_config,
+- "allow-query-cache-on", NULL, actx,
+- ns_g_mctx, &view->cacheonacl));
+ /*
+ * Set sources where additional data and CNAME/DNAME
+ * targets for authoritative answers may be found.
+@@ -3428,22 +3421,40 @@ configure_view(dns_view_t *view, dns_vie
+ view->additionalfromcache = ISC_TRUE;
+ }
+
++ CHECK(configure_view_acl(vconfig, config, ns_g_config,
++ "allow-query-cache-on", NULL, actx,
++ ns_g_mctx, &view->cacheonacl));
++
+ /*
+- * Set "allow-query-cache", "allow-recursion", and
+- * "allow-recursion-on" acls if configured in named.conf.
+- * (Ignore the global defaults for now, because these ACLs
+- * can inherit from each other when only some of them set at
+- * the options/view level.)
++ * Set the "allow-query", "allow-query-cache", "allow-recursion",
++ * and "allow-recursion-on" ACLs if configured in named.conf, but
++ * NOT from the global defaults. This is done by leaving the third
++ * argument to configure_view_acl() NULL.
++ *
++ * We ignore the global defaults here because these ACLs
++ * can inherit from each other. If any are still unset after
++ * applying the inheritance rules, we'll look up the defaults at
++ * that time.
+ */
+- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+- NULL, actx, ns_g_mctx, &view->cacheacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query", NULL, actx,
++ ns_g_mctx, &view->queryacl));
++
++ /* named.conf only */
++ CHECK(configure_view_acl(vconfig, config, NULL,
++ "allow-query-cache", NULL, actx,
++ ns_g_mctx, &view->cacheacl));
+
+ if (strcmp(view->name, "_bind") != 0 &&
+ view->rdclass != dns_rdataclass_chaos)
+ {
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion", NULL, actx,
+ ns_g_mctx, &view->recursionacl));
++ /* named.conf only */
+ CHECK(configure_view_acl(vconfig, config, NULL,
+ "allow-recursion-on", NULL, actx,
+ ns_g_mctx, &view->recursiononacl));
+@@ -3481,18 +3492,21 @@ configure_view(dns_view_t *view, dns_vie
+ * the global config.
+ */
+ if (view->recursionacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ "allow-recursion", NULL,
+ actx, ns_g_mctx,
+ &view->recursionacl));
+ }
+ if (view->recursiononacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ "allow-recursion-on", NULL,
+ actx, ns_g_mctx,
+ &view->recursiononacl));
+ }
+ if (view->cacheacl == NULL) {
++ /* global default only */
+ CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ "allow-query-cache", NULL,
+ actx, ns_g_mctx,
+@@ -3506,6 +3520,14 @@ configure_view(dns_view_t *view, dns_vie
+ CHECK(dns_acl_none(mctx, &view->cacheacl));
+ }
+
++ if (view->queryacl == NULL) {
++ /* global default only */
++ CHECK(configure_view_acl(NULL, NULL, ns_g_config,
++ "allow-query", NULL,
++ actx, ns_g_mctx,
++ &view->queryacl));
++ }
++
+ /*
+ * Ignore case when compressing responses to the specified
+ * clients. This causes case not always to be preserved,
Property changes on: trunk/dns/bind910/files/patch-CVE-2018-5738
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/dns/bind910/files/pkg-message.in
===================================================================
--- trunk/dns/bind910/files/pkg-message.in 2018-07-23 03:03:33 UTC (rev 23642)
+++ trunk/dns/bind910/files/pkg-message.in 2018-07-23 04:10:52 UTC (rev 23643)
@@ -10,13 +10,14 @@
* 'rndc-confgen -a' to generate the proper conf file, with a new *
* random key, and appropriate file permissions. *
* *
-%%NOBASE%%* The %%PREFIX%%/etc/rc.d/named script will do that for you. *
-%%BASE%%* The /etc/rc.d/named script in the base will do that for you. *
-%%BASE%%* *
-%%BASE%%* You will need to make sure that you have the following line *
-%%BASE%%* in your /etc/rc.conf in order to have the startup script *
-%%BASE%%* run the named version from the port: *
-%%BASE%%* *
-%%BASE%%* named_program="%%PREFIX%%/sbin/named" *
+* The %%PREFIX%%/etc/rc.d/named script will do that for you. *
* *
+* If using syslog to log the BIND9 activity, and using a *
+* chroot'ed installation, you will need to tell syslog to *
+* install a log socket in the BIND9 chroot by running: *
+* *
+* # sysrc altlog_proglist+=named *
+* *
+* And then restarting syslogd with: service syslogd restart *
+* *
**********************************************************************
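Review bot: The new instruction at L557 relies on the `altlog_proglist` rc.conf knob, which is a FreeBSD rc.d/syslogd feature; nothing on this page shows that MidnightBSD's syslogd script honors it, so confirm that before telling users it creates the chroot log socket, or the advice silently does nothing and named logs are lost inside the chroot. The removed %%BASE%%/%%NOBASE%% variants (L543-L550) match the plist and Makefile dropping those substitutions, so the remaining text is consistent with the package as built.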
Modified: trunk/dns/bind910/pkg-help
===================================================================
--- trunk/dns/bind910/pkg-help 2018-07-23 03:03:33 UTC (rev 23642)
+++ trunk/dns/bind910/pkg-help 2018-07-23 04:10:52 UTC (rev 23643)
@@ -14,17 +14,15 @@
API functions needed for signature verification.
- GOST
-If using a chrooted instance of BIND on FreeBSD 8.x and 9.x,
-the OpenSSL engines MUST be accessible from within the chroot.
-If BIND is chrooted in /var/named, this can be achieved by
-either copying content of /usr/local/lib/engines into
-/var/named/usr/local/lib/engines, or by creating that directory
-and adding this line to /etc/fstab:
-/usr/local/lib/engines /var/named/usr/local/lib/engines nullfs ro 0 0
-
-
START_LATE
Most of the time, BIND needs to start early in the boot
process. Enable this if BIND starts too early for you and
you need it to start later.
+
+
+ TUNING_LARGE
+ https://kb.isc.org/article/AA-01314/0
+Tunes certain compiled-in constants and default settings to
+values better suited to large servers with 12/16GB+ of memory.
+This can improve performance on such servers, but will consume
+more memory and may degrade performance on smaller systems.
Deleted: trunk/dns/bind910/pkg-install
===================================================================
--- trunk/dns/bind910/pkg-install 2018-07-23 03:03:33 UTC (rev 23642)
+++ trunk/dns/bind910/pkg-install 2018-07-23 04:10:52 UTC (rev 23643)
@@ -1,32 +0,0 @@
-#!/bin/sh
-# ex:sw=8 sts=8
-
-if [ "$2" = 'POST-INSTALL' ]
-then
- /bin/mkdir -p /var/named${PKG_PREFIX}/etc/namedb
-fi
-
-for DIR in ${PKG_PREFIX}/etc/namedb /var/named${PKG_PREFIX}/etc/namedb; do
- for FILE in named.conf rndc.conf rndc.key; do
- if [ "$2" = 'POST-INSTALL' ]
- then
- if [ -e ${PKG_PREFIX}/etc/${FILE} ]
- then
- /bin/cp -a ${PKG_PREFIX}/etc/${FILE} ${DIR}/${FILE}
- else
- /bin/ln -sf /etc/namedb/${FILE} ${DIR}/${FILE}
- fi
- fi
- if [ "$2" = 'POST-DEINSTALL' ]
- then
- [ -L ${DIR}/${FILE} ] && rm -f ${DIR}/${FILE}
- fi
- done
-done
-
-if [ "$2" = 'POST-DEINSTALL' ]
-then
- cd /var/named && /bin/rmdir -p ./${PKG_PREFIX}/etc/namedb > /dev/null 2>&1 || :
-fi
-
-exit 0
Modified: trunk/dns/bind910/pkg-plist
===================================================================
--- trunk/dns/bind910/pkg-plist 2018-07-23 03:03:33 UTC (rev 23642)
+++ trunk/dns/bind910/pkg-plist 2018-07-23 04:10:52 UTC (rev 23643)
@@ -1,10 +1,21 @@
+bin/arpaname
bin/bind9-config
bin/delv
bin/dig
bin/host
bin/isc-config.sh
+bin/named-rrchecker
bin/nslookup
bin/nsupdate
+ at sample etc/mtree/BIND.chroot.dist.sample
+ at sample etc/mtree/BIND.chroot.local.dist.sample
+%%ETCDIR%%/bind.keys
+%%ETCDIR%%/master/empty.db
+%%ETCDIR%%/master/localhost-forward.db
+%%ETCDIR%%/master/localhost-reverse.db
+ at sample %%ETCDIR%%/named.conf.sample
+%%ETCDIR%%/named.root
+%%ETCDIR%%/rndc.conf.sample
include/bind9/check.h
include/bind9/getaddresses.h
include/bind9/version.h
@@ -376,7 +387,6 @@
man/man8/named-journalprint.8.gz
man/man8/named.8.gz
man/man8/nsec3hash.8.gz
-man/man8/tsig-keygen.8.gz
%%NATIVE_PKCS11%%man/man8/pkcs11-destroy.8.gz
%%NATIVE_PKCS11%%man/man8/pkcs11-keygen.8.gz
%%NATIVE_PKCS11%%man/man8/pkcs11-list.8.gz
@@ -383,7 +393,7 @@
%%NATIVE_PKCS11%%man/man8/pkcs11-tokens.8.gz
man/man8/rndc-confgen.8.gz
man/man8/rndc.8.gz
-bin/arpaname
+man/man8/tsig-keygen.8.gz
sbin/ddns-confgen
%%PYTHON%%sbin/dnssec-checkds
%%PYTHON%%sbin/dnssec-coverage
@@ -403,7 +413,6 @@
sbin/named-checkzone
sbin/named-compilezone
sbin/named-journalprint
-bin/named-rrchecker
sbin/nsec3hash
%%NATIVE_PKCS11%%sbin/pkcs11-destroy
%%NATIVE_PKCS11%%sbin/pkcs11-keygen
@@ -412,16 +421,7 @@
sbin/rndc
sbin/rndc-confgen
sbin/tsig-keygen
-%%ETCDIR%%/rndc.conf.sample
-%%ETCDIR%%/bind.keys
-%%NOBASE%%etc/mtree/BIND.chroot.dist
-%%NOBASE%%etc/mtree/BIND.chroot.local.dist
-%%NOBASE%%@sample %%ETCDIR%%/named.conf.sample
-%%NOBASE%%%%ETCDIR%%/named.root
-%%NOBASE%%%%ETCDIR%%/master/empty.db
-%%NOBASE%%%%ETCDIR%%/master/localhost-forward.db
-%%NOBASE%%%%ETCDIR%%/master/localhost-reverse.db
-%%NOBASE%%@dir(bind,bind,) %%ETCDIR%%/dynamic
-%%NOBASE%%@dir %%ETCDIR%%/master
-%%NOBASE%%@dir(bind,bind,) %%ETCDIR%%/slave
-%%NOBASE%%@dir(bind,bind,) %%ETCDIR%%/working
+ at dir(bind,bind,) %%ETCDIR%%/dynamic
+ at dir %%ETCDIR%%/master
+ at dir(bind,bind,) %%ETCDIR%%/slave
+ at dir(bind,bind,) %%ETCDIR%%/working