1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-30 01:15:52 +00:00
Commit Graph

70 Commits

Author SHA1 Message Date
Mathieu Arnold
c39c3d4a40 Security update to fix CVE-2014-0591 as reported at
https://kb.isc.org/article/AA-01078/74/

9.9.4 -> 9.9.4-P2
9.8.6 -> 9.8.6-P2
9.6-ESV-R10 -> 9.6-ESV-R10-P2

Security:	CVE-2014-0591 Remote DOS
2014-01-13 17:38:28 +00:00
Mathieu Arnold
434aa8bf29 Fixup rndc.conf.sample installation
Spotted by:	antoine
2014-01-08 22:52:19 +00:00
Erwin Lansing
fe8682b27c There's always a default value for named_conf now, so no need to
check for it, and espcially not for a wrong value.

Noticed by:	Stefan Bethke <stb@lassitu.de>
Approved by:	mat (maintainer)
2014-01-07 09:55:06 +00:00
Mathieu Arnold
29d398ff32 Yet another round of fixes.
This time, it seems all of REPLACE_BASE, not REPLACE_BASE and post Bind removal
from base seem to work consistently.
2014-01-06 23:15:20 +00:00
Mathieu Arnold
3acb181ef3 Fix yet another bug, they're creeping like crazy... 2014-01-06 21:39:08 +00:00
Mathieu Arnold
422c80b630 Fix build with LINKS. 2014-01-06 14:29:24 +00:00
Mathieu Arnold
5d545c6f64 Convert to staging and new options. 2014-01-06 13:34:48 +00:00
Mathieu Arnold
0bea110783 Add the DOCS option to OPTIONS_DEFAULT. 2014-01-04 19:25:56 +00:00
Erwin Lansing
feaedb2576 Hand the BIND ports to a new volunteer. 2014-01-02 13:43:11 +00:00
Erwin Lansing
7b131f94df Fix build with GSSAPI option without Kerberos
PR:		184560
Submitted by:	Dewayne <dewayne@heuristicsystems.com.au>
2013-12-10 10:01:21 +00:00
John Marino
2c8e96c57c bind(96,98,99): Couple OSVERSION with OPSYS
OSVERSION is platform-specific and must be used with OPSYS.

Approved by:	maintainer (erwin)
2013-12-08 19:49:52 +00:00
Glen Barber
0dd076723f To prevent fallout of lowering __FreeBSD_version in releng/10.0 branch,
adjust OSVERSION evaluation in ports that specifically use '100050N'.

Approved by:	affected maintainers (implicit)
Sponsored by:	The FreeBSD Foundation
2013-12-07 10:50:23 +00:00
Erwin Lansing
ce2fd7b3ef Install named.conf as named.conf.sample and don't overwrite on upgrade
Bullet hole in foot:	joeld
Pointy hat:		erwin
2013-12-05 12:54:56 +00:00
Erwin Lansing
6c803a1da7 Fix build with GSSAPI
Submitted by:	sunpoet
2013-12-04 12:15:53 +00:00
Sunpoet Po-Chuan Hsieh
b7ffdb5d78 - Respect BIND_DESTETC and PREFIX
Submitted by:	sunpoet (myself)
Approved by:	erwin (maintainer)
2013-11-22 19:05:01 +00:00
Erwin Lansing
5340a9fcad Fix startup script.
PR:		184159 [1]
Submitted by:	Pawel Biernacki <pawel.biernacki@gmail.com> [1],
		Trond Endrestoel <Trond.Endrestol@ximalas.info> (private email)
2013-11-22 13:41:34 +00:00
Erwin Lansing
01f6667cca Create pid directory if it doesn't exist. 2013-11-12 08:55:46 +00:00
Erwin Lansing
f249b51fc4 Support FreeBSD 10.0.
On FreeBSD 10.0, all configuration is installed under
/usr/local/etc/namedb and installs its own rc script in
$PREFIX, which no longer support chroot installations.

LINKS and REPLACE_BASE options are not supported on 10.0
for obvious reasons.

Note for FreeBSD 9.x and earlier users, LINKS is no longer
the default option, though still supported.

An UPDATING entry will follow after bind96 and bind99 are fixed
as well.
2013-11-12 07:38:56 +00:00
Erwin Lansing
2c5222234e Drop support for REPLACE_BIND option after BIND was removed from base,
there's nothing to replace.
2013-11-04 11:23:11 +00:00
Erwin Lansing
5a61b6cd8d Fix PATCH_SITES
Submitted by:	"Felix J. Ogris" <fjo@ogris.de>
2013-11-01 10:26:17 +00:00
Erwin Lansing
bd33f08ef3 Update to 9.8.6 2013-09-28 12:32:53 +00:00
Erwin Lansing
5efd401380 Add an option for filter-aaaa
Submitted by:	Matej Gregr <matej.gregr@gmail.com>
2013-09-23 10:20:56 +00:00
Baptiste Daroussin
24a1652ff4 Add NO_STAGE all over the place in preparation for the staging support (cat: dns) 2013-09-20 16:31:57 +00:00
Erwin Lansing
8576e9d9a0 Make GSSAPI support optional
PR:		182122
Submitted by:	Uwe Doering <gemini@geminix.org>
2013-09-17 11:31:49 +00:00
Boris Samorodov
54e44467d7 . introduce ICONV_CONFIGURE_BASE variable at Mk/Uses/iconv.mk. It's value is
"--with-libiconv=${LOCALBASE}" at systems pre OSVERSION 100043 and "" (null)
  otherwise;
. convert all ports which has CONFIGURE_ARGS=--with-libiconv=${LOCALBASE}.

Approved by:	portmgr (bapt, implicit)
2013-09-05 20:18:30 +00:00
Ollivier Robert
b3392148de Update the RPZ+RL patches for both versions.
Approved by:	erwin
2013-07-27 21:08:35 +00:00
Ollivier Robert
290764c8ba Put back the two patches for RPZ-RL that were removed during the previous
update.
2013-07-26 22:19:27 +00:00
Ollivier Robert
3726e2cae1 Security update to fix CVE-2013-4854 as reported at
https://kb.isc.org/article/AA-01015/0

9.9.3-p1 -> 9.9.3-P2
9.8.5-p1 -> 9.8.5-P2

9.6.x is not affected, neither is 10.x.

Security:	CVE-2013-4854 Remote DOS
2013-07-26 22:05:05 +00:00
Erwin Lansing
92b781fac4 Update to 9.8.5-P1
Security Fixes

   Prevents exploitation of a runtime_check which can crash named
   when satisfying a recursive query for particular malformed zones.
   (CVE-2013-3919) [RT #33690]

   A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. (CVE-2012-5166) [RT #31090]

   Now supports NAPTR regular expression validation on all platforms,
   and avoids memory exhaustion compiling pathological regular
   expressions. (CVE-2013-2266)  [RT #32688]

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents an assertion failure in named when RPZ and DNS64 are
   used together. (CVE-2012-5689) [RT #32141]

See release notes for further features and bug fixes:
https://kb.isc.org/article/AA-00969/0/BIND-9.8.5-P1-Release-Notes.html

Security:	CVE-2013-3919
		CVE-2012-5166
		CVE-2013-2266
		CVE-2012-5688
		CVE-2012-5689
2013-06-05 11:49:51 +00:00
Erwin Lansing
bb37a21123 Update to 9.8.5 2013-05-31 09:32:28 +00:00
Erwin Lansing
56bb308f3e Update RPZ and RRL patch set:
- address the issue raised by Bob Harold. RRL on recursive servers
     applies rate limits after waiting for recursion except on
     sub-domains of domains for which the server is authoritative.

  - fix the bug reported by Roy Arends in which "slipped" NXDOMAIN
     responses had rcode values of 0 (NoError) instead of 3 (NXDOMAIN).

  - move reports of RRL drop and slip actions from the "queries"
     log category to the "query-errors" category. Because they are not
     in the "queres" category, enabling or disabling query logging no
     longer affects them.
2013-05-31 08:10:56 +00:00
Erwin Lansing
2a0e1389ad Make pkg-message and pkg-install a local file to the bind98 and bind99
ports and not include the one from the deprecated bind97 port, which is
to be removed.
2013-04-23 08:26:48 +00:00
Erwin Lansing
fb20fb9362 Update RPZ+RRL patchset to the latest version.
The change makes "slip 1;" send only truncated (TC=1) responses.
Without the change, "slip 1;" is the same as the default of "slip 2;".
That default, which alternates truncated with dropped responses
when the rate limit is exceeded, is better for authoritative DNS
servers, because it further reduces the amplification of an attack
from about 1X to about 0.5X.

DNS RRL is not recommended for recursive servers.

Feature safe:	yes
2013-04-17 07:57:54 +00:00
Erwin Lansing
3311832790 Update to 9.8.4-P2
Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]

Security:	CVE-2013-2266
2013-03-27 07:55:22 +00:00
Erwin Lansing
715dba2977 Update the RPZ+RRL patch files which remove
working files that should not have been in the patches[1]
Also move to a versioned filename for the patches[2]

Submitted by:	Robert Sargent <robtsgt@gmail.com> [1],
		Vernon Schryver <vjs@rhyolite.com> [2]
2013-03-15 10:56:33 +00:00
Erwin Lansing
2e85b58e49 Update RPZ+RRL patch to 028.23
A serious Multiple Zone Response Policy Zone (RPZ2)
Speed Improvement bug has been fixed.

`./configure --enable-rpz-nsip --enable-rpz-nsdname`
is now the default.

Responses affected by the all-per-second parameter
are always dropped. The slip value has no effect on them.

There are improved log messages for responses that aredropped or "slipped," because they would require an
excessive identical referral.
2013-02-05 09:35:28 +00:00
Erwin Lansing
dc0e56bb80 Reduce lenght of the option description for RPZRRL_PATCH to
avoid problems with the older dialog(1) on FreeBSD 8.x

Noticed by:   Terry Kennedy <terry@tmk.com>
2013-01-10 10:37:18 +00:00
Erwin Lansing
bad9ad12ae Update the response rate limiting patch to the latest
released version of January 5, 2013.

This also includes performance patches to the BIND9
Response Policy Zones (DNS RPZ), Single Zone Response
Policy Zone (RPZ) Speed Improvement, in the same
patch.

More information: http://ss.vix.su/~vjs/rrlrpz.html
2013-01-09 10:20:16 +00:00
Erwin Lansing
d2c1b13640 Add LICENSE. 2013-01-04 10:47:28 +00:00
Erwin Lansing
38649eeb03 Add experimental option for Response Rate Limiting patch. 2013-01-04 10:39:41 +00:00
Erwin Lansing
b0e7b6c04c - Use new OPTIONS_GROUP for DLZ options.[1]
- This also allows more than one DLZ option
  to be set.[2]

Submitted by:	bapt [1] (as RADIO)
Suggested by:	az [2] (thus GROUP instead)
2012-12-14 10:43:35 +00:00
Erwin Lansing
f7345394fe Update to the latest patch level from ISC:
BIND 9 nameservers using the DNS64 IPv6 transition mechanism are
  vulnerable to a software defect that allows a crafted query to
  crash the server with a REQUIRE assertion failure.  Remote
  exploitation of this defect can be achieved without extensive
  effort, resulting in a denial-of-service (DoS) vector against
  affected servers.

Security:	2892a8e2-3d68-11e2-8e01-0800273fe665
		CVE-2012-5688
Feature safe:	yes
2012-12-05 07:46:03 +00:00
Erwin Lansing
534bdf4937 Improve the SSL option description
Submitted by:	Kazunori Fujiwara <fujiwara@jprs.co.jp>
Feature safe:	yes
2012-12-03 10:52:11 +00:00
Erwin Lansing
680f311898 Remove gpg signature checking that in itself does not
provide any additional security.

Feature safe:	yes
2012-12-03 10:48:18 +00:00
Erwin Lansing
e8882f0ecc - Update CONFLICTS
- Fix a typo in the OPTIONSNG conversion
- Add FIXED_RRSET option
- Add RPZ options (9.8 and 9.8 only)

PR:		172586
Submitted by:	Craig Leres <leres@ee.lbl.gov>
Feature safe:	yes
2012-11-27 10:05:32 +00:00
Erwin Lansing
fc2b7bdc9a Reduce lenght of the option description for DLZ_MYSQL to
avoid problems with the older dialog(1) on FreeBSD 8.x

Noticed by:	Terry Kennedy <terry@tmk.com>
Feature safe:	yes
2012-10-26 08:37:10 +00:00
Erwin Lansing
311da8020a - Convert to OPTIONSNG
- Turn on IPv6 support by default

Feature safe:	yes
2012-10-25 10:53:57 +00:00
Erwin Lansing
fee03cc166 Update to 9.8.4
Feature safe:	yes
2012-10-19 09:32:00 +00:00
Erwin Lansing
b6095ca45c Upgrade to the latest BIND patch level:
A deliberately constructed combination of records could cause named
to hang while populating the additional section of a response.

Security:	  http://www.vuxml.org/freebsd/57a700f9-12c0-11e2-9f86-001d923933b6.html
2012-10-10 11:54:44 +00:00
Erwin Lansing
0a8fc4d0e4 Take maintainership of the BIND ports while I'm working on the latest
security releases.
2012-10-10 09:11:41 +00:00