Number of commits found: 12

Upgrade to BIND versions 9.9.1, 9.8.3, 9.7.6, and 9.6-ESV-R7,
the latest from ISC. These versions all contain the following:

Feature Change

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fix

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-
   threaded environment.

Each version also contains other critical bug fixes.

All BIND users are encouraged to upgrade to these latest versions.

BIND 9.8.2 tarball was re-rolled to remove 9.8.1 release notes. This change
was noticed by ISC at:

https://lists.isc.org/pipermail/bind-users/2012-April/087345.html

and verified by me both by comparing the contents of the old and new
distfiles and by verifying the PGP signature on the new distfile.

No PORTREVISION bump because these files were not installed.

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.

For the port, switch to using the PORTDOCS macro.

Feature safe:   yes

Upgrade to the latest security patch releases to address the
following DDOS bug:

Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))

At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.

Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.

For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-tbd
which will be updated as more information becomes available.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

Feature safe:   yes

Upgrade to version 9.8.1. Release notes at:

https://deepthought.isc.org/article/AA-00446/81/
or
/usr/local/share/doc/bind98/CHANGES

Remove the patch incorporated upstream, and add new include to plist.

Update to versions 9.8.0-P4, 9.7.3-P3, and 9.6-ESV-R4-P3.

ALL BIND USERS ENCOURAGED TO UPGRADE IMMEDIATELY

This update addresses the following vulnerabilities:

CVE-2011-2464
=============
Severity:       High
Exploitable:    Remotely

Description:

A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This

(Only the first 15 lines of the commit message are shown above )

Upgrade to 9.8.0-P2, which addresses the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.

Add a patch from ISC that will be in 9.8.1 to handle intermittent
failure of recursive queries involving CNAMEs and previously cached
responses.

Upgrade to version 9.8.0-P1:

Certain response policy zone configurations could trigger an INSIST
when receiving a query of type RRSIG.

https://www.isc.org/CVE-2011-1907

This vulnerability is only possible if you have enable the new RPZ feature.

This is 9.8.0, the first release version in the 9.8 series.

New features versus previous release candidates include:

* There is a new option in dig, +onesoa, that allows the final SOA
  record in an AXFR response to be suppressed. [RT #20929
* There is additional information displayed in the recursing log
  (qtype, qclass, qid and whether we are following the original
  name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
  timeout in seconds) to set a different value than the default (30
  seconds). A value of 0 means 'use the compiled in default';
  anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
  "make test" stay beyond reboot. See bin/tests/system/README for
  details.

There are also numerous bug fixes and enhancements. See
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
for more information.

Update to 9.8.0rc1, the latest from ISC:

 * The ADB hash table stores informations about which authoritative
   servers to query about particular domains. Previous versions of
   BIND had the hash table size as a fixed value. On a busy recursive
   server, this could lead to hash table collisions in the ADB cache,
   resulting in degraded response time to queries. Bind 9.8 now has a
   dynamically scalable ADB hash table, which helps a busy server to
   avoid hash table collisions and maintain a consistent query
   response time.

Update to 9.8.0b1, which in addition to DNS64 support also has
the following new features:

* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view.

* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project.

(Only the first 15 lines of the commit message are shown above )

Add a -devel port for 9.8.0a1, which will allow people to experiment
with DNS64. Once 9.8.0 is released officially the -devel tag will be
removed.

BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture.  Some of the important features of BIND 9 are:

DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
     Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
     Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
     e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support

BIND 9.8 includes a number of changes from BIND 9.7 and earlier releases,
including:
        Preliminary DNS64 support (AAAA synthesis only initially)

See the CHANGES file for more information on features.

WWW: https://www.isc.org/software/bind

Number of commits found: 12

12 vulnerabilities affecting 17 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities