notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
Want a good monitor light? See my photosAll times are UTC
Ukraine
This referral link gives you 10% off a Fastmail.com account and gives me a discount on my Fastmail account.
New feature planned: get notified when the package is available. Now is the time to contribute ideas/suggestions.
non port: dns/bind9/distinfo

Number of commits found: 20

Wednesday, 1 Dec 2010
00:48 dougb search for other commits by this committer
As previously advertised, remove BIND 9.3.x coincident with the
EOL of RELENG_6.
Original commit
Thursday, 8 Jan 2009
08:18 dougb search for other commits by this committer
Update to the -P1 versions of the current BIND ports which contain
the fix for the following vulnerability: https://www.isc.org/node/373

Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.

Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).

In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.

While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.

PR:             ports/126297
Submitted by:   Ronald F.Guilmette <rfg@tristatelogic.com>
Original commit
Friday, 19 Dec 2008
22:30 dougb search for other commits by this committer
Upgrade to version 9.3.6.

Add a note to pkg-message indicating that ISC declared this version EOL
as of 1 December, but that we will support the port through the RELENG_6
lifetime.
Original commit
Saturday, 9 Aug 2008
07:23 dougb search for other commits by this committer
All -P2 versions now have PGP signatures with ISC's standard
signing key.

PR:             ports/126389 (for bind9)
Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Original commit
Saturday, 2 Aug 2008
07:01 dougb search for other commits by this committer
Update to patchlevel 2 for all versions:

- performance improvement over the P1 releases, namely
   + significantly remedying the port allocation issues
   + allowing TCP queries and zone transfers while issuing as many
      outstanding UDP queries as possible
   + additional security of port randomization at the same level as P1

- also includes fixes for several bugs in the 9.5.0 base code
Original commit
Wednesday, 9 Jul 2008
19:02 dougb search for other commits by this committer
Upgrade to the -P1 versions of each port, which add stronger randomization
of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.

Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.

This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.

This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Original commit
Monday, 2 Jun 2008
05:20 dougb search for other commits by this committer
Update to version 9.3.5. It contains the latest bug fixes, updates
to root server addresses, and a fix for the vulnerability mentioned
here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122

Users of BIND 9.3.x are strongly encouraged to upgrade to this
version. Also, the 9.3.x branch is now in maintenance-only mode.
Users are encouraged to investigate BIND 9.4.x or perhaps 9.5.x.

http://www.isc.org/index.pl?/sw/bind/versions_and_support.php
Original commit
Tuesday, 24 Jul 2007
22:00 dougb search for other commits by this committer
Update to 9.3.4-P1, which fixes the following:

The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.

All users are encouraged to upgrade.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
Original commit
Thursday, 25 Jan 2007
01:57 dougb search for other commits by this committer
Upgrade to version 9.3.4, the latest from ISC, which addresses the
following security issues. All users of BIND are encouraged to upgrade
to this version.

2126.   [security]      Serialise validation of type ANY responses. [RT #16555]

2124.   [security]      It was possible to dereference a freed fetch
                        context. [RT #16584]

2089.   [security]      Raise the minimum safe OpenSSL versions to
                        OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
                        prior to these have known security flaws which
                        are (potentially) exploitable in named. [RT #16391]

2088.   [security]      Change the default RSA exponent from 3 to 65537.
                        [RT #16391]

2066.   [security]      Handle SIG queries gracefully. [RT #16300]

1941.   [bug]           ncache_adderesult() should set eresult even if no
                        rdataset is passed to it. [RT #15642]
Original commit
Saturday, 9 Dec 2006
22:20 dougb search for other commits by this committer
Upgrade to version 9.3.3, the latest from ISC. This is
a maintenance release, with the usual round of bug and
security fixes.

All users of BIND 9 are encouraged to upgrade to this
version.
Original commit
Friday, 3 Nov 2006
07:47 dougb search for other commits by this committer
Update to version 9.3.2-P2, which addresses the vulnerability
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list today):

Description:
        Because of OpenSSL's recently announced vulnerabilities
        (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
        we are announcing this workaround and releasing patches.  A proof of
        concept attack on OpenSSL has been demonstrated for CAN-2006-4339.

        OpenSSL is required to use DNSSEC with BIND.

Fix for version 9.3.2-P1 and lower:
        Upgrade to BIND 9.2.3-P2, then generate new RSASHA1 and
        RSAMD5 keys for all old keys using the old default exponent
        and perform a key rollover to these new keys.

        These versions also change the default RSA exponent to be
        65537 which is not vulnerable to the attacks described in
        CAN-2006-4339.
Original commit
Wednesday, 6 Sep 2006
18:42 dougb search for other commits by this committer
Upgrade to version 9.3.2-P1, which addresses the following security
vulnerabilities:

http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
2066.  [security]      Handle SIG queries gracefully. [RT #16300]

http://www.kb.cert.org/vuls/id/697164
1941.  [bug]           ncache_adderesult() should set eresult even if no
                       rdataset is passed to it. [RT #15642]

All users of BIND 9 are encouraged to upgrade to this version.
Original commit
Wednesday, 28 Dec 2005
01:07 dougb search for other commits by this committer
Update to 9.3.2, the latest from ISC
Original commit
Thursday, 24 Nov 2005
00:08 dougb search for other commits by this committer
Add SHA256 checksums to my ports
Original commit
Sunday, 13 Mar 2005
10:52 dougb search for other commits by this committer
Upgrade to 9.3.1, the latest version from ISC. This version contains
several important fixes, including a remote (although unlikely) exploit.
See the CHANGES file for details.

All users of BIND 9 are highly encouraged to upgrade to this version.

Changes to the port include:
1. Remove ISC patch to 9.3.0 that addressed the remote exploit
2. Change to OPTIONS, and thereby
3. --enable-threads is now the default. Users report that the new thread
code in 9.3.x works significantly better than the old on all versions of
FreeBSD.
4. Add a temporary shim for the old PORT_REPLACES_BASE_BIND9 option.
The OPTIONS framework requires knobs to start with WITH_ or WITHOUT_
5. Remove patch that shoehorned named.conf.5 into the right place,
it has been fixed in the code.
Original commit
Friday, 28 Jan 2005
20:47 dougb search for other commits by this committer
Include a patch from ISC to deal with the following vulnerability:

Name:                   BIND: Self Check Failing [Added 2005.25.01]
Versions affected:      BIND 9.3.0
Severity:               LOW
Exploitable:            Remotely
Type:                   Denial of Service
Description:
An incorrect assumption in the validator (authvalidated) can result in a
REQUIRE (internal consistancy) test failing and named exiting.

Workarounds:
Turn off dnssec validation (off by default) at the options/view level.

        dnssec-enable no;

Active Exploits:        None known

Bump PORTREVISION accordingly.

It should be noted that the vast majority of users would not have
DNSSEC enabled, and therefore are not vulnerable to this bug.
Original commit
Friday, 24 Sep 2004
04:03 dougb search for other commits by this committer
Update to BIND 9.3.0, the latest from ISC. This version has several
significant updates, not the least of which is the new and improved
DNSSEC code based on the latest standards (including DS).

Various updates to the port, including:
1. Download the PGP signature
2. If running on ${OSVERSION} >= 503000, configure with threads
3. Update pkg-descr re IPv6 RRs
4. Update pkg-message to reflect a world with 6-current

There is also a patch to correct a man page installation error.
This problem should be fixed in the next release.

Approved by:    portmgr (marcus)
Original commit
Sunday, 14 Mar 2004
00:17 dougb search for other commits by this committer
Now that the SIZE thing has stabilized, add it to the ports I maintain.
Original commit
Friday, 24 Oct 2003
23:10 dougb search for other commits by this committer
Upgrade to the 9.2.3 release version
Original commit
Thursday, 25 Sep 2003
05:08 dougb search for other commits by this committer
Upgrade to version 9.2.3rc4.

The 9.2.3 code has many many bugs fixed from 9.2.2, check CHANGES
for more information.

The rc4 code has the delegation-only options. Check the ARM for
information on how to enable it.
Original commit

Number of commits found: 20