./net/isc-bind [Berkeley Internet Name Daemon: DNS server and tools]

Version: 9.10.6, Package name: isc-bind-9.10.6
Maintained by: Stuart Henderson
Master sites:
Flavors (export FLAVOR=xyz, setenv FLAVOR xyz):
  • geoip
  • no_ssl
Description
BIND is open source software that implements the Domain Name System
(DNS) protocols for the Internet. It is a reference implementation
of those protocols, but it is also production-grade software,
suitable for use in high-volume and high-reliability applications.

Flavours:
geoip - build BIND with support for geolocation using the GeoIP API.
no_ssl - build BIND without crypto support


Filesize: 9227.924 KB
Version History
  • (2017-07-29) Updated to version: isc-bind-9.10.6
  • (2017-07-10) Updated to version: isc-bind-9.10.5pl3
  • (2017-06-30) Updated to version: isc-bind-9.10.5pl2
  • (2017-06-15) Updated to version: isc-bind-9.10.5pl1
  • (2017-05-04) Updated to version: isc-bind-9.10.5
  • (2017-04-13) Updated to version: isc-bind-9.10.4pl8
  • (2017-02-09) Updated to version: isc-bind-9.10.4pl6
  • (2017-01-12) Updated to version: isc-bind-9.10.4pl5
  • (2016-11-02) Updated to version: isc-bind-9.10.4pl4
  • (2016-09-28) Updated to version: isc-bind-9.10.4pl3

CVS Commit History:

   2017-07-28 17:38:06 by Stuart Henderson | Files touched by this commit (4)
Log message:
update to bind 9.10.6
   2017-07-28 14:53:33 by Marc Espie | Files touched by this commit (2)
Log message:
let it build with clang, just grab the unwinder from c++abi
   2017-07-10 01:38:05 by Stuart Henderson | Files touched by this commit (3)
Log message:
update to BIND-9.10.5-P3
9.10.5-P2 broke verification of TSIG signed TCP message sequences where
not all the messages contain TSIG records. These may be used in AXFR and
IXFR responses. [RT #45509]
   2017-07-10 01:38:04 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND-9.10.5-P3
9.10.5-P2 broke verification of TSIG signed TCP message sequences where
not all the messages contain TSIG records. These may be used in AXFR and
IXFR responses. [RT #45509]
   2017-06-29 15:15:31 by Stuart Henderson | Files touched by this commit (1)
Log message:
Update to BIND 9.10.5-P2
An error in TSIG handling could permit unauthorized zone transfers
or zone updates. CVE-2017-3142, CVE-2017-3143.
Also updates the address of b.root in hints.
   2017-06-29 15:14:54 by Stuart Henderson | Files touched by this commit (2)
Log message:
Update to BIND 9.10.5-P2
An error in TSIG handling could permit unauthorized zone transfers
or zone updates. CVE-2017-3142, CVE-2017-3143.
Also updates the address of b.root in hints.
   2017-06-15 03:02:53 by Stuart Henderson | Files touched by this commit (3)
Log message:
update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query
   2017-06-15 03:01:49 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query
   2017-05-03 14:20:42 by Stuart Henderson | Files touched by this commit (7)
Log message:
update to BIND 9.10.5
   2017-04-13 04:36:11 by Stuart Henderson | Files touched by this commit (1)
Log message:
MFC update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives
a null command string on its control channel
   2017-04-13 04:35:33 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives
a null command string on its control channel
   2017-02-08 17:05:52 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server crash.
This flaw is disclosed in CVE-2017-3135. [RT #44434]
* A synthesized CNAME record appearing in a response before the associated
DNAME could be cached, when it should not have been. This was a
regression introduced while addressing CVE-2016-8864. [RT #44318]
   2017-02-08 17:04:40 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server crash.
This flaw is disclosed in CVE-2017-3135. [RT #44434]
* A synthesized CNAME record appearing in a response before the associated
DNAME could be cached, when it should not have been. This was a
regression introduced while addressing CVE-2016-8864. [RT #44318]
   2017-01-24 04:46:35 by Stuart Henderson | Files touched by this commit (6)
Log message:
add pledges for dig/host/nslookup in the ports version of BIND. initial
pledge is "stdio rpath inet unix dns", dropping to "stdio inet dns"
after argument parsing.
access to resolv.conf is required late; the dns pledge is used for this
rather than requiring full rpath; however contrary to the version in
base, inet is allowed as well, so that it can be used as a debug tool
for servers on alternate ports.
works fine for me; no feedback after posting yet so committing to get
real-world testing. please report any issues.
   2017-01-12 05:24:04 by Stuart Henderson | Files touched by this commit (1)
Log message:
MFC: SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering
an assertion failure.  CVE-2016-9444
Named mishandled some responses where covering RRSIG records are returned
without the requested data resulting in an assertion failure.  CVE-2016-9147
Named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch.  CVE-2016-9131
   2017-01-12 05:22:20 by Stuart Henderson | Files touched by this commit (2)
Log message:
SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering
an assertion failure.  CVE-2016-9444
Named mishandled some responses where covering RRSIG records are returned
without the requested data resulting in an assertion failure.  CVE-2016-9147
Named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch.  CVE-2016-9131
   2016-11-01 15:05:37 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864
   2016-11-01 15:02:03 by Stuart Henderson | Files touched by this commit (3)
Log message:
update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864
   2016-09-27 13:49:58 by Stuart Henderson | Files touched by this commit (1)
Log message:
-stable update to BIND 9.10.4-P3, fixing
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only)
https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if
they can receive request packets from any source")
   2016-09-27 13:49:10 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.4-P3, fixing
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only)
https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if
they can receive request packets from any source")
   2016-09-13 10:12:14 by Christian Weisgerber | Files touched by this commit (21)
Log message:
replace libiconv module
   2016-07-20 05:46:55 by Jasper Lievisse Adriaanse | Files touched by this commit (2)
Log message:
Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non
absolute name could trigger an infinite recursion bug in lwres[..]"; affects
users of lwresd and users with "lwres" enabled in their configuration).
ok sthen@
   2016-07-19 04:46:15 by Stuart Henderson | Files touched by this commit (2)
Log message:
Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non
absolute name could trigger an infinite recursion bug in lwres[..]"; affects
users of lwresd and users with "lwres" enabled in their configuration).
Also has a couple of regression fixes. OK naddy@
   2016-05-26 03:25:25 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.4-P1, fixing a problem where adjacent bitfields
were protected by different locks.
See http://fanf.livejournal.com/144615.html for an informative write-up
on the issue: "Even the Deathstation 9000 can't screw up the BIND 9.10.4
fix".
   2016-04-29 05:01:02 by Stuart Henderson | Files touched by this commit (8)
Log message:
update to bind-9.10.4
   2016-03-11 13:28:34 by Christian Weisgerber | Files touched by this commit (247)
Log message:
garbage collect CONFIGURE_SHARED
   2016-03-10 02:57:19 by Jasper Lievisse Adriaanse | Files touched by this commit (1)
Log message:
update to BIND 9.10.3-P4
https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html
   2016-03-09 17:03:34 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.3-P4, fixes crashes (assertion failures), one present
since 9.0.0.  CVE-2016-1285 CVE-2016-1286 CVE-2016-2088
   2016-02-29 17:07:18 by Stuart Henderson | Files touched by this commit (16)
Log message:
bump (GeoIP pkgpath change)
   2016-01-22 07:54:09 by Jasper Lievisse Adriaanse | Files touched by this commit (1)
Log message:
- security update to BIND 9.10.3P3
https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html
   2016-01-19 15:24:05 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.3P3
- Fixed a regression in resolver.c:possibly_mark() which caused
known-bogus servers to be queried anyway. [RT #41321]
- render_ecs errors were mishandled when printing out an OPT record
resulting in an assertion failure. (CVE-2015-8705) [RT #41397]
- Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396]
   2015-12-17 10:07:41 by Stuart Henderson | Files touched by this commit (1)
Log message:
bump isc-bind REVISION to avoid warnings with updates (different deps
between 5.8-stable and -current)
   2015-12-17 10:06:39 by Stuart Henderson | Files touched by this commit (3)
Log message:
MFC update to bind-9.10.3-P2
4260.   [security]      Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253.   [security]      Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
   2015-12-15 15:43:37 by Stuart Henderson | Files touched by this commit (4)
Log message:
update to bind-9.10.3-P2
4260.   [security]      Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253.   [security]      Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
   2015-10-07 13:36:50 by Stuart Henderson | Files touched by this commit (1)
Log message:
oops, forgot to re-add json-c to WANTLIB/LIB_DEPENDS in previous commit.
spotted by nigel@
   2015-10-03 13:44:51 by Stuart Henderson | Files touched by this commit (1)
Log message:
reenable json stats in BIND, there used to be a problem with build on arch
without sync_val_compare_and_swap_4 but this was worked around in json-c.
reminded by jca.
   2015-09-25 08:02:31 by Stuart Henderson | Files touched by this commit (1)
Log message:
build dig with SIGCHASE support
   2015-09-16 09:28:16 by Stuart Henderson | Files touched by this commit (8)
Log message:
update to BIND 9.10.3. add a bunch of patches because they now support
OpenSSL 1.1 api (OPENSSL_VERSION_NUMBER < / >= 0x10100000L checks).
   2015-09-02 14:28:13 by Stuart Henderson | Files touched by this commit (1)
Log message:
SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986
   2015-09-02 14:27:37 by Stuart Henderson | Files touched by this commit (1)
Log message:
SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986
   2015-09-02 14:25:43 by Stuart Henderson | Files touched by this commit (2)
Log message:
SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986
   2015-08-24 14:46:50 by Stuart Henderson | Files touched by this commit (2)
Log message:
Add a no_ssl flavour to BIND.
Expand the comment about json-c as that's broken on mips64 as well as hppa.
   2015-07-30 17:26:59 by Stuart Henderson | Files touched by this commit (2)
Log message:
Apply BIND security update to OPENBSD_5_6 as well
Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)
   2015-07-28 14:04:17 by Stuart Henderson | Files touched by this commit (2)
Log message:
Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)
   2015-07-28 14:03:35 by Stuart Henderson | Files touched by this commit (2)
Log message:
Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)
   2015-07-15 00:43:31 by Stuart Henderson | Files touched by this commit (1)
Log message:
Build BIND with --enable-filter-aaaa, no change by default, but this allows
use of the filter-aaaa-on-v4 config option. Req'd by Marcus Andree.
   2015-07-07 13:34:10 by Stuart Henderson | Files touched by this commit (1)
Log message:
MFC update to BIND 9.10.2-P2, fixes CVE-2015-4620 - querying a malicious zone
can trigger a "REQUIRE" assertion failure in the resolver if DNSSEC validation
is enabled.
   2015-07-07 13:32:47 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.2-P2, fixes CVE-2015-4620 - querying a malicious zone can
trigger a "REQUIRE" assertion failure in the resolver if DNSSEC validation
is enabled.
   2015-06-10 16:47:24 by Stuart Henderson | Files touched by this commit (3)
Log message:
MFC: SECURITY update to BIND 9.10.2-P1, various problems with RPZ (policy zones),
and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266
"If you are using RPZ in BIND 9.10 in a production environment, and
particularly if you have multiple policy zones, you should upgrade to
BIND 9.10.2-P1. Otherwise, this upgrade is not urgent."
   2015-06-10 16:40:41 by Stuart Henderson | Files touched by this commit (2)
Log message:
SECURITY update to BIND 9.10.2-P1, various problems with RPZ (policy zones),
and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266
"If you are using RPZ in BIND 9.10 in a production environment, and
particularly if you have multiple policy zones, you should upgrade to
BIND 9.10.2-P1. Otherwise, this upgrade is not urgent."
   2015-05-16 04:15:53 by Mark Kettenis | Files touched by this commit (2)
Log message:
Use $CC to link shared library to make sure crtbeginS.o gets linked in.
Switches CONFIGURE_STYLE to autoconf to make sure configure gets regenerated.
ok (and help from) sthen@
   2015-03-14 16:26:21 by Stuart Henderson | Files touched by this commit (1)
Log message:
take MAINTAINER
   2015-03-14 15:01:54 by Stuart Henderson | Files touched by this commit (5)
Log message:
update to BIND 9.10.2
   2015-02-18 15:51:18 by Stuart Henderson | Files touched by this commit (1)
Log message:
Update to BIND 9.10.1P2
On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys, or
implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
revoking a trust anchor and sending a new untrusted replacement could
cause named to crash with an assertion failure.  This could occur in
the event of a botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to monitor the
victim's DNS traffic.  This flaw was discovered by Jan-Piet Mens, and
is disclosed in [CVE-2015-1349] [RT #38344] (**)
   2015-02-18 15:49:44 by Stuart Henderson | Files touched by this commit (2)
Log message:
update to BIND 9.10.2P2
On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys, or
implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
revoking a trust anchor and sending a new untrusted replacement could
cause named to crash with an assertion failure.  This could occur in
the event of a botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to monitor the
victim's DNS traffic.  This flaw was discovered by Jan-Piet Mens, and
is disclosed in [CVE-2015-1349] [RT #38344] (**)
   2015-01-30 08:15:42 by Stuart Henderson | Files touched by this commit (1)
Log message:
previous change ("Disable json stats in bind") resulted in losing a couple
of symbols from libdns; bump SHARED_LIBS version and REVISION.
   2015-01-15 15:34:02 by Stuart Henderson | Files touched by this commit (1)
Log message:
Disable json stats in bind and zap BROKEN-hppa.
   2015-01-15 11:10:39 by Landry Breuil | Files touched by this commit (1)
Log message:
BROKEN-hppa =   uses json-c which requires atomic ops
   2014-12-17 16:39:17 by Stuart Henderson | Files touched by this commit (4)
Log message:
Revert previous BIND workaround for query failures when coming up cold.
Instead, cherrypick a fix from git at source.isc.org; this exempts TLD and
root zone lookups from max-recursion-queries and changes the default to 75.
   2014-12-09 10:54:11 by Stuart Henderson | Files touched by this commit (5)
Log message:
MFC BIND update:
Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance,
CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html
Add a local patch to increase the default query limit, during testing it
appears that the standard defaults can be easily falsely triggered during
priming at startup.
   2014-12-09 10:21:36 by Stuart Henderson | Files touched by this commit (4)
Log message:
Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance,
CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html
Add a local patch to increase the default query limit, during testing it
appears that the standard defaults can be easily falsely triggered during
priming at startup.