Version: 9.18.5, Package name: isc-bind-9.18.5 |
Maintained by: Stuart Henderson |
Master sites: |
Flavors (export FLAVOR=xyz, setenv FLAVOR xyz): |
Description: BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications. The BIND 9 Administrator Reference Manual is available online at https://bind9.readthedocs.io/.
Flavours:
  geoip - include support for geolocation using GeoIP2 (libmaxminddb) |
Filesize: 5047.094 KB |
Version History |
2021-11-28 14:10:21 by Stuart Henderson | Files touched by this commit (1) |
Log message: Bump isc-bind REVISION to force package updates. The change in base relating to emulated thread-local-storage used by OpenBSD (r1.2 of gnu/llvm/compiler-rt/lib/builtins/emutls.c) results in an undefined symbol __emutls_get_address if the old binaries are used.
| $ nm -s libisc-9.16.23.so.old | grep __emutls_get_address
|          U __emutls_get_address
| $ nm -s libisc-9.16.23.so.new | grep __emutls_get_address
| 00081a40 W __emutls_get_address
Other ports may be affected by this too but I have no idea how to find them, if anyone gets the following at runtime from other packages then it is likely to be the same issue and those will need bumps too:
undefined symbol '__emutls_get_address'
ld.so: named: lazy binding failed! |
2021-11-17 13:52:49 by Stuart Henderson | Files touched by this commit (1) |
Log message: bugfix update to isc-bind-9.16.23 |
2021-11-17 13:51:48 by Stuart Henderson | Files touched by this commit (2) |
Log message: bugfix update to isc-bind-9.16.23 |
2021-11-01 18:01:43 by Stuart Henderson | Files touched by this commit (139) |
Log message: bump REVISION for switch from Python 3.8 -> 3.9 |
2021-10-27 14:57:41 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.16.22 - CVE-2021-25219 "Lame cache can be abused to severely degrade resolver performance" |
2021-10-27 14:57:06 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to BIND 9.16.22 - CVE-2021-25219 "Lame cache can be abused to severely degrade resolver performance" Exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. The purpose of a resolver's lame cache is to ensure that if an authoritative server responds to a resolver's query in a specific broken way, subsequent client queries for the same <QNAME, QTYPE> tuple do not trigger further queries to the same server for a configurable amount of time. The lame cache is enabled by setting the lame-ttl option in named.conf to a value greater than 0. That option is set to lame-ttl 600; in the default configuration, which means the lame cache is enabled by default. Impact: Authoritative-only BIND 9 servers are NOT vulnerable to this flaw. A successful attack exploiting this flaw causes a named resolver to spend most of its CPU time on managing and checking the lame cache. This results in client queries being responded to with large delays, and increased likelihood of DNS timeouts on client hosts. |
2021-09-15 02:21:25 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to BIND 9.16.21 |
2021-07-27 06:46:56 by Stuart Henderson | Files touched by this commit (2) |
Log message: patch isc-bind to stop using the IPV6_DONTFRAG socket option on OpenBSD; this was added in the recent update, but the port is patched to use pledge which doesn't allow this, resulting in it getting killed when trying to do a lookup over IPv6. found while checking that I did indeed have v6 glue on my domain when trying to receive mail from someone whose work network is currently carrying out an IPv6-only experiment (perhaps not intentionally ;) |
2021-07-22 06:28:53 by Stuart Henderson | Files touched by this commit (9) |
Log message: let's try an update to bind-9.16.19 |
2021-06-18 12:12:10 by Stuart Henderson | Files touched by this commit (4) |
Log message: Revert to BIND 9.16.16 to fix some issues with Ws. |
2021-06-16 16:03:54 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to isc-bind-9.16.17 |
2021-05-24 10:27:38 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to isc-bind-9.16.16 |
2021-05-02 08:46:06 by Stuart Henderson | Files touched by this commit (4) |
Log message: 6.9-stable: update bind to 9.16.15; cve fixes |
2021-04-29 03:28:31 by Stuart Henderson | Files touched by this commit (10) |
Log message: update to bind-9.16.15 for fixes for these 3 CVEs; if you are running this please test and report back if you see problems; in the run-up to OpenBSD 6.9 we dropped back to 9.16.10 due to problems in interim releases
CVE-2021-25214: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly https://kb.isc.org/docs/cve-2021-25214
CVE-2021-25215: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself https://kb.isc.org/docs/cve-2021-25215
CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack https://kb.isc.org/docs/cve-2021-25216 |
2021-02-27 13:57:10 by Stuart Henderson | Files touched by this commit (4) |
Log message: "upgrade" bind again, this time from patched 9.16.11 -> 9.16.10, which lacks the feature that it leaks memory when you reload it. |
2021-02-27 13:56:03 by Stuart Henderson | Files touched by this commit (9) |
Log message: "upgrade" bind again, this time to 9.16.10, in comparison with what we currently have this removes the feature that it leaks memory when you reload it |
2021-02-25 09:37:39 by Stuart Henderson | Files touched by this commit (2) |
Log message: isc-bind: backport https://gitlab.isc.org/isc-projects/bind9/-/issues/2413 fix found the hard way by Christian Gut, thanks for tracking this down. https://gitlab.isc.org/isc-projects/bind9/-/commit/12c5b2a1b83376f420ecb112f1d5b10f06e18416.patch |
2021-02-25 09:37:22 by Stuart Henderson | Files touched by this commit (5) |
Log message: isc-bind: backport https://gitlab.isc.org/isc-projects/bind9/-/issues/2413 fix found the hard way by Christian Gut, thanks for tracking this down. https://gitlab.isc.org/isc-projects/bind9/-/commit/12c5b2a1b83376f420ecb112f1d5b10f06e18416.patch |
2021-02-23 15:04:35 by Stuart Henderson | Files touched by this commit (13) |
Log message: automatically handle ports which use the python module and have flavours other than the usual "python3/<blank>" python version selection and remove setting MODPY_VERSION=${MODPY_DEFAULT_VERSION_3} again from the affected ports. |
2021-02-23 14:45:50 by Stuart Henderson | Files touched by this commit (12) |
Log message: ports which use the python module and have flavours other than the usual "python3/<blank>" python version selection still require setting MODPY_VERSION for now. |
2021-02-23 12:39:53 by Stuart Henderson | Files touched by this commit (743) |
Log message: Reverse the polarity of MODPY_VERSION; default is now 3.x, if a port needs 2.x then set MODPY_VERSION=${MODPY_DEFAULT_VERSION_2}. This commit doesn't change any versions currently used; it may be that some ports have MODPY_DEFAULT_VERSION_2 but don't require it, those should be cleaned up in the course of updating ports where possible. Python module ports providing py3-* packages should still use FLAVOR=python3 so that we don't have a mixture of dependencies some using ${MODPY_FLAVOR} and others not. |
2021-02-20 08:59:17 by Stuart Henderson | Files touched by this commit (5) |
Log message: update -stable to bind-9.16.11 plus patches |
2021-02-20 08:49:52 by Stuart Henderson | Files touched by this commit (6) |
Log message: upgrade from BIND 9.16.12 to 9.16.11 plus backported patch for CVE-2020-8625. also add more recently committed "Rollback setting IP_DONTFRAG option on the UDP sockets" patch fixing https://gitlab.isc.org/isc-projects/bind9/-/issues/2466 https://gitlab.isc.org/isc-projects/bind9/-/issues/2487 re https://kb.isc.org/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination https://kb.isc.org/docs/operational-notification-zone-journal-jnl-file-incompatibility-after-upgrading-to-bind-91612-and-917 |
2021-02-17 13:40:16 by Stuart Henderson | Files touched by this commit (5) |
Log message: update to BIND 9.16.12 https://kb.isc.org/docs/cve-2020-8625 https://downloads.isc.org/isc/bind9/9.16.12/doc/arm/html/notes.html#notes-for-bind-9-16-12 |
2021-01-21 06:38:54 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to isc-bind-9.16.11 |
2020-12-16 14:44:50 by Stuart Henderson | Files touched by this commit (3) |
Log message: minor update to bind-9.16.10 |
2020-11-25 14:24:32 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to isc-bind-9.16.9 includes assert crash fixes and others |
2020-11-25 14:22:23 by Stuart Henderson | Files touched by this commit (1) |
Log message: tweak comment |
2020-11-25 14:14:43 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to bind-9.16.9 |
2020-10-22 05:30:05 by Stuart Henderson | Files touched by this commit (5) |
Log message: update to BIND 9.16.8 |
2020-09-17 02:16:03 by Stuart Henderson | Files touched by this commit (6) |
Log message: update to BIND-9.16.7 |
2020-08-21 00:12:14 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to BIND 9.16.6, fixes various assertion failures. https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6 |
2020-08-21 00:03:12 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to BIND 9.16.6, fixes various assertion failures. https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6 |
2020-07-16 04:07:54 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to BIND 9.16.5 |
2020-07-11 16:54:41 by Stuart Henderson | Files touched by this commit (98) |
Log message: switch my maintainer email addresses to my own domain |
2020-07-04 03:45:38 by Stuart Henderson | Files touched by this commit (1) |
Log message: bump; plist changed but no forced python dep |
2020-06-17 14:47:43 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to BIND 9.16.4
- It was possible to trigger an assertion when attempting to fill an oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an interior wildcard label was queried in a certain pattern. This was disclosed in CVE-2020-8619. [GL #1111] [GL #1718] |
2020-06-17 14:46:54 by Stuart Henderson | Files touched by this commit (6) |
Log message: update to BIND 9.16.4
- It was possible to trigger an assertion when attempting to fill an oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an interior wildcard label was queried in a certain pattern. This was disclosed in CVE-2020-8619. [GL #1111] [GL #1718] |
2020-06-01 04:52:04 by Stuart Henderson | Files touched by this commit (2) |
Log message: isc-bind (6.7-stable): use absolute not relative paths in sample config, relative paths have $directory prepended. drop root.hint from sample config as a clue not to use it. update root.hint file for people who are using it anyway. handled differently in -current (by removing most of the sample config instead). |
2020-05-29 14:05:37 by Stuart Henderson | Files touched by this commit (8) |
Log message: isc-bind: drop most of the outdated sample config files (including a very old root.hint, the compiled-in defaults are better). there isn't really a "one size fits all" configuration, these files gave bad examples (combined recursive+auth hasn't been recommended in years), and as this is not the default nameserver on the OS any more hand-holding isn't really needed. by way of compensation: install the docs. |
2020-05-20 02:56:45 by Stuart Henderson | Files touched by this commit (1) |
Log message: isc-bind 6.7-stable: fix plist, from Ian McWilliam |
2020-05-19 03:33:39 by Stuart Henderson | Files touched by this commit (1) |
Log message: update 6.6-stable to BIND 9.11.19
CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c |
2020-05-19 03:32:59 by Stuart Henderson | Files touched by this commit (2) |
Log message: update 6.7-stable to BIND 9.16.3
CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c |
2020-05-19 03:32:38 by Stuart Henderson | Files touched by this commit (7) |
Log message: update to BIND 9.16.3
CVE-2020-8616: BIND does not sufficiently limit the number of fetches performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c
More info on the referral problem in http://www.nxnsattack.com/dns-ns-paper.pdf |
2020-04-19 09:38:58 by Stuart Henderson | Files touched by this commit (1) |
Log message: isc-bind: remove obsolete CONFIGURE_ARGS (noop; they were ignored anyway). From Claus Assmann. |
2020-04-15 12:41:40 by Stuart Henderson | Files touched by this commit (3) |
Log message: update -stable to BIND 9.11.18, various fixes including "Fix ineffective DNS rebinding protection when BIND is configured as a forwarding DNS server." |
2020-04-15 12:41:07 by Stuart Henderson | Files touched by this commit (5) |
Log message: update to BIND 9.16.2, various fixes including "Fix ineffective DNS rebinding protection when BIND is configured as a forwarding DNS server." |
2020-04-06 16:10:30 by Stuart Henderson | Files touched by this commit (3) |
Log message: fix atomic for macppc base-clang |
2020-03-19 13:05:22 by Stuart Henderson | Files touched by this commit (1) |
Log message: isc-bind: don't pick up cmocka if present at autoconf time |
2020-03-19 11:07:20 by Stuart Henderson | Files touched by this commit (14) |
Log message: update net/isc-bind to 9.16.1 |
2020-03-06 05:08:46 by Stuart Henderson | Files touched by this commit (2) |
Log message: net/isc-bind: apply upstream patch for problem with TCP client quota limits https://kb.isc.org/docs/operational-notification-an-error-in-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160 |
2020-02-20 07:00:52 by Stuart Henderson | Files touched by this commit (1) |
Log message: update -stable to BIND 9.11.16 |
2020-02-20 07:00:32 by Stuart Henderson | Files touched by this commit (15) |
Log message: update to BIND 9.16.0 (new stable/ESV release) |
2020-01-23 15:08:08 by Stuart Henderson | Files touched by this commit (5) |
Log message: get rid of some of bind's "|| defined(LIBRESSL_VERSION_NUMBER)" for things that libressl now has |
2020-01-23 13:52:05 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.14.10 |
2020-01-06 11:05:12 by Stuart Henderson | Files touched by this commit (1) |
Log message: garbage-collect DIG_SIGCHASE, no longer used upstream (use delv if you want to do full validation) |
2020-01-06 07:45:40 by Stuart Henderson | Files touched by this commit (2) |
Log message: struct stat definition is in sys/stat.h, not sys/fcntl.h. fix so that libisc knows that we do have nsec timestamps. spotted by florian@ in src/usr.sbin/bind. |
2019-12-24 03:49:11 by Stuart Henderson | Files touched by this commit (1) |
Log message: use COMPILER="base-clang ports-gcc" for all flavours, not just geoip. fixes build error relating to atomics on e.g. sparc64. (ports BIND in -current is built using this already). problem reported by solene@ |
2019-12-23 05:43:15 by Stuart Henderson | Files touched by this commit (1) |
Log message: remove SEPARATE_BUILD=Yes from -stable too, unbreak build on clean system |
2019-12-19 08:42:00 by Stuart Henderson | Files touched by this commit (1) |
Log message: disable SEPARATE_BUILD, fixes build failure (on a system which doesn't already have bind installed) reported by naddy |
2019-12-18 12:38:17 by Stuart Henderson | Files touched by this commit (6) |
Log message: update to bind 9.14.9 (released today) remove the no_openssl flavour, openssl/libressl is required in the current versions |
2019-12-18 12:24:26 by Stuart Henderson | Files touched by this commit (2) |
Log message: update -stable to bind 9.11.14 and merge the pledge improvements from -current |
2019-12-18 08:05:44 by Stuart Henderson | Files touched by this commit (12) |
Log message: major version update to BIND 9.14.8 |
2019-12-17 11:03:22 by Stuart Henderson | Files touched by this commit (3) |
Log message: update HOMEPAGE |
2019-12-17 07:18:43 by Stuart Henderson | Files touched by this commit (5) |
Log message: add edig/ehost/enslookup symlinks move another pledge to a better place, drop some rpath |
2019-12-16 17:46:15 by Stuart Henderson | Files touched by this commit (2) |
Log message: move down the second ratcheted pledge in the ports-BIND version of dig, it should have been done after loading a tsig keyfile. drop rpath from that pledge, it used to be needed for charset conversion with idn names, but this just prints "Cannot represent '%s' in the current locale" now for !utf8 locales (maybe as a result of dropping the !utf8 ctype files?) |
2019-11-20 15:16:11 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to bind-9.11.13 CVE-2019-6477, TCP-pipelined queries can bypass tcp-clients limit |
2019-11-20 15:15:58 by Stuart Henderson | Files touched by this commit (5) |
Log message: update to bind-9.11.13 CVE-2019-6477, TCP-pipelined queries can bypass tcp-clients limit |
2019-10-16 15:33:06 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to isc-bind-9.11.12 |
2019-09-19 08:46:47 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to isc-bind-9.11.11 |
2019-08-22 10:16:47 by Stuart Henderson | Files touched by this commit (10) |
Log message: update to bind-9.11.10 |
2019-07-27 08:01:45 by Stuart Henderson | Files touched by this commit (1) |
Log message: the geoip flavour requires COMPILER=base-clang ports-gcc / COMPILER_LANGS=c |
2019-07-18 01:27:06 by Stuart Henderson | Files touched by this commit (1) |
Log message: update to isc-bind-9.11.9, staying with old geoip for -stable CVE-2019-6471 |
2019-07-18 01:24:58 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to isc-bind 9.11.9, switch the geoip support to newly added geoip2/libmaxminddb CVE-2019-6471 |
2019-06-20 08:44:22 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.11.8 CVE-2019-6471: A race condition when discarding malformed packets can cause BIND to exit with an assertion failure https://kb.isc.org/docs/cve-2019-6471 |
2019-06-20 08:44:20 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.11.8 CVE-2019-6471: A race condition when discarding malformed packets can cause BIND to exit with an assertion failure https://kb.isc.org/docs/cve-2019-6471 |
2019-06-03 10:06:58 by Stuart Henderson | Files touched by this commit (153) |
Log message: s/PERMIT_PACKAGE_CDROM/PERMIT_PACKAGE/ and some light whitespace tidying in ports which I maintain |
2019-05-17 06:52:46 by Stuart Henderson | Files touched by this commit (6) |
Log message: update to BIND 9.11.7 |
2019-04-27 16:26:55 by Stuart Henderson | Files touched by this commit (5) |
Log message: Security update to bind 9.11.6-P1, plus patches ("Replace atomic operations in bin/named/client.c with isc_refcount reference counting") from https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch for wider arch support. Fixes: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective https://kb.isc.org/docs/cve-2018-5743 |
2019-03-01 10:17:08 by Stuart Henderson | Files touched by this commit (7) |
Log message: update to BIND 9.11.6 |
2019-02-21 16:37:24 by Stuart Henderson | Files touched by this commit (4) |
Log message: MFC security update to isc-bind 9.11.5-P4 |
2019-02-21 16:35:34 by Stuart Henderson | Files touched by this commit (2) |
Log message: security update to isc-bind 9.11.5-P4 CVE-2018-5744: A specially crafted packet can cause named to leak memory ... A failure to free memory can occur when processing messages having a specific combination of EDNS options. By exploiting this condition, an attacker can potentially cause named's memory use to grow without bounds until all memory available to the process is exhausted. Typically a server process is limited as to the amount of memory it can use but if the named process is not limited by the operating system all free memory on the server could be exhausted. ... CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (there is also CVE-2019-6465 but we don't build dlz) |
2018-12-13 07:27:47 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.11.5-P1 5108. [bug] Named could fail to determine bottom of zone when removing out of date keys leading to invalid NSEC and NSEC3 records being added to the zone. [GL #771] |
2018-12-02 06:25:44 by Stuart Henderson | Files touched by this commit (8) |
Log message: drop back to isc-bind 9.11.x pending investigation into how to fix the named's requirement that cwd is writable. install bind.keys to the right path (it used the compiled-in default anyway but this gives the wrong cue to anyone wanting to update dnssec root zone trust anchors). problems reported by Mikolaj Kucharski |
2018-11-06 06:48:40 by Stuart Henderson | Files touched by this commit (8) |
Log message: update to BIND 9.12.3, switching to 9.12.x branch |
2018-10-19 08:04:45 by Stuart Henderson | Files touched by this commit (9) |
Log message: update to bind-9.11.5 enable idn in utilities (dig/etc) |
2018-09-20 03:36:49 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to isc-bind 9.11.4-P2, fixing dnssec inline signing https://kb.isc.org/docs/change-4892-exposed-multiple-problems-affecting-dnssec-inline-signing |
2018-08-09 09:02:28 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.11.4-P1 4997. [security] named could crash during recursive processing of DNAME records when "deny-answer-aliases" was in use. (CVE-2018-5740) [GL #387] |
2018-07-12 04:12:30 by Stuart Henderson | Files touched by this commit (15) |
Log message: update to isc-bind-9.11.4 |
2018-06-25 14:42:32 by Stuart Henderson | Files touched by this commit (1) |
Log message: drop hidden dep on lmdb responsible for zkt build failures, reported by naddy@ landry@, thanks landry for testing which led to the cause |
2018-03-18 17:56:59 by Stuart Henderson | Files touched by this commit (1) |
Log message: fix; we now have ECDSA_SIG accessors |
2018-03-16 09:02:05 by Stuart Henderson | Files touched by this commit (1) |
Log message: add a comment re upstream supported version policy |
2018-03-14 18:59:18 by Stuart Henderson | Files touched by this commit (8) |
Log message: update to bind-9.11.3 |
2018-03-04 14:12:03 by Stuart Henderson | Files touched by this commit (1) |
Log message: typo in ifdef, thanks patrick keshishian for noticing. |
2018-02-20 14:02:13 by Stuart Henderson | Files touched by this commit (3) |
Log message: fix, we have all the DH_ DSA_ RSA_ needed |
2018-02-19 11:19:28 by Stuart Henderson | Files touched by this commit (2) |
Log message: fix; we now have DSA_set0_key DH_set0_key |
2018-02-18 07:09:40 by Stuart Henderson | Files touched by this commit (3) |
Log message: handle next round of libressl changes |
2018-02-18 04:52:03 by Stuart Henderson | Files touched by this commit (5) |
Log message: fix: various get0_key/pqg functions, ok jsing |
2018-01-16 15:15:31 by Stuart Henderson | Files touched by this commit (1) |
Log message: update BIND in -stable to 9.10.6-P1 * Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.) This bug is disclosed in CVE-2017-3145. [RT #46839] |
2018-01-16 15:13:59 by Stuart Henderson | Files touched by this commit (2) |
Log message: security update to BIND 9.11.2-P1 * Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.) This bug is disclosed in CVE-2017-3145. [RT #46839] |
2018-01-12 10:08:01 by Stuart Henderson | Files touched by this commit (10) |
Log message: update BIND to 9.11.2, switching from 9.10 to 9.11 branch (which is a long term support branch). note, the license changed to MPL. |
2018-01-11 12:27:12 by Robert Peichaer | Files touched by this commit (624) |
Log message: Change the shebang line from /bin/sh to /bin/ksh in all ports rc.d daemon scripts and bump subpackages that contain the *.rc scripts. discussed with and OK aja@ OK tb |
2017-07-28 17:38:06 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to bind 9.10.6 |
2017-07-28 14:53:33 by Marc Espie | Files touched by this commit (2) |
Log message: let it build with clang, just grab the unwinder from c++abi |
2017-07-10 01:38:05 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to BIND-9.10.5-P3 9.10.5-P2 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. [RT #45509] |
2017-07-10 01:38:04 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND-9.10.5-P3 9.10.5-P2 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. [RT #45509] |
2017-06-29 15:15:31 by Stuart Henderson | Files touched by this commit (1) |
Log message: Update to BIND 9.10.5-P2 An error in TSIG handling could permit unauthorized zone transfers or zone updates. CVE-2017-3142, CVE-2017-3143. Also updates the address of b.root in hints. |
2017-06-29 15:14:54 by Stuart Henderson | Files touched by this commit (2) |
Log message: Update to BIND 9.10.5-P2 An error in TSIG handling could permit unauthorized zone transfers or zone updates. CVE-2017-3142, CVE-2017-3143. Also updates the address of b.root in hints. |
2017-06-15 03:02:53 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop. This flaw is disclosed in CVE-2017-3140. [RT #45181]
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query |
2017-06-15 03:01:49 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop. This flaw is disclosed in CVE-2017-3140. [RT #45181]
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query |
2017-05-03 14:20:42 by Stuart Henderson | Files touched by this commit (7) |
Log message: update to BIND 9.10.5 |
2017-04-13 04:36:11 by Stuart Henderson | Files touched by this commit (1) |
Log message: MFC update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel |
2017-04-13 04:35:33 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel |
2017-02-08 17:05:52 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318] |
2017-02-08 17:04:40 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318] |
2017-01-24 04:46:35 by Stuart Henderson | Files touched by this commit (6) |
Log message: add pledges for dig/host/nslookup in the ports version of BIND. initial pledge is "stdio rpath inet unix dns", dropping to "stdio inet dns" after argument parsing. access to resolv.conf is required late; the dns pledge is used for this rather than requiring full rpath; however contrary to the version in base, inet is allowed as well, so that it can be used as a debug tool for servers on alternate ports. works fine for me; no feedback after posting yet so committing to get real-world testing. please report any issues. |
2017-01-12 05:24:04 by Stuart Henderson | Files touched by this commit (1) |
Log message: MFC: SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. CVE-2016-9444
Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. CVE-2016-9147
Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. CVE-2016-9131 |
2017-01-12 05:22:20 by Stuart Henderson | Files touched by this commit (2) |
Log message: SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering an assertion failure. CVE-2016-9444
Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in an assertion failure. CVE-2016-9147
Named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. CVE-2016-9131 |
2016-11-01 15:05:37 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864 |
2016-11-01 15:02:03 by Stuart Henderson | Files touched by this commit (3) |
Log message: update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864 |
2016-09-27 13:49:58 by Stuart Henderson | Files touched by this commit (1) |
Log message: -stable update to BIND 9.10.4-P3, fixing https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only) https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if they can receive request packets from any source") |
2016-09-27 13:49:10 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.4-P3, fixing https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only) https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if they can receive request packets from any source") |
2016-09-13 10:12:14 by Christian Weisgerber | Files touched by this commit (21) |
Log message: replace libiconv module |
2016-07-20 05:46:55 by Jasper Lievisse Adriaanse | Files touched by this commit (2) |
Log message: Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwres[..]"; affects users of lwresd and users with "lwres" enabled in their configuration). ok sthen@ |
2016-07-19 04:46:15 by Stuart Henderson | Files touched by this commit (2) |
Log message: Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwres[..]"; affects users of lwresd and users with "lwres" enabled in their configuration). Also has a couple of regression fixes. OK naddy@ |
2016-05-26 03:25:25 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.4-P1, fixing a problem where adjacent bitfields were protected by different locks. See http://fanf.livejournal.com/144615.html for an informative write-up on the issue: "Even the Deathstation 9000 can't screw up the BIND 9.10.4 fix". |
2016-04-29 05:01:02 by Stuart Henderson | Files touched by this commit (8) |
Log message: update to bind-9.10.4 |
2016-03-11 13:28:34 by Christian Weisgerber | Files touched by this commit (247) |
Log message: garbage collect CONFIGURE_SHARED |
2016-03-10 02:57:19 by Jasper Lievisse Adriaanse | Files touched by this commit (1) |
Log message: update to BIND 9.10.3-P4 https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html |
2016-03-09 17:03:34 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.3-P4, fixes crashes (assertion failures), one present since 9.0.0. CVE-2016-1285 CVE-2016-1286 CVE-2016-2088 |
2016-02-29 17:07:18 by Stuart Henderson | Files touched by this commit (16) |
Log message: bump (GeoIP pkgpath change) |
2016-01-22 07:54:09 by Jasper Lievisse Adriaanse | Files touched by this commit (1) |
Log message: - security update to BIND 9.10.3P3 https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html |
2016-01-19 15:24:05 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.3P3 - Fixed a regression in resolver.c:possibly_mark() which caused known-bogus servers to be queried anyway. [RT #41321] - render_ecs errors were mishandled when printing out an OPT record resulting in an assertion failure. (CVE-2015-8705) [RT #41397] - Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396] |
2015-12-17 10:07:41 by Stuart Henderson | Files touched by this commit (1) |
Log message: bump isc-bind REVISION to avoid warnings with updates (different deps between 5.8-stable and -current) |
2015-12-17 10:06:39 by Stuart Henderson | Files touched by this commit (3) |
Log message: MFC update to bind-9.10.3-P2 4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987] 4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT#40945] |
2015-12-15 15:43:37 by Stuart Henderson | Files touched by this commit (4) |
Log message: update to bind-9.10.3-P2 4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #40987] 4253. [security] Address fetch context reference count handling error on socket error. (CVE-2015-8461) [RT#40945] |
2015-10-07 13:36:50 by Stuart Henderson | Files touched by this commit (1) |
Log message: oops, forgot to re-add json-c to WANTLIB/LIB_DEPENDS in previous commit. spotted by nigel@ |
2015-10-03 13:44:51 by Stuart Henderson | Files touched by this commit (1) |
Log message: reenable json stats in BIND, there used to be a problem with build on arch without sync_val_compare_and_swap_4 but this was worked around in json-c. reminded by jca. |
2015-09-25 08:02:31 by Stuart Henderson | Files touched by this commit (1) |
Log message: build dig with SIGCHASE support |
2015-09-16 09:28:16 by Stuart Henderson | Files touched by this commit (8) |
Log message: update to BIND 9.10.3. add a bunch of patches because they now support OpenSSL 1.1 api (OPENSSL_VERSION_NUMBER < / >= 0x10100000L checks). |
2015-09-02 14:28:13 by Stuart Henderson | Files touched by this commit (1) |
Log message: SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986 |
2015-09-02 14:27:37 by Stuart Henderson | Files touched by this commit (1) |
Log message: SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986 |
2015-09-02 14:25:43 by Stuart Henderson | Files touched by this commit (2) |
Log message: SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986 |
2015-08-24 14:46:50 by Stuart Henderson | Files touched by this commit (2) |
Log message: Add a no_ssl flavour to BIND. Expand the comment about json-c as that's broken on mips64 as well as hppa. |
2015-07-30 17:26:59 by Stuart Henderson | Files touched by this commit (2) |
Log message: Apply BIND security update to OPENBSD_5_6 as well Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) |
2015-07-28 14:04:17 by Stuart Henderson | Files touched by this commit (2) |
Log message: Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) |
2015-07-28 14:03:35 by Stuart Henderson | Files touched by this commit (2) |
Log message: Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c could result in an assertion failure. (CVE-2015-5477) |
2015-07-15 00:43:31 by Stuart Henderson | Files touched by this commit (1) |
Log message: Build BIND with --enable-filter-aaaa, no change by default, but this allows use of the filter-aaaa-on-v4 config option. Req'd by Marcus Andree. |
2015-07-07 13:34:10 by Stuart Henderson | Files touched by this commit (1) |
Log message: MFC update to BIND 9.10.2-P2, fixes CVE-2015-4620 - querying a malicious zone can trigger a "REQUIRE" assertion failure in the resolver if DNSSEC validation is enabled. |
2015-07-07 13:32:47 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.2-P2, fixes CVE-2015-4620 - querying a malicious zone can trigger a "REQUIRE" assertion failure in the resolver if DNSSEC validation is enabled. |
2015-06-10 16:47:24 by Stuart Henderson | Files touched by this commit (3) |
Log message: MFC: SECURITY update to BIND 9.10.2-P1, various problems with RPZ (policy zones), and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266 "If you are using RPZ in BIND 9.10 in a production environment, and particularly if you have multiple policy zones, you should upgrade to BIND 9.10.2-P1. Otherwise, this upgrade is not urgent." |
2015-06-10 16:40:41 by Stuart Henderson | Files touched by this commit (2) |
Log message: SECURITY update to BIND 9.10.2-P1, various problems with RPZ (policy zones), and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266 "If you are using RPZ in BIND 9.10 in a production environment, and particularly if you have multiple policy zones, you should upgrade to BIND 9.10.2-P1. Otherwise, this upgrade is not urgent." |
2015-05-16 04:15:53 by Mark Kettenis | Files touched by this commit (2) |
Log message: Use $CC to link shared library to make sure crtbeginS.o gets linked in. Switches CONFIGURE_STYLE to autoconf to make sure configure gets regenerated. ok (and help from) sthen@ |
2015-03-14 16:26:21 by Stuart Henderson | Files touched by this commit (1) |
Log message: take MAINTAINER |
2015-03-14 15:01:54 by Stuart Henderson | Files touched by this commit (5) |
Log message: update to BIND 9.10.2 |
2015-02-18 15:51:18 by Stuart Henderson | Files touched by this commit (1) |
Log message: Update to BIND 9.10.1P2 On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in [CVE-2015-1349] [RT #38344] (**) |
2015-02-18 15:49:44 by Stuart Henderson | Files touched by this commit (2) |
Log message: update to BIND 9.10.2P2 On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in [CVE-2015-1349] [RT #38344] (**) |
2015-01-30 08:15:42 by Stuart Henderson | Files touched by this commit (1) |
Log message: previous change ("Disable json stats in bind") resulted in losing a couple of symbols from libdns; bump SHARED_LIBS version and REVISION. |
2015-01-15 15:34:02 by Stuart Henderson | Files touched by this commit (1) |
Log message: Disable json stats in bind and zap BROKEN-hppa. |
2015-01-15 11:10:39 by Landry Breuil | Files touched by this commit (1) |
Log message: BROKEN-hppa = uses json-c which requires atomic ops |
2014-12-17 16:39:17 by Stuart Henderson | Files touched by this commit (4) |
Log message: Revert previous BIND workaround for query failures when coming up cold. Instead, cherrypick a fix from git at source.isc.org; this exempts TLD and root zone lookups from max-recursion-queries and changes the default to 75. |
2014-12-09 10:54:11 by Stuart Henderson | Files touched by this commit (5) |
Log message: MFC BIND update: Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance, CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled, CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and fixes to GeoIP (CVE-2014-8680 and another unclassified). https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html Add a local patch to increase the default query limit; during testing it appears that the standard defaults can be easily falsely triggered during priming at startup. |
2014-12-09 10:21:36 by Stuart Henderson | Files touched by this commit (4) |
Log message: Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance, CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled, CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and fixes to GeoIP (CVE-2014-8680 and another unclassified). https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html Add a local patch to increase the default query limit; during testing it appears that the standard defaults can be easily falsely triggered during priming at startup. |