From owner-cvs-ports@FreeBSD.ORG Tue Jul 5 21:19:20 2011 Return-Path: Delivered-To: cvs-ports@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EC38A106564A; Tue, 5 Jul 2011 21:19:20 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id DE17A8FC14; Tue, 5 Jul 2011 21:19:20 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id p65LJKd6016550; Tue, 5 Jul 2011 21:19:20 GMT (envelope-from dougb@repoman.freebsd.org) Received: (from dougb@localhost) by repoman.freebsd.org (8.14.4/8.14.4/Submit) id p65LJKOv016549; Tue, 5 Jul 2011 21:19:20 GMT (envelope-from dougb) Message-Id: <201107052119.p65LJKOv016549@repoman.freebsd.org> From: Doug Barton Date: Tue, 5 Jul 2011 21:19:20 +0000 (UTC) To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Cc: Subject: cvs commit: ports/dns/bind98 Makefile distinfo ports/dns/bind98/files patch-bin__named__query.c X-BeenThere: cvs-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2011 21:19:21 -0000 dougb 2011-07-05 21:19:20 UTC FreeBSD ports repository Modified files: dns/bind98 Makefile distinfo Removed files: dns/bind98/files patch-bin__named__query.c Log: Update to versions 9.8.0-P4, 9.7.3-P3, and 9.6-ESV-R4-P3. ALL BIND USERS ENCOURAGED TO UPGRADE IMMEDIATELY This update addresses the following vulnerabilities: CVE-2011-2464 ============= Severity: High Exploitable: Remotely Description: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 CVE-2011-2465 ============= Severity: High Exploitable: Remotely Description: A defect in the affected versions of BIND could cause the "named" process to exit when queried, if the server has recursion enabled and was configured with an RPZ zone containing certain types of records. Specifically, these are any DNAME record and certain kinds of CNAME records. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2465 https://www.isc.org/software/bind/advisories/cve-2011-2465 Additional changes in this version: * If named is configured to be both authoritative and resursive and receives a recursive query for a CNAME in a zone that it is authoritative for, if that CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a complete CNAME chain. [RT #24455] Thus the patch for this bug has been removed from the port * Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independant. [RT #24715] [CVE-2011-1907] Revision Changes Path 1.9 +2 -2 ports/dns/bind98/Makefile 1.7 +4 -4 ports/dns/bind98/distinfo 1.2 +0 -18 ports/dns/bind98/files/patch-bin__named__query.c (dead)