From: Doug Barton
Date: Tue, 24 Jul 2012 19:23:23 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r301487 - in head: dns/bind96 dns/bind97 dns/bind98 dns/bind99 security/vuxml

Author: dougb
Date: Tue Jul 24 19:23:23 2012
New Revision: 301487
URL: http://svn.freebsd.org/changeset/ports/301487

Log:
  Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9

  High numbers of queries with DNSSEC validation enabled can cause an
  assertion failure in named, caused by using a "bad cache" data structure
  before it has been initialized.

  CVE: CVE-2012-3817
  Posting date: 24 July, 2012

Modified:
  head/dns/bind96/Makefile
  head/dns/bind96/distinfo
  head/dns/bind97/Makefile
  head/dns/bind97/distinfo
  head/dns/bind98/Makefile
  head/dns/bind98/distinfo
  head/dns/bind99/Makefile
  head/dns/bind99/distinfo
  head/security/vuxml/vuln.xml

Modified: head/dns/bind96/Makefile ============================================================================== --- head/dns/bind96/Makefile Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind96/Makefile Tue Jul 24 19:23:23 2012 (r301487) @@ -12,10 +12,9 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind96 -PORTVERSION= 9.6.3.1.ESV.R7.1 +PORTVERSION= 9.6.3.1.ESV.R7.2 CATEGORIES= dns net ipv6 -MASTER_SITES= ${MASTER_SITE_ISC} \ - http://dougbarton.us/Downloads/%SUBDIR%/ +MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= bind9/${ISCVERSION} DISTNAME= bind-${ISCVERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc 
@@ -25,7 +24,7 @@ MAINTAINER= dougb@FreeBSD.org COMMENT= The BIND DNS suite with updated DNSSEC and threads # ISC releases things like 9.4.0b3, which our versioning doesn't like -ISCVERSION= 9.6-ESV-R7-P1 +ISCVERSION= 9.6-ESV-R7-P2 MAKE_JOBS_UNSAFE= yes Modified: head/dns/bind96/distinfo ============================================================================== --- head/dns/bind96/distinfo Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind96/distinfo Tue Jul 24 19:23:23 2012 (r301487) @@ -1,4 +1,4 @@ -SHA256 (bind-9.6-ESV-R7-P1.tar.gz) = 4f3ad2ddc03ca09b72b3f267ba1164ec522b10f066e348f1c24ac2616a8c6d16 -SIZE (bind-9.6-ESV-R7-P1.tar.gz) = 6415389 -SHA256 (bind-9.6-ESV-R7-P1.tar.gz.asc) = e169e7fa9adf08f0d386cc8fbc41e1334199e5e7fc44c25d8d567cd13b6f1f0f -SIZE (bind-9.6-ESV-R7-P1.tar.gz.asc) = 481 +SHA256 (bind-9.6-ESV-R7-P2.tar.gz) = 5dd1f751983f9658d34d1b31e384643554a94f79e1f3ee551d9af72a0550cf93 +SIZE (bind-9.6-ESV-R7-P2.tar.gz) = 6415767 +SHA256 (bind-9.6-ESV-R7-P2.tar.gz.asc) = 78d5afb1d87d51e5c6dedd92adcfceda02b371282f438f54cb1878d137f7a385 +SIZE (bind-9.6-ESV-R7-P2.tar.gz.asc) = 490 Modified: head/dns/bind97/Makefile ============================================================================== --- head/dns/bind97/Makefile Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind97/Makefile Tue Jul 24 19:23:23 2012 (r301487) @@ -6,11 +6,10 @@ # PORTNAME?= bind97 -PORTVERSION= 9.7.6.1 +PORTVERSION= 9.7.6.2 PORTREVISION?= 0 CATEGORIES= dns net ipv6 -MASTER_SITES= ${MASTER_SITE_ISC} \ - http://dougbarton.us/Downloads/%SUBDIR%/ +MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= bind9/${ISCVERSION} DISTNAME= bind-${ISCVERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc 
@@ -20,7 +19,7 @@ MAINTAINER= dougb@FreeBSD.org COMMENT?= The BIND DNS suite with updated DNSSEC and threads # ISC releases things like 9.4.0b3, which our versioning doesn't like -ISCVERSION= 9.7.6-P1 +ISCVERSION= 9.7.6-P2 MAKE_JOBS_UNSAFE= yes Modified: head/dns/bind97/distinfo ============================================================================== --- head/dns/bind97/distinfo Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind97/distinfo Tue Jul 24 19:23:23 2012 (r301487) @@ -1,4 +1,4 @@ -SHA256 (bind-9.7.6-P1.tar.gz) = 33703cc68d94e6a639fe95f24bcbedf9b088123bae9ef357f0668d78dd60e7f6 -SIZE (bind-9.7.6-P1.tar.gz) = 6978457 -SHA256 (bind-9.7.6-P1.tar.gz.asc) = 02f5d7cbec706fd22a1168c88d19cf318f932f45302b48dbc6aa91c0c96b4098 -SIZE (bind-9.7.6-P1.tar.gz.asc) = 481 +SHA256 (bind-9.7.6-P2.tar.gz) = f1ff8b778c6569198a88994dfdbfb6fb453648227c28656e65aee357a993b07d +SIZE (bind-9.7.6-P2.tar.gz) = 6979194 +SHA256 (bind-9.7.6-P2.tar.gz.asc) = ad5ee83dfe27684c9af4c949bfdb4c4f2b72f37ab833c08b633baeb4ba707007 +SIZE (bind-9.7.6-P2.tar.gz.asc) = 490 Modified: head/dns/bind98/Makefile ============================================================================== --- head/dns/bind98/Makefile Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind98/Makefile Tue Jul 24 19:23:23 2012 (r301487) @@ -12,10 +12,9 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind98 -PORTVERSION= 9.8.3.1 +PORTVERSION= 9.8.3.2 CATEGORIES= dns net ipv6 -MASTER_SITES= ${MASTER_SITE_ISC} \ - http://dougbarton.us/Downloads/%SUBDIR%/ +MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= bind9/${ISCVERSION} DISTNAME= bind-${ISCVERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc 
@@ -25,7 +24,7 @@ MAINTAINER= dougb@FreeBSD.org COMMENT= The BIND DNS suite with updated DNSSEC and DNS64 # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.8.3-P1 +ISCVERSION= 9.8.3-P2 MAKE_JOBS_UNSAFE= yes Modified: head/dns/bind98/distinfo ============================================================================== --- head/dns/bind98/distinfo Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind98/distinfo Tue Jul 24 19:23:23 2012 (r301487) @@ -1,4 +1,4 @@ -SHA256 (bind-9.8.3-P1.tar.gz) = 850aede364f89e706dbfcbe7d70887bc3c2df468146da5cae8c8ab9ee4621891 -SIZE (bind-9.8.3-P1.tar.gz) = 7112920 -SHA256 (bind-9.8.3-P1.tar.gz.asc) = df23470f353b4f4eb70e7d34ebc7e94b55b1fc543445230a42c31ab9a49a5dc3 -SIZE (bind-9.8.3-P1.tar.gz.asc) = 481 +SHA256 (bind-9.8.3-P2.tar.gz) = b95d2e81b54ba972215c7fd52744fbe4711bd3fd6f217845ba95114d82c43588 +SIZE (bind-9.8.3-P2.tar.gz) = 7113192 +SHA256 (bind-9.8.3-P2.tar.gz.asc) = fe9e34fcd701ab312025665e825f2f840fae7067f6c6f361af4712bb22fcdb80 +SIZE (bind-9.8.3-P2.tar.gz.asc) = 490 Modified: head/dns/bind99/Makefile ============================================================================== --- head/dns/bind99/Makefile Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind99/Makefile Tue Jul 24 19:23:23 2012 (r301487) @@ -11,10 +11,9 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind99 -PORTVERSION= 9.9.1.1 +PORTVERSION= 9.9.1.2 CATEGORIES= dns net ipv6 -MASTER_SITES= ${MASTER_SITE_ISC} \ - http://dougbarton.us/Downloads/%SUBDIR%/ +MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= bind9/${ISCVERSION} DISTNAME= bind-${ISCVERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc 
@@ -24,7 +23,7 @@ MAINTAINER= dougb@FreeBSD.org COMMENT= The BIND DNS suite with updated DNSSEC and DNS64 # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.9.1-P1 +ISCVERSION= 9.9.1-P2 MAKE_JOBS_UNSAFE= yes Modified: head/dns/bind99/distinfo ============================================================================== --- head/dns/bind99/distinfo Tue Jul 24 18:17:56 2012 (r301486) +++ head/dns/bind99/distinfo Tue Jul 24 19:23:23 2012 (r301487) @@ -1,4 +1,4 @@ -SHA256 (bind-9.9.1-P1.tar.gz) = 2dc5886b3eb6768d312b43dbe1e23a5b67b4f4dcfa1a65b1017e7710bb764627 -SIZE (bind-9.9.1-P1.tar.gz) = 7223197 -SHA256 (bind-9.9.1-P1.tar.gz.asc) = 9692338123284f8d7b580d4368f59ff845868f3534c6a5efcfb4d6fc8a69ad58 -SIZE (bind-9.9.1-P1.tar.gz.asc) = 481 +SHA256 (bind-9.9.1-P2.tar.gz) = a46ecf6177b69d6e9a83a15f792d0594adcc8e800086208dd9b84452afb84d0e +SIZE (bind-9.9.1-P2.tar.gz) = 7223896 +SHA256 (bind-9.9.1-P2.tar.gz.asc) = 0620c92284e6e00209ce47d3cff14161cc19be978762036cef9ec98e500cd8ed +SIZE (bind-9.9.1-P2.tar.gz.asc) = 490 Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jul 24 18:17:56 2012 (r301486) +++ head/security/vuxml/vuln.xml Tue Jul 24 19:23:23 2012 (r301487) @@ -52,6 +52,53 @@ Note: Please add new entries to the beg --> + + dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure + + + bind99 + 9.9.1.2 + + + bind98 + 9.8.3.2 + + + bind97 + 9.7.6.2 + + + bind96 + 9.6.3.1.ESV.R7.2 + + + + +

ISC reports:

+
+

High numbers of queries with DNSSEC validation enabled can + cause an assertion failure in named, caused by using a 'bad cache' + data structure before it has been initialized.

+

BIND 9 stores a cache of query names that are known to be failing due + to misconfigured name servers or a broken chain of trust. Under high query + loads when DNSSEC validation is active, it is possible for a condition + to arise in which data from this cache of failing queries could be used + before it was fully initialized, triggering an assertion failure.

+

This bug cannot be encountered unless your server is doing DNSSEC + validation.

+
+ +
+ + CVE-2012-3817 + https://kb.isc.org/article/AA-00729 + + + 2012-07-24 + 2012-07-24 + +
+ rubygem-activerecord -- multiple vulnerabilities
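
Review bot: In the first hunk of each of the four Makefiles (bind96, bind97, bind98, bind99), the `MASTER_SITES` change drops the `http://dougbarton.us/Downloads/%SUBDIR%/` fallback, and the log message does not mention it; the log describes only the CVE-2012-3817 update. Either say in the log why the secondary site is removed or commit it separately, so the security update can be merged or reverted without also changing where the distfiles are fetched from. After this change the distfiles come from `${MASTER_SITE_ISC}` alone.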
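
Review bot: In the four distinfo hunks, the detached signature (`.tar.gz.asc`, SIZE 481 to 490 in every port) is recorded only as a SHA256 and a SIZE, so what gets pinned is the hash of the signature file, not a verification of the tarball against the upstream signing key. Nothing in the visible lines shows that check was made; state in the log that each `-P2` tarball was verified against its `.asc` before these hashes were recorded.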
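
Review bot: In the vuln.xml hunk, the four version bounds (9.9.1.2, 9.8.3.2, 9.7.6.2, 9.6.3.1.ESV.R7.2) are hand-copied from the `PORTVERSION` lines changed in the Makefiles, and the range markup is not visible in this rendering. The values match the new `PORTVERSION` in all four ports; please confirm each is an upper bound that excludes the fixed version, and note in the log that the entry passed `make validate` in security/vuxml.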