Message-Id: <201509022108.t82L8pZc029300@repo.freebsd.org>
From: Mathieu Arnold
Date: Wed, 2 Sep 2015 21:08:51 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r395909 - in branches/2015Q3/dns: bind910 bind910/files bind99 bind99/files

Author: mat
Date: Wed Sep 2 21:08:51 2015
New Revision: 395909
URL: https://svnweb.freebsd.org/changeset/ports/395909

Log:
  MFH: r393161 r395660 r395703 r395908

  Update BIND to 9.9.7-P3 and 9.10.2-P4.

  Also:
  - Add an option to enable the bind min override ttl patch.
  - When not using OpenSSL from ports, do not try to unmount the chrooted engines directory.
  - Add an option for embedding PORTREVISION in the server's version string.
Security: CVE-2015-5722, CVE-2015-5986 Sponsored by: Absolight Added: branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl - copied unchanged from r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl - copied unchanged from r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl Modified: branches/2015Q3/dns/bind910/Makefile branches/2015Q3/dns/bind910/distinfo branches/2015Q3/dns/bind910/files/named.in branches/2015Q3/dns/bind99/Makefile branches/2015Q3/dns/bind99/distinfo branches/2015Q3/dns/bind99/files/named.in Directory Properties: branches/2015Q3/ (props changed) Modified: branches/2015Q3/dns/bind910/Makefile ============================================================================== --- branches/2015Q3/dns/bind910/Makefile Wed Sep 2 20:46:55 2015 (r395908) +++ branches/2015Q3/dns/bind910/Makefile Wed Sep 2 21:08:51 2015 (r395909) @@ -21,7 +21,7 @@ COMMENT?= BIND DNS suite with updated DN LICENSE= ISCL # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.10.2-P3 +ISCVERSION= 9.10.2-P4 MAKE_JOBS_UNSAFE= yes @@ -58,7 +58,8 @@ OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1 .if !defined(BIND_TOOLS_SLAVE) OPTIONS_DEFAULT+= RRL -OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP +OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP \ + MINCACHE PORTREVISION OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB @@ -81,6 +82,8 @@ GOST_DESC= GOST raw keys (new default) GOST_ASN1_DESC= GOST using ASN.1 PYTHON_DESC= Build with Python utilities START_LATE_DESC= Start BIND late in the boot process +MINCACHE_DESC= Use the mincachettl patch +PORTREVISION_DESC= Show PORTREVISION in the version string LINKS_DESC= Create conf file symlinks in ${PREFIX} NEWSTATS_DESC= Enable alternate xml statistics channel format 
@@ -98,6 +101,7 @@ GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable +MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl .if !defined(BIND_TOOLS_SLAVE) CONFLICTS+= bind-tools-9.* @@ -223,6 +227,10 @@ post-patch: ${WRKSRC}/bin/${FILE} .endfor +post-patch-PORTREVISION-on: + @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \ + ${WRKSRC}/version + post-install: .if ${PORT_OPTIONS:MDOCS} ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm Modified: branches/2015Q3/dns/bind910/distinfo ============================================================================== --- branches/2015Q3/dns/bind910/distinfo Wed Sep 2 20:46:55 2015 (r395908) +++ branches/2015Q3/dns/bind910/distinfo Wed Sep 2 21:08:51 2015 (r395909) @@ -1,2 +1,2 @@ -SHA256 (bind-9.10.2-P3.tar.gz) = 78079a66dda455ffecfe93ef72d1ffc947f17b1c453d55ec06b860b49a5e1d4a -SIZE (bind-9.10.2-P3.tar.gz) = 8469831 +SHA256 (bind-9.10.2-P4.tar.gz) = c00b21ec1def212957f28efe9d10aac52d6ec515e84fbf2c42143f5d71429cb8 +SIZE (bind-9.10.2-P4.tar.gz) = 8471531 Copied: branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl (from r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl Wed Sep 2 21:08:51 2015 (r395909, copy of r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl) 
@@ -0,0 +1,78 @@ +diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c +--- bin/named/config.c 2009-05-22 12:24:49.000000000 +0400 ++++ bin/named/config.c 2009-05-22 12:31:35.000000000 +0400 +@@ -129,6 +129,8 @@ + min-roots 2;\n\ + lame-ttl 600;\n\ + max-ncache-ttl 10800; /* 3 hours */\n\ ++ override-cache-ttl 0; /* do not override */\n\ ++ min-cache-ttl 0; /* no minimal, zero is allowed */\n\ + max-cache-ttl 604800; /* 1 week */\n\ + transfer-format many-answers;\n\ + max-cache-size 0;\n\ +diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c +--- bin/named/server.c 2009-05-22 12:24:49.000000000 +0400 ++++ bin/named/server.c 2009-05-22 12:32:18.000000000 +0400 +@@ -1727,6 +1727,16 @@ + CHECK(mustbesecure(obj, view->resolver)); + + obj = NULL; ++ result = ns_config_get(maps, "override-cache-ttl", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ view->overridecachettl = cfg_obj_asuint32(obj); ++ ++ obj = NULL; ++ result = ns_config_get(maps, "min-cache-ttl", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ view->mincachettl = cfg_obj_asuint32(obj); ++ ++ obj = NULL; + result = ns_config_get(maps, "max-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->maxcachettl = cfg_obj_asuint32(obj); +diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h +--- lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400 ++++ lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400 +@@ -131,6 +131,8 @@ + isc_boolean_t provideixfr; + isc_boolean_t requestnsid; + dns_ttl_t maxcachettl; ++ dns_ttl_t mincachettl; ++ dns_ttl_t overridecachettl; + dns_ttl_t maxncachettl; + in_port_t dstport; + dns_aclenv_t aclenv; +diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c +--- lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400 ++++ lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400 +@@ -4054,6 +4054,18 @@ + } + + /* ++ * Enforce the 
configure cache TTL override. ++ */ ++ if (res->view->overridecachettl) ++ rdataset->ttl = res->view->overridecachettl; ++ ++ /* ++ * Enforce the configure minimum cache TTL. ++ */ ++ if (rdataset->ttl < res->view->mincachettl) ++ rdataset->ttl = res->view->mincachettl; ++ ++ /* + * Enforce the configure maximum cache TTL. + */ + if (rdataset->ttl > res->view->maxcachettl) +diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c +--- lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400 ++++ lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400 +@@ -821,6 +821,8 @@ + { "lame-ttl", &cfg_type_uint32, 0 }, + { "max-acache-size", &cfg_type_sizenodefault, 0 }, + { "max-cache-size", &cfg_type_sizenodefault, 0 }, ++ { "override-cache-ttl", &cfg_type_uint32, 0 }, ++ { "min-cache-ttl", &cfg_type_uint32, 0 }, + { "max-cache-ttl", &cfg_type_uint32, 0 }, + { "max-clients-per-query", &cfg_type_uint32, 0 }, + { "max-ncache-ttl", &cfg_type_uint32, 0 }, Modified: branches/2015Q3/dns/bind910/files/named.in ============================================================================== --- branches/2015Q3/dns/bind910/files/named.in Wed Sep 2 20:46:55 2015 (r395908) +++ branches/2015Q3/dns/bind910/files/named.in Wed Sep 2 21:08:51 2015 (r395909) 
@@ -232,10 +232,10 @@ named_stop() named_poststop() { if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then - # unmount OpenSSL engines, if they were not mounted but only - # copied, do nothing. - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then - umount ${named_chrootdir}${_openssl_engines} + # if using OpenSSL from ports, unmount OpenSSL engines, if they + # were not mounted but only copied, do nothing. + if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then + umount ${named_chrootdir}${_openssl_engines} fi # unmount /dev if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then Modified: branches/2015Q3/dns/bind99/Makefile ============================================================================== --- branches/2015Q3/dns/bind99/Makefile Wed Sep 2 20:46:55 2015 (r395908) +++ branches/2015Q3/dns/bind99/Makefile Wed Sep 2 21:08:51 2015 (r395909) @@ -15,7 +15,7 @@ COMMENT= BIND DNS suite with updated DNS LICENSE= ISCL # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.9.7-P2 +ISCVERSION= 9.9.7-P3 MAKE_JOBS_UNSAFE= yes @@ -43,8 +43,9 @@ SUB_FILES= pkg-message OPTIONS_DEFAULT= IPV6 SSL THREADS SIGCHASE IDN GSSAPI_NONE RRL OPTIONS_DEFINE= SSL IDN REPLACE_BASE LARGE_FILE FIXED_RRSET SIGCHASE \ - IPV6 THREADS FILTER_AAAA GOST PYTHON START_LATE \ - LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS + IPV6 THREADS FILTER_AAAA GOST PYTHON START_LATE MINCACHE \ + LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS \ + PORTREVISION OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB 
@@ -62,6 +63,8 @@ FILTER_AAAA_DESC= Enable filtering of AA GOST_DESC= Enable GOST ciphers, needs SSL (see help on 8 and 9) PYTHON_DESC= Build with Python utilities START_LATE_DESC= Start BIND late in the boot process +MINCACHE_DESC= Use the mincachettl patch +PORTREVISION_DESC= Show PORTREVISION in the version string LINKS_DESC= Create conf file symlinks in ${PREFIX} NEWSTATS_DESC= Enable alternate xml statistics channel format @@ -80,6 +83,7 @@ GSSAPI_BASE_DESC= ${GSSAPI_DESC} (Heimda GSSAPI_HEIMDAL_DESC= ${GSSAPI_DESC} (security/heimdal) GSSAPI_MIT_DESC= ${GSSAPI_DESC} (security/krb5) GSSAPI_NONE_DESC= No ${GSSAPI_DESC} +MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE} SSL_USE= openssl=yes @@ -194,6 +198,10 @@ post-patch: ${WRKSRC}/bin/${FILE} .endfor +post-patch-PORTREVISION-on: + @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \ + ${WRKSRC}/version + post-configure: @${REINPLACE_CMD} -e '/^SO_LDFLAGS/s/-Wl,-rpath,/-rpath /' ${WRKSRC}/bin/tests/system/dlzexternal/Makefile Modified: branches/2015Q3/dns/bind99/distinfo ============================================================================== --- branches/2015Q3/dns/bind99/distinfo Wed Sep 2 20:46:55 2015 (r395908) +++ branches/2015Q3/dns/bind99/distinfo Wed Sep 2 21:08:51 2015 (r395909) 
@@ -1,4 +1,4 @@ -SHA256 (bind-9.9.7-P2.tar.gz) = f5f433567e5f68d61460d86f691471259a49b6d10d7422acbd88b7fdb038b518 -SIZE (bind-9.9.7-P2.tar.gz) = 7935877 -SHA256 (9.9.7-P2-rpz2+rl.14038.05.patch.xz) = 149f8e2888466444138e37096ea57da181b7f21e7fad232c8eedeed12ffcd99b -SIZE (9.9.7-P2-rpz2+rl.14038.05.patch.xz) = 39124 +SHA256 (bind-9.9.7-P3.tar.gz) = cb737dce18350890f350dd7d3bc836c62ea440103dfde184c09bc18cfad8a844 +SIZE (bind-9.9.7-P3.tar.gz) = 7939885 +SHA256 (9.9.7-P3-rpz2+rl.14038.05.patch.xz) = ec3c5c5a5011d605eeff664e41d3839c3ecda476a8a2eb20784dfaa79f8b8a77 +SIZE (9.9.7-P3-rpz2+rl.14038.05.patch.xz) = 39124 Copied: branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl (from r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl Wed Sep 2 21:08:51 2015 (r395909, copy of r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl) 
@@ -0,0 +1,78 @@ +diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c +--- bin/named/config.c 2009-05-22 12:24:49.000000000 +0400 ++++ bin/named/config.c 2009-05-22 12:31:35.000000000 +0400 +@@ -129,6 +129,8 @@ + min-roots 2;\n\ + lame-ttl 600;\n\ + max-ncache-ttl 10800; /* 3 hours */\n\ ++ override-cache-ttl 0; /* do not override */\n\ ++ min-cache-ttl 0; /* no minimal, zero is allowed */\n\ + max-cache-ttl 604800; /* 1 week */\n\ + transfer-format many-answers;\n\ + max-cache-size 0;\n\ +diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c +--- bin/named/server.c 2009-05-22 12:24:49.000000000 +0400 ++++ bin/named/server.c 2009-05-22 12:32:18.000000000 +0400 +@@ -1727,6 +1727,16 @@ + CHECK(mustbesecure(obj, view->resolver)); + + obj = NULL; ++ result = ns_config_get(maps, "override-cache-ttl", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ view->overridecachettl = cfg_obj_asuint32(obj); ++ ++ obj = NULL; ++ result = ns_config_get(maps, "min-cache-ttl", &obj); ++ INSIST(result == ISC_R_SUCCESS); ++ view->mincachettl = cfg_obj_asuint32(obj); ++ ++ obj = NULL; + result = ns_config_get(maps, "max-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->maxcachettl = cfg_obj_asuint32(obj); +diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h +--- lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400 ++++ lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400 +@@ -131,6 +131,8 @@ + isc_boolean_t provideixfr; + isc_boolean_t requestnsid; + dns_ttl_t maxcachettl; ++ dns_ttl_t mincachettl; ++ dns_ttl_t overridecachettl; + dns_ttl_t maxncachettl; + in_port_t dstport; + dns_aclenv_t aclenv; +diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c +--- lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400 ++++ lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400 +@@ -4054,6 +4054,18 @@ + } + + /* ++ * Enforce the 
configure cache TTL override. ++ */ ++ if (res->view->overridecachettl) ++ rdataset->ttl = res->view->overridecachettl; ++ ++ /* ++ * Enforce the configure minimum cache TTL. ++ */ ++ if (rdataset->ttl < res->view->mincachettl) ++ rdataset->ttl = res->view->mincachettl; ++ ++ /* + * Enforce the configure maximum cache TTL. + */ + if (rdataset->ttl > res->view->maxcachettl) +diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c +--- lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400 ++++ lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400 +@@ -821,6 +821,8 @@ + { "lame-ttl", &cfg_type_uint32, 0 }, + { "max-acache-size", &cfg_type_sizenodefault, 0 }, + { "max-cache-size", &cfg_type_sizenodefault, 0 }, ++ { "override-cache-ttl", &cfg_type_uint32, 0 }, ++ { "min-cache-ttl", &cfg_type_uint32, 0 }, + { "max-cache-ttl", &cfg_type_uint32, 0 }, + { "max-clients-per-query", &cfg_type_uint32, 0 }, + { "max-ncache-ttl", &cfg_type_uint32, 0 }, Modified: branches/2015Q3/dns/bind99/files/named.in ============================================================================== --- branches/2015Q3/dns/bind99/files/named.in Wed Sep 2 20:46:55 2015 (r395908) +++ branches/2015Q3/dns/bind99/files/named.in Wed Sep 2 21:08:51 2015 (r395909) 
@@ -230,10 +230,10 @@ named_stop() named_poststop() { if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then - # unmount OpenSSL engines, if they were not mounted but only - # copied, do nothing. - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then - umount ${named_chrootdir}${_openssl_engines} + # if using OpenSSL from ports, unmount OpenSSL engines, if they + # were not mounted but only copied, do nothing. + if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then + umount ${named_chrootdir}${_openssl_engines} fi # unmount /dev if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
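Review bot: the post-patch-PORTREVISION-on target in both Makefiles only rewrites an EXTENSIONS line that ends in "=", i.e. an empty EXTENSIONS. For a -Px release such as the 9.9.7-P3 and 9.10.2-P4 imported here, please check whether ${WRKSRC}/version carries the -P suffix in EXTENSIONS; if it does, `s#=$$#=_${PORTREVISION}#` is a no-op and the option silently does nothing for exactly the releases it was added for. Also, when PORTREVISION is not defined in the Makefile at the time the option is selected, the substitution produces "EXTENSIONS=_"; guarding the target with `.if defined(PORTREVISION)` or using `${PORTREVISION:U0}` would avoid a bare underscore in the version string.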
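Review bot: in the resolver.c part of extrapatch-bind-min-override-ttl the override is applied first and then runs through the existing min and max clamps, so an override-cache-ttl or min-cache-ttl larger than max-cache-ttl is silently reduced to max-cache-ttl, and neither server.c hunk adds a configuration-time check that would report the contradiction. A sanity check after the three ns_config_get calls, or at least a mention in the option help, would make that visible. The description added in both Makefiles (`MINCACHE_DESC= Use the mincachettl patch`) also undersells what is enabled: the patch adds two named.conf options, override-cache-ttl and min-cache-ttl, both of which make the cache hold records beyond the TTL the zone owner published, which delays propagation of a record change made in response to an incident and keeps any wrong answer that did get cached around for longer. Naming the two options and that trade-off in the description (or pkg-message) would help operators choose deliberately. Finally, the copied patch still carries bind-9.6.0-P1 and 2009 dates in its diff headers while being applied to 9.9.7-P3 and 9.10.2-P4; refreshing the headers would record which tree it was actually tested against.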
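Review bot: in both named.in hunks the new `-d ${_openssl_engines}` test looks at the host path, whereas the umount target is `${named_chrootdir}${_openssl_engines}`; if the engines directory was mounted into the chroot at start time and the ports OpenSSL engines directory is removed afterwards, named_poststop now leaves that mount behind. Testing the chroot side, e.g. `-d ${named_chrootdir}${_openssl_engines}`, or checking the mount table, matches what is being unmounted. As a smaller point, the expansions inside the `[ ... ]` are unquoted, so should `_openssl_engines` ever be empty the test degenerates into `[ -d -a \( ... \) ]` and fails with a syntax error instead of cleanly skipping the unmount; quoting "${_openssl_engines}" avoids that.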