From: Erwin Lansing
Date: Fri, 20 Sep 2013 08:22:45 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r327668 - head/dns/bind99

Author: erwin
Date: Fri Sep 20 08:22:45 2013
New Revision: 327668
URL: http://svnweb.freebsd.org/changeset/ports/327668

Log:
  Update to 9.9.4

  Note that the Rate Limiting option has been renamed.

  Security Fixes

    Previously an error in bounds checking on the private type
    'keydata' could be used to deny service through a deliberately
    triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]

    Prevents exploitation of a runtime_check which can crash named
    when satisfying a recursive query for particular malformed zones.
    (CVE-2013-3919) [RT #33690]

  New Features

    Added Response Rate Limiting (RRL) functionality to reduce the
    effectiveness of DNS as an amplifier for reflected denial-of-service
    attacks by rate-limiting substantially-identical responses.
    [RT #28130]

  Feature Changes

    rndc status now also shows the build-id. [RT #20422]

    Improved OPT pseudo-record processing to make it easier to support
    new EDNS options. [RT #34414]

    "configure" now finishes by printing a summary of optional BIND
    features and whether they are active or inactive. ("configure
    --enable-full-report" increases the verbosity of the summary.)
    [RT #31777]

    Addressed compatibility issues with newer versions of Microsoft
    Visual Studio. [RT #33916]

    Improved the 'rndc' man page. [RT #33506]

    'named -g' now no longer works with an invalid logging
    configuration. [RT #33473]

    The default (and minimum) value for tcp-listen-queue is now 10
    instead of 3. This is a subtle control setting (not applicable to
    all OS environments). When there is a high rate of inbound TCP
    connections, it controls how many connections can be queued before
    they are accepted by named. Once this limit is exceeded, new TCP
    connections will be rejected. Note however that a value of 10 does
    not imply a strict limit of 10 queued TCP connections - the impact
    of changing this configuration setting will be OS-dependent. Larger
    values for tcp-listen queue will permit more pending tcp
    connections, which may be needed where there is a high rate of
    TCP-based traffic (for example in a dynamic environment where there
    are frequent zone updates and transfers). For most production
    servers the new default value of 10 should be adequate. [RT #33029]

    Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with
    PKCS#11. [RT #33463]

    Added logging messages on slave servers when they forward DDNS
    updates to a master. [RT #33240]

    Changed the logging category for RRL events from 'queries' to
    'query-errors'. [RT #33540]

Modified:
  head/dns/bind99/Makefile
  head/dns/bind99/distinfo
  head/dns/bind99/pkg-plist

Modified: head/dns/bind99/Makefile ============================================================================== --- head/dns/bind99/Makefile Fri Sep 20 08:20:36 2013 (r327667) +++ head/dns/bind99/Makefile Fri Sep 20 08:22:45 2013 (r327668) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME?= bind99 -PORTVERSION= 9.9.3.2 +PORTVERSION= 9.9.4 PORTREVISION?= 0 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} @@ -14,7 +14,7 @@ COMMENT= BIND DNS suite with updated DNS LICENSE= ISCL # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.9.3-P2 +ISCVERSION= 9.9.4 MAKE_JOBS_UNSAFE= yes 
@@ -30,7 +30,7 @@ OPTIONS_DEFAULT= IPV6 SSL LINKS XML THRE OPTIONS_DEFINE= SSL IDN REPLACE_BASE LARGE_FILE \ FIXED_RRSET SIGCHASE IPV6 THREADS GSSAPI .if !defined(BIND_TOOLS_SLAVE) -OPTIONS_DEFINE+= LINKS XML RPZ_NSIP RPZ_NSDNAME RPZRRL_PATCH +OPTIONS_DEFINE+= LINKS XML RPZ_NSIP RPZ_NSDNAME RRL OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB @@ -47,7 +47,7 @@ LINKS_DESC= Create conf file symlinks i XML_DESC= Support for xml statistics output RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records -RPZRRL_PATCH_DESC= RPZ improvements + RRL patch (experimental) +RRL_DESC= Response Rate Limiting DLZ_DESC= Dynamically Loadable Zones DLZ_POSTGRESQL_DESC= DLZ Postgres driver DLZ_MYSQL_DESC= DLZ MySQL driver (no threading) @@ -123,9 +123,8 @@ CONFIGURE_ARGS+= --enable-rpz-nsip CONFIGURE_ARGS+= --enable-rpz-nsdname .endif -.if ${PORT_OPTIONS:MRPZRRL_PATCH} -PATCHFILES= 9.9.3-rpz+rl.13208.13-P2.patch -PATCH_SITES= http://ss.vix.com/~vjs/ +.if ${PORT_OPTIONS:MRRL} +CONFIGURE_ARGS+= --enable-rrl .endif .if ${PORT_OPTIONS:MDLZ_MYSQL} Modified: head/dns/bind99/distinfo ============================================================================== --- head/dns/bind99/distinfo Fri Sep 20 08:20:36 2013 (r327667) +++ head/dns/bind99/distinfo Fri Sep 20 08:22:45 2013 (r327668) 
@@ -1,4 +1,2 @@ -SHA256 (bind-9.9.3-P2.tar.gz) = 5e8ab06c7b73f38b47ce9ad12ca0afa7c714bbba2f6b7421c26c0d8b84b6c678 -SIZE (bind-9.9.3-P2.tar.gz) = 7459422 -SHA256 (9.9.3-rpz+rl.13208.13-P2.patch) = 55f9393449a8e9b00484eaab8cc9f7a1b10a3bd431b0ba2455aface2c3a3cead -SIZE (9.9.3-rpz+rl.13208.13-P2.patch) = 356951 +SHA256 (bind-9.9.4.tar.gz) = fe0f16653382e428b10282ce9850722d19589d66f2b45a528e98be3153f654c8 +SIZE (bind-9.9.4.tar.gz) = 7513017 Modified: head/dns/bind99/pkg-plist ============================================================================== --- head/dns/bind99/pkg-plist Fri Sep 20 08:20:36 2013 (r327667) +++ head/dns/bind99/pkg-plist Fri Sep 20 08:22:45 2013 (r327668) @@ -145,11 +145,13 @@ include/isc/resource.h include/isc/result.h include/isc/resultclass.h include/isc/rwlock.h +include/isc/safe.h include/isc/serial.h include/isc/sha1.h include/isc/sha2.h include/isc/sockaddr.h include/isc/socket.h +include/isc/stat.h include/isc/stdio.h include/isc/stdlib.h include/isc/stdtime.h
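
Review bot: In the Makefile hunk at @@ -30,7 +30,7 @@, renaming RPZRRL_PATCH to RRL in OPTIONS_DEFINE means a saved option set with RPZRRL_PATCH enabled no longer matches any option, and no hunk in this change touches OPTIONS_DEFAULT, so a server that was built with rate limiting can come out of the upgrade without it unless the admin revisits the options. The log mentions the rename, but the commit modifies only Makefile, distinfo and pkg-plist. Suggest an UPDATING entry telling users to re-select the option, or adding RRL to OPTIONS_DEFAULT.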
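
Review bot: In the Makefile hunk at @@ -123,9 +123,8 @@, the removed branch applied a patch that the old RPZRRL_PATCH_DESC described as "RPZ improvements + RRL patch", while the replacement branch only adds "--enable-rrl" to CONFIGURE_ARGS; the log does not say whether the RPZ part is now in 9.9.4 itself or is being dropped. Please state which in the log. Since "--enable-rrl" only compiles the feature in and responses are not limited until a rate-limit clause is set in named.conf, it would also help to say so in RRL_DESC ("Response Rate Limiting") or a pkg-message.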
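
Review bot: In the distinfo hunk (@@ -1,4 +1,2 @@), the new SHA256 and SIZE lines for bind-9.9.4.tar.gz are the only integrity check the port applies to the tarball, and the log does not say how the values were obtained. Please confirm the distfile was verified against ISC's published signature before the checksum was regenerated, and note that in the log. Dropping the 9.9.3-rpz+rl.13208.13-P2.patch entry also removes a distfile that PATCH_SITES fetched over plain http, which is worth calling out as well.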