From owner-cvs-ports@FreeBSD.ORG Thu Jan 8 08:18:45 2009 Return-Path: Delivered-To: cvs-ports@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5C4F3106564A; Thu, 8 Jan 2009 08:18:45 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 49F398FC19; Thu, 8 Jan 2009 08:18:45 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n088IjvY063448; Thu, 8 Jan 2009 08:18:45 GMT (envelope-from dougb@repoman.freebsd.org) Received: (from dougb@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n088IjL7063447; Thu, 8 Jan 2009 08:18:45 GMT (envelope-from dougb) Message-Id: <200901080818.n088IjL7063447@repoman.freebsd.org> From: Doug Barton Date: Thu, 8 Jan 2009 08:18:45 +0000 (UTC) To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Cc: Subject: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo ports/dns/bind96 Makefile distinfo X-BeenThere: cvs-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2009 08:18:45 -0000 dougb 2009-01-08 08:18:45 UTC FreeBSD ports repository Modified files: dns/bind9 Makefile distinfo dns/bind94 Makefile distinfo dns/bind95 Makefile distinfo dns/bind96 Makefile distinfo Log: Update to the -P1 versions of the current BIND ports which contain the fix for the following vulnerability: https://www.isc.org/node/373 Description: Return values from OpenSSL library functions EVP_VerifyFinal() and DSA_do_verify() were not checked properly. Impact: It is theoretically possible to spoof answers returned from zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6). In short, if you're not using DNSSEC to verify signatures you have nothing to worry about. While I'm here, address the issues raised in the PR by adding a knob to disable building with OpenSSL altogether (which eliminates DNSSEC capability), and fix the configure arguments to better deal with the situation where the user has ssl bits in both the base and LOCALBASE. PR: ports/126297 Submitted by: Ronald F.Guilmette Revision Changes Path 1.86 +11 -8 ports/dns/bind9/Makefile 1.48 +6 -6 ports/dns/bind9/distinfo 1.91 +11 -8 ports/dns/bind94/Makefile 1.51 +6 -6 ports/dns/bind94/distinfo 1.93 +12 -8 ports/dns/bind95/Makefile 1.53 +6 -6 ports/dns/bind95/distinfo 1.95 +11 -8 ports/dns/bind96/Makefile 1.55 +6 -6 ports/dns/bind96/distinfo