From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 253795] dns/opendnssec2: Update to 2.1.8
Date: Tue, 23 Feb 2021 14:58:51 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253795

            Bug ID: 253795
           Summary: dns/opendnssec2: Update to 2.1.8
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.opendnssec.org/2021/02/opendnssec-2-1-8/
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
 Attachment #222758 maintainer-approval+
             Flags:

Created attachment 222758
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=222758&action=edit
patch to upgrade

The port itself incorporates fixes for the issue signalled in PR #253536.

This release of 2.1.8 fixes a number of bugs related to the purging of keys, a potential denial of service vulnerability in some installations, and a few rarer but nasty potential crashes.

Earlier versions of OpenDNSSEC 2.1 might not have all keys purged from the HSM if instructed to do so. Since this is now done automatically this is worth pointing out that this was a bug and old keys will be permanently removed from the HSM.

Either when manually purging keys, or having specified a in your key policy (kasp.xml), the keys are supposed to be removed from the HSM. However, for some time, the keys were marked for deletion, and became invisible, but the removal from the HSM was skipped. In this release candidate this is fixed, but still allowing keys not to be removed entirely. When you specify an automatic purge then the keys will, after the specified period, be completely removed. When you purge manually, keys are not removed from the HSM unless you specify an additional flag (the --delete or -d flag).

Special thanks to the people that help us in making OpenDNSSEC better and better, mentioned in the NEWS file as always. Two of the bugs were only traceable using this help.

Issues:

* OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for version 2.69/1.16.2.
* SUPPORT-261: Fix to crash when using ods-enforcer set-policy command.
* OPENDNSSEC-953: Fix to crash in case zone file not present while getting a signconf update and state flush command. Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
* OPENDNSSEC-951: Modify the purging of keys, to make it automatic to purge keys from the HSM. Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
* OPENDNSSEC-950: Fix that caused crash when signer was offline for a prolonged period (but the enforcer wasn't) in the middle of a ZSK roll.
* OPENDNSSEC-952: memory leak in when receiving NOTIFY for non-existent zone (Thanks to Sébastien Tisserant for reporting).