svn commit: r395909 - in branches/2015Q3/dns: bind910 bind910/files bind99 bind99/files
Mathieu Arnold
mat at FreeBSD.org
Wed Sep 2 21:08:54 UTC 2015
Author: mat
Date: Wed Sep 2 21:08:51 2015
New Revision: 395909
URL: https://svnweb.freebsd.org/changeset/ports/395909
Log:
MFH: r393161 r395660 r395703 r395908
Update BIND to 9.9.7-P3 and 9.10.2-P4.
Also:
- Add a MINCACHE option to enable the min/override cache TTL patch.
- When not using OpenSSL from ports, do not try to unmount the chrooted
engines directory.
- Add an option for embedding PORTREVISION in the server's version string.
Security: CVE-2015-5722, CVE-2015-5986
Sponsored by: Absolight
Added:
branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl
- copied unchanged from r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl
branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl
- copied unchanged from r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl
Modified:
branches/2015Q3/dns/bind910/Makefile
branches/2015Q3/dns/bind910/distinfo
branches/2015Q3/dns/bind910/files/named.in
branches/2015Q3/dns/bind99/Makefile
branches/2015Q3/dns/bind99/distinfo
branches/2015Q3/dns/bind99/files/named.in
Directory Properties:
branches/2015Q3/ (props changed)
Modified: branches/2015Q3/dns/bind910/Makefile
==============================================================================
--- branches/2015Q3/dns/bind910/Makefile Wed Sep 2 20:46:55 2015 (r395908)
+++ branches/2015Q3/dns/bind910/Makefile Wed Sep 2 21:08:51 2015 (r395909)
@@ -21,7 +21,7 @@ COMMENT?= BIND DNS suite with updated DN
LICENSE= ISCL
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.10.2-P3
+ISCVERSION= 9.10.2-P4
MAKE_JOBS_UNSAFE= yes
@@ -58,7 +58,8 @@ OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1
.if !defined(BIND_TOOLS_SLAVE)
OPTIONS_DEFAULT+= RRL
-OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP
+OPTIONS_DEFINE+= LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS NEWSTATS GEOIP \
+ MINCACHE PORTREVISION
OPTIONS_GROUP= DLZ
OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
@@ -81,6 +82,8 @@ GOST_DESC= GOST raw keys (new default)
GOST_ASN1_DESC= GOST using ASN.1
PYTHON_DESC= Build with Python utilities
START_LATE_DESC= Start BIND late in the boot process
+MINCACHE_DESC= Use the mincachettl patch
+PORTREVISION_DESC= Show PORTREVISION in the version string
LINKS_DESC= Create conf file symlinks in ${PREFIX}
NEWSTATS_DESC= Enable alternate xml statistics channel format
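Review bot: `MINCACHE_DESC= Use the mincachettl patch` tells an operator nothing about what is being enabled, and the patch it pulls in adds view options that raise or replace TTLs of cached answers beyond what the authoritative zone set, which is a deliberate deviation from DNS semantics worth advertising in the option help. Suggest `MINCACHE_DESC= Add min-cache-ttl/override-cache-ttl options (extends cached TTLs)`. Likewise `PORTREVISION_DESC` could say the string is exposed by named, e.g. `PORTREVISION_DESC= Append PORTREVISION to named's reported version string`.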
@@ -98,6 +101,7 @@ GSSAPI_BASE_DESC= Using Heimdal in base
GSSAPI_HEIMDAL_DESC= Using security/heimdal
GSSAPI_MIT_DESC= Using security/krb5
GSSAPI_NONE_DESC= Disable
+MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl
.if !defined(BIND_TOOLS_SLAVE)
CONFLICTS+= bind-tools-9.*
@@ -223,6 +227,10 @@ post-patch:
${WRKSRC}/bin/${FILE}
.endfor
+post-patch-PORTREVISION-on:
+ @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
+ ${WRKSRC}/version
+
post-install:
.if ${PORT_OPTIONS:MDOCS}
${MKDIR} ${STAGEDIR}${DOCSDIR}/arm
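Review bot: The `post-patch-PORTREVISION-on` target rewrites the `EXTENSIONS=` line of ${WRKSRC}/version without any guard on PORTREVISION being defined, so if the port has no PORTREVISION at the time the option is on the substitution presumably yields a bare trailing `_` in the version string; a `.if defined(PORTREVISION)` guard or a default would avoid that. The sed also only matches an EXTENSIONS line that ends in `=`, so on a tarball where ISC already populated EXTENSIONS the edit silently does nothing. Since the result is what named reports to clients (version.bind and the startup banner, unless `version` is set in options — please confirm against the running server), a comment above the target would help operators who hide the version, e.g. `# NOTE: the extended string is reported by named (e.g. version.bind) unless options { version } overrides it`. The post-install target continues outside this hunk.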
Modified: branches/2015Q3/dns/bind910/distinfo
==============================================================================
--- branches/2015Q3/dns/bind910/distinfo Wed Sep 2 20:46:55 2015 (r395908)
+++ branches/2015Q3/dns/bind910/distinfo Wed Sep 2 21:08:51 2015 (r395909)
@@ -1,2 +1,2 @@
-SHA256 (bind-9.10.2-P3.tar.gz) = 78079a66dda455ffecfe93ef72d1ffc947f17b1c453d55ec06b860b49a5e1d4a
-SIZE (bind-9.10.2-P3.tar.gz) = 8469831
+SHA256 (bind-9.10.2-P4.tar.gz) = c00b21ec1def212957f28efe9d10aac52d6ec515e84fbf2c42143f5d71429cb8
+SIZE (bind-9.10.2-P4.tar.gz) = 8471531
Copied: branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl (from r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2015Q3/dns/bind910/files/extrapatch-bind-min-override-ttl Wed Sep 2 21:08:51 2015 (r395909, copy of r393161, head/dns/bind910/files/extrapatch-bind-min-override-ttl)
@@ -0,0 +1,78 @@
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c
+--- bin/named/config.c 2009-05-22 12:24:49.000000000 +0400
++++ bin/named/config.c 2009-05-22 12:31:35.000000000 +0400
+@@ -129,6 +129,8 @@
+ min-roots 2;\n\
+ lame-ttl 600;\n\
+ max-ncache-ttl 10800; /* 3 hours */\n\
++ override-cache-ttl 0; /* do not override */\n\
++ min-cache-ttl 0; /* no minimal, zero is allowed */\n\
+ max-cache-ttl 604800; /* 1 week */\n\
+ transfer-format many-answers;\n\
+ max-cache-size 0;\n\
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c
+--- bin/named/server.c 2009-05-22 12:24:49.000000000 +0400
++++ bin/named/server.c 2009-05-22 12:32:18.000000000 +0400
+@@ -1727,6 +1727,16 @@
+ CHECK(mustbesecure(obj, view->resolver));
+
+ obj = NULL;
++ result = ns_config_get(maps, "override-cache-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ view->overridecachettl = cfg_obj_asuint32(obj);
++
++ obj = NULL;
++ result = ns_config_get(maps, "min-cache-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ view->mincachettl = cfg_obj_asuint32(obj);
++
++ obj = NULL;
+ result = ns_config_get(maps, "max-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxcachettl = cfg_obj_asuint32(obj);
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400
+@@ -131,6 +131,8 @@
+ isc_boolean_t provideixfr;
+ isc_boolean_t requestnsid;
+ dns_ttl_t maxcachettl;
++ dns_ttl_t mincachettl;
++ dns_ttl_t overridecachettl;
+ dns_ttl_t maxncachettl;
+ in_port_t dstport;
+ dns_aclenv_t aclenv;
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c
+--- lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400
+@@ -4054,6 +4054,18 @@
+ }
+
+ /*
++ * Enforce the configure cache TTL override.
++ */
++ if (res->view->overridecachettl)
++ rdataset->ttl = res->view->overridecachettl;
++
++ /*
++ * Enforce the configure minimum cache TTL.
++ */
++ if (rdataset->ttl < res->view->mincachettl)
++ rdataset->ttl = res->view->mincachettl;
++
++ /*
+ * Enforce the configure maximum cache TTL.
+ */
+ if (rdataset->ttl > res->view->maxcachettl)
+diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400
++++ lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400
+@@ -821,6 +821,8 @@
+ { "lame-ttl", &cfg_type_uint32, 0 },
+ { "max-acache-size", &cfg_type_sizenodefault, 0 },
+ { "max-cache-size", &cfg_type_sizenodefault, 0 },
++ { "override-cache-ttl", &cfg_type_uint32, 0 },
++ { "min-cache-ttl", &cfg_type_uint32, 0 },
+ { "max-cache-ttl", &cfg_type_uint32, 0 },
+ { "max-clients-per-query", &cfg_type_uint32, 0 },
+ { "max-ncache-ttl", &cfg_type_uint32, 0 },
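Review bot: In the resolver.c hunk, `override-cache-ttl` and `min-cache-ttl` rewrite `rdataset->ttl` before the existing `max-cache-ttl` clamp, so a `min-cache-ttl` larger than `max-cache-ttl` is silently reduced to the maximum rather than rejected at config time, and an override always wins over whatever the authoritative owner published. Raising TTLs keeps every cached record — including a stale or bogus one — servable longer than its owner intended, which slows rotation of a compromised host or key; whether DNSSEC-validated data can be extended past its RRSIG expiry on this path is not visible here and should be confirmed. The patch appears to touch only the positive-answer path, so the negative cache (`max-ncache-ttl`) is unaffected, which the option help should say. Suggest a leading comment in the patch file naming its origin and these caveats, e.g. `# Adds min-cache-ttl / override-cache-ttl view options (originally against bind-9.6.0-P1, 2009). Applied before the max-cache-ttl clamp; does not affect the negative cache.`.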
Modified: branches/2015Q3/dns/bind910/files/named.in
==============================================================================
--- branches/2015Q3/dns/bind910/files/named.in Wed Sep 2 20:46:55 2015 (r395908)
+++ branches/2015Q3/dns/bind910/files/named.in Wed Sep 2 21:08:51 2015 (r395909)
@@ -232,10 +232,10 @@ named_stop()
named_poststop()
{
if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
- # unmount OpenSSL engines, if they were not mounted but only
- # copied, do nothing.
- if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
- umount ${named_chrootdir}${_openssl_engines}
+ # if using OpenSSL from ports, unmount OpenSSL engines, if they
+ # were not mounted but only copied, do nothing.
+ if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
+ umount ${named_chrootdir}${_openssl_engines}
fi
# unmount /dev
if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
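Review bot: `-d ${_openssl_engines}` is unquoted, so if `_openssl_engines` is empty or unset in the base-OpenSSL case (it is assigned outside this hunk) the expression collapses to `[ -d -a \( ... \) ]`, which test(1) may parse unexpectedly instead of evaluating cleanly to false. Quoting it and testing the chrooted path that is actually unmounted is safer: `if [ -n "${_openssl_engines}" -a -d "${named_chrootdir}${_openssl_engines}" -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then`. Note also that `umount` on a directory that was only copied still emits an error, so the comment's "do nothing" is only approximately true. named_poststop continues outside the hunk.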
Modified: branches/2015Q3/dns/bind99/Makefile
==============================================================================
--- branches/2015Q3/dns/bind99/Makefile Wed Sep 2 20:46:55 2015 (r395908)
+++ branches/2015Q3/dns/bind99/Makefile Wed Sep 2 21:08:51 2015 (r395909)
@@ -15,7 +15,7 @@ COMMENT= BIND DNS suite with updated DNS
LICENSE= ISCL
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.9.7-P2
+ISCVERSION= 9.9.7-P3
MAKE_JOBS_UNSAFE= yes
@@ -43,8 +43,9 @@ SUB_FILES= pkg-message
OPTIONS_DEFAULT= IPV6 SSL THREADS SIGCHASE IDN GSSAPI_NONE RRL
OPTIONS_DEFINE= SSL IDN REPLACE_BASE LARGE_FILE FIXED_RRSET SIGCHASE \
- IPV6 THREADS FILTER_AAAA GOST PYTHON START_LATE \
- LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS
+ IPV6 THREADS FILTER_AAAA GOST PYTHON START_LATE MINCACHE \
+ LINKS RPZ_NSIP RPZ_NSDNAME RRL DOCS RPZ_PATCH NEWSTATS \
+ PORTREVISION
OPTIONS_GROUP= DLZ
OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \
DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB
@@ -62,6 +63,8 @@ FILTER_AAAA_DESC= Enable filtering of AA
GOST_DESC= Enable GOST ciphers, needs SSL (see help on 8 and 9)
PYTHON_DESC= Build with Python utilities
START_LATE_DESC= Start BIND late in the boot process
+MINCACHE_DESC= Use the mincachettl patch
+PORTREVISION_DESC= Show PORTREVISION in the version string
LINKS_DESC= Create conf file symlinks in ${PREFIX}
NEWSTATS_DESC= Enable alternate xml statistics channel format
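Review bot: `MINCACHE_DESC= Use the mincachettl patch` does not tell an operator that enabling it adds `min-cache-ttl`/`override-cache-ttl` options which keep cached answers beyond the TTL the authoritative zone set; a help string that says so lets people weigh that trade-off before building. Suggest `MINCACHE_DESC= Add min-cache-ttl/override-cache-ttl options (extends cached TTLs)`.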
@@ -80,6 +83,7 @@ GSSAPI_BASE_DESC= ${GSSAPI_DESC} (Heimda
GSSAPI_HEIMDAL_DESC= ${GSSAPI_DESC} (security/heimdal)
GSSAPI_MIT_DESC= ${GSSAPI_DESC} (security/krb5)
GSSAPI_NONE_DESC= No ${GSSAPI_DESC}
+MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl
SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE}
SSL_USE= openssl=yes
@@ -194,6 +198,10 @@ post-patch:
${WRKSRC}/bin/${FILE}
.endfor
+post-patch-PORTREVISION-on:
+ @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \
+ ${WRKSRC}/version
+
post-configure:
@${REINPLACE_CMD} -e '/^SO_LDFLAGS/s/-Wl,-rpath,/-rpath /' ${WRKSRC}/bin/tests/system/dlzexternal/Makefile
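Review bot: The `post-patch-PORTREVISION-on` sed in this hunk assumes PORTREVISION is defined and that the `EXTENSIONS=` line in ${WRKSRC}/version is empty; with PORTREVISION unset the result is presumably a dangling `_`, and with a non-empty EXTENSIONS the edit is a silent no-op, so a `.if defined(PORTREVISION)` guard would make the option's effect predictable. Because the modified string is what named reports to clients (version.bind, unless `version` is set in options — confirm on a running server), a short comment above the target warning operators who suppress the version would be useful, e.g. `# NOTE: the extended string is exposed via version.bind unless options { version } overrides it`.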
Modified: branches/2015Q3/dns/bind99/distinfo
==============================================================================
--- branches/2015Q3/dns/bind99/distinfo Wed Sep 2 20:46:55 2015 (r395908)
+++ branches/2015Q3/dns/bind99/distinfo Wed Sep 2 21:08:51 2015 (r395909)
@@ -1,4 +1,4 @@
-SHA256 (bind-9.9.7-P2.tar.gz) = f5f433567e5f68d61460d86f691471259a49b6d10d7422acbd88b7fdb038b518
-SIZE (bind-9.9.7-P2.tar.gz) = 7935877
-SHA256 (9.9.7-P2-rpz2+rl.14038.05.patch.xz) = 149f8e2888466444138e37096ea57da181b7f21e7fad232c8eedeed12ffcd99b
-SIZE (9.9.7-P2-rpz2+rl.14038.05.patch.xz) = 39124
+SHA256 (bind-9.9.7-P3.tar.gz) = cb737dce18350890f350dd7d3bc836c62ea440103dfde184c09bc18cfad8a844
+SIZE (bind-9.9.7-P3.tar.gz) = 7939885
+SHA256 (9.9.7-P3-rpz2+rl.14038.05.patch.xz) = ec3c5c5a5011d605eeff664e41d3839c3ecda476a8a2eb20784dfaa79f8b8a77
+SIZE (9.9.7-P3-rpz2+rl.14038.05.patch.xz) = 39124
Copied: branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl (from r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2015Q3/dns/bind99/files/extrapatch-bind-min-override-ttl Wed Sep 2 21:08:51 2015 (r395909, copy of r393161, head/dns/bind99/files/extrapatch-bind-min-override-ttl)
@@ -0,0 +1,78 @@
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c
+--- bin/named/config.c 2009-05-22 12:24:49.000000000 +0400
++++ bin/named/config.c 2009-05-22 12:31:35.000000000 +0400
+@@ -129,6 +129,8 @@
+ min-roots 2;\n\
+ lame-ttl 600;\n\
+ max-ncache-ttl 10800; /* 3 hours */\n\
++ override-cache-ttl 0; /* do not override */\n\
++ min-cache-ttl 0; /* no minimal, zero is allowed */\n\
+ max-cache-ttl 604800; /* 1 week */\n\
+ transfer-format many-answers;\n\
+ max-cache-size 0;\n\
+diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c
+--- bin/named/server.c 2009-05-22 12:24:49.000000000 +0400
++++ bin/named/server.c 2009-05-22 12:32:18.000000000 +0400
+@@ -1727,6 +1727,16 @@
+ CHECK(mustbesecure(obj, view->resolver));
+
+ obj = NULL;
++ result = ns_config_get(maps, "override-cache-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ view->overridecachettl = cfg_obj_asuint32(obj);
++
++ obj = NULL;
++ result = ns_config_get(maps, "min-cache-ttl", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ view->mincachettl = cfg_obj_asuint32(obj);
++
++ obj = NULL;
+ result = ns_config_get(maps, "max-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxcachettl = cfg_obj_asuint32(obj);
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400
+@@ -131,6 +131,8 @@
+ isc_boolean_t provideixfr;
+ isc_boolean_t requestnsid;
+ dns_ttl_t maxcachettl;
++ dns_ttl_t mincachettl;
++ dns_ttl_t overridecachettl;
+ dns_ttl_t maxncachettl;
+ in_port_t dstport;
+ dns_aclenv_t aclenv;
+diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c
+--- lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400
++++ lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400
+@@ -4054,6 +4054,18 @@
+ }
+
+ /*
++ * Enforce the configure cache TTL override.
++ */
++ if (res->view->overridecachettl)
++ rdataset->ttl = res->view->overridecachettl;
++
++ /*
++ * Enforce the configure minimum cache TTL.
++ */
++ if (rdataset->ttl < res->view->mincachettl)
++ rdataset->ttl = res->view->mincachettl;
++
++ /*
+ * Enforce the configure maximum cache TTL.
+ */
+ if (rdataset->ttl > res->view->maxcachettl)
+diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400
++++ lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400
+@@ -821,6 +821,8 @@
+ { "lame-ttl", &cfg_type_uint32, 0 },
+ { "max-acache-size", &cfg_type_sizenodefault, 0 },
+ { "max-cache-size", &cfg_type_sizenodefault, 0 },
++ { "override-cache-ttl", &cfg_type_uint32, 0 },
++ { "min-cache-ttl", &cfg_type_uint32, 0 },
+ { "max-cache-ttl", &cfg_type_uint32, 0 },
+ { "max-clients-per-query", &cfg_type_uint32, 0 },
+ { "max-ncache-ttl", &cfg_type_uint32, 0 },
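Review bot: The resolver.c hunk applies `override-cache-ttl` and then `min-cache-ttl` to `rdataset->ttl` ahead of the existing `max-cache-ttl` clamp, so the override is itself bounded by min/max but a `min-cache-ttl` above `max-cache-ttl` is quietly collapsed to the maximum with no config-time error. Artificially extended TTLs keep cached records, including stale or bogus ones, answerable past the owner's intended lifetime, and whether validated data could outlive its RRSIG expiry on this path is not visible in the patch and should be verified. A leading comment in the patch file would help the next maintainer, e.g. `# min-cache-ttl / override-cache-ttl view options; runs before the max-cache-ttl clamp and does not touch the negative cache (max-ncache-ttl).`.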
Modified: branches/2015Q3/dns/bind99/files/named.in
==============================================================================
--- branches/2015Q3/dns/bind99/files/named.in Wed Sep 2 20:46:55 2015 (r395908)
+++ branches/2015Q3/dns/bind99/files/named.in Wed Sep 2 21:08:51 2015 (r395909)
@@ -230,10 +230,10 @@ named_stop()
named_poststop()
{
if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
- # unmount OpenSSL engines, if they were not mounted but only
- # copied, do nothing.
- if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
- umount ${named_chrootdir}${_openssl_engines}
+ # if using OpenSSL from ports, unmount OpenSSL engines, if they
+ # were not mounted but only copied, do nothing.
+ if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
+ umount ${named_chrootdir}${_openssl_engines}
fi
# unmount /dev
if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
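Review bot: The new `-d ${_openssl_engines}` test is unquoted, so when `_openssl_engines` is empty (the base-OpenSSL case this change is meant to handle; the variable is set outside the hunk) test(1) receives `-d -a \( ... \)` and may misparse it rather than returning false. Quoting the variable, and checking the chrooted path that is actually passed to `umount`, is the safer form: `if [ -n "${_openssl_engines}" -a -d "${named_chrootdir}${_openssl_engines}" -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then`. The enclosing named_poststop function continues past the end of the hunk.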