Date:      Wed, 18 Feb 2015 21:56:09 +0000 (UTC)
From:      Mathieu Arnold <mat@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r379318 - in head/dns: bind910 bind910/files bind99 bind99/files
Message-ID:  <201502182156.t1ILu91q028025@svn.freebsd.org>

Author: mat
Date: Wed Feb 18 21:56:08 2015
New Revision: 379318
URL: https://svnweb.freebsd.org/changeset/ports/379318
QAT: https://qat.redports.org/buildarchive/r379318/

Log:
  Add a patch for CVE-2015-1349 while I work on updating both ports to the new version.
  
  Security:	CVE-2015-1349
  Sponsored by:	Absolight

Added:
  head/dns/bind910/files/patch-CVE-2015-1349   (contents, props changed)
  head/dns/bind99/files/patch-CVE-2015-1349   (contents, props changed)
Modified:
  head/dns/bind910/Makefile
  head/dns/bind99/Makefile

Modified: head/dns/bind910/Makefile
==============================================================================
--- head/dns/bind910/Makefile	Wed Feb 18 21:52:22 2015	(r379317)
+++ head/dns/bind910/Makefile	Wed Feb 18 21:56:08 2015	(r379318)
@@ -7,7 +7,7 @@ PORTVERSION=	${ISCVERSION:S/-P/P/}
 PORTREVISION=	1
 .else
 # dns/bind910 here
-PORTREVISION=	1
+PORTREVISION=	2
 .endif
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
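Review bot: the PORTREVISION bump to 2 lands only in the `.else` branch (`# dns/bind910 here`), while the branch above it keeps `PORTREVISION=	1`. That is correct if the first branch builds a package that does not ship the code touched by files/patch-CVE-2015-1349 (lib/dns/zone.c, i.e. named's managed-key handling); if that package contains it as well, it needs the same bump so its users get a rebuilt binary too.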

Added: head/dns/bind910/files/patch-CVE-2015-1349
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/dns/bind910/files/patch-CVE-2015-1349	Wed Feb 18 21:56:08 2015	(r379318)
@@ -0,0 +1,52 @@
+commit 12df718c23e29b16fcb5c12eace4b4a924de104d
+Author: Evan Hunt <each@isc.org>
+Date:   Tue Feb 3 18:32:05 2015 -0800
+
+    [v9_10_1_patch] avoid crash due to managed-key rollover
+    
+    4053.	[security]	Revoking a managed trust anchor and supplying
+    			an untrusted replacement could cause named
+    			to crash with an assertion failure.
+    			(CVE-2015-1349) [RT #38344]
+
+diff --git a/CHANGES b/CHANGES
+index 1234469..fc58de7 100644
+--- CHANGES
++++ CHANGES
+@@ -1,3 +1,10 @@
++	--- 9.10.1-P2 released ---
++
++4053.	[security]	Revoking a managed trust anchor and supplying
++			an untrusted replacement could cause named
++			to crash with an assertion failure.
++			(CVE-2015-1349) [RT #38344]
++
+ 	--- 9.10.1-P1 released ---
+ 
+ 4006.	[security]	A flaw in delegation handling could be exploited
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index ef60454..2c4558e 100644
+--- lib/dns/zone.c
++++ lib/dns/zone.c
+@@ -8946,6 +8946,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 					     namebuf, tag);
+ 				trustkey = ISC_TRUE;
+ 			}
++		} else {
++			/*
++			 * No previously known key, and the key is not
++			 * secure, so skip it.
++			 */
++			continue;
+ 		}
+ 
+ 		/* Delete old version */
+@@ -8994,7 +9000,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 			trust_key(zone, keyname, &dnskey, mctx);
+ 		}
+ 
+-		if (!deletekey) {
++		if (secure && !deletekey) {
+ 			INSIST(newkey || updatekey);
+ 			set_refreshkeytimer(zone, &keydata, now);
+ 		}
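Review bot: the two lib/dns/zone.c hunks only make sense together, so they should be checked as a pair rather than separately: the `else { continue; }` added at the first hunk skips a fetched key for which no keydata was previously known and which is not secure, while the `if (secure && !deletekey)` at the second hunk is what stops the case the commit message describes (a known managed key revoked and an untrusted replacement supplied) from reaching `INSIST(newkey || updatekey)` with neither flag set. The comment in the first hunk states the condition ("No previously known key, and the key is not secure") but the `if` this `else` belongs to lies outside the hunk context, so when applying this to the port's distfile it is worth confirming the `else` attaches to that branch and not to the inner trustkey block. Separately, the CHANGES hunk inserts `--- 9.10.1-P2 released ---` into a tree the port still builds as the previous version (the log says the update to the new version is pending, and the context shows 9.10.1-P1 as the current top entry), so the installed CHANGES file will claim P2 while the package does not; consider dropping that documentation-only hunk from the port patch, or accept the mismatch knowingly.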

Modified: head/dns/bind99/Makefile
==============================================================================
--- head/dns/bind99/Makefile	Wed Feb 18 21:52:22 2015	(r379317)
+++ head/dns/bind99/Makefile	Wed Feb 18 21:56:08 2015	(r379318)
@@ -2,7 +2,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/}
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	99

Added: head/dns/bind99/files/patch-CVE-2015-1349
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/dns/bind99/files/patch-CVE-2015-1349	Wed Feb 18 21:56:08 2015	(r379318)
@@ -0,0 +1,52 @@
+commit 2e9d79f169663c9aff5f0dcdc626a2cd2dbb5892
+Author: Evan Hunt <each@isc.org>
+Date:   Tue Feb 3 18:30:38 2015 -0800
+
+    [v9_9_6_patch] avoid crash due to managed-key rollover
+    
+    4053.	[security]	Revoking a managed trust anchor and supplying
+    			an untrusted replacement could cause named
+    			to crash with an assertion failure.
+    			(CVE-2015-1349) [RT #38344]
+
+diff --git a/CHANGES b/CHANGES
+index e8d75ea..b45be6d 100644
+--- CHANGES
++++ CHANGES
+@@ -1,3 +1,10 @@
++	--- 9.9.6-P2 released ---
++
++4053.	[security]	Revoking a managed trust anchor and supplying
++			an untrusted replacement could cause named
++			to crash with an assertion failure.
++			(CVE-2015-1349) [RT #38344]
++
+ 	--- 9.9.6-P1 released ---
+ 
+ 4006.	[security]	A flaw in delegation handling could be exploited
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 7a9825b..5db2844 100644
+--- lib/dns/zone.c
++++ lib/dns/zone.c
+@@ -8508,6 +8508,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 					     namebuf, tag);
+ 				trustkey = ISC_TRUE;
+ 			}
++		} else {
++			/*
++			 * No previously known key, and the key is not
++			 * secure, so skip it.
++			 */
++			continue;
+ 		}
+ 
+ 		/* Delete old version */
+@@ -8556,7 +8562,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 			trust_key(zone, keyname, &dnskey, mctx);
+ 		}
+ 
+-		if (!deletekey) {
++		if (secure && !deletekey) {
+ 			INSIST(newkey || updatekey);
+ 			set_refreshkeytimer(zone, &keydata, now);
+ 		}
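Review bot: this is the 9.9.6 counterpart of the upstream fix, with the zone.c hunks at lib/dns/zone.c:8508 and :8556 instead of the 9.10 offsets; confirm both hunks apply without fuzz to the 9.9.6-P1 distfile the port currently fetches (the CHANGES context shows `9.9.6-P1 released` as the current top entry), since a rejected hunk fails the build rather than silently shipping an unpatched named. The same caveat as for the 9.10 patch applies to the CHANGES hunk: it adds `--- 9.9.6-P2 released ---` although the port is not at P2 yet, so the installed CHANGES will overstate the version; keeping the port patch to the functional change in keyfetch_done avoids that.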
