From: "Simon L. Nielsen"
Date: Wed, 6 Jan 2010 21:45:31 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r201679 - releng/6.3 releng/6.3/contrib/bind9/bin/named releng/6.3/contrib/bind9/lib/dns releng/6.3/contrib/bind9/lib/dns/include/dns releng/6.3/contrib/ntp/ntpd releng/6.3/sys/conf rel...
X-SVN-Group: stable-8
List-Id: SVN commit messages for only the 8-stable src tree

Author: simon
Date: Wed Jan 6 21:45:30 2010
New Revision: 201679
URL: http://svn.freebsd.org/changeset/base/201679

Log:
  Fix BIND named(8) cache poisoning with DNSSEC validation. [SA-10:01]

  Fix ntpd mode 7 denial of service. [SA-10:02]

  Fix ZFS ZIL playback with insecure permissions. [SA-10:03]

  Various FreeBSD 8.0-RELEASE improvements. [EN-10:01]

  Security: FreeBSD-SA-10:01.bind
  Security: FreeBSD-SA-10:02.ntpd
  Security: FreeBSD-SA-10:03.zfs
  Errata: FreeBSD-EN-10:01.freebsd
  Approved by: so (simon)

Modified:
  stable/8/contrib/ntp/ntpd/ntp_request.c

Changes in other areas also in this revision:
Modified:
  releng/6.3/UPDATING releng/6.3/contrib/bind9/bin/named/query.c releng/6.3/contrib/bind9/lib/dns/include/dns/types.h releng/6.3/contrib/bind9/lib/dns/masterdump.c releng/6.3/contrib/bind9/lib/dns/rbtdb.c releng/6.3/contrib/bind9/lib/dns/resolver.c releng/6.3/contrib/bind9/lib/dns/validator.c releng/6.3/contrib/ntp/ntpd/ntp_request.c releng/6.3/sys/conf/newvers.sh releng/6.4/UPDATING releng/6.4/contrib/bind9/bin/named/query.c releng/6.4/contrib/bind9/lib/dns/include/dns/types.h releng/6.4/contrib/bind9/lib/dns/masterdump.c releng/6.4/contrib/bind9/lib/dns/rbtdb.c releng/6.4/contrib/bind9/lib/dns/resolver.c releng/6.4/contrib/bind9/lib/dns/validator.c releng/6.4/contrib/ntp/ntpd/ntp_request.c releng/6.4/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/contrib/bind9/bin/named/query.c releng/7.1/contrib/bind9/lib/dns/include/dns/types.h releng/7.1/contrib/bind9/lib/dns/masterdump.c releng/7.1/contrib/bind9/lib/dns/rbtdb.c releng/7.1/contrib/bind9/lib/dns/resolver.c releng/7.1/contrib/bind9/lib/dns/validator.c releng/7.1/contrib/ntp/ntpd/ntp_request.c releng/7.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c releng/7.1/sys/conf/newvers.sh releng/7.2/UPDATING releng/7.2/contrib/bind9/bin/named/query.c releng/7.2/contrib/bind9/lib/dns/include/dns/types.h releng/7.2/contrib/bind9/lib/dns/masterdump.c releng/7.2/contrib/bind9/lib/dns/rbtdb.c releng/7.2/contrib/bind9/lib/dns/resolver.c releng/7.2/contrib/bind9/lib/dns/validator.c releng/7.2/contrib/ntp/ntpd/ntp_request.c releng/7.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c releng/7.2/sys/conf/newvers.sh releng/8.0/UPDATING releng/8.0/contrib/bind9/bin/named/query.c releng/8.0/contrib/bind9/lib/dns/include/dns/types.h
releng/8.0/contrib/bind9/lib/dns/masterdump.c releng/8.0/contrib/bind9/lib/dns/rbtdb.c releng/8.0/contrib/bind9/lib/dns/resolver.c releng/8.0/contrib/bind9/lib/dns/validator.c releng/8.0/contrib/ntp/ntpd/ntp_request.c releng/8.0/sys/cddl/compat/opensolaris/sys/vnode.h releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c releng/8.0/sys/cddl/contrib/opensolaris/uts/common/sys/vnode.h releng/8.0/sys/conf/newvers.sh releng/8.0/sys/kern/vfs_lookup.c releng/8.0/sys/netinet/ip_mroute.c releng/8.0/sys/netinet/raw_ip.c releng/8.0/sys/netinet/sctp_input.c releng/8.0/sys/netinet6/raw_ip6.c releng/8.0/sys/rpc/clnt_vc.c stable/6/contrib/bind9/bin/named/query.c stable/6/contrib/bind9/lib/dns/include/dns/types.h stable/6/contrib/bind9/lib/dns/masterdump.c stable/6/contrib/bind9/lib/dns/rbtdb.c stable/6/contrib/bind9/lib/dns/resolver.c stable/6/contrib/bind9/lib/dns/validator.c stable/6/contrib/ntp/ntpd/ntp_request.c stable/7/contrib/ntp/ntpd/ntp_request.c stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c Modified: stable/8/contrib/ntp/ntpd/ntp_request.c ============================================================================== --- stable/8/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:36:33 2010 (r201678) +++ stable/8/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:45:30 2010 (r201679) @@ -409,6 +409,7 @@ process_private( int mod_okay ) { + static u_long quiet_until; struct req_pkt *inpkt; struct req_pkt_tail *tailinpkt; struct sockaddr_storage *srcadr; 
@@ -444,8 +445,14 @@ process_private( || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0) || (++ec, rbufp->recv_length < REQ_LEN_HDR) ) { - msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr)); - req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + NLOG(NLOG_SYSEVENT) + if (current_time >= quiet_until) { + msyslog(LOG_ERR, + "process_private: drop test %d" + " failed, pkt from %s", + ec, stoa(srcadr)); + quiet_until = current_time + 60; + } return; }
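Review bot: the new "static u_long quiet_until;" at the top of process_private() (first hunk, line 412 of the new file) carries no comment, and the name alone does not say what is being quieted. A one-line comment stating that it holds the time before which the format-error syslog message is suppressed would spare the reader from searching for its only use in the failure branch further down. Because it is function-static, it is shared across every request and source address, which is worth stating in that comment as well.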
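Review bot: in the second hunk's failure branch, quiet_until is a single timer for all sources, so after one logged drop every malformed packet from any address is discarded unlogged for the next 60 seconds and the log names only the first sender. Consider counting the suppressed drops and reporting the count when logging resumes, and give the literal 60 in "quiet_until = current_time + 60;" a named constant. The removed "req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);" also deserves a short comment at the return saying that no error reply is sent on purpose, since the commit log ties this change to the ntpd mode 7 denial of service. Lastly, "NLOG(NLOG_SYSEVENT)" sits directly above the "if" with no braces or semicolon, so the nesting is only implied by indentation; an explicit brace pair would make it clear which statement the macro guards.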