Date: Thu, 8 Jan 2009 08:18:45 +0000 (UTC)
From: Doug Barton <dougb@FreeBSD.org>
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo ports/dns/bind96 Makefile distinfo
Message-ID: <200901080818.n088IjL7063447@repoman.freebsd.org>
dougb 2009-01-08 08:18:45 UTC
FreeBSD ports repository
Modified files:
dns/bind9 Makefile distinfo
dns/bind94 Makefile distinfo
dns/bind95 Makefile distinfo
dns/bind96 Makefile distinfo
Log:
Update to the -P1 versions of the current BIND ports which contain
the fix for the following vulnerability: https://www.isc.org/node/373
Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.
Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.
While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.
PR: ports/126297
Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com>
Revision  Changes    Path
1.86      +11 -8     ports/dns/bind9/Makefile
1.48      +6 -6      ports/dns/bind9/distinfo
1.91      +11 -8     ports/dns/bind94/Makefile
1.51      +6 -6      ports/dns/bind94/distinfo
1.93      +12 -8     ports/dns/bind95/Makefile
1.53      +6 -6      ports/dns/bind95/distinfo
1.95      +11 -8     ports/dns/bind96/Makefile
1.55      +6 -6      ports/dns/bind96/distinfo
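
Added example (not code from this commit, from BIND or from OpenSSL): EVP_VerifyFinal() and DSA_do_verify() return 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller that treats only 0 as failure accepts the error case. model_verify() and its toy length-prefixed format are hypothetical stand-ins so the block runs without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in (not OpenSSL code) with the same tri-state result
 * that EVP_VerifyFinal() and DSA_do_verify() document:
 *   1 = signature valid, 0 = signature invalid, -1 = error.
 * Toy format, constructed for this example: byte 0 is the payload length. */
static int model_verify(const unsigned char *sig, size_t siglen,
                        const unsigned char *expect, size_t explen)
{
    if (siglen < 1 || (size_t)sig[0] != siglen - 1)
        return -1;                      /* malformed input: error path */
    if ((size_t)sig[0] != explen || memcmp(sig + 1, expect, explen) != 0)
        return 0;                       /* well-formed, wrong signature */
    return 1;
}

/* Weak caller: only 0 counts as failure, so -1 is taken as success. */
static int accept_weak(int ret)   { return ret != 0; }

/* Corrected caller: anything other than exactly 1 is a failure. */
static int accept_strict(int ret) { return ret == 1; }

/* Constructed sample inputs. */
static const unsigned char EXPECT[]        = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_GOOD[]      = { 4, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_WRONG[]     = { 4, 0xde, 0xad, 0xbe, 0xee };
static const unsigned char SIG_MALFORMED[] = { 9, 0x00 };

static int run_case(const unsigned char *sig, size_t len)
{
    return model_verify(sig, len, EXPECT, sizeof EXPECT);
}

int main(void)
{
    const struct { const char *name; const unsigned char *sig; size_t len; } t[] = {
        { "good",      SIG_GOOD,      sizeof SIG_GOOD },
        { "wrong",     SIG_WRONG,     sizeof SIG_WRONG },
        { "malformed", SIG_MALFORMED, sizeof SIG_MALFORMED },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        int ret = run_case(t[i].sig, t[i].len);
        printf("%-9s ret=%2d weak=%d strict=%d\n", t[i].name, ret,
               accept_weak(ret), accept_strict(ret));
    }
    return 0;
}
```

When auditing callers of these functions, look for `if (!ret)` or `if (ret == 0)` style tests and replace them with a comparison against exactly 1.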
