Created attachment 173452
Patch to upgrade

Release Announcement

This release contains a patch for the unlimited AXFR vulnerability; with a config option to limit AXFR sizes. Bug fixes when without IPv6 and for serving DS records with no NS record in parent-child co-hosted setups.

4.1.11 Details:

FEATURES:
- When tcp is more than half full, use short timeout for tcp session.
- Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
- Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.

BUG FIXES:
- Fix build without IPv6, patch from Zdenek Kaspar.
- Fix #783: Trying to run a root server without having configured it silently gives wrong answers.
- Fix #782: Serve DS record but parent zone has no NS record.
- Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
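The release announcement above names the new size-limit-xfr option but does not show where it goes. The following nsd.conf fragment is an added illustration, not part of the bug report or of NSD's own documentation: it configures a secondary zone on NSD 4.1.11 with the option set. The zone name, the primary's address (an RFC 5737 documentation address) and the 100 MB limit are constructed placeholders; size-limit-xfr itself, and the fact that a value of 0 means unlimited (the default), come from NSD.

```yaml
# Added example (not from the bug report): an NSD 4.1.11 secondary zone
# with the new size-limit-xfr option. Zone name, primary address and the
# chosen limit are constructed placeholders.

zone:
    name: "example.com"
    zonefile: "secondary/example.com.zone"

    # Primary server that this secondary accepts NOTIFY from and pulls
    # zone transfers from (192.0.2.1 is a documentation address).
    allow-notify: 192.0.2.1 NOKEY
    request-xfr: AXFR 192.0.2.1 NOKEY

    # Upper bound, in bytes, on the data accepted for a single zone
    # transfer. The default of 0 keeps the pre-4.1.11 behaviour (no
    # limit), which is the "unlimited AXFR" problem fixed as CVE-2016-6173:
    # a primary can keep sending transfer data without end. 100 MB is a
    # constructed value; choose a generous multiple of the zone's real size
    # so that legitimate growth does not cause transfers to be refused.
    size-limit-xfr: 100000000
```

Set the limit per zone (or in a pattern shared by zones) rather than globally, since a small limit that suits a handful of hosted zones will break transfers of a large one; the option bounds one transfer, so after an upgrade it is worth checking the NSD log for refused transfers to catch a limit set too low.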
Upstream bug: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
A commit references this bug:

Author: junovitch
Date: Wed Aug 10 01:32:15 UTC 2016
New revision: 419980
URL: https://svnweb.freebsd.org/changeset/ports/419980

Log:
  dns/nsd: update 4.1.10 -> 4.1.11

  - Restore configurable IPV6 option. Upstream integrated fix for issue.
  - FEATURES:
    * When tcp is more than half full, use short timeout for tcp session.
    * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
    * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
  - BUGFIXES:
    * Fix build without IPv6, patch from Zdenek Kaspar.
    * Fix #783: Trying to run a root server without having configured it silently gives wrong answers.
    * Fix #782: Serve DS record but parent zone has no NS record.
    * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

  PR:           211693
  Submitted by: jaap@NLnetLabs.nl (maintainer)
  Security:     CVE-2016-6173
  Security:     https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
  MFH:          2016Q3

Changes:
  head/dns/nsd/Makefile
  head/dns/nsd/distinfo
A commit references this bug:

Author: junovitch
Date: Wed Aug 10 01:33:01 UTC 2016
New revision: 419981
URL: https://svnweb.freebsd.org/changeset/ports/419981

Log:
  MFH: r419980

  dns/nsd: update 4.1.10 -> 4.1.11

  - Restore configurable IPV6 option. Upstream integrated fix for issue.
  - FEATURES:
    * When tcp is more than half full, use short timeout for tcp session.
    * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
    * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
  - BUGFIXES:
    * Fix build without IPv6, patch from Zdenek Kaspar.
    * Fix #783: Trying to run a root server without having configured it silently gives wrong answers.
    * Fix #782: Serve DS record but parent zone has no NS record.
    * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

  PR:           211693
  Submitted by: jaap@NLnetLabs.nl (maintainer)
  Approved by:  ports-secteam (with hat)
  Security:     CVE-2016-6173
  Security:     https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html

Changes:
  _U  branches/2016Q3/
  branches/2016Q3/dns/nsd/Makefile
  branches/2016Q3/dns/nsd/distinfo
Committed. I validated builds with and without IPV6 to confirm the issue is fixed and see no issues at runtime. Thanks!