Bug 170208 - [SECURITY] [MAINTAINER] dns/nsd: update to 3.2.13
Summary: [SECURITY] [MAINTAINER] dns/nsd: update to 3.2.13
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Ryan Steinmetz
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-27 10:40 UTC by Jaap Akkerhuis
Modified: 2012-07-27 13:40 UTC (History)
1 user (show)

See Also:

Attachments
nsd-3.2.13.patch (798 bytes, patch)
2012-07-27 10:40 UTC, Jaap Akkerhuis 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jaap Akkerhuis 2012-07-27 10:40:04 UTC 
- Update to 3.2.13


NSD 3.2.11 and 3.2.12 are vulnerable to a denial of service attack if
and only if you have enabled per zone stats (--enable-zone-stats,
default off) [VU#517036 CVE-2012-2979 ].

BUG FIXES:
  - Fix for nsd-patch segfault if zone has been removed from nsd.conf
    (thanks Ilya Bakulin).
  - Bugfix #460: man page correction - identity.
  - Bugfix #461: NSD child segfaults when asked for out-of-zone data
    with --enable-zone-stats. [VU#517036 CVE-2012-2979]

Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: suffix)
Comment 1 Ryan Steinmetz freebsd_committer freebsd_triage 2012-07-27 13:25:55 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->zi

I'll take it.
Comment 2 Ryan Steinmetz freebsd_committer freebsd_triage 2012-07-27 13:39:13 UTC 
State Changed
From-To: open->closed

Committed. Thanks!
Comment 3 dfilter service freebsd_committer freebsd_triage 2012-07-27 13:39:21 UTC 
Author: zi
Date: Fri Jul 27 12:39:06 2012
New Revision: 301606
URL: http://svn.freebsd.org/changeset/ports/301606

Log:
  - Update to 3.2.13
  - Cleanup whitespace
  - Document vulnerability in dns/nsd (CVE-2012-29789)
  
  PR:		ports/170208
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Security:	17f369dc-d7e7-11e1-90a2-000c299b62e1

Modified:
  head/dns/nsd/Makefile
  head/dns/nsd/distinfo
  head/security/vuxml/vuln.xml

Modified: head/dns/nsd/Makefile
==============================================================================
--- head/dns/nsd/Makefile	Fri Jul 27 12:34:54 2012	(r301605)
+++ head/dns/nsd/Makefile	Fri Jul 27 12:39:06 2012	(r301606)
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	nsd
-PORTVERSION=	3.2.12
+PORTVERSION=	3.2.13
 CATEGORIES=	dns ipv6
 MASTER_SITES=	http://www.nlnetlabs.nl/downloads/nsd/	\
 		ftp://ftp.rhnet.is/pub/nsd/
@@ -50,7 +50,7 @@ PORTDOCS=	CREDITS ChangeLog LICENSE NSD-
 		differences.tex
 
 OPTIONS_DEFINE=	ROOT_SERVER LARGEFILE IPV6 BIND8_STATS ZONE_STATS CHECKING \
-		MINRESPSIZE NSEC3 NSEC3PREHASH MMAP MAXIPS DOCS 
+		MINRESPSIZE NSEC3 NSEC3PREHASH MMAP MAXIPS DOCS
 OPTIONS_DEFAULT=	LARGEFILE IPV6 NSEC3 NSEC3PREHASH MINRESPSIZE
 
 ROOT_SERVER_DESC=	Configure as a root server

Modified: head/dns/nsd/distinfo
==============================================================================
--- head/dns/nsd/distinfo	Fri Jul 27 12:34:54 2012	(r301605)
+++ head/dns/nsd/distinfo	Fri Jul 27 12:39:06 2012	(r301606)
@@ -1,2 +1,2 @@
-SHA256 (nsd-3.2.12.tar.gz) = 73d78e3de88efdf5ebb0106fe3580cb887f5d2adc9ab147d15cf835de7de508e
-SIZE (nsd-3.2.12.tar.gz) = 889490
+SHA256 (nsd-3.2.13.tar.gz) = 6c0abd77d716a80047dac5cb2998b077686f41a93be7e9d10b2746e6f7ac1ac2
+SIZE (nsd-3.2.13.tar.gz) = 886216

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jul 27 12:34:54 2012	(r301605)
+++ head/security/vuxml/vuln.xml	Fri Jul 27 12:39:06 2012	(r301606)
@@ -52,6 +52,38 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="17f369dc-d7e7-11e1-90a2-000c299b62e1">
+    <topic>nsd -- Denial of Service</topic>
+    <affects>
+      <package>
+	<name>nsd</name>
+	<range><lt>3.2.13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Tom Hendrikx reports:</p>
+	<blockquote cite="http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt">
+	  <p>It is possible to crash (SIGSEGV) a NSD child server process by
+	     sending it a DNS packet from any host on the internet and the per
+	     zone stats build option is enabled. A crashed child process will
+	     automatically be restarted by the parent process, but an attacker
+	     may keep the NSD server occupied restarting child processes by
+	     sending it a stream of such packets effectively preventing the
+	     NSD server to serve.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-2979</cvename>
+      <url>http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt</url>
+    </references>
+    <dates>
+      <discovery>2012-07-27</discovery>
+      <entry>2012-07-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ae2fa87c-4bca-4138-8be1-67ce2a19b3a8">
      <topic>rubygem-actionpack -- Denial of Service</topic>
      <affects>
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"