Bug 211693

Summary: dns/nsd: Update to 4.1.11 (Fixes security vulnerability: Fixes CVE-2016-6173)
Product: Ports & Packages
Reporter: Jaap Akkerhuis <jaap>
Component: Individual Port(s)
Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Many People
CC: junovitch, ports-secteam
Priority: Normal
Keywords: patch, security
Version: Latest
Flags: junovitch: merge-quarterly+
Hardware: Any
OS: Any
See Also: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
Attachments: Patch to upgrade (Flags: jaap: maintainer-approval+)

Description Jaap Akkerhuis 2016-08-09 13:08:14 UTC
Created attachment 173452
Patch to upgrade

Release Announcement

This release contains a patch for the unlimited AXFR vulnerability; with
a config option to limit AXFR sizes.

Bug fixes when built without IPv6 and for serving DS records with no NS record
in parent-child co-hosted setups.

4.1.11 Details:

FEATURES:
- When tcp is more than half full, use short timeout for tcp session.
- Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
- Fix #790: size-limit-xfr can stop NSD from downloading infinite zone
  transfer data size, from Toshifumi Sakaguchi.  Fixes CVE-2016-6173
  JVN#63359718 JPCERT#91251865.

BUG FIXES:
- Fix build without IPv6, patch from Zdenek Kaspar.
- Fix #783: Trying to run a root server without having configured it
  silently gives wrong answers.
- Fix #782: Serve DS record but parent zone has no NS record.
- Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
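As an added illustration of the size-limit-xfr option the announcement refers to (this is not code from the bug, the FreeBSD port or NSD itself), a small sh/awk audit that lists the zone: and pattern: blocks of an nsd.conf-style file which request transfers but carry no effective limit. It assumes the option syntax `size-limit-xfr: <bytes>` inside zone/pattern blocks with 0 (the default) meaning unlimited, runs on a constructed sample config, and does not resolve include-pattern inheritance.

```shell
#!/bin/sh
# Added example (not from this bug, the port or NSD): find zone:/pattern:
# blocks that request zone transfers (request-xfr) without a positive
# size-limit-xfr, i.e. transfers still unbounded as before NSD 4.1.11.
# Assumed: "key: value" option lines, bytes as the unit, 0 = unlimited,
# include-pattern inheritance not resolved.

# Constructed sample configuration (not a real deployment).
SAMPLE_CONF='server:
    ip-address: 192.0.2.53

pattern:
    name: "bounded-secondary"
    request-xfr: 192.0.2.1 NOKEY
    size-limit-xfr: 1048576

zone:
    name: "example.org"
    request-xfr: 192.0.2.1 NOKEY

zone:
    name: "example.net"
    zonefile: "example.net.zone"

zone:
    name: "example.com"
    request-xfr: 192.0.2.2 NOKEY
    size-limit-xfr: 0
'

# Print, one per line, the name of every zone/pattern block that requests
# transfers without a positive size-limit-xfr.
unbounded_xfr_zones() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (name != "" && xfr && !limited) print name
            name = ""; xfr = 0; limited = 0
        }
        $1 ~ /^#/ { next }                       # skip comment lines
        $1 == "zone:" || $1 == "pattern:" { flush(); next }
        $1 == "name:" { name = $2; gsub(/"/, "", name) }
        $1 == "request-xfr:" { xfr = 1 }
        $1 == "size-limit-xfr:" { if ($2 + 0 > 0) limited = 1 }
        END { flush() }
    '
}

unbounded_xfr_zones "$SAMPLE_CONF"
```

Run against a real nsd.conf by replacing the sample string with `$(cat /usr/local/etc/nsd/nsd.conf)`; zones printed are the ones still exposed to an unbounded AXFR.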
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-09 14:30:30 UTC
Upstream bug: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
Comment 2 commit-hook freebsd_committer 2016-08-10 01:33:12 UTC
A commit references this bug:

Author: junovitch
Date: Wed Aug 10 01:32:15 UTC 2016
New revision: 419980
URL: https://svnweb.freebsd.org/changeset/ports/419980

Log:
  dns/nsd: update 4.1.10 -> 4.1.11

  - Restore configurable IPV6 option. Upstream integrated fix for issue.

  - FEATURES:
  * When tcp is more than half full, use short timeout for tcp session.
  * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
  * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer
    data size, from Toshifumi Sakaguchi.
    Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
  - BUGFIXES:
  * Fix build without IPv6, patch from Zdenek Kaspar.
  * Fix #783: Trying to run a root server without having configured it silently
    gives wrong answers.
  * Fix #782: Serve DS record but parent zone has no NS record.
  * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

  PR:		211693
  Submitted by:	jaap@NLnetLabs.nl (maintainer)
  Security:	CVE-2016-6173
  Security:	https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
  MFH:		2016Q3

Changes:
  head/dns/nsd/Makefile
  head/dns/nsd/distinfo
Comment 3 commit-hook freebsd_committer 2016-08-10 01:33:14 UTC
A commit references this bug:

Author: junovitch
Date: Wed Aug 10 01:33:01 UTC 2016
New revision: 419981
URL: https://svnweb.freebsd.org/changeset/ports/419981

Log:
  MFH: r419980

  dns/nsd: update 4.1.10 -> 4.1.11

  - Restore configurable IPV6 option. Upstream integrated fix for issue.

  - FEATURES:
  * When tcp is more than half full, use short timeout for tcp session.
  * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
  * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer
    data size, from Toshifumi Sakaguchi.
    Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
  - BUGFIXES:
  * Fix build without IPv6, patch from Zdenek Kaspar.
  * Fix #783: Trying to run a root server without having configured it silently
    gives wrong answers.
  * Fix #782: Serve DS record but parent zone has no NS record.
  * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

  PR:		211693
  Submitted by:	jaap@NLnetLabs.nl (maintainer)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-6173
  Security:	https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html

Changes:
_U  branches/2016Q3/
  branches/2016Q3/dns/nsd/Makefile
  branches/2016Q3/dns/nsd/distinfo
Comment 4 Jason Unovitch freebsd_committer 2016-08-10 01:36:21 UTC
Committed.  I validated builds with and without IPV6 to confirm the issue is fixed and see no issues at runtime.  Thanks!