If one has the openssl port (version openssl-0.9.8h_1) installed and one tries to build & install the bind 9.5.0 port, the build of bind will die in the following horrible way:

cc -O2 -fno-strict-aliasing -pipe -rpath=/usr/local/lib -o named builtin.o client.o config.o control.o controlconf.o interfacemgr.o listenlist.o log.o logconf.o main.o notify.o query.o server.o sortlist.o statschannel.o tkeyconf.o tsigconf.o update.o xfrout.o zoneconf.o lwaddr.o lwresd.o lwdclient.o lwderror.o lwdgabn.o lwdgnba.o lwdgrbn.o lwdnoop.o lwsearch.o unix/os.o ../../lib/lwres/liblwres.a ../../lib/dns/libdns.a -lcrypto ../../lib/bind9/libbind9.a ../../lib/isccfg/libisccfg.a ../../lib/isccc/libisccc.a ../../lib/isc/libisc.a
../../lib/dns/libdns.a(openssldh_link.o)(.text+0x23d): In function `openssldh_generate':
: undefined reference to `DH_generate_parameters_ex'
../../lib/dns/libdns.a(openssldsa_link.o)(.text+0x365): In function `openssldsa_generate':
: undefined reference to `DSA_generate_parameters_ex'
../../lib/dns/libdns.a(opensslrsa_link.o)(.text+0x4e0): In function `opensslrsa_generate':
: undefined reference to `RSA_generate_key_ex'
*** Error code 1

Stop in /usr/ports/dns/bind95/work/bind-9.5.0-P2/bin/named.
*** Error code 1

Stop in /usr/ports/dns/bind95/work/bind-9.5.0-P2/bin.
*** Error code 1

Stop in /usr/ports/dns/bind95/work/bind-9.5.0-P2.
*** Error code 1

Stop in /usr/ports/dns/bind95.
The problem is caused by the fact that (a) there is no port config option for the bind95 port which would allow the user to select or not select whether bind should be configured --with-openssl or not (it always _is_ configured that way in the current FreeBSD port, whether the installer wants it that way or not), and also (b) unfortunately, when bind gets configured --with-openssl but with no path arg specified for the --with-openssl ./configure option, the build of bind 9.5.0 will use the openssl include files from the port (/usr/local/include/openssl/), which can be one version, but then later on an attempt is made to link *not* against the corresponding openssl libraries (in /usr/local/lib) but rather against, e.g., the libcrypto.so that's in /usr/lib. Result: version skew/mismatch between the headers & libraries used during the build of bind95, and a failed link of named.

Fix: This is *not* a proper solution, but is rather a quick and dirty work-around. Just a one line hack to the bind95 port top-level Makefile. I validated that this made the linking errors go away.

How-To-Repeat:
install 6.3_RELEASE
portsnap fetch
portsnap extract
portinstall openssl
portinstall bind95
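The header-versus-library skew described in the report can be caught before the link is attempted. The following shell script is an added example, not part of the PR or of the bind95 port: it emulates the toolchain's search order (explicit -I/-L directories first, then the implicit /usr/include and /usr/lib) over a constructed directory tree, and reports when the opensslv.h it would pick and the libcrypto.so it would pick live under different prefixes. The fake tree, its version numbers (a 0.9.7-era base OpenSSL under /usr, the 0.9.8h port under /usr/local) and the function names are assumptions made for illustration; the PR itself does not state the base system's OpenSSL version.

```shell
#!/bin/sh
# Added example (not from the PR or the bind95 port): emulate how cc and ld
# choose OpenSSL headers and libcrypto, so header/library prefix skew is
# caught before named fails to link. Works on a constructed tree under ROOT
# so it runs offline; the search order mirrors the real toolchain (explicit
# -I/-L directories first, then the implicit /usr/include and /usr/lib).

# first_dir ROOT REL_FILE DIR... : print the first DIR (relative to ROOT)
# that contains REL_FILE; return 1 if none does.
first_dir() {
    fd_root=$1; fd_rel=$2; shift 2
    for fd_d in "$@"; do
        if [ -e "$fd_root$fd_d/$fd_rel" ]; then
            printf '%s\n' "$fd_d"
            return 0
        fi
    done
    return 1
}

# resolve_ssl ROOT "INCDIRS" "LIBDIRS": INCDIRS/LIBDIRS are the -I/-L
# directories in command-line order (either may be empty). Prints
# "hdr=<dir> lib=<dir> ver=<OPENSSL_VERSION_NUMBER>" and returns 1 when the
# header and the library come from different prefixes (/usr vs /usr/local).
resolve_ssl() {
    rs_root=$1
    # word splitting of $2/$3 is intended: they are lists of directories
    rs_hdr=$(first_dir "$rs_root" openssl/opensslv.h $2 /usr/include) || rs_hdr=none
    rs_lib=$(first_dir "$rs_root" libcrypto.so $3 /usr/lib) || rs_lib=none
    rs_ver=$(sed -n \
        's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]]*\(0x[0-9A-Fa-f]*\)L*.*/\1/p' \
        "$rs_root$rs_hdr/openssl/opensslv.h" 2>/dev/null)
    printf 'hdr=%s lib=%s ver=%s\n' "$rs_hdr" "$rs_lib" "${rs_ver:-unknown}"
    [ "$rs_hdr" != none ] && [ "$rs_lib" != none ] &&
        [ "${rs_hdr%/include}" = "${rs_lib%/lib}" ]
}

# make_tree ROOT: constructed sample tree (an assumption, not real data):
# a 0.9.7-era base OpenSSL under /usr and the 0.9.8h port under /usr/local.
make_tree() {
    mkdir -p "$1/usr/include/openssl" "$1/usr/lib" \
             "$1/usr/local/include/openssl" "$1/usr/local/lib"
    printf '#define OPENSSL_VERSION_NUMBER 0x0090705fL\n' \
        > "$1/usr/include/openssl/opensslv.h"
    printf '#define OPENSSL_VERSION_NUMBER 0x0090808fL\n' \
        > "$1/usr/local/include/openssl/opensslv.h"
    : > "$1/usr/lib/libcrypto.so"
    : > "$1/usr/local/lib/libcrypto.so"
}

# demo: the two configurations at issue in the PR.
demo() {
    dm_tmp=$(mktemp -d) || return 2
    make_tree "$dm_tmp"
    echo "bind95 as the port configured it (-I/usr/local/include, no -L):"
    resolve_ssl "$dm_tmp" /usr/local/include "" ||
        echo "  -> prefix skew: 0.9.8 headers, base libcrypto; expect undefined *_ex references"
    echo "configured as --with-openssl=/usr/local (adds -L/usr/local/lib):"
    resolve_ssl "$dm_tmp" /usr/local/include /usr/local/lib &&
        echo "  -> consistent"
    rm -rf "$dm_tmp"
}

demo
```

Note what the failing link line in the report actually carries: -rpath=/usr/local/lib but no -L/usr/local/lib, so -lcrypto is resolved against /usr/lib at link time even though the binary would search /usr/local/lib at run time. The script only models that search order; on a real host, confirm the library side with nm or objdump on the libcrypto the linker picks (for example, checking that it exports DH_generate_parameters_ex) rather than trusting file presence.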
Responsible Changed From-To: freebsd-ports-bugs->dougb Over to maintainer (via the GNATS Auto Assign Tool)
dougb 2009-01-08 08:18:45 UTC

FreeBSD ports repository

Modified files:
  dns/bind9   Makefile distinfo
  dns/bind94  Makefile distinfo
  dns/bind95  Makefile distinfo
  dns/bind96  Makefile distinfo

Log:
  Update to the -P1 versions of the current BIND ports which contain the fix
  for the following vulnerability:

  https://www.isc.org/node/373

  Description: Return values from OpenSSL library functions EVP_VerifyFinal()
  and DSA_do_verify() were not checked properly.

  Impact: It is theoretically possible to spoof answers returned from zones
  using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).

  In short, if you're not using DNSSEC to verify signatures you have nothing
  to worry about.

  While I'm here, address the issues raised in the PR by adding a knob to
  disable building with OpenSSL altogether (which eliminates DNSSEC
  capability), and fix the configure arguments to better deal with the
  situation where the user has ssl bits in both the base and LOCALBASE.

  PR:           ports/126297
  Submitted by: Ronald F. Guilmette <rfg@tristatelogic.com>

  Revision  Changes   Path
  1.86      +11 -8    ports/dns/bind9/Makefile
  1.48      +6 -6     ports/dns/bind9/distinfo
  1.91      +11 -8    ports/dns/bind94/Makefile
  1.51      +6 -6     ports/dns/bind94/distinfo
  1.93      +12 -8    ports/dns/bind95/Makefile
  1.53      +6 -6     ports/dns/bind95/distinfo
  1.95      +11 -8    ports/dns/bind96/Makefile
  1.55      +6 -6     ports/dns/bind96/distinfo
State Changed From-To: open->feedback What I believe to be an appropriate fix has been committed. Please test again with 9.5.1-P1 and let me know if it works for you. Thanks for bringing this to my attention, Doug
State Changed From-To: feedback->closed Feedback timeout