Bug 211693 - dns/nsd: Update to 4.1.11 (Fixes security vulnerability: Fixes CVE-2016-6173)
Summary: dns/nsd: Update to 4.1.11 (Fixes security vulnerability: Fixes CVE-2016-6173)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Jason Unovitch
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-08-09 13:08 UTC by Jaap Akkerhuis
Modified: 2016-08-10 01:36 UTC

See Also:
junovitch: merge-quarterly+


Attachments
Patch to upgrade (1.61 KB, patch)
2016-08-09 13:08 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Description Jaap Akkerhuis 2016-08-09 13:08:14 UTC
Created attachment 173452
Patch to upgrade

Release Announcement

This release contains a patch for the unlimited AXFR vulnerability; with
a config option to limit AXFR sizes.

Bug fixes for builds without IPv6 and for serving DS records with no NS record
in parent-child co-hosted setups.

4.1.11 Details:

FEATURES:
- When tcp is more than half full, use short timeout for tcp session.
- Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
- Fix #790: size-limit-xfr can stop NSD from downloading infinite zone
  transfer data size, from Toshifumi Sakaguchi.  Fixes CVE-2016-6173
  JVN#63359718 JPCERT#91251865.

BUG FIXES:
- Fix build without IPv6, patch from Zdenek Kaspar.
- Fix #783: Trying to run a root server without having configured it
  silently gives wrong answers.
- Fix #782: Serve DS record but parent zone has no NS record.
- Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
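The fix for CVE-2016-6173 (upstream bug #790) does not cap zone transfers by itself: the new `size-limit-xfr` option has to be set explicitly in nsd.conf, and per the nsd.conf(5) manual the default of 0 means no limit. The fragment below is an added illustration, not part of the bug report or the NSD distribution; the zone name, master address, TSIG key name and the 50 MB ceiling are constructed values chosen for the example.

```conf
# Added example: a secondary zone on NSD 4.1.11 or later with an AXFR/IXFR
# size ceiling.  All names and addresses here are hypothetical.
server:
    ip-address: 192.0.2.53          # constructed listen address
    zonesdir: "/usr/local/etc/nsd"

key:
    name: "xfr-key.example"         # constructed TSIG key name
    algorithm: hmac-sha256
    secret: "c2VjcmV0LWtleS1mb3ItZXhhbXBsZS1vbmx5LW5vdC1yZWFs"

pattern:
    name: "secondary-limited"
    # Stop the transfer once more than this many bytes have been received
    # from the master (the page's "infinite zone transfer data size").
    # 0, the default, disables the check, so an upgraded server that keeps
    # its old configuration is still unbounded.
    size-limit-xfr: 52428800         # 50 MB, constructed for the example
    allow-notify: 198.51.100.10 xfr-key.example
    request-xfr: 198.51.100.10 xfr-key.example

zone:
    name: "example.com"              # constructed zone name
    zonefile: "example.com.zone"
    include-pattern: "secondary-limited"
```

Set the limit above the real size of the zone (including IXFR deltas) with headroom for growth, otherwise legitimate transfers will be aborted and the secondary will keep serving stale data until the zone's expire timer runs out. After editing, `nsd-checkconf /usr/local/etc/nsd/nsd.conf` will reject the option on an NSD older than 4.1.11, which is a quick way to confirm the installed package actually carries this fix.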
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-09 14:30:30 UTC
Upstream bug: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
Comment 2 commit-hook freebsd_committer 2016-08-10 01:33:12 UTC
A commit references this bug:

Author: junovitch
Date: Wed Aug 10 01:32:15 UTC 2016
New revision: 419980
URL: https://svnweb.freebsd.org/changeset/ports/419980

Log:
  dns/nsd: update 4.1.10 -> 4.1.11

  - Restore configurable IPV6 option. Upstream integrated fix for issue.

  - FEATURES:
  * When tcp is more than half full, use short timeout for tcp session.
  * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
  * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer
    data size, from Toshifumi Sakaguchi.
    Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
  - BUGFIXES:
  * Fix build without IPv6, patch from Zdenek Kaspar.
  * Fix #783: Trying to run a root server without having configured it silently
    gives wrong answers.
  * Fix #782: Serve DS record but parent zone has no NS record.
  * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

  PR:		211693
  Submitted by:	jaap@NLnetLabs.nl (maintainer)
  Security:	CVE-2016-6173
  Security:	https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
  MFH:		2016Q3

Changes:
  head/dns/nsd/Makefile
  head/dns/nsd/distinfo
Comment 3 commit-hook freebsd_committer 2016-08-10 01:33:14 UTC
A commit references this bug:

Author: junovitch
Date: Wed Aug 10 01:33:01 UTC 2016
New revision: 419981
URL: https://svnweb.freebsd.org/changeset/ports/419981

Log:
  MFH: r419980

  dns/nsd: update 4.1.10 -> 4.1.11

  - Restore configurable IPV6 option. Upstream integrated fix for issue.

  - FEATURES:
  * When tcp is more than half full, use short timeout for tcp session.
  * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
  * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer
    data size, from Toshifumi Sakaguchi.
    Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
  - BUGFIXES:
  * Fix build without IPv6, patch from Zdenek Kaspar.
  * Fix #783: Trying to run a root server without having configured it silently
    gives wrong answers.
  * Fix #782: Serve DS record but parent zone has no NS record.
  * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

  PR:		211693
  Submitted by:	jaap@NLnetLabs.nl (maintainer)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-6173
  Security:	https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html

Changes:
_U  branches/2016Q3/
  branches/2016Q3/dns/nsd/Makefile
  branches/2016Q3/dns/nsd/distinfo
Comment 4 Jason Unovitch freebsd_committer 2016-08-10 01:36:21 UTC
Committed.  I validated builds with and without IPV6 to confirm the issue is fixed and see no issues at runtime.  Thanks!