Bug 253795 - dns/opendnssec2: Update to 2.1.8
Summary: dns/opendnssec2: Update to 2.1.8
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Neel Chauhan
URL: https://www.opendnssec.org/2021/02/op...
Depends on:
Reported: 2021-02-23 14:58 UTC by Jaap Akkerhuis
Modified: 2021-03-05 19:53 UTC

See Also:

patch to upgrade (1.15 KB, patch)
2021-02-23 14:58 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2021-02-23 14:58:51 UTC
Created attachment 222758
patch to upgrade

The port itself incorporates fixes for the issue signalled in PR #253536

This release of 2.1.8 fixes a number of bugs related to the purging of
keys, a potential denial of service vulnerability in some installations,
and a few rarer but nasty potential crashes.  Earlier versions of
OpenDNSSEC 2.1 might not have all keys purged from the HSM if instructed
to do so.  Since this is now done automatically, it is worth pointing out
that this was a bug and old keys will be permanently removed from the HSM.

Either when manually purging keys, or having specified a <Purge> in
your key policy (kasp.xml), the keys are supposed to be removed from
the HSM.  However, for some time, the keys were marked for deletion,
and became invisible, but the removal from the HSM was skipped.  In this
release candidate this is fixed, but still allowing keys not to be
removed entirely.  When you specify an automatic purge then the keys
will, after the specified period, be completely removed.  When you
purge manually, keys are not removed from the HSM unless you specify an
additional flag (the --delete or -d flag).

Special thanks to the people that help us in making OpenDNSSEC better
and better, mentioned in the NEWS file as always.  Two of the bugs
were only traceable using this help.

* OPENDNSSEC-954: Upgrade autoconf/automake configuration chain for
  version 2.69/1.16.2.
* SUPPORT-261: Fix to crash when using ods-enforcer set-policy command.
* OPENDNSSEC-953: Fix to crash in case zone file not present while getting
  a signconf update and state flush command.
  Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
* OPENDNSSEC-951: Modify the purging of keys, to make it automatic to purge
  keys from the HSM.
  Thanks to Stefan Ubbink from SIDN for the co-operation in this fix.
* OPENDNSSEC-950: Fix that caused crash when signer was offline for a
  prolonged period (but the enforcer wasn't) in the middle of a ZSK roll.
* OPENDNSSEC-952: Memory leak when receiving NOTIFY for non-existent zone
  (Thanks to Sébastien Tisserant for reporting).
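
A pre-upgrade check for the purge behaviour described above, as an added example that is not part of the bug report or of OpenDNSSEC: it lists which policies in a kasp.xml carry a <Purge> period, since those are the policies whose old keys 2.1.8 removes from the HSM automatically. The sample file is constructed, the Keys/Purge element layout is assumed from the usual kasp.xml structure, and counting a month as 31 days and a year as 365 days is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy file (not taken from the bug report).
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Keys>
      <TTL>PT3600S</TTL>
      <Purge>P14D</Purge>
    </Keys>
  </Policy>
  <Policy name="lab">
    <Keys>
      <TTL>PT3600S</TTL>
    </Keys>
  </Policy>
</KASP>
"""

# ISO 8601 duration: PnYnMnWnDTnHnMnS, every component optional.
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumption: year = 365 days, month = 31 days.
_UNIT_SECONDS = (365 * 86400, 31 * 86400, 7 * 86400, 86400, 3600, 60, 1)


def duration_seconds(text):
    """Convert an ISO 8601 duration string to seconds."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    return sum(int(v) * u for v, u in zip(m.groups(), _UNIT_SECONDS) if v)


def purge_report(kasp_xml):
    """Map each policy name to its purge period in seconds (None if no <Purge>)."""
    report = {}
    for policy in ET.fromstring(kasp_xml).iter("Policy"):
        purge = policy.find("Keys/Purge")
        has_value = purge is not None and purge.text
        report[policy.get("name")] = duration_seconds(purge.text) if has_value else None
    return report


if __name__ == "__main__":
    for name, secs in purge_report(SAMPLE_KASP).items():
        state = f"auto-purge after {secs}s, keys leave the HSM" if secs else "no <Purge>"
        print(f"{name}: {state}")
```

Policies reported with a period are the ones to review for key backups before upgrading; policies without <Purge> are only affected by manual purges.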
Comment 1 Neel Chauhan freebsd_committer 2021-03-05 19:53:18 UTC
Comment 2 commit-hook freebsd_committer 2021-03-05 19:53:40 UTC
A commit references this bug:

Author: nc
Date: Fri Mar  5 19:53:12 UTC 2021
New revision: 567416
URL: https://svnweb.freebsd.org/changeset/ports/567416

  dns/opendnssec2: Update to 2.1.8

  Changes: https://www.opendnssec.org/2021/02/opendnssec-2-1-8/

  PR:		253795
  Submitted by:	Jaap Akkerhuis <jaap AT NLnetLabs DOT nl> (maintainer)