Module Name: src
Committed By: snj
Date: Sat Aug 12 05:16:40 UTC 2017
Modified Files:
src/doc [netbsd-7-0]: 3RDPARTY
src/external/bsd/bind [netbsd-7-0]: Makefile.inc
src/external/bsd/bind/dist [netbsd-7-0]: CHANGES README srcid version
src/external/bsd/bind/dist/doc/arm [netbsd-7-0]: Bv9ARM.ch01.html
Bv9ARM.ch02.html Bv9ARM.ch03.html Bv9ARM.ch04.html Bv9ARM.ch05.html
Bv9ARM.ch06.html Bv9ARM.ch07.html Bv9ARM.ch08.html Bv9ARM.ch09.html
Bv9ARM.ch10.html Bv9ARM.ch11.html Bv9ARM.ch12.html Bv9ARM.ch13.html
Bv9ARM.html Bv9ARM.pdf man.arpaname.html man.ddns-confgen.html
man.delv.html man.dig.html man.dnssec-checkds.html
man.dnssec-coverage.html man.dnssec-dsfromkey.html
man.dnssec-importkey.html man.dnssec-keyfromlabel.html
man.dnssec-keygen.html man.dnssec-revoke.html
man.dnssec-settime.html man.dnssec-signzone.html
man.dnssec-verify.html man.genrandom.html man.host.html
man.isc-hmac-fixup.html man.lwresd.html man.named-checkconf.html
man.named-checkzone.html man.named-journalprint.html
man.named-rrchecker.html man.named.conf.html man.named.html
man.nsec3hash.html man.nsupdate.html man.rndc-confgen.html
man.rndc.conf.html man.rndc.html notes.html notes.pdf notes.xml
src/external/bsd/bind/dist/lib/dns [netbsd-7-0]: api dnssec.c message.c
rootns.c tsig.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1489):
doc/3RDPARTY: patch
external/bsd/bind/Makefile.inc: up to 1.26 via patch
external/bsd/bind/dist/CHANGES: up to 1.28
external/bsd/bind/dist/README: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.26
external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.23
external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.28
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.29
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.25
external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.16
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.21
external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.host.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.8
external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.8
external/bsd/bind/dist/doc/arm/man.named.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.16
external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.16
external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.14
external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.14
external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.14
external/bsd/bind/dist/lib/dns/api: up to 1.16
external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.14
external/bsd/bind/dist/lib/dns/message.c: up to 1.24
external/bsd/bind/dist/lib/dns/rootns.c: up to 1.13
external/bsd/bind/dist/lib/dns/tsig.c: up to 1.11
external/bsd/bind/dist/srcid: up to 1.22
external/bsd/bind/dist/version: up to 1.26
external/bsd/bind/include/isc/platform.h: up to 1.23
Update BIND to 9.10.5-P2.
To generate a diff of this commit:
cvs rdiff -u -r1.1145.2.18.2.22 -r1.1145.2.18.2.23 src/doc/3RDPARTY
cvs rdiff -u -r1.21.2.1.2.5 -r1.21.2.1.2.6 src/external/bsd/bind/Makefile.inc
cvs rdiff -u -r1.12.2.5.2.7 -r1.12.2.5.2.8 src/external/bsd/bind/dist/CHANGES
cvs rdiff -u -r1.1.1.14.2.5.2.7 -r1.1.1.14.2.5.2.8 \
src/external/bsd/bind/dist/README
cvs rdiff -u -r1.6.2.5.2.7 -r1.6.2.5.2.8 src/external/bsd/bind/dist/srcid
cvs rdiff -u -r1.10.2.5.2.7 -r1.10.2.5.2.8 src/external/bsd/bind/dist/version
cvs rdiff -u -r1.1.1.11.2.4.2.7 -r1.1.1.11.2.4.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
cvs rdiff -u -r1.1.1.8.2.4.2.7 -r1.1.1.8.2.4.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
cvs rdiff -u -r1.1.1.13.2.4.2.7 -r1.1.1.13.2.4.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
cvs rdiff -u -r1.1.1.15.2.5.2.7 -r1.1.1.15.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.html \
src/external/bsd/bind/dist/doc/arm/man.dig.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html \
src/external/bsd/bind/dist/doc/arm/man.host.html \
src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html \
src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html \
src/external/bsd/bind/dist/doc/arm/man.named.html \
src/external/bsd/bind/dist/doc/arm/man.nsupdate.html \
src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html \
src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html \
src/external/bsd/bind/dist/doc/arm/man.rndc.html
cvs rdiff -u -r1.1.1.14.2.4.2.7 -r1.1.1.14.2.4.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
cvs rdiff -u -r1.1.1.10.2.4.2.7 -r1.1.1.10.2.4.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
cvs rdiff -u -r1.1.1.1.2.4.2.7 -r1.1.1.1.2.4.2.8 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html \
src/external/bsd/bind/dist/doc/arm/notes.html \
src/external/bsd/bind/dist/doc/arm/notes.pdf \
src/external/bsd/bind/dist/doc/arm/notes.xml
cvs rdiff -u -r1.7.2.4.2.6 -r1.7.2.4.2.7 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
cvs rdiff -u -r1.1.1.12.2.5.2.7 -r1.1.1.12.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.arpaname.html \
src/external/bsd/bind/dist/doc/arm/man.genrandom.html \
src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html \
src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html
cvs rdiff -u -r1.1.1.13.2.5.2.7 -r1.1.1.13.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
cvs rdiff -u -r1.1.1.1.4.5.2.7 -r1.1.1.1.4.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.delv.html
cvs rdiff -u -r1.1.1.3.2.5.2.7 -r1.1.1.3.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
cvs rdiff -u -r1.1.1.2.2.5.2.7 -r1.1.1.2.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html \
src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
cvs rdiff -u -r1.1.1.5.2.5.2.7 -r1.1.1.5.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
cvs rdiff -u -r1.1.1.11.2.5.2.7 -r1.1.1.11.2.5.2.8 \
src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
cvs rdiff -u -r1.1.1.2.2.7 -r1.1.1.2.2.8 \
src/external/bsd/bind/dist/doc/arm/man.lwresd.html \
src/external/bsd/bind/dist/doc/arm/man.named.conf.html
cvs rdiff -u -r1.1.1.16.2.5.2.7 -r1.1.1.16.2.5.2.8 \
src/external/bsd/bind/dist/lib/dns/api
cvs rdiff -u -r1.9.4.2.2.2 -r1.9.4.2.2.3 \
src/external/bsd/bind/dist/lib/dns/dnssec.c
cvs rdiff -u -r1.13.2.2.2.5 -r1.13.2.2.2.6 \
src/external/bsd/bind/dist/lib/dns/message.c
cvs rdiff -u -r1.7.2.1.2.3 -r1.7.2.1.2.4 \
src/external/bsd/bind/dist/lib/dns/rootns.c
cvs rdiff -u -r1.6.4.2.2.2 -r1.6.4.2.2.3 \
src/external/bsd/bind/dist/lib/dns/tsig.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/doc/3RDPARTY
diff -u src/doc/3RDPARTY:1.1145.2.18.2.22 src/doc/3RDPARTY:1.1145.2.18.2.23
--- src/doc/3RDPARTY:1.1145.2.18.2.22 Wed Jul 26 15:50:28 2017
+++ src/doc/3RDPARTY Sat Aug 12 05:16:36 2017
@@ -1,4 +1,4 @@
-# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.22 2017/07/26 15:50:28 snj Exp $
+# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.23 2017/08/12 05:16:36 snj Exp $
#
# This file contains a list of the software that has been integrated into
# NetBSD where we are not the primary maintainer.
@@ -113,8 +113,8 @@ Notes:
bc includes dc, both of which are in the NetBSD tree.
Package: bind [named and utils]
-Version: 9.10.5-P1/BSD
-Current Vers: 9.10.5-P1/BSD
+Version: 9.10.5-P2/BSD
+Current Vers: 9.10.5-P2/BSD
Maintainer: Paul Vixie <vi...@vix.com>
Archive Site: ftp://ftp.isc.org/isc/bind9/
Home Page: http://www.isc.org/software/bind/
Index: src/external/bsd/bind/Makefile.inc
diff -u src/external/bsd/bind/Makefile.inc:1.21.2.1.2.5 src/external/bsd/bind/Makefile.inc:1.21.2.1.2.6
--- src/external/bsd/bind/Makefile.inc:1.21.2.1.2.5 Tue Jun 20 16:39:54 2017
+++ src/external/bsd/bind/Makefile.inc Sat Aug 12 05:16:36 2017
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.inc,v 1.21.2.1.2.5 2017/06/20 16:39:54 snj Exp $
+# $NetBSD: Makefile.inc,v 1.21.2.1.2.6 2017/08/12 05:16:36 snj Exp $
.if !defined(BIND9_MAKEFILE_INC)
BIND9_MAKEFILE_INC=yes
Index: src/external/bsd/bind/dist/CHANGES
diff -u src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.7 src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.8
--- src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.7 Tue Jun 20 16:39:55 2017
+++ src/external/bsd/bind/dist/CHANGES Sat Aug 12 05:16:36 2017
@@ -1,3 +1,11 @@
+ --- 9.10.5-P2 released ---
+
+4643. [security] An error in TSIG handling could permit unauthorized
+ zone transfers or zone updates. (CVE-2017-3142)
+ (CVE-2017-3143) [RT #45383]
+
+4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
+
--- 9.10.5-P1 released ---
4632. [security] The BIND installer on Windows used an unquoted
Index: src/external/bsd/bind/dist/README
diff -u src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.7 src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.8
--- src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.7 Tue Jun 20 16:39:55 2017
+++ src/external/bsd/bind/dist/README Sat Aug 12 05:16:36 2017
@@ -51,6 +51,11 @@ BIND 9
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
+BIND 9.10.5-P2
+
+ This version contains a fix for the security flaws
+ disclosed in CVE-2017-3142 and CVE-2017-3143.
+
BIND 9.10.5-P1
This version contains a fix for the security flaws
Index: src/external/bsd/bind/dist/srcid
diff -u src/external/bsd/bind/dist/srcid:1.6.2.5.2.7 src/external/bsd/bind/dist/srcid:1.6.2.5.2.8
--- src/external/bsd/bind/dist/srcid:1.6.2.5.2.7 Tue Jun 20 16:39:55 2017
+++ src/external/bsd/bind/dist/srcid Sat Aug 12 05:16:36 2017
@@ -1 +1 @@
-SRCID=34fd9c6
+SRCID=a39c587
Index: src/external/bsd/bind/dist/version
diff -u src/external/bsd/bind/dist/version:1.10.2.5.2.7 src/external/bsd/bind/dist/version:1.10.2.5.2.8
--- src/external/bsd/bind/dist/version:1.10.2.5.2.7 Tue Jun 20 16:39:55 2017
+++ src/external/bsd/bind/dist/version Sat Aug 12 05:16:36 2017
@@ -7,5 +7,5 @@ MAJORVER=9
MINORVER=10
PATCHVER=5
RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2
EXTENSIONS=
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html Sat Aug 12 05:16:36 2017
@@ -611,6 +611,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html Sat Aug 12 05:16:36 2017
@@ -160,6 +160,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html Sat Aug 12 05:16:37 2017
@@ -768,6 +768,6 @@ controls {
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html Sat Aug 12 05:16:37 2017
@@ -2498,6 +2498,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html Sat Aug 12 05:16:37 2017
@@ -13790,6 +13790,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html Sat Aug 12 05:16:37 2017
@@ -262,6 +262,6 @@ zone "example.com" {
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html Sat Aug 12 05:16:37 2017
@@ -145,6 +145,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html Sat Aug 12 05:16:37 2017
@@ -45,7 +45,7 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.5-P1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.5-P2</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -58,7 +58,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.5-P1</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.5-P2</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@@ -70,6 +70,11 @@
BIND 9.10.5-P1 addresses the security issues described in
CVE-2017-3140 and CVE-2017-3141.
</p>
+ <p>
+ BIND 9.11.1-P2 addresses the security issues described in
+ CVE-2017-3142 and CVE-2017-3143. It also includes an update
+ to the address of the B root server.
+ </p>
</div>
@@ -121,6 +126,13 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
+ An error in TSIG handling could permit unauthorized zone
+ transfers or zone updates. These flaws are disclosed in
+ CVE-2017-3142 and CVE-2017-3143. [RT #45383]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
@@ -177,6 +189,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.html Sat Aug 12 05:16:37 2017
@@ -41,7 +41,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.10.5-P1</p></div>
+<div><p class="releaseinfo">BIND Version 9.10.5-P2</p></div>
<div><p class="copyright">Copyright © 2004-2016 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
@@ -240,7 +240,7 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.5-P1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.5-P2</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -410,6 +410,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dig.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:18 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dig.html Sat Aug 12 05:16:39 2017
@@ -1035,6 +1035,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html Sat Aug 12 05:16:39 2017
@@ -298,6 +298,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html Sat Aug 12 05:16:39 2017
@@ -485,6 +485,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html Sat Aug 12 05:16:39 2017
@@ -572,6 +572,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html Sat Aug 12 05:16:39 2017
@@ -711,6 +711,6 @@ db.example.com.signed
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.host.html
diff -u src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.host.html Sat Aug 12 05:16:39 2017
@@ -362,6 +362,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html Sat Aug 12 05:16:39 2017
@@ -201,6 +201,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html Sat Aug 12 05:16:39 2017
@@ -472,6 +472,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named.html Sat Aug 12 05:16:39 2017
@@ -476,6 +476,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.nsupdate.html
diff -u src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.nsupdate.html Sat Aug 12 05:16:39 2017
@@ -804,6 +804,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html Sat Aug 12 05:16:39 2017
@@ -286,6 +286,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html Sat Aug 12 05:16:39 2017
@@ -277,6 +277,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.html Sat Aug 12 05:16:39 2017
@@ -723,6 +723,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html Sat Aug 12 05:16:37 2017
@@ -145,6 +145,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html Sat Aug 12 05:16:37 2017
@@ -157,6 +157,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html Sat Aug 12 05:16:37 2017
@@ -923,6 +923,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html Sat Aug 12 05:16:37 2017
@@ -584,6 +584,6 @@ $ <strong class="userinput"><code>sample
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.7 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.7 Tue Jun 20 16:40:16 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html Sat Aug 12 05:16:37 2017
@@ -184,6 +184,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/notes.html
diff -u src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.7 src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/notes.html Sat Aug 12 05:16:39 2017
@@ -23,7 +23,7 @@
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.10.5-P1</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.10.5-P2</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
@@ -35,6 +35,11 @@
BIND 9.10.5-P1 addresses the security issues described in
CVE-2017-3140 and CVE-2017-3141.
</p>
+ <p>
+ BIND 9.11.1-P2 addresses the security issues described in
+ CVE-2017-3142 and CVE-2017-3143. It also includes an update
+ to the address of the B root server.
+ </p>
</div>
@@ -86,6 +91,13 @@
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>
+ An error in TSIG handling could permit unauthorized zone
+ transfers or zone updates. These flaws are disclosed in
+ CVE-2017-3142 and CVE-2017-3143. [RT #45383]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
Index: src/external/bsd/bind/dist/doc/arm/notes.pdf
Binary files are different
Index: src/external/bsd/bind/dist/doc/arm/notes.xml
diff -u src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.7 src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.8
--- src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/notes.xml Sat Aug 12 05:16:39 2017
@@ -27,6 +27,11 @@
BIND 9.10.5-P1 addresses the security issues described in
CVE-2017-3140 and CVE-2017-3141.
</para>
+ <para>
+ BIND 9.11.1-P2 addresses the security issues described in
+ CVE-2017-3142 and CVE-2017-3143. It also includes an update
+ to the address of the B root server.
+ </para>
</section>
@@ -73,6 +78,13 @@
<itemizedlist>
<listitem>
<para>
+ An error in TSIG handling could permit unauthorized zone
+ transfers or zone updates. These flaws are disclosed in
+ CVE-2017-3142 and CVE-2017-3143. [RT #45383]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
The BIND installer on Windows used an unquoted service path,
which can enable privilege escalation. This flaw is disclosed
in CVE-2017-3141. [RT #45229]
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
Binary files are different
Index: src/external/bsd/bind/dist/doc/arm/man.arpaname.html
diff -u src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.7 Tue Jun 20 16:40:18 2017
+++ src/external/bsd/bind/dist/doc/arm/man.arpaname.html Sat Aug 12 05:16:39 2017
@@ -100,6 +100,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.genrandom.html
diff -u src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.genrandom.html Sat Aug 12 05:16:39 2017
@@ -136,6 +136,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html Sat Aug 12 05:16:39 2017
@@ -126,6 +126,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html
diff -u src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html Sat Aug 12 05:16:39 2017
@@ -136,6 +136,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.7 Tue Jun 20 16:40:18 2017
+++ src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html Sat Aug 12 05:16:39 2017
@@ -245,6 +245,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html Sat Aug 12 05:16:39 2017
@@ -180,6 +180,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html Sat Aug 12 05:16:39 2017
@@ -337,6 +337,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.delv.html
diff -u src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.7 src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.7 Tue Jun 20 16:40:18 2017
+++ src/external/bsd/bind/dist/doc/arm/man.delv.html Sat Aug 12 05:16:39 2017
@@ -619,6 +619,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.7 Tue Jun 20 16:40:18 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html Sat Aug 12 05:16:39 2017
@@ -160,6 +160,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html Sat Aug 12 05:16:39 2017
@@ -279,6 +279,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html Sat Aug 12 05:16:39 2017
@@ -241,6 +241,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html Sat Aug 12 05:16:39 2017
@@ -130,6 +130,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html Sat Aug 12 05:16:39 2017
@@ -211,6 +211,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
diff -u src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.7 src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.8
--- src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html Sat Aug 12 05:16:39 2017
@@ -135,6 +135,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.lwresd.html
diff -u src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.7 src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.8
--- src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.lwresd.html Sat Aug 12 05:16:39 2017
@@ -336,6 +336,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named.conf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.7 src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.8
--- src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.7 Tue Jun 20 16:40:19 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named.conf.html Sat Aug 12 05:16:39 2017
@@ -736,6 +736,6 @@ zone <em class="replaceable"><code>strin
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P1</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.5-P2</p>
</body>
</html>
Index: src/external/bsd/bind/dist/lib/dns/api
diff -u src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.7 src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.8
--- src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.7 Tue Jun 20 16:40:20 2017
+++ src/external/bsd/bind/dist/lib/dns/api Sat Aug 12 05:16:40 2017
@@ -7,5 +7,5 @@
# 9.10: 140-149, 170-179
# 9.11: 160-169
LIBINTERFACE = 170
-LIBREVISION = 2
+LIBREVISION = 3
LIBAGE = 0
Index: src/external/bsd/bind/dist/lib/dns/dnssec.c
diff -u src/external/bsd/bind/dist/lib/dns/dnssec.c:1.9.4.2.2.2 src/external/bsd/bind/dist/lib/dns/dnssec.c:1.9.4.2.2.3
--- src/external/bsd/bind/dist/lib/dns/dnssec.c:1.9.4.2.2.2 Tue Jun 20 16:40:20 2017
+++ src/external/bsd/bind/dist/lib/dns/dnssec.c Sat Aug 12 05:16:40 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: dnssec.c,v 1.9.4.2.2.2 2017/06/20 16:40:20 snj Exp $ */
+/* $NetBSD: dnssec.c,v 1.9.4.2.2.3 2017/08/12 05:16:40 snj Exp $ */
/*
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
@@ -982,6 +982,8 @@ dns_dnssec_verifymessage(isc_buffer_t *s
mctx = msg->mctx;
msg->verify_attempted = 1;
+ msg->verified_sig = 0;
+ msg->sig0status = dns_tsigerror_badsig;
if (is_response(msg)) {
if (msg->query.base == NULL)
@@ -1077,6 +1079,7 @@ dns_dnssec_verifymessage(isc_buffer_t *s
}
msg->verified_sig = 1;
+ msg->sig0status = dns_rcode_noerror;
dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
Index: src/external/bsd/bind/dist/lib/dns/message.c
diff -u src/external/bsd/bind/dist/lib/dns/message.c:1.13.2.2.2.5 src/external/bsd/bind/dist/lib/dns/message.c:1.13.2.2.2.6
--- src/external/bsd/bind/dist/lib/dns/message.c:1.13.2.2.2.5 Tue Jun 20 16:40:20 2017
+++ src/external/bsd/bind/dist/lib/dns/message.c Sat Aug 12 05:16:40 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: message.c,v 1.13.2.2.2.5 2017/06/20 16:40:20 snj Exp $ */
+/* $NetBSD: message.c,v 1.13.2.2.2.6 2017/08/12 05:16:40 snj Exp $ */
/*
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
@@ -3060,12 +3060,19 @@ dns_message_signer(dns_message_t *msg, d
result = dns_rdata_tostruct(&rdata, &tsig, NULL);
INSIST(result == ISC_R_SUCCESS);
- if (msg->tsigstatus != dns_rcode_noerror)
+ if (msg->verified_sig &&
+ msg->tsigstatus == dns_rcode_noerror &&
+ tsig.error == dns_rcode_noerror)
+ {
+ result = ISC_R_SUCCESS;
+ } else if ((!msg->verified_sig) ||
+ (msg->tsigstatus != dns_rcode_noerror))
+ {
result = DNS_R_TSIGVERIFYFAILURE;
- else if (tsig.error != dns_rcode_noerror)
+ } else {
+ INSIST(tsig.error != dns_rcode_noerror);
result = DNS_R_TSIGERRORSET;
- else
- result = ISC_R_SUCCESS;
+ }
dns_rdata_freestruct(&tsig);
if (msg->tsigkey == NULL) {
Index: src/external/bsd/bind/dist/lib/dns/rootns.c
diff -u src/external/bsd/bind/dist/lib/dns/rootns.c:1.7.2.1.2.3 src/external/bsd/bind/dist/lib/dns/rootns.c:1.7.2.1.2.4
--- src/external/bsd/bind/dist/lib/dns/rootns.c:1.7.2.1.2.3 Tue Jun 20 16:40:20 2017
+++ src/external/bsd/bind/dist/lib/dns/rootns.c Sat Aug 12 05:16:40 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: rootns.c,v 1.7.2.1.2.3 2017/06/20 16:40:20 snj Exp $ */
+/* $NetBSD: rootns.c,v 1.7.2.1.2.4 2017/08/12 05:16:40 snj Exp $ */
/*
* Copyright (C) 2004, 2005, 2007, 2008, 2010, 2012-2016 Internet Systems Consortium, Inc. ("ISC")
@@ -64,7 +64,7 @@ static char root_ns[] =
"A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n"
"A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30\n"
"B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201\n"
-"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:84::b\n"
+"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"
"C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n"
"C.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2::c\n"
"D.ROOT-SERVERS.NET. 3600000 IN A 199.7.91.13\n"
Index: src/external/bsd/bind/dist/lib/dns/tsig.c
diff -u src/external/bsd/bind/dist/lib/dns/tsig.c:1.6.4.2.2.2 src/external/bsd/bind/dist/lib/dns/tsig.c:1.6.4.2.2.3
--- src/external/bsd/bind/dist/lib/dns/tsig.c:1.6.4.2.2.2 Tue Jun 20 16:40:20 2017
+++ src/external/bsd/bind/dist/lib/dns/tsig.c Sat Aug 12 05:16:40 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: tsig.c,v 1.6.4.2.2.2 2017/06/20 16:40:20 snj Exp $ */
+/* $NetBSD: tsig.c,v 1.6.4.2.2.3 2017/08/12 05:16:40 snj Exp $ */
/*
* Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
@@ -969,11 +969,20 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_putuint48(&otherbuf, tsig.timesigned);
}
- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
+ if ((key->key != NULL) &&
+ (tsig.error != dns_tsigerror_badsig) &&
+ (tsig.error != dns_tsigerror_badkey))
+ {
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf;
isc_uint16_t digestbits;
+ /*
+ * If it is a response, we assume that the request MAC
+ * has validated at this point. This is why we include a
+ * MAC length > 0 in the reply.
+ */
+
ret = dst_context_create3(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_TRUE, &ctx);
@@ -981,7 +990,7 @@ dns_tsig_sign(dns_message_t *msg) {
return (ret);
/*
- * If this is a response, digest the query signature.
+ * If this is a response, digest the request's MAC.
*/
if (response) {
dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
@@ -1111,6 +1120,17 @@ dns_tsig_sign(dns_message_t *msg) {
dst_context_destroy(&ctx);
digestbits = dst_key_getbits(key->key);
if (digestbits != 0) {
+ /*
+ * XXXRAY: Is this correct? What is the
+ * expected behavior when digestbits is not an
+ * integral multiple of 8? It looks like bytes
+ * should either be (digestbits/8) or
+ * (digestbits+7)/8.
+ *
+ * In any case, for current algorithms,
+ * digestbits are an integral multiple of 8, so
+ * it has the same effect as (digestbits/8).
+ */
unsigned int bytes = (digestbits + 1) / 8;
if (response && bytes < querytsig.siglen)
bytes = querytsig.siglen;
@@ -1220,6 +1240,8 @@ dns_tsig_verify(isc_buffer_t *source, dn
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
+ msg->verified_sig = 0;
+ msg->tsigstatus = dns_tsigerror_badsig;
if (msg->tcp_continuation) {
if (tsigkey == NULL || msg->querytsig == NULL)
@@ -1318,19 +1340,6 @@ dns_tsig_verify(isc_buffer_t *source, dn
key = tsigkey->key;
/*
- * Is the time ok?
- */
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- return (DNS_R_CLOCKSKEW);
- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature is in the future");
- return (DNS_R_CLOCKSKEW);
- }
-
- /*
* Check digest length.
*/
alg = dst_key_alg(key);
@@ -1343,31 +1352,19 @@ dns_tsig_verify(isc_buffer_t *source, dn
#endif
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
- isc_uint16_t digestbits = dst_key_getbits(key);
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
if (tsig.siglen > siglen) {
tsig_log(msg->tsigkey, 2, "signature length too big");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 &&
- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
+ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
+ {
tsig_log(msg->tsigkey, 2,
"signature length below minimum");
return (DNS_R_FORMERR);
}
- if (tsig.siglen > 0 && digestbits != 0 &&
- tsig.siglen < ((digestbits + 1) / 8)) {
- msg->tsigstatus = dns_tsigerror_badtrunc;
- tsig_log(msg->tsigkey, 2,
- "truncated signature length too small");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
- if (tsig.siglen > 0 && digestbits == 0 &&
- tsig.siglen < siglen) {
- msg->tsigstatus = dns_tsigerror_badtrunc;
- tsig_log(msg->tsigkey, 2, "signature length too small");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
}
if (tsig.siglen > 0) {
@@ -1482,34 +1479,92 @@ dns_tsig_verify(isc_buffer_t *source, dn
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(1)");
goto cleanup_context;
- } else if (ret != ISC_R_SUCCESS)
+ } else if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
-
- dst_context_destroy(&ctx);
+ }
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
- msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
- msg->tsigstatus = dns_rcode_noerror;
+ /*
+ * Here at this point, the MAC has been verified. Even if any of
+ * the following code returns a TSIG error, the reply will be
+ * signed and WILL always include the request MAC in the digest
+ * computation.
+ */
+
+ /*
+ * Is the time ok?
+ */
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ }
+
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
+ isc_uint16_t digestbits = dst_key_getbits(key);
+
+ /*
+ * XXXRAY: Is this correct? What is the expected
+ * behavior when digestbits is not an integral multiple
+ * of 8? It looks like bytes should either be
+ * (digestbits/8) or (digestbits+7)/8.
+ *
+ * In any case, for current algorithms, digestbits are
+ * an integral multiple of 8, so it has the same effect
+ * as (digestbits/8).
+ */
+ if (tsig.siglen > 0 && digestbits != 0 &&
+ tsig.siglen < ((digestbits + 1) / 8))
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "truncated signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ if (tsig.siglen > 0 && digestbits == 0 &&
+ tsig.siglen < siglen)
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2, "signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ }
if (tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
if (tsig.error == dns_tsigerror_badtime)
- return (DNS_R_CLOCKSKEW);
+ ret = DNS_R_CLOCKSKEW;
else
- return (DNS_R_TSIGERRORSET);
+ ret = DNS_R_TSIGERRORSET;
+ goto cleanup_context;
}
+ msg->tsigstatus = dns_rcode_noerror;
msg->verified_sig = 1;
-
- return (ISC_R_SUCCESS);
+ ret = ISC_R_SUCCESS;
cleanup_context:
if (ctx != NULL)
@@ -1534,6 +1589,8 @@ tsig_verify_tcp(isc_buffer_t *source, dn
isc_uint16_t addcount, id;
isc_boolean_t has_tsig = ISC_FALSE;
isc_mem_t *mctx;
+ unsigned int siglen;
+ unsigned int alg;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
@@ -1541,12 +1598,16 @@ tsig_verify_tcp(isc_buffer_t *source, dn
REQUIRE(msg->tcp_continuation == 1);
REQUIRE(msg->querytsig != NULL);
+ msg->verified_sig = 0;
+ msg->tsigstatus = dns_tsigerror_badsig;
+
if (!is_response(msg))
return (DNS_R_EXPECTEDRESPONSE);
mctx = msg->mctx;
tsigkey = dns_message_gettsigkey(msg);
+ key = tsigkey->key;
/*
* Extract and parse the previous TSIG
@@ -1579,7 +1640,8 @@ tsig_verify_tcp(isc_buffer_t *source, dn
* Do the key name and algorithm match that of the query?
*/
if (!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
+ {
msg->tsigstatus = dns_tsigerror_badkey;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
@@ -1588,27 +1650,40 @@ tsig_verify_tcp(isc_buffer_t *source, dn
}
/*
- * Is the time ok?
+ * Check digest length.
*/
- isc_stdtime_get(&now);
-
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- ret = DNS_R_CLOCKSKEW;
- goto cleanup_querystruct;
- } else if (now + msg->timeadjust <
- tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2,
- "signature is in the future");
- ret = DNS_R_CLOCKSKEW;
+ alg = dst_key_alg(key);
+ ret = dst_key_sigsize(key, &siglen);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512)
+ {
+ if (tsig.siglen > siglen) {
+ tsig_log(tsigkey, 2,
+ "signature length too big");
+ ret = DNS_R_FORMERR;
+ goto cleanup_querystruct;
+ }
+ if (tsig.siglen > 0 &&
+ (tsig.siglen < 10 ||
+ tsig.siglen < ((siglen + 1) / 2)))
+ {
+ tsig_log(tsigkey, 2,
+ "signature length below minimum");
+ ret = DNS_R_FORMERR;
+ goto cleanup_querystruct;
+ }
}
}
- key = tsigkey->key;
-
if (msg->tsigctx == NULL) {
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
@@ -1704,10 +1779,12 @@ tsig_verify_tcp(isc_buffer_t *source, dn
sig_r.length = tsig.siglen;
if (tsig.siglen == 0) {
if (tsig.error != dns_rcode_noerror) {
- if (tsig.error == dns_tsigerror_badtime)
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime) {
ret = DNS_R_CLOCKSKEW;
- else
+ } else {
ret = DNS_R_TSIGERRORSET;
+ }
} else {
tsig_log(msg->tsigkey, 2,
"signature is empty");
@@ -1718,29 +1795,111 @@ tsig_verify_tcp(isc_buffer_t *source, dn
ret = dst_context_verify(msg->tsigctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(2)");
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_context;
+ } else if (ret != ISC_R_SUCCESS) {
+ goto cleanup_context;
+ }
+
+ /*
+ * Here at this point, the MAC has been verified. Even
+ * if any of the following code returns a TSIG error,
+ * the reply will be signed and WILL always include the
+ * request MAC in the digest computation.
+ */
+
+ /*
+ * Is the time ok?
+ */
+ isc_stdtime_get(&now);
+
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ } else if (now + msg->timeadjust <
+ tsig.timesigned - tsig.fudge)
+ {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2,
+ "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
}
- else if (ret != ISC_R_SUCCESS)
+
+ alg = dst_key_alg(key);
+ ret = dst_key_sigsize(key, &siglen);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_context;
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512)
+ {
+ isc_uint16_t digestbits = dst_key_getbits(key);
- dst_context_destroy(&msg->tsigctx);
+ /*
+ * XXXRAY: Is this correct? What is the
+ * expected behavior when digestbits is not an
+ * integral multiple of 8? It looks like bytes
+ * should either be (digestbits/8) or
+ * (digestbits+7)/8.
+ *
+ * In any case, for current algorithms,
+ * digestbits are an integral multiple of 8, so
+ * it has the same effect as (digestbits/8).
+ */
+ if (tsig.siglen > 0 && digestbits != 0 &&
+ tsig.siglen < ((digestbits + 1) / 8))
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "truncated signature length "
+ "too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ if (tsig.siglen > 0 && digestbits == 0 &&
+ tsig.siglen < siglen)
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ }
+
+ if (tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
+ else
+ ret = DNS_R_TSIGERRORSET;
+ goto cleanup_context;
+ }
}
msg->tsigstatus = dns_rcode_noerror;
- return (ISC_R_SUCCESS);
+ msg->verified_sig = 1;
+ ret = ISC_R_SUCCESS;
cleanup_context:
- dst_context_destroy(&msg->tsigctx);
+ if (msg->tsigctx != NULL)
+ dst_context_destroy(&msg->tsigctx);
cleanup_querystruct:
dns_rdata_freestruct(&querytsig);
return (ret);
-
}
isc_result_t
