works for me[tm]
OK?
------------------------------------------------------------------------
NSD versions 4.1.22 and before are vulnerable in comparing TSIG
information and this can be used to discover a TSIG secret.
NSD uses TSIG to protect zone transfers. The TSIG code uses a secret
key to protect the data. The secret key is shared with both sides of
the zone transfer connection. The comparison code in NSD was not time
insensitive, causing the potential for an attacker to use timing
information to discover data about the key contents.
NSD versions from 2.2.0 to 4.1.22 are vulnerable. Upgrade to 4.1.23 or
newer to get the fix.
It was reported by Ondrej Sury (ISC).
------------------------------------------------------------------------
diff --git configure configure
index e034b5441ec..79f500f50fd 100644
--- configure
+++ configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.1.22.
+# Generated by GNU Autoconf 2.69 for NSD 4.1.23.
#
# Report bugs to <nsd-b...@nlnetlabs.nl>.
#
@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='NSD'
PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.1.22'
-PACKAGE_STRING='NSD 4.1.22'
+PACKAGE_VERSION='4.1.23'
+PACKAGE_STRING='NSD 4.1.23'
PACKAGE_BUGREPORT='nsd-b...@nlnetlabs.nl'
PACKAGE_URL=''
@@ -1286,7 +1286,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures NSD 4.1.22 to adapt to many kinds of systems.
+\`configure' configures NSD 4.1.23 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1347,7 +1347,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of NSD 4.1.22:";;
+ short | recursive ) echo "Configuration of NSD 4.1.23:";;
esac
cat <<\_ACEOF
@@ -1496,7 +1496,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-NSD configure 4.1.22
+NSD configure 4.1.23
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2205,7 +2205,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by NSD $as_me 4.1.22, which was
+It was created by NSD $as_me 4.1.23, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -9784,7 +9784,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by NSD $as_me 4.1.22, which was
+This file was extended by NSD $as_me 4.1.23, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -9846,7 +9846,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-NSD config.status 4.1.22
+NSD config.status 4.1.23
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git configure.ac configure.ac
index 4c6772a47bd..c17501cb5a0 100644
--- configure.ac
+++ configure.ac
@@ -4,7 +4,7 @@ dnl
sinclude(acx_nlnetlabs.m4)
-AC_INIT(NSD,4.1.22,nsd-b...@nlnetlabs.nl)
+AC_INIT(NSD,4.1.23,nsd-b...@nlnetlabs.nl)
AC_CONFIG_HEADER([config.h])
CFLAGS="$CFLAGS"
diff --git tsig.c tsig.c
index a7cc66ee184..b0e40116f74 100644
--- tsig.c
+++ tsig.c
@@ -475,7 +475,7 @@ tsig_verify(tsig_record_type *tsig)
&tsig->prior_mac_size);
if (tsig->mac_size != tsig->prior_mac_size
- || memcmp(tsig->mac_data,
+ || CRYPTO_memcmp(tsig->mac_data,
tsig->prior_mac_data,
tsig->mac_size) != 0)
{
--
I'm not entirely sure you are real.
