Index: branches/2018Q3/dns/bind911/Makefile =================================================================== --- branches/2018Q3/dns/bind911/Makefile (revision 476686) +++ branches/2018Q3/dns/bind911/Makefile (revision 476687) 
@@ -1,257 +1,257 @@ # $FreeBSD$ # pkg-help formatted with fmt 59 63 PORTNAME= bind PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} -PORTREVISION= 2 +PORTREVISION= 0 CATEGORIES= dns net ipv6 MASTER_SITES= ISC/bind9/${ISCVERSION} PKGNAMESUFFIX= 911 DISTNAME= ${PORTNAME}-${ISCVERSION} MAINTAINER= mat@FreeBSD.org COMMENT= BIND DNS suite with updated DNSSEC and DNS64 LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYRIGHT LIB_DEPENDS= libxml2.so:textproc/libxml2 USES= cpe libedit # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.11.3 +ISCVERSION= 9.11.4-P1 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} .if ${ISCVERSION:M*-*} CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} .endif GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ --disable-symtable \ --with-randomdev=/dev/random \ --with-libxml2=${LOCALBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" \ --with-dlopen=yes \ --sysconfdir=${ETCDIR} ETCDIR= ${PREFIX}/etc/namedb CONFLICTS= bind-tools bind99 bind910 bind912 bind913 bind9-devel SUB_FILES= pkg-message named.conf USE_RC_SUBR= named MAKE_JOBS_UNSAFE= yes PORTDOCS= * OPTIONS_DEFAULT= SSL THREADS SIGCHASE IDN GSSAPI_NONE JSON PYTHON \ DLZ_FILESYSTEM LMDB RPZ_NSDNAME RPZ_NSIP TCP_FASTOPEN \ FILTER_AAAA OPTIONS_DEFINE= IDN LARGE_FILE PYTHON JSON \ FIXED_RRSET SIGCHASE IPV6 THREADS FILTER_AAAA \ RPZ_NSIP RPZ_NSDNAME DOCS GEOIP \ MINCACHE PORTREVISION QUERYTRACE LMDB DNSTAP \ START_LATE TUNING_LARGE TCP_FASTOPEN OPTIONS_RADIO= CRYPTO GOSTDEF OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11 OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1 OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE OPTIONS_SUB= yes CRYPTO_DESC= Choose which crypto engine to use DLZ_BDB_DESC= DLZ BDB driver DLZ_DESC= Dynamically Loadable Zones DLZ_FILESYSTEM_DESC= DLZ filesystem driver DLZ_LDAP_DESC= DLZ 
LDAP driver DLZ_MYSQL_DESC= DLZ MySQL driver (no threading) DLZ_POSTGRESQL_DESC= DLZ Postgres driver DLZ_STUB_DESC= DLZ stub driver DNSTAP_DESC= Provides fast passive logging of DNS messages FILTER_AAAA_DESC= Enable filtering of AAAA records FIXED_RRSET_DESC= Enable fixed rrset ordering GEOIP_DESC= Allow geographically based ACL. GOSTDEF_DESC= Enable GOST ciphers, needs SSL GOST_ASN1_DESC= GOST using ASN.1 GOST_DESC= GOST raw keys (new default) GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable LARGE_FILE_DESC= 64-bit file support LMDB_DESC= Use LMDB for zone management MINCACHE_DESC= Use the mincachettl patch NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**) PORTREVISION_DESC= Show PORTREVISION in the version string PYTHON_DESC= Build with Python utilities QUERYTRACE_DESC= Enable the very verbose query tracelogging RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation SSL_DESC= Build with OpenSSL (Required for DNSSEC) START_LATE_DESC= Start BIND late in the boot process (see help) TCP_FASTOPEN_DESC= RFC 7413 support TUNING_LARGE_DESC= Tune named for large systems (**READ HELP**) DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes DLZ_BDB_USES= bdb DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes DLZ_LDAP_USE= openldap=yes DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes DLZ_MYSQL_PREVENTS= THREADS DLZ_MYSQL_USES= mysql DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes DLZ_POSTGRESQL_USES= pgsql DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes DNSTAP_CONFIGURE_ENABLE= dnstap DNSTAP_IMPLIES= THREADS DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \ libprotobuf-c.so:devel/protobuf-c FILTER_AAAA_CONFIGURE_ENABLE= filter-aaaa FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_WITH= geoip GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP 
GOST_ASN1_CONFIGURE_ON= --with-gost=asn1 GOST_CONFIGURE_ON= --with-gost GSSAPI_BASE_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_MIT_USES= gssapi:mit GSSAPI_NONE_CONFIGURE_ON= --without-gssapi IDN_CONFIGURE_OFF= --without-idn IDN_CONFIGURE_ON= --with-idn=${LOCALBASE} ${ICONV_CONFIGURE_BASE} IDN_LIB_DEPENDS= libidnkit.so:dns/idnkit IDN_USES= iconv IPV6_CONFIGURE_ENABLE= ipv6 JSON_CONFIGURE_WITH= libjson=${LOCALBASE} JSON_LIB_DEPENDS= libjson-c.so:devel/json-c LARGE_FILE_CONFIGURE_ENABLE= largefile LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE} LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11 NATIVE_PKCS11_IMPLIES= THREADS PYTHON_BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply@${PY_FLAVOR} PYTHON_CONFIGURE_WITH= python=${PYTHON_CMD} PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply@${PY_FLAVOR} PYTHON_USES= python QUERYTRACE_CONFIGURE_ENABLE= querytrace RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1" SSL_CONFIGURE_OFF= --disable-openssl-version-check --without-openssl SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE} SSL_USES= ssl START_LATE_SUB_LIST= NAMED_REQUIRE="SERVERS cleanvar" \ NAMED_BEFORE="LOGIN" START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \ NAMED_BEFORE="SERVERS" THREADS_CONFIGURE_ENABLE= threads TUNING_LARGE_IMPLIES= THREADS TUNING_LARGE_CONFIGURE_ON= --with-tuning=large TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default .include .if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1} CONFIGURE_ARGS+= --without-gost .endif .if ( ${PORT_OPTIONS:MGOST} || 
${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ that needs SSL. .endif post-patch: .for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \ rndc/rndc.8 @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \ ${WRKSRC}/bin/${FILE} .endfor .if ${PORTREVISION:N0} post-patch-PORTREVISION-on: @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \ ${WRKSRC}/version .endif post-patch-TCP_FASTOPEN-off: @${REINPLACE_CMD} -e 's/#define ISC_PLATFORM_HAVETFO 1/#undef ISC_PLATFORM_HAVETFO/' ${WRKSRC}/configure post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree ${MKDIR} ${STAGEDIR}${ETCDIR} .for i in dynamic master slave working @${MKDIR} ${STAGEDIR}${ETCDIR}/$i .endfor ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample ${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \ ${STAGEDIR}${ETCDIR}/rndc.conf.sample post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/CHANGES \ ${WRKSRC}/HISTORY* ${WRKSRC}/README* ${STAGEDIR}${DOCSDIR} # Can't use USE_PYTHON=autoplist post-install-PYTHON-on: @${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -type f 
| ${SED} -e 's|${STAGEDIR}||' >> ${TMPPLIST}
 .include
Index: branches/2018Q3/dns/bind911/distinfo
===================================================================
--- branches/2018Q3/dns/bind911/distinfo (revision 476686)
+++ branches/2018Q3/dns/bind911/distinfo (revision 476687)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1521455716
-SHA256 (bind-9.11.3.tar.gz) = 0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
-SIZE (bind-9.11.3.tar.gz) = 9523375
+TIMESTAMP = 1533712466
+SHA256 (bind-9.11.4-P1.tar.gz) = b0e0dc3c8bf26989b1cad53f90d44a48e39404afc68f65c45bae79b446f0fe23
+SIZE (bind-9.11.4-P1.tar.gz) = 9623403
Index: branches/2018Q3/dns/bind911/files/patch-CVE-2018-5738
===================================================================
--- branches/2018Q3/dns/bind911/files/patch-CVE-2018-5738 (revision 476686)
+++ branches/2018Q3/dns/bind911/files/patch-CVE-2018-5738 (nonexistent)
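Review bot: With the bump to 9.11.4-P1 the `post-patch-TCP_FASTOPEN-off` target still relies on `${REINPLACE_CMD} -e 's/#define ISC_PLATFORM_HAVETFO 1/#undef ISC_PLATFORM_HAVETFO/' ${WRKSRC}/configure`, and sed returns success whether or not that pattern matches, so a change to the generated configure in the new tarball would silently turn TCP_FASTOPEN=off into a no-op; please confirm the line is still present in 9.11.4-P1, or switch to `TCP_FASTOPEN_CONFIGURE_ENABLE= tcp-fastopen` as the bind912 Makefile below does, if 9.11's configure accepts that switch. This commit also deletes `files/patch-CVE-2018-5738` for bind911 and, further down, for bind912; the deleted patch's CHANGES entry 4960 sits above the `9.11.3 released` marker, which suggests the fix is part of the 9.11.4 line, but nothing in this diff shows it, so it is worth checking that `CHANGES` in the new distfile lists entry 4960 before relying on the port for CVE-2018-5738 coverage. The `PORTREVISION` and `ISCVERSION` lines are the only code changes in this hunk.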
@@ -1,127 +0,0 @@ -commit 3d71785ef143b670409affee203145eb39266d87 -Author: Evan Hunt -Date: 2018-06-04 21:55:41 -0700 - - allow-recursion could incorrectly inherit from the default allow-query - ---- CHANGES.orig 2018-03-08 20:55:28 UTC -+++ CHANGES -@@ -1,3 +1,10 @@ -+4960. [security] When recursion is enabled, but the "allow-recursion" -+ and "allow-query-cache" ACLs are not specified, -+ they should be limited to local networks, -+ but were inadvertently set to match the default -+ "allow-query", thus allowing remote queries. -+ (CVE-2018-5738) [GL #309] -+ - --- 9.11.3 released --- - --- 9.11.3rc2 released --- - ---- bin/named/server.c.orig 2018-03-08 20:55:28 UTC -+++ bin/named/server.c -@@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_vie - dns_acache_setcachesize(view->acache, max_acache_size); - } - -- CHECK(configure_view_acl(vconfig, config, ns_g_config, -- "allow-query", NULL, actx, -- ns_g_mctx, &view->queryacl)); -- - /* - * Make the list of response policy zone names for a view that - * is used for real lookups and so cares about hints. -@@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_vie - INSIST(result == ISC_R_SUCCESS); - view->trust_anchor_telemetry = cfg_obj_asboolean(obj); - -- CHECK(configure_view_acl(vconfig, config, ns_g_config, -- "allow-query-cache-on", NULL, actx, -- ns_g_mctx, &view->cacheonacl)); - /* - * Set sources where additional data and CNAME/DNAME - * targets for authoritative answers may be found. -@@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_vie - view->additionalfromcache = ISC_TRUE; - } - -+ CHECK(configure_view_acl(vconfig, config, ns_g_config, -+ "allow-query-cache-on", NULL, actx, -+ ns_g_mctx, &view->cacheonacl)); -+ - /* -- * Set "allow-query-cache", "allow-recursion", and -- * "allow-recursion-on" acls if configured in named.conf. -- * (Ignore the global defaults for now, because these ACLs -- * can inherit from each other when only some of them set at -- * the options/view level.) 
-+ * Set the "allow-query", "allow-query-cache", "allow-recursion", -+ * and "allow-recursion-on" ACLs if configured in named.conf, but -+ * NOT from the global defaults. This is done by leaving the third -+ * argument to configure_view_acl() NULL. -+ * -+ * We ignore the global defaults here because these ACLs -+ * can inherit from each other. If any are still unset after -+ * applying the inheritance rules, we'll look up the defaults at -+ * that time. - */ -- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", -- NULL, actx, ns_g_mctx, &view->cacheacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query", NULL, actx, -+ ns_g_mctx, &view->queryacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query-cache", NULL, actx, -+ ns_g_mctx, &view->cacheacl)); - - if (strcmp(view->name, "_bind") != 0 && - view->rdclass != dns_rdataclass_chaos) - { -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion", NULL, actx, - ns_g_mctx, &view->recursionacl)); -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion-on", NULL, actx, - ns_g_mctx, &view->recursiononacl)); -@@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_vie - * the global config. 
- */ - if (view->recursionacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, ns_g_config, - "allow-recursion", NULL, - actx, ns_g_mctx, - &view->recursionacl)); - } - if (view->recursiononacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, ns_g_config, - "allow-recursion-on", NULL, - actx, ns_g_mctx, - &view->recursiononacl)); - } - if (view->cacheacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, ns_g_config, - "allow-query-cache", NULL, - actx, ns_g_mctx, -@@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_vie - CHECK(dns_acl_none(mctx, &view->cacheacl)); - } - -+ if (view->queryacl == NULL) { -+ /* global default only */ -+ CHECK(configure_view_acl(NULL, NULL, ns_g_config, -+ "allow-query", NULL, -+ actx, ns_g_mctx, -+ &view->queryacl)); -+ } -+ - /* - * Ignore case when compressing responses to the specified - * clients. This causes case not always to be preserved, Property changes on: branches/2018Q3/dns/bind911/files/patch-CVE-2018-5738 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2018Q3/dns/bind911/files/extrapatch-bind-min-override-ttl =================================================================== --- branches/2018Q3/dns/bind911/files/extrapatch-bind-min-override-ttl (revision 476686) +++ branches/2018Q3/dns/bind911/files/extrapatch-bind-min-override-ttl (revision 476687) 
@@ -1,73 +1,73 @@ ---- bin/named/config.c.orig 2018-01-24 21:23:16 UTC +--- bin/named/config.c.orig 2018-06-10 06:06:33 UTC +++ bin/named/config.c -@@ -171,6 +171,8 @@ options {\n\ +@@ -176,6 +176,8 @@ options {\n\ " max-acache-size 16M;\n\ max-cache-size 90%;\n\ max-cache-ttl 604800; /* 1 week */\n\ + min-cache-ttl 0; /* no minimal, zero is allowed */\n\ + override-cache-ttl 0; /* do not override */\n\ max-clients-per-query 100;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ ---- bin/named/server.c.orig 2018-01-24 21:23:16 UTC +--- bin/named/server.c.orig 2018-06-10 06:06:33 UTC +++ bin/named/server.c -@@ -3699,6 +3699,16 @@ configure_view(dns_view_t *view, dns_vie +@@ -3692,6 +3692,16 @@ configure_view(dns_view_t *view, dns_vie } obj = NULL; + result = ns_config_get(maps, "override-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2018-01-24 21:23:16 UTC +--- lib/dns/include/dns/view.h.orig 2018-06-10 06:06:33 UTC +++ lib/dns/include/dns/view.h -@@ -146,6 +146,8 @@ struct dns_view { +@@ -150,6 +150,8 @@ struct dns_view { isc_boolean_t requestnsid; isc_boolean_t sendcookie; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; isc_uint32_t nta_lifetime; isc_uint32_t nta_recheck; ---- lib/dns/resolver.c.orig 2018-01-24 21:23:16 UTC +--- lib/dns/resolver.c.orig 2018-06-10 06:06:33 UTC +++ lib/dns/resolver.c -@@ -5477,6 +5477,18 @@ cache_name(fetchctx_t *fctx, dns_name_t +@@ -5473,6 +5473,18 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* + * Enforce the configure cache TTL override. 
+ */ + if (res->view->overridecachettl) + rdataset->ttl = res->view->overridecachettl; + + /* + * Enforce the configure minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; + + /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2018-01-24 21:23:16 UTC +--- lib/isccfg/namedconf.c.orig 2018-06-10 06:06:33 UTC +++ lib/isccfg/namedconf.c -@@ -1766,6 +1766,8 @@ view_clauses[] = { +@@ -1770,6 +1770,8 @@ view_clauses[] = { #endif { "max-acache-size", &cfg_type_sizenodefault, 0 }, { "max-cache-size", &cfg_type_sizeorpercent, 0 }, + { "override-cache-ttl", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, { "max-cache-ttl", &cfg_type_uint32, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, Index: branches/2018Q3/dns/bind911/files/patch-bin_named_include_named_globals.h =================================================================== --- branches/2018Q3/dns/bind911/files/patch-bin_named_include_named_globals.h (revision 476686) +++ branches/2018Q3/dns/bind911/files/patch-bin_named_include_named_globals.h (revision 476687) 
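Review bot: In the `cache_name()` hunk of the rebased extrapatch the override assignment runs first, so a configured `override-cache-ttl` is then raised by `min-cache-ttl` and clamped by the existing `max-cache-ttl` check, and neither the added comments nor the `config.c` defaults (`min-cache-ttl 0; /* no minimal, zero is allowed */`, `override-cache-ttl 0; /* do not override */`) say how the three interact; I'd make the first comment `/* Enforce the configured cache TTL override; min-/max-cache-ttl below still apply. */` and fix `configure` to `configured` in both added comments. Operators should also be told that either knob keeps data cached beyond the owner's TTL, which delays pickup of changed or withdrawn records, so a one-line caveat in the port's pkg-help next to the MINCACHE option would be appropriate. The change in this hunk is only a rebase of the `.orig` timestamps and `@@` offsets; `cache_name()` begins and ends outside the hunk.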
@@ -1,13 +1,13 @@ We reference the pid file as being run/named/pid everywere else. ---- bin/named/include/named/globals.h.orig 2018-01-04 05:28:11 UTC +--- bin/named/include/named/globals.h.orig 2018-06-10 06:06:33 UTC +++ bin/named/include/named/globals.h -@@ -135,7 +135,7 @@ EXTERN isc_boolean_t ns_g_forcelock IN +@@ -138,7 +138,7 @@ EXTERN isc_boolean_t ns_g_forcelock IN #if NS_RUN_PID_DIR EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR "/run/named/" - "named.pid"); + "pid"); EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR "/run/lwresd/" "lwresd.pid"); Index: branches/2018Q3/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in =================================================================== --- branches/2018Q3/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in (revision 476686) +++ branches/2018Q3/dns/bind911/files/patch-bin_tests_system_dlzexternal_Makefile.in (revision 476687) @@ -1,11 +1,11 @@ ---- bin/tests/system/dlzexternal/Makefile.in.orig 2017-04-14 03:58:25 UTC +--- bin/tests/system/dlzexternal/Makefile.in.orig 2018-06-10 06:06:33 UTC +++ bin/tests/system/dlzexternal/Makefile.in -@@ -31,7 +31,7 @@ OBJS = +@@ -34,7 +34,7 @@ OBJS = @BIND9_MAKE_RULES@ CFLAGS = @CFLAGS@ @SO_CFLAGS@ -SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@ +SO_LDFLAGS = @SO_LDFLAGS@ driver.@SO@: ${SO_OBJS} ${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ driver.@O@ Index: branches/2018Q3/dns/bind911/files/patch-configure =================================================================== --- branches/2018Q3/dns/bind911/files/patch-configure (revision 476686) +++ branches/2018Q3/dns/bind911/files/patch-configure (revision 476687) 
@@ -1,90 +1,90 @@ ---- configure.orig 2018-03-08 20:55:28 UTC +--- configure.orig 2018-06-10 06:06:33 UTC +++ configure -@@ -14465,27 +14465,9 @@ done +@@ -14961,27 +14961,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ - "-lgssapi_krb5" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ - "-lgssapi" \ - "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgss -lkrb5" + "$($KRB5CONFIG gssapi --libs)"; \ do - # Note that this does not include $saved_libs, because - # on FreeBSD machines this configure script has added - # -L/usr/local/lib to LIBS, which can make the - # -lgssapi_krb5 test succeed with shared libraries even - # when you are trying to build with KTH in /usr/lib. - if test "/usr" = "$use_gssapi" - then - LIBS="$TRY_LIBS" - else - LIBS="-L$use_gssapi/lib $TRY_LIBS" - fi + LIBS="$TRY_LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -14528,47 +14510,7 @@ $as_echo "no" >&6; } ;; +@@ -15024,47 +15006,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac - # - # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib - # but MIT in /usr/local/lib and trying to build with KTH. - # /usr/local/lib can end up earlier on the link lines. - # Like most kludges, this one is not only inelegant it - # is also likely to be the wrong thing to do at least as - # many times as it is the right thing. Something better - # needs to be done. 
- # - if test "/usr" = "$use_gssapi" -a \ - -f /usr/local/lib/libkrb5.a; then - FIX_KTH_VS_MIT=yes - fi - - case "$FIX_KTH_VS_MIT" in - yes) - case "$enable_static_linking" in - yes) gssapi_lib_suffix=".a" ;; - *) gssapi_lib_suffix=".so" ;; - esac - - for lib in $LIBS; do - case $lib in - -L*) - ;; - -l*) - new_lib=`echo $lib | - sed -e s%^-l%$use_gssapi/lib/lib% \ - -e s%$%$gssapi_lib_suffix%` - NEW_LIBS="$NEW_LIBS $new_lib" - ;; - *) - as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5 - ;; - esac - done - LIBS="$NEW_LIBS" - ;; - esac - - DST_GSSAPI_INC="-I$use_gssapi/include" + DST_GSSAPI_INC="$($KRB5CONFIG gssapi --cflags)" DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -23242,7 +23184,7 @@ $as_echo "" >&6; } +@@ -23847,7 +23789,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). - bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" + bdb_incdirs="/db6 /db5 /db48" # include a blank element first for d in "" $bdb_incdirs do Index: branches/2018Q3/dns/bind912/Makefile =================================================================== --- branches/2018Q3/dns/bind912/Makefile (revision 476686) +++ branches/2018Q3/dns/bind912/Makefile (revision 476687) 
@@ -1,288 +1,288 @@ # $FreeBSD$ # pkg-help formatted with fmt 59 63 PORTNAME= bind PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} .if defined(BIND_TOOLS_SLAVE) # dns/bind-tools here PORTREVISION= 0 .else # dns/bind912 here -PORTREVISION= 1 +PORTREVISION= 0 .endif CATEGORIES= dns net ipv6 MASTER_SITES= ISC/bind9/${ISCVERSION} .if defined(BIND_TOOLS_SLAVE) PKGNAMESUFFIX= -tools .else PKGNAMESUFFIX= 912 .endif DISTNAME= ${PORTNAME}-${ISCVERSION} MAINTAINER= mat@FreeBSD.org .if defined(BIND_TOOLS_SLAVE) COMMENT= Command line tools from BIND: delv, dig, host, nslookup... .else COMMENT= BIND DNS suite with updated DNSSEC and DNS64 .endif LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYRIGHT BROKEN_powerpc64= fails to link: /usr/bin/ld: cannot find -latomic LIB_DEPENDS= libxml2.so:textproc/libxml2 USES= cpe libedit # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.12.1-P2 +ISCVERSION= 9.12.2-P1 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} .if ${ISCVERSION:M*-*} CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} .endif GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ --disable-symtable \ --with-randomdev=/dev/random \ --with-libxml2=${LOCALBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" \ --with-dlopen=yes \ --sysconfdir=${ETCDIR} ETCDIR= ${PREFIX}/etc/namedb CONFLICTS= bind99 bind910 bind911 bind913 bind9-devel .if defined(BIND_TOOLS_SLAVE) CONFIGURE_ARGS+= --disable-shared CONFLICTS+= bind912 .else USE_RC_SUBR= named SUB_FILES= pkg-message named.conf CONFLICTS+= bind-tools .endif # BIND_TOOLS_SLAVE MAKE_JOBS_UNSAFE= yes PORTDOCS= * OPTIONS_DEFAULT= SSL THREADS SIGCHASE IDN GSSAPI_NONE JSON PYTHON OPTIONS_DEFINE= IDN LARGE_FILE PYTHON JSON \ FIXED_RRSET SIGCHASE IPV6 THREADS OPTIONS_RADIO= CRYPTO GOSTDEF OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11 OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1 .if !defined(BIND_TOOLS_SLAVE) OPTIONS_DEFAULT+= DLZ_FILESYSTEM LMDB RPZ_NSDNAME RPZ_NSIP TCP_FASTOPEN OPTIONS_DEFINE+= 
RPZ_NSIP RPZ_NSDNAME DOCS GEOIP \ MINCACHE PORTREVISION QUERYTRACE LMDB DNSTAP \ START_LATE TUNING_LARGE TCP_FASTOPEN OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB .endif # BIND_TOOLS_SLAVE OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE OPTIONS_SUB= yes CRYPTO_DESC= Choose which crypto engine to use DLZ_BDB_DESC= DLZ BDB driver DLZ_DESC= Dynamically Loadable Zones DLZ_FILESYSTEM_DESC= DLZ filesystem driver DLZ_LDAP_DESC= DLZ LDAP driver DLZ_MYSQL_DESC= DLZ MySQL driver (no threading) DLZ_POSTGRESQL_DESC= DLZ Postgres driver DLZ_STUB_DESC= DLZ stub driver DNSTAP_DESC= Provides fast passive logging of DNS messages FIXED_RRSET_DESC= Enable fixed rrset ordering GEOIP_DESC= Allow geographically based ACL. GOSTDEF_DESC= Enable GOST ciphers, needs SSL GOST_ASN1_DESC= GOST using ASN.1 GOST_DESC= GOST raw keys (new default) GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable LARGE_FILE_DESC= 64-bit file support LMDB_DESC= Use LMDB for zone management MINCACHE_DESC= Use the mincachettl patch NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**) PORTREVISION_DESC= Show PORTREVISION in the version string PYTHON_DESC= Build with Python utilities QUERYTRACE_DESC= Enable the very verbose query tracelogging RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation SSL_DESC= Build with OpenSSL (Required for DNSSEC) START_LATE_DESC= Start BIND late in the boot process (see help) TCP_FASTOPEN_DESC= RFC 7413 support TUNING_LARGE_DESC= Tune named for large systems (**READ HELP**) DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes DLZ_BDB_USES= bdb DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes DLZ_LDAP_USE= openldap=yes DLZ_MYSQL_CONFIGURE_ON= 
--with-dlz-mysql=yes DLZ_MYSQL_PREVENTS= THREADS DLZ_MYSQL_USES= mysql DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes DLZ_POSTGRESQL_USES= pgsql DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes DNSTAP_CONFIGURE_ENABLE= dnstap DNSTAP_IMPLIES= THREADS DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \ libprotobuf-c.so:devel/protobuf-c FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_WITH= geoip GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP GOST_ASN1_CONFIGURE_ON= --with-gost=asn1 GOST_CONFIGURE_ON= --with-gost GSSAPI_BASE_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_MIT_USES= gssapi:mit GSSAPI_NONE_CONFIGURE_ON= --without-gssapi IDN_CONFIGURE_OFF= --without-idn IDN_CONFIGURE_ON= --with-idn=${LOCALBASE} ${ICONV_CONFIGURE_BASE} IDN_LIB_DEPENDS= libidnkit.so:dns/idnkit IDN_USES= iconv IPV6_CONFIGURE_ENABLE= ipv6 JSON_CONFIGURE_WITH= libjson=${LOCALBASE} JSON_LIB_DEPENDS= libjson-c.so:devel/json-c LARGE_FILE_CONFIGURE_ENABLE= largefile LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE} LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11 NATIVE_PKCS11_IMPLIES= THREADS PYTHON_BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply@${PY_FLAVOR} PYTHON_CONFIGURE_WITH= python=${PYTHON_CMD} PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply@${PY_FLAVOR} PYTHON_USES= python QUERYTRACE_CONFIGURE_ENABLE= querytrace RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1" SSL_CONFIGURE_OFF= --disable-openssl-version-check --without-openssl SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE} SSL_USES= ssl START_LATE_SUB_LIST= 
NAMED_REQUIRE="SERVERS cleanvar" \ NAMED_BEFORE="LOGIN" START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \ NAMED_BEFORE="SERVERS" TCP_FASTOPEN_CONFIGURE_ENABLE= tcp-fastopen THREADS_CONFIGURE_ENABLE= threads TUNING_LARGE_IMPLIES= THREADS TUNING_LARGE_CONFIGURE_ON= --with-tuning=large TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default .include .if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1} CONFIGURE_ARGS+= --without-gost .endif .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ that needs SSL. .endif post-patch: .if defined(BIND_TOOLS_SLAVE) @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = lib bin#' \ -e 's#isc-config.sh installdirs#installdirs#' \ -e 's#.*INSTALL.*isc-config.*##' \ -e 's#.*INSTALL.*bind.keys.*##' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = delv dig dnssec tools nsupdate \\#' \ -e 's#^ .*check confgen ##' \ ${WRKSRC}/bin/Makefile.in .else . for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \ rndc/rndc.8 @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \ ${WRKSRC}/bin/${FILE} . endfor .endif .if !defined(BIND_TOOLS_SLAVE) . if ${PORTREVISION:N0} post-patch-PORTREVISION-on: @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \ ${WRKSRC}/version . endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree ${MKDIR} ${STAGEDIR}${ETCDIR} . for i in dynamic master slave working @${MKDIR} ${STAGEDIR}${ETCDIR}/$i . 
endfor ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample ${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \ ${STAGEDIR}${ETCDIR}/rndc.conf.sample post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/CHANGES* ${WRKSRC}/HISTORY.md \ ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} .endif # BIND_TOOLS_SLAVE # Can't use USE_PYTHON=autoplist post-install-PYTHON-on: @${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -type f | ${SED} -e 's|${STAGEDIR}||' >> ${TMPPLIST}
 .include
Index: branches/2018Q3/dns/bind912/distinfo
===================================================================
--- branches/2018Q3/dns/bind912/distinfo (revision 476686)
+++ branches/2018Q3/dns/bind912/distinfo (revision 476687)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1526711298
-SHA256 (bind-9.12.1-P2.tar.gz) = 0de7c3453461e2f0505ac634b984f8e7afa1952cf7fc972cbefbcc169edf2d29
-SIZE (bind-9.12.1-P2.tar.gz) = 9305005
+TIMESTAMP = 1533712498
+SHA256 (bind-9.12.2-P1.tar.gz) = 9c4b55c2b8a2052ce488ebaeca1b715721d1a6cbffd7da3634c41287b86954a4
+SIZE (bind-9.12.2-P1.tar.gz) = 9429002
Index: branches/2018Q3/dns/bind912/files/patch-CVE-2018-5738
===================================================================
--- branches/2018Q3/dns/bind912/files/patch-CVE-2018-5738 (revision 476686)
+++ branches/2018Q3/dns/bind912/files/patch-CVE-2018-5738 (nonexistent)
@@ -1,112 +0,0 @@ -commit be02bf65712ee54148496aac3edb3ca7d061327f -Author: Evan Hunt -Date: 2018-06-04 21:46:23 -0700 - - allow-recursion could incorrectly inherit from the default allow-query - ---- CHANGES.orig 2018-05-16 18:06:47 UTC -+++ CHANGES -@@ -1,3 +1,10 @@ -+4960. [security] When recursion is enabled, but the "allow-recursion" -+ and "allow-query-cache" ACLs are not specified, -+ they should be limited to local networks, -+ but were inadvertently set to match the default -+ "allow-query", thus allowing remote queries. -+ (CVE-2018-5738) [GL #309] -+ - --- 9.12.1-P2 released --- - - --- 9.12.1-P1 (withdrawn) --- ---- bin/named/server.c.orig 2018-05-16 18:06:47 UTC -+++ bin/named/server.c -@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_vie - CHECKM(named_config_getport(config, &port), "port"); - dns_view_setdstport(view, port); - -- CHECK(configure_view_acl(vconfig, config, named_g_config, -- "allow-query", NULL, actx, -- named_g_mctx, &view->queryacl)); -- - /* - * Make the list of response policy zone names for a view that - * is used for real lookups and so cares about hints. -@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_vie - "allow-query-cache-on", NULL, actx, - named_g_mctx, &view->cacheonacl)); - /* -- * Set "allow-query-cache", "allow-recursion", and -- * "allow-recursion-on" acls if configured in named.conf. -- * (Ignore the global defaults for now, because these ACLs -- * can inherit from each other when only some of them set at -- * the options/view level.) -+ * Set the "allow-query", "allow-query-cache", "allow-recursion", -+ * and "allow-recursion-on" ACLs if configured in named.conf, but -+ * NOT from the global defaults. This is done by leaving the third -+ * argument to configure_view_acl() NULL. -+ * -+ * We ignore the global defaults here because these ACLs -+ * can inherit from each other. If any are still unset after -+ * applying the inheritance rules, we'll look up the defaults at -+ * that time. 
- */ -- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", -- NULL, actx, named_g_mctx, &view->cacheacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query", NULL, actx, -+ named_g_mctx, &view->queryacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query-cache", NULL, actx, -+ named_g_mctx, &view->cacheacl)); - - if (strcmp(view->name, "_bind") != 0 && - view->rdclass != dns_rdataclass_chaos) - { -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion", NULL, actx, - named_g_mctx, &view->recursionacl)); -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion-on", NULL, actx, - named_g_mctx, &view->recursiononacl)); -@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_vie - * the global config. - */ - if (view->recursionacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-recursion", NULL, - actx, named_g_mctx, - &view->recursionacl)); - } - if (view->recursiononacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-recursion-on", NULL, - actx, named_g_mctx, - &view->recursiononacl)); - } - if (view->cacheacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-query-cache", NULL, - actx, named_g_mctx, -@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_vie - CHECK(dns_acl_none(mctx, &view->cacheacl)); - } - -+ if (view->queryacl == NULL) { -+ /* global default only */ -+ CHECK(configure_view_acl(NULL, NULL, named_g_config, -+ "allow-query", NULL, -+ actx, named_g_mctx, -+ &view->queryacl)); -+ } -+ - /* - * Ignore case when compressing responses to the specified - * clients. 
This causes case not always to be preserved, Property changes on: branches/2018Q3/dns/bind912/files/patch-CVE-2018-5738 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2018Q3/dns/bind912/files/patch-libressl2.7 =================================================================== --- branches/2018Q3/dns/bind912/files/patch-libressl2.7 (revision 476686) +++ branches/2018Q3/dns/bind912/files/patch-libressl2.7 (nonexistent) 
@@ -1,386 +0,0 @@ -From 1e64b869b5b33e2deda7059e4348d9870f86d315 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Thu, 3 May 2018 13:59:04 +0200 -Subject: [PATCH 1/3] Add support for LibreSSL 2.7 - -(cherry picked from commit 29ff62a1492ce3dc702a887e864d00bf1949aed3) ---- - config.h.in | 12 +++++++ - configure | 13 +++++++ - configure.in | 2 ++ - lib/dns/openssldh_link.c | 69 +++++++++++++++++++++++-------------- - lib/dns/openssldsa_link.c | 2 +- - lib/dns/opensslecdsa_link.c | 11 +++--- - lib/dns/opensslrsa_link.c | 36 ++++++++++++------- - 7 files changed, 103 insertions(+), 42 deletions(-) - -diff --git config.h.in config.h.in -index 0cc04c5dd9..65ee20eeb5 100644 ---- config.h.in -+++ config.h.in -@@ -206,6 +206,9 @@ int sigwait(const unsigned int *set, int *sig); - /* Define to 1 if you have the header file. */ - #undef HAVE_DEVPOLL_H - -+/* Define to 1 if you have the `DH_get0_key' function. */ -+#undef HAVE_DH_GET0_KEY -+ - /* Define to 1 if you have the `dlclose' function. */ - #undef HAVE_DLCLOSE - -@@ -221,6 +224,12 @@ int sigwait(const unsigned int *set, int *sig); - /* Define to 1 to enable dnstap support */ - #undef HAVE_DNSTAP - -+/* Define to 1 if you have the `DSA_get0_pqg' function. */ -+#undef HAVE_DSA_GET0_PQG -+ -+/* Define to 1 if you have the `ECDSA_SIG_get0' function. */ -+#undef HAVE_ECDSA_SIG_GET0 -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_EDITLINE_READLINE_H - -@@ -431,6 +440,9 @@ int sigwait(const unsigned int *set, int *sig); - /* Define to 1 if you have the header file. */ - #undef HAVE_REGEX_H - -+/* Define to 1 if you have the `RSA_set0_key' function. */ -+#undef HAVE_RSA_SET0_KEY -+ - /* Define to 1 if you have the header file. 
*/ - #undef HAVE_SCHED_H - -diff --git configure configure -index fc9256fa8d..2dde1a681d 100755 ---- configure -+++ configure -@@ -16724,6 +16724,19 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 - _ACEOF - -+fi -+done -+ -+ -+ for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg -+do : -+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -+if eval test \"x\$"$as_ac_var"\" = x"yes"; then : -+ cat >>confdefs.h <<_ACEOF -+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -+_ACEOF -+ - fi - done - -diff --git configure.in configure.in -index 99139ba5ac..193562c783 100644 ---- configure.in -+++ configure.in -@@ -1781,6 +1781,8 @@ DSO_METHOD_dlfcn(); - - AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512) - -+ AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg]) -+ - AC_MSG_CHECKING(for OpenSSL ECDSA support) - have_ecdsa="" - AC_TRY_RUN([ -diff --git lib/dns/openssldh_link.c lib/dns/openssldh_link.c -index e74bee2e2d..0db673dd31 100644 ---- lib/dns/openssldh_link.c -+++ lib/dns/openssldh_link.c -@@ -71,62 +71,81 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data); - - static BIGNUM *bn2, *bn768, *bn1024, *bn1536; - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#if !defined(HAVE_DH_GET0_KEY) - /* - * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg - * are from OpenSSL 1.1.0. 
- */ - static void - DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) { -- if (pub_key != NULL) -+ if (pub_key != NULL) { - *pub_key = dh->pub_key; -- if (priv_key != NULL) -+ } -+ if (priv_key != NULL) { - *priv_key = dh->priv_key; -+ } - } - - static int - DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { -- /* Note that it is valid for priv_key to be NULL */ -- if (pub_key == NULL) -- return 0; -+ if (pub_key != NULL) { -+ BN_free(dh->pub_key); -+ dh->pub_key = pub_key; -+ } - -- BN_free(dh->pub_key); -- BN_free(dh->priv_key); -- dh->pub_key = pub_key; -- dh->priv_key = priv_key; -+ if (priv_key != NULL) { -+ BN_free(dh->priv_key); -+ dh->priv_key = priv_key; -+ } - -- return 1; -+ return (1); - } - - static void - DH_get0_pqg(const DH *dh, - const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) - { -- if (p != NULL) -+ if (p != NULL) { - *p = dh->p; -- if (q != NULL) -+ } -+ if (q != NULL) { - *q = dh->q; -- if (g != NULL) -+ } -+ if (g != NULL) { - *g = dh->g; -+ } - } - - static int --DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { -- /* q is optional */ -- if (p == NULL || g == NULL) -- return(0); -- BN_free(dh->p); -- BN_free(dh->q); -- BN_free(dh->g); -- dh->p = p; -- dh->q = q; -- dh->g = g; -+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. 
-+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ { -+ return 0; -+ } -+ -+ if (p != NULL) { -+ BN_free(dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free(dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free(dh->g); -+ dh->g = g; -+ } - - if (q != NULL) { - dh->length = BN_num_bits(q); - } - -- return(1); -+ return (1); - } - - #define DH_clear_flags(d, f) (d)->flags &= ~(f) -diff --git lib/dns/openssldsa_link.c lib/dns/openssldsa_link.c -index 1c541ae73a..dfbd484247 100644 ---- lib/dns/openssldsa_link.c -+++ lib/dns/openssldsa_link.c -@@ -52,7 +52,7 @@ - - static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#if !defined(HAVE_DSA_GET0_PQG) - static void - DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, - const BIGNUM **g) -diff --git lib/dns/opensslecdsa_link.c lib/dns/opensslecdsa_link.c -index a8941a808a..2e47459249 100644 ---- lib/dns/opensslecdsa_link.c -+++ lib/dns/opensslecdsa_link.c -@@ -45,20 +45,23 @@ - - #define DST_RET(a) {ret = a; goto err;} - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#if !defined(HAVE_ECDSA_SIG_GET0) - /* From OpenSSL 1.1 */ - static void - ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { -- if (pr != NULL) -+ if (pr != NULL) { - *pr = sig->r; -- if (ps != NULL) -+ } -+ if (ps != NULL) { - *ps = sig->s; -+ } - } - - static int - ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { -- if (r == NULL || s == NULL) -+ if (r == NULL || s == NULL) { - return 0; -+ } - - BN_clear_free(sig->r); - BN_clear_free(sig->s); -diff --git lib/dns/opensslrsa_link.c lib/dns/opensslrsa_link.c -index bdb0a3931d..43f6d317bc 100644 ---- lib/dns/opensslrsa_link.c -+++ lib/dns/opensslrsa_link.c -@@ -123,7 +123,7 @@ - #endif - #define DST_RET(a) {ret = a; goto err;} - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || 
defined(LIBRESSL_VERSION_NUMBER) -+#if !defined(HAVE_RSA_SET0_KEY) - /* From OpenSSL 1.1.0 */ - static int - RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { -@@ -133,8 +133,9 @@ RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { - * parameters MUST be non-NULL for n and e. d may be - * left NULL (in case only the public key is used). - */ -- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) -+ if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) { - return 0; -+ } - - if (n != NULL) { - BN_free(r->n); -@@ -159,8 +160,9 @@ RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) { - * If the fields p and q in r are NULL, the corresponding input - * parameters MUST be non-NULL. - */ -- if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) -+ if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) { - return 0; -+ } - - if (p != NULL) { - BN_free(r->p); -@@ -183,7 +185,9 @@ RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { - if ((r->dmp1 == NULL && dmp1 == NULL) || - (r->dmq1 == NULL && dmq1 == NULL) || - (r->iqmp == NULL && iqmp == NULL)) -+ { - return 0; -+ } - - if (dmp1 != NULL) { - BN_free(r->dmp1); -@@ -205,32 +209,40 @@ static void - RSA_get0_key(const RSA *r, - const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) - { -- if (n != NULL) -+ if (n != NULL) { - *n = r->n; -- if (e != NULL) -+ } -+ if (e != NULL) { - *e = r->e; -- if (d != NULL) -+ } -+ if (d != NULL) { - *d = r->d; -+ } - } - - static void - RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) { -- if (p != NULL) -+ if (p != NULL) { - *p = r->p; -- if (q != NULL) -- *q = r->q; -+ } -+ if (q != NULL) { -+ *q = r->q; -+ } - } - - static void - RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp) - { -- if (dmp1 != NULL) -+ if (dmp1 != NULL) { - *dmp1 = r->dmp1; -- if (dmq1 != NULL) -+ } -+ if (dmq1 != NULL) { - *dmq1 = r->dmq1; -- if (iqmp != NULL) -+ } -+ if (iqmp != NULL) 
{ - *iqmp = r->iqmp; -+ } - } - - static int --- -2.17.1 - -From e3a318e8d3e050677cfe603b25eaa9607c202276 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= -Date: Wed, 2 May 2018 14:18:06 +0200 -Subject: [PATCH 2/3] Workaround LibreSSL 2.7.0-2.7.2 quirk in DH_set0_key - -(cherry picked from commit 6b9e3b7b069509e79c59f89403a91761c300bdee) ---- - lib/dns/openssldh_link.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git lib/dns/openssldh_link.c lib/dns/openssldh_link.c -index 0db673dd31..8dfda0d2fa 100644 ---- lib/dns/openssldh_link.c -+++ lib/dns/openssldh_link.c -@@ -44,6 +44,8 @@ - - #include - -+#include -+ - #include "dst_internal.h" - #include "dst_openssl.h" - #include "dst_parse.h" -@@ -564,7 +566,15 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - DH_free(dh); - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - } -+#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) -+ /* -+ * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when -+ * DH structure is empty, hence we cannot use DH_get0_key(). 
-+ */
-+ dh->pub_key = pub_key;
-+#else /* LIBRESSL_VERSION_NUMBER */
- DH_set0_key(dh, pub_key, NULL);
-+#endif /* LIBRESSL_VERSION_NUMBER */
- isc_region_consume(&r, publen);
-
- key->key_size = BN_num_bits(p);
---
-2.17.1
-
Property changes on: branches/2018Q3/dns/bind912/files/patch-libressl2.7
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: branches/2018Q3/dns/bind912/files/extrapatch-bind-min-override-ttl
===================================================================
--- branches/2018Q3/dns/bind912/files/extrapatch-bind-min-override-ttl (revision 476686)
+++ branches/2018Q3/dns/bind912/files/extrapatch-bind-min-override-ttl (revision 476687)
@@ -1,79 +1,79 @@
---- bin/named/config.c.orig 2018-02-18 05:26:12 UTC
+--- bin/named/config.c.orig 2018-07-03 07:08:14 UTC
+++ bin/named/config.c
-@@ -176,12 +176,14 @@ options {\n\
+@@ -182,12 +182,14 @@ options {\n\
max-recursion-queries 75;\n\
max-stale-ttl 604800; /* 1 week */\n\
message-compression yes;\n\
+ min-cache-ttl 0; /* no minimal, zero is allowed */\n\
# min-roots ;\n\
minimal-any false;\n\
minimal-responses no-auth-recursive;\n\
notify-source *;\n\
notify-source-v6 *;\n\
nsec3-test-zone no;\n\
+ override-cache-ttl 0; /* do not override */\n\
provide-ixfr true;\n\
query-source address *;\n\
query-source-v6 address *;\n\
---- bin/named/server.c.orig 2018-02-18 05:26:12 UTC
+--- bin/named/server.c.orig 2018-07-03 07:08:14 UTC
+++ bin/named/server.c
-@@ -4074,6 +4074,16 @@ configure_view(dns_view_t *view, dns_vie
+@@ -4072,6 +4072,16 @@ configure_view(dns_view_t *view, dns_vie
}
obj = NULL;
+ result = named_config_get(maps, "override-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->overridecachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
+ result = named_config_get(maps, "min-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->mincachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
result = named_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
---- lib/dns/include/dns/view.h.orig 2018-02-18 05:26:12 UTC
+--- lib/dns/include/dns/view.h.orig 2018-07-03 07:08:14 UTC
+++ lib/dns/include/dns/view.h
-@@ -145,6 +145,8 @@ struct dns_view {
+@@ -149,6 +149,8 @@ struct dns_view {
isc_boolean_t requestnsid;
isc_boolean_t sendcookie;
dns_ttl_t maxcachettl;
+ dns_ttl_t mincachettl;
+ dns_ttl_t overridecachettl;
dns_ttl_t maxncachettl;
isc_uint32_t nta_lifetime;
isc_uint32_t nta_recheck;
---- lib/dns/resolver.c.orig 2018-02-18 05:26:12 UTC
+--- lib/dns/resolver.c.orig 2018-07-03 07:08:14 UTC
+++ lib/dns/resolver.c
-@@ -5762,6 +5762,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
+@@ -5756,6 +5756,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
+ * Enforce the configure cache TTL override.
+ */
+ if (res->view->overridecachettl)
+ rdataset->ttl = res->view->overridecachettl;
+
+ /*
+ * Enforce the configure minimum cache TTL.
+ */
+ if (rdataset->ttl < res->view->mincachettl)
+ rdataset->ttl = res->view->mincachettl;
+
+ /*
* Enforce the configure maximum cache TTL.
*/
if (rdataset->ttl > res->view->maxcachettl) {
---- lib/isccfg/namedconf.c.orig 2018-02-18 05:26:12 UTC
+--- lib/isccfg/namedconf.c.orig 2018-07-03 07:08:14 UTC
+++ lib/isccfg/namedconf.c
-@@ -1910,6 +1910,8 @@ view_clauses[] = {
+@@ -1914,6 +1914,8 @@ view_clauses[] = {
{ "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE },
{ "max-cache-size", &cfg_type_sizeorpercent, 0 },
+ { "override-cache-ttl", &cfg_type_uint32, 0 },
+ { "min-cache-ttl", &cfg_type_uint32, 0 },
{ "max-cache-ttl", &cfg_type_uint32, 0 },
{ "max-clients-per-query", &cfg_type_uint32, 0 },
{ "max-ncache-ttl", &cfg_type_uint32, 0 },
Index: branches/2018Q3/dns/bind912/files/patch-bin_named_include_named_globals.h
===================================================================
--- branches/2018Q3/dns/bind912/files/patch-bin_named_include_named_globals.h (revision 476686)
+++ branches/2018Q3/dns/bind912/files/patch-bin_named_include_named_globals.h (revision 476687)
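Review bot: The refreshed extrapatch still has no header line explaining what it adds, while patch-bin_named_include_named_globals.h in this same commit opens with a one-sentence rationale; the file's first line should state it, e.g. `Port-local extension: adds the min-cache-ttl and override-cache-ttl view options, applied in cache_name() ahead of the existing max-cache-ttl clamp.` That note matters for operators because a non-zero min-cache-ttl or override-cache-ttl raises the TTL of cached answers above what the authoritative server sent, so a withdrawn or bad record can stay cached for up to max-cache-ttl; the header should say so. Since the hunk only moves offsets and .orig timestamps, the pre-existing `Enforce the configure ...` wording in the three comments (presumably "configured") could be corrected in the same refresh.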
@@ -1,13 +1,13 @@
We reference the pid file as being run/named/pid everywere else.
---- bin/named/include/named/globals.h.orig 2018-01-17 06:56:09 UTC
+--- bin/named/include/named/globals.h.orig 2018-06-10 06:06:19 UTC
+++ bin/named/include/named/globals.h
-@@ -125,7 +125,7 @@ EXTERN isc_boolean_t named_g_forcelock
+@@ -128,7 +128,7 @@ EXTERN isc_boolean_t named_g_forcelock
#if NAMED_RUN_PID_DIR
EXTERN const char * named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named/"
- "named.pid");
+ "pid");
#else
EXTERN const char * named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named.pid");
Index: branches/2018Q3/dns/bind912/files/patch-bin_tests_system_dlzexternal_Makefile.in
===================================================================
--- branches/2018Q3/dns/bind912/files/patch-bin_tests_system_dlzexternal_Makefile.in (revision 476686)
+++ branches/2018Q3/dns/bind912/files/patch-bin_tests_system_dlzexternal_Makefile.in (revision 476687)
@@ -1,11 +1,11 @@
---- bin/tests/system/dlzexternal/Makefile.in.orig 2016-11-01 20:46:42 UTC
+--- bin/tests/system/dlzexternal/Makefile.in.orig 2018-06-10 06:06:19 UTC
+++ bin/tests/system/dlzexternal/Makefile.in
-@@ -31,7 +31,7 @@ OBJS =
+@@ -34,7 +34,7 @@ OBJS =
@BIND9_MAKE_RULES@
CFLAGS = @CFLAGS@ @SO_CFLAGS@
-SO_LDFLAGS = @LDFLAGS@ @SO_LDFLAGS@
+SO_LDFLAGS = @SO_LDFLAGS@
driver.@SO@: ${SO_OBJS}
${LIBTOOL_MODE_LINK} @SO_LD@ ${SO_LDFLAGS} -o $@ driver.@O@
Index: branches/2018Q3/dns/bind912/files/patch-configure
===================================================================
--- branches/2018Q3/dns/bind912/files/patch-configure (revision 476686)
+++ branches/2018Q3/dns/bind912/files/patch-configure (revision 476687)
@@ -1,90 +1,90 @@ ---- configure.orig 2018-03-08 20:56:40 UTC +--- configure.orig 2018-06-10 06:06:19 UTC +++ configure -@@ -14455,27 +14455,9 @@ done +@@ -14939,27 +14939,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ - "-lgssapi_krb5" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ - "-lgssapi" \ - "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgss -lkrb5" + "$($KRB5CONFIG gssapi --libs)"; \ do - # Note that this does not include $saved_libs, because - # on FreeBSD machines this configure script has added - # -L/usr/local/lib to LIBS, which can make the - # -lgssapi_krb5 test succeed with shared libraries even - # when you are trying to build with KTH in /usr/lib. - if test "/usr" = "$use_gssapi" - then - LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS" - else - LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS" - fi + LIBS="$TRY_LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -14518,47 +14500,7 @@ $as_echo "no" >&6; } ;; +@@ -15002,47 +14984,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac - # - # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib - # but MIT in /usr/local/lib and trying to build with KTH. - # /usr/local/lib can end up earlier on the link lines. - # Like most kludges, this one is not only inelegant it - # is also likely to be the wrong thing to do at least as - # many times as it is the right thing. Something better - # needs to be done. 
- # - if test "/usr" = "$use_gssapi" -a \ - -f /usr/local/lib/libkrb5.a; then - FIX_KTH_VS_MIT=yes - fi - - case "$FIX_KTH_VS_MIT" in - yes) - case "$enable_static_linking" in - yes) gssapi_lib_suffix=".a" ;; - *) gssapi_lib_suffix=".so" ;; - esac - - for lib in $LIBS; do - case $lib in - -L*) - ;; - -l*) - new_lib=`echo $lib | - sed -e s%^-l%$use_gssapi/lib/lib% \ - -e s%$%$gssapi_lib_suffix%` - NEW_LIBS="$NEW_LIBS $new_lib" - ;; - *) - as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5 - ;; - esac - done - LIBS="$NEW_LIBS" - ;; - esac - - DST_GSSAPI_INC="-I$use_gssapi/include" + DST_GSSAPI_INC="$($KRB5CONFIG gssapi --cflags)" DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -23197,7 +23139,7 @@ $as_echo "" >&6; } +@@ -23790,7 +23732,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). - bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" + bdb_incdirs="/db6 /db5 /db48" # include a blank element first for d in "" $bdb_incdirs do Index: branches/2018Q3 =================================================================== --- branches/2018Q3 (revision 476686) +++ branches/2018Q3 (revision 476687) Property changes on: branches/2018Q3 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r474430,476686