Include a patch from ISC to deal with the following vulnerability:

Name:			BIND: Self Check Failing [Added 2005.25.01]
Versions affected:	BIND 9.3.0
Severity:		LOW
Exploitable:		Remotely
Type:			Denial of Service
Description:
An incorrect assumption in the validator (authvalidated) can result in a
REQUIRE (internal consistancy) test failing and named exiting.

Workarounds:
Turn off dnssec validation (off by default) at the options/view level.

	dnssec-enable no;

Active Exploits:	None known

Bump PORTREVISION accordingly.

It should be noted that the vast majority of users would not have
DNSSEC enabled, and therefore are not vulnerable to this bug.

1 files changed, 9 insertions, 1 deletions

diff --git a/dns/bind95/Makefile b/dns/bind95/Makefile
index 5dffd8c4d851..6b430e243906 100644
--- a/dns/bind95/Makefile
+++ b/dns/bind95/Makefile
@@ -13,11 +13,13 @@
 
 PORTNAME=	bind9
 PORTVERSION=	9.3.0
+PORTREVISION=	1
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	bind9/${ISCVERSION}
 DISTNAME=	bind-${ISCVERSION}
-DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
+DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc \
+		9.3.0-patch1 9.3.0-patch1.asc
 EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
 
 MAINTAINER=	DougB@FreeBSD.org
@@ -91,6 +93,12 @@ MAN5=	named.conf.5 rndc.conf.5
 MAN8=	dnssec-keygen.8 dnssec-signzone.8 lwresd.8 named-checkconf.8 \
 	named-checkzone.8 named.8 nsupdate.8 rndc-confgen.8 rndc.8
 
+pre-patch:
+	@${SED} -e 's#bind9/lib/dns/validator.c#lib/dns/validator.c#g' \
+		${DISTDIR}/9.3.0-patch1 > ${WRKDIR}/9.3.0-patch1
+
+EXTRA_PATCHES=	${WRKDIR}/9.3.0-patch1
+
 post-patch:
 .for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.8 \
 	rndc/rndc.8