From 49b20cc2f21ef6aa64a1a407b1d23487d7774457 Mon Sep 17 00:00:00 2001 From: Doug Barton Date: Fri, 3 Nov 2006 07:47:21 +0000 Subject: Update to version 9.3.2-P2, which addresses the vulnerability announced by ISC dated 31 October (delivered via e-mail to the bind-announce@isc.org list today): Description: Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339. OpenSSL is required to use DNSSEC with BIND. Fix for version 9.3.2-P1 and lower: Upgrade to BIND 9.2.3-P2, then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. These versions also change the default RSA exponent to be 65537 which is not vulnerable to the attacks described in CAN-2006-4339. --- dns/bind94/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'dns/bind94/Makefile') diff --git a/dns/bind94/Makefile b/dns/bind94/Makefile index 843831efd433..4f31d3240d22 100644 --- a/dns/bind94/Makefile +++ b/dns/bind94/Makefile @@ -12,7 +12,7 @@ # release you can generally build it cleanly from the source - Doug PORTNAME= bind9 -PORTVERSION= 9.3.2.1 +PORTVERSION= 9.3.2.2 CATEGORIES= dns net ipv6 MASTER_SITES= ${MASTER_SITE_ISC} \ http://dougbarton.us/Downloads/%SUBDIR%/ @@ -25,7 +25,7 @@ MAINTAINER= DougB@FreeBSD.org COMMENT= Completely new version of the BIND DNS suite with updated DNSSEC # ISC releases things like 9.3.0rc1, which our versioning doesn't like -ISCVERSION= 9.3.2-P1 +ISCVERSION= 9.3.2-P2 GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ -- cgit v1.2.3