update to nsd 4.1.23, from the release notes:

------------------------------------------------------------------------
NSD versions 4.1.22 and before are vulnerable in comparing TSIG
information and this can be used to discover a TSIG secret.

NSD uses TSIG to protect zone transfers.  The TSIG code uses a secret
key to protect the data.  The secret key is shared with both sides of
the zone transfer connection.  The comparison code in NSD was not time
insensitive, causing the potential for an attacker to use timing
information to discover data about the key contents.

NSD versions from 2.2.0 to 4.1.22 are vulnerable.  Upgrade to 4.1.23 or
newer to get the fix.

It was reported by Ondrej Sury (ISC).
------------------------------------------------------------------------

OK tb, sthen

diff --git a/usr.sbin/nsd/configure b/usr.sbin/nsd/configure
index e034b54..79f500f 100644 (file)
--- a/usr.sbin/nsd/configure
+++ b/usr.sbin/nsd/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.1.22.
+# Generated by GNU Autoconf 2.69 for NSD 4.1.23.
 #
 # Report bugs to <nsd-bugs@nlnetlabs.nl>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='NSD'
 PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.1.22'
-PACKAGE_STRING='NSD 4.1.22'
+PACKAGE_VERSION='4.1.23'
+PACKAGE_STRING='NSD 4.1.23'
 PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1286,7 +1286,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures NSD 4.1.22 to adapt to many kinds of systems.
+\`configure' configures NSD 4.1.23 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1347,7 +1347,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of NSD 4.1.22:";;
+     short | recursive ) echo "Configuration of NSD 4.1.23:";;
    esac
   cat <<\_ACEOF
 
@@ -1496,7 +1496,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-NSD configure 4.1.22
+NSD configure 4.1.23
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2205,7 +2205,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by NSD $as_me 4.1.22, which was
+It was created by NSD $as_me 4.1.23, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -9784,7 +9784,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by NSD $as_me 4.1.22, which was
+This file was extended by NSD $as_me 4.1.23, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -9846,7 +9846,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-NSD config.status 4.1.22
+NSD config.status 4.1.23
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac
index 4c6772a..c17501c 100644 (file)
--- a/usr.sbin/nsd/configure.ac
+++ b/usr.sbin/nsd/configure.ac
@@ -4,7 +4,7 @@ dnl
 
 sinclude(acx_nlnetlabs.m4)
 
-AC_INIT(NSD,4.1.22,nsd-bugs@nlnetlabs.nl)
+AC_INIT(NSD,4.1.23,nsd-bugs@nlnetlabs.nl)
 AC_CONFIG_HEADER([config.h])
 
 CFLAGS="$CFLAGS"

diff --git a/usr.sbin/nsd/tsig.c b/usr.sbin/nsd/tsig.c
index a7cc66e..b0e4011 100644 (file)
--- a/usr.sbin/nsd/tsig.c
+++ b/usr.sbin/nsd/tsig.c
@@ -475,7 +475,7 @@ tsig_verify(tsig_record_type *tsig)
                                    &tsig->prior_mac_size);
 
        if (tsig->mac_size != tsig->prior_mac_size
-           || memcmp(tsig->mac_data,
+           || CRYPTO_memcmp(tsig->mac_data,
                      tsig->prior_mac_data,
                      tsig->mac_size) != 0)
        {