From 388c408406e21261f6532fa2a2d8e485df9f22e9 Mon Sep 17 00:00:00 2001 From: florian Date: Mon, 30 Jul 2018 08:57:09 +0000 Subject: [PATCH] update to nsd 4.1.23, from the release notes: ------------------------------------------------------------------------ NSD versions 4.1.22 and before are vulnerable in comparing TSIG information and this can be used to discover a TSIG secret. NSD uses TSIG to protect zone transfers. The TSIG code uses a secret key to protect the data. The secret key is shared with both sides of the zone transfer connection. The comparison code in NSD was not time insensitive, causing the potential for an attacker to use timing information to discover data about the key contents. NSD versions from 2.2.0 to 4.1.22 are vulnerable. Upgrade to 4.1.23 or newer to get the fix. It was reported by Ondrej Sury (ISC). ------------------------------------------------------------------------ OK tb, sthen --- usr.sbin/nsd/configure | 18 +++++++++--------- usr.sbin/nsd/configure.ac | 2 +- usr.sbin/nsd/tsig.c | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/usr.sbin/nsd/configure b/usr.sbin/nsd/configure index e034b5441ec..79f500f50fd 100644 --- a/usr.sbin/nsd/configure +++ b/usr.sbin/nsd/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for NSD 4.1.22. +# Generated by GNU Autoconf 2.69 for NSD 4.1.23. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='NSD' PACKAGE_TARNAME='nsd' -PACKAGE_VERSION='4.1.22' -PACKAGE_STRING='NSD 4.1.22' +PACKAGE_VERSION='4.1.23' +PACKAGE_STRING='NSD 4.1.23' PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl' PACKAGE_URL='' @@ -1286,7 +1286,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures NSD 4.1.22 to adapt to many kinds of systems. +\`configure' configures NSD 4.1.23 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1347,7 +1347,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of NSD 4.1.22:";; + short | recursive ) echo "Configuration of NSD 4.1.23:";; esac cat <<\_ACEOF @@ -1496,7 +1496,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -NSD configure 4.1.22 +NSD configure 4.1.23 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2205,7 +2205,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by NSD $as_me 4.1.22, which was +It was created by NSD $as_me 4.1.23, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -9784,7 +9784,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by NSD $as_me 4.1.22, which was +This file was extended by NSD $as_me 4.1.23, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -9846,7 +9846,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -NSD config.status 4.1.22 +NSD config.status 4.1.23 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac index 4c6772a47bd..c17501cb5a0 100644 --- a/usr.sbin/nsd/configure.ac +++ b/usr.sbin/nsd/configure.ac @@ -4,7 +4,7 @@ dnl sinclude(acx_nlnetlabs.m4) -AC_INIT(NSD,4.1.22,nsd-bugs@nlnetlabs.nl) +AC_INIT(NSD,4.1.23,nsd-bugs@nlnetlabs.nl) AC_CONFIG_HEADER([config.h]) CFLAGS="$CFLAGS" diff --git a/usr.sbin/nsd/tsig.c b/usr.sbin/nsd/tsig.c index a7cc66ee184..b0e40116f74 100644 --- a/usr.sbin/nsd/tsig.c +++ b/usr.sbin/nsd/tsig.c @@ -475,7 +475,7 @@ tsig_verify(tsig_record_type *tsig) &tsig->prior_mac_size); if (tsig->mac_size != tsig->prior_mac_size - || memcmp(tsig->mac_data, + || CRYPTO_memcmp(tsig->mac_data, tsig->prior_mac_data, tsig->mac_size) != 0) { -- 2.20.1