Only the change to lib/dns/zone.c is security relevant
Upstream changelog:
--- 9.10.1-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
- Fix a core dump when smtp_policy_maps specifies an invalid TLS level.
- Fix a missing " in \%s\", in postconf(1) fatal error messages, which
violated the C language spec. Reported by Iain Hibbert.
- Stop excessive recursion in the cleanup server while recovering from a
virtual alias expansion loop. Problem found at Two Sigma.
- Stop exponential memory allocation with virtual alias expansion loops.
This came to light after fixing the previous problem.
aarch64elf.em. Original commit message:
Recursively add DT_NEEDED entries from shared libraries if symbols are
used indirectly. This is more in line with the old GNU ld behavior, but
not exactly the desired semantic.
Patch from Martin Husemann.
under include/freetype2.
This change should fix non pkg-config build that uses freetype2,
for example, pkgsrc/lang/openjdk8.
netbsd-7 also has this problem.
h=c32e74763f77675b9e144126e375977ed6dc562c
The deref overlay in slapd 2.4.13 through 2.4.40 dereferences a NULL
pointer when a search request includes the Deref control with an empty
list of attributes to return (missing input validation). [CVE-2015-1545]
XXX: Pullup-7
h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
Certain search queries including the Matched Values control can trigger
a double free in slapd 2.4.40 when freeing operation controls. This is a
regression in 2.4.40, no earlier releases are affected. [CVE-1546]
XXX: Pullup-7
Summary of changes in tzdata2015a (2015-01-29 22:35:20 -0800):
* The Mexican state of Quintana Roo, represented by America/Cancun,
will shift from Central Time with DST to Eastern Time without DST
on 2015-02-01 at 02:00.
* Chile will not change clocks in April or thereafter; its new standard time
will be its old daylight saving time. This affects America/Santiago,
Pacific/Easter, and Antarctica/Palmer. (Thanks to Juan Correa.)
* New leap second 2015-06-30 23:59:60 UTC as per IERS Bulletin C 49.
* Iceland observed DST in 1919 and 1921, and its 1939 fallback
transition was Oct.
* Some more zones have been turned into links, when they differed
from existing zones only for older time stamps.
* Changes affecting commentary.
* Only release the DHCPv6 lease when dropping it.
* Fix handling of ND6_IFF_OVERRIDE_RTADV on BSD.
* Include paths.h to get _PATH_BPF. Thanks to Joerg Sonnenberger.
* Report a better error if the kernel lacks a BPF equivalent filter.
* Implement RFC4941, Privacy Extensions for Stateless Address
Autoconfiguration in IPv6 when dhcpcd is overriding the in-kernel
RA support. For BSD, this is a full userland implementation.
* reject <option> will now reject any DHCP message that contains
that option.
* Ignore RA's from ourself for very badly configured stations.
- Old JIT is removed.
- Improvements to debug information handling.
- ARM: check for deprecated instructions and warn in the integrated
assembler
- PPC: VSX support, va_arg support for struct/union types, -fPIC vs
-fpic supported, faster atomics
- x86: improved vectorizer
Changes in version 2.0.22-stable (5 Jan 2015)
SECURITY FIXES (evbuffers)
o Avoid integer overflow bugs in evbuffer_add() and related functions.
See CVE-2014-6272 advisory for more information.
(20d6d4458bee5d88bda1511c225c25b2d3198d6c)
BUGFIXES (evhttp)
o Fix #73 and fix http_connection_fail_test to catch it (crash fix)
(b618204 Greg Hazel)
o Avoid racy bufferevent activation (5eb1788 Nate Rosenblum)
BUGFIXES (compilation and portability)
o Fix compilation with WIN32_HAVE_CONDITION_VARIABLES enabled (7e45739)
o Fix missing AC_PROG_SED on older Autoconfs (9ab2b3f Tay Ray Chuan)
o Backport libevent to vanilla Autoconf 2.59 (as used in RHEL5)
(74d4c44 Kevin Bowling)
o Use AC_CONFIG_HEADERS in place of AM_CONFIG_HEADERS for
automake 1.13 compat (817ea36)
o Rename configure.in to configure.ac to appease newer autoconfs (0c79787)
o Avoid using top_srcdir in TESTS: new automakes do not like this (a55514e)
o Use windows vsnprintf fixup logic on all windows environments (e826f19)
o Fix a compiler warning when checking for arc4random_buf linker breakage.
(5cb3865)
o Fix another arc4random_buf-related warning (e64a2b0)
o Add -Qunused-arguments for clang on macos (b56611d Trond Norbye)
BUGFIXES (resource leaks/lock errors on error)
o Avoid leaking fds on evconnlistener with no callback set (69db261)
o Avoid double-close on getsockname error in evutil_ersatz_socketpair
(0a822a6)
o Fix a locking error in bufferevent_socket_get_dns_error. (0a5eb2e)
o libevent/win32_dealloc() : fix sizeof(pointer) vs sizeof(*pointer)
(b8f5980 Frank Denis)
BUGFIXES: (other stability)
o bufferevent_pair: don't call downcast(NULL) (f2428a2)
o Consistently check for failure from evbuffer_pullup() (60f8f72)
o Fix race caused by event_active (3c7d6fc vjpai)
BUGFIXES (miscellaneous)
o Avoid redundant invocations of init_extension_functions for IOCP (3b77d62)
o Typo fixes from Linus Nordberg (cec62cb, 8cd695b)
o Add a few files created by "make verify" to .gitignore.
(1a8295a Pierre Phaneuf)
o regress_buffer: fix 'memcmp' compare size (79800df Maks Naumov)
o Fix bufferevent setwatermark suspend_read (b34e4ac ufo2243)
o Fix evbuffer_peek() with len==-1 and start_at non-NULL. (fb7e76a)
BUGFIXES (evdns)
o Checking request nameserver for NULL, before using it.
(5c710c0 Belobrov Andrey)
o Fix SEGFAULT after evdns_base_resume if no nameservers installed.
(f8d7df8 Azat Khuzhin)
o Fix a crash in evdns related to shutting down evdns (9f39c88,e8fe749)
BUGFIXES (epoll)
o Check whether the arch has the epoll_create and __NR_epoll_wait syscalls.
(dfe1e52 Marcin Juszkiewicz)
BUGFIXES (evutil_secure_random)
o Avoid other RNG initialization FS reads when urandom file is specified
(9695e9c, bb52471)
o When we seed from /proc/sys/kernel/random/uuid, count it as success (e35b540)
o Document that arc4random is not a great cryptographic PRNG. (6e49696)
o Add evutil_secure_rng_set_urandom_device_file (2bbb5d7)
o Really remove RNG seeds from the stack (f5ced88)
DOCUMENTATION FIXES
o Fix a mistake in evbuffer_remove() arguments in example http server
code (c322c20 Gyepi Sam)
o Fix a typo in a comment in buffer.h. Spotted by Alt_F4 (773b0a5)
o Clarify event_base_loop exit conditions (031a803)
o Use FindClose for handle from FindFirstFile in http-server.c (6466e88)
o Fix a typo in a doxygen comment. Reported by 亦得. (be1aeff)
- allow separate configurations for local and remote addresses, effectively
implementing whitelists, requested by dh@
- allow the mask of the filter to be specified, requested by dh@
- the db file format has been changed to accommodate these changes, and
needs to be removed.
- Fix for DMARC implementations based on SPF policy plus DKIM Milter. The
PREPEND access/policy action added headers ABOVE Postfix's own Received:
header, exposing Postfix's own Received: header to Milters (protocol
violation) and hiding the PREPENDed header from Milters. PREPENDed
headers are now added BELOW Postfix's own Received: header and remain
visible to Milters.
- The Postfix SMTP server logged an incorrect client name in reject
messages for check_reverse_client_hostname_access and
check_reverse_client_hostname_{mx,ns}_access. They replied with the
verified client name, instead of the name that was rejected.
- The TLS client logged that an anonymous TLS connection was "Untrusted",
instead of "Anonymous".
- Fix for configurations that prepend message headers with Postfix access
maps, policy servers or Milter applications. Postfix now hides its own
Received: header from Milters and exposes prepended headers to Milters,
regardless of the mechanism used to prepend a header. This fix reverts
a partial solution that was released on October 13, 2014, and replaces
it with a complete solution.
atf/atf-c++/macros_test/detect_unused_tests as expected failures
when using versions of GCC where they are known to fail, with a
reference to PR toolchain/49187.