2206. [security] "allow-query-cache" and "allow-recursion" now
cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
[RT #16987]
2203. [security] Query id generation was cryptographically weak.
[RT # 16915]
2202. [security] The default acls for allow-query-cache and
allow-recursion were not being applied. [RT #16960]
2193. [port] win32: BINDInstall.exe is now linked statically.
[RT #16906]
2192. [port] win32: use vcredist_x86.exe to install Visual
Studio's redistributable dlls if building with
Visual Studio 2005 or later.
insufficient check of snprintf()'s return value, see gentoo bug #184815.
The exploit provided apparently doesn't trigger the overflow in
NetBSD; this might be due to different error return behavior of snprintf
implementations, or due to the fact that our tcpdump is still 3.8.3
while the bug was reported against 3.9.x. The fix looks correct in any
case.
The exploit caused an endless loop at another place instead, due
to an obvious bug, so fix this too.
Also apply another patch which was applied to the 3.8 branch upstream
but never released: rev. 1.72.2.5, infinite loop protection for ldp and bgp
We should update tcpdump to 3.9.x.
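
The bug class named in the tcpdump entry above (an insufficiently checked snprintf() return value), shown as an added example. This is not tcpdump's code or the fix that was applied; the function names and sample strings are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

/* Unchecked pattern: the caller adds snprintf()'s return value to its offset.
 * On truncation a C99 snprintf() returns the length the full output would
 * have had, so the offset can pass the end of the buffer. Only one correctly
 * bounded call is made here; a later "size - off" would wrap around. */
static size_t unchecked_offset_after(char *buf, size_t size, const char *s)
{
    size_t off = 0;
    int n = snprintf(buf + off, size - off, "%s", s);
    return off + (size_t)n;         /* bug: n is never compared with size */
}

/* Checked append: returns 0 on success, -1 on error or truncation.
 * *off never exceeds size - 1 and buf stays NUL-terminated. */
static int checked_append(char *buf, size_t size, size_t *off,
                          const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0 || *off >= size)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);
    if (n < 0) {                    /* output error: keep what was there */
        buf[*off] = '\0';
        return -1;
    }
    if ((size_t)n >= size - *off) { /* truncated: clamp instead of advancing */
        *off = size - 1;            /* index of the terminating NUL */
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[8];                    /* constructed sample input below */
    size_t off = 0;
    size_t bad = unchecked_offset_after(buf, sizeof buf, "0123456789");
    int r1 = checked_append(buf, sizeof buf, &off, "%s", "abc");
    int r2 = checked_append(buf, sizeof buf, &off, "%s", "defghij");
    printf("unchecked off=%zu of %zu; checked r1=%d r2=%d buf=\"%s\" off=%zu\n",
           bad, sizeof buf, r1, r2, buf, off);
    return 0;
}
```
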
This is part one of moving the authoritative version from
src/usr.sbin/pkg_install to pkgsrc/pkgtools/pkg_install/files.
Discussed with and agreed by: jlam@, agc@, adrianp@
Raised issue to and not objected by: core@
yamt's reading of RFC 3720 is correct (see section 12.10, InitialR2T).
The desired transfer length in the initial ready to transmit
negotiation should not include any immediate data.
before system header file inclusion magically causing what "read" is
#defined to to pick up a read-like prototype. For sanity's sake, put
prototypes for revolting trace_mr stuff in their own header file (instead
of nowhere at all and using the trick referenced above).
"state lock" flag (if-bound, gr-bound, floating) at the end of a
NAT rule. The new syntax is backwards-compatible with the old
syntax.
PF (kernel): change the macro BOUND_IFACE() to the inline function
bound_iface(), and add a new argument, the applicable NAT rule.
Use both the flags on the applicable filter rule and on the applicable
NAT rule to decide whether or not to bind a state to the interface
or the group where it is created.
a "long long" - giving a compilation warning.
Check for the presence of PRIu64 and use that in preference.
Adjust code to avoid multiple printf() calls.
Use unsigned format specifiers in all cases.