authordougb <dougb@FreeBSD.org>2006-11-04 07:53:25 +0000
committerdougb <dougb@FreeBSD.org>2006-11-04 07:53:25 +0000
commit4a3a088a0b6ffaf0dd6b740dbe537d5a082825d5 (patch)
tree3043007b955457643a8aaf7cdf24ff1224d3f8e4 /contrib/bind9/configure.in
parentf79340e225254aa582cac2fa090d84f8f8958755 (diff)
Update to version 9.3.2-P2, which addresses the vulnerability
announced by ISC dated 31 October (delivered via e-mail to the bind-announce@isc.org list on 2 November): Description: Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339. OpenSSL is required to use DNSSEC with BIND. Fix for version 9.3.2-P1 and lower: Upgrade to BIND 9.3.2-P2, then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. These versions also change the default RSA exponent to be 65537 which is not vulnerable to the attacks described in CAN-2006-4339.
Diffstat (limited to 'contrib/bind9/configure.in')
-rw-r--r--contrib/bind9/configure.in80
1 files changed, 46 insertions, 34 deletions
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
index b14b489..cf7517b 100644
--- a/contrib/bind9/configure.in
+++ b/contrib/bind9/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.294.2.23.2.51 $)
+AC_REVISION($Revision: 1.294.2.23.2.51.4.3 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.13)
@@ -357,6 +357,7 @@ AC_C_BIGENDIAN
#
# was --with-openssl specified?
#
+OPENSSL_WARNING=
AC_MSG_CHECKING(for OpenSSL library)
AC_ARG_WITH(openssl,
[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
@@ -462,51 +463,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
[AC_MSG_RESULT(assuming it does work on target platform)]
)
-#
-# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
-# have a patched library otherwise check that we are greater than
-# the fixed versions
-#
- AC_CHECK_FUNC(OpenSSLDie,
+AC_ARG_ENABLE(openssl-version-check,
+[AC_HELP_STRING([--enable-openssl-version-check],
+ [Check OpenSSL Version @<:@default=yes@:>@])])
+case "$enable_openssl_version_check" in
+yes|'')
AC_MSG_CHECKING(OpenSSL library version)
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
- if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ OPENSSL_VERSION_NUMBER < 0x009080000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
return (1);
}
-],
+ ],
[AC_MSG_RESULT(ok)],
[AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
+ OPENSSL_WARNING=yes
+ ],
[AC_MSG_RESULT(assuming target platform has compatible version)])
- ,
- AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
- AC_MSG_CHECKING(OpenSSL library version)
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
- OPENSSL_VERSION_NUMBER < 0x009070000L) ||
- OPENSSL_VERSION_NUMBER >= 0x00907003L)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
- "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
- return (1);
-}
-],
- [AC_MSG_RESULT(ok)],
- [AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
- [AC_MSG_RESULT(assuming target platform has compatible version)]))
+;;
+no)
+ AC_MSG_RESULT(Skipped OpenSSL version check)
+;;
+esac
+
AC_MSG_CHECKING(for OpenSSL DSA support)
if test -f $use_openssl/include/openssl/dsa.h
then
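Review bot: The replacement version test inside the AC_TRY_RUN body bakes OPENSSL_VERSION_NUMBER from opensslv.h into the probe, so it validates the headers found under $use_openssl rather than the libcrypto that named will actually be linked with and run against; a stale shared library sitting beside patched headers passes the check and OPENSSL_WARNING stays empty. Since the probe already executes, the same acceptance window can be applied to the library's self-reported version via `SSLeay()` from `<openssl/crypto.h>`, as sketched below. The `case` on `$enable_openssl_version_check` also has no `*)` arm, so a mistyped value such as `--enable-openssl-version-check=n` matches nothing and silently skips the check; a `*) AC_MSG_ERROR([invalid value for --enable-openssl-version-check]) ;;` arm would catch that. The cross-compiling branch likewise leaves OPENSSL_WARNING unset, which is presumably intentional but deserves a comment saying so. The surrounding OpenSSL configuration block begins before this hunk.
```m4
AC_TRY_RUN([
#include <stdio.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
/* same acceptance window applied to the headers and to the linked library */
#define BIND_OPENSSL_VERSION_OK(v) \
	((((v) >= 0x009070cfL) && ((v) < 0x009080000L)) || ((v) >= 0x0090804fL))
int main() {
	if (BIND_OPENSSL_VERSION_OK(OPENSSL_VERSION_NUMBER) &&
	    BIND_OPENSSL_VERSION_OK(SSLeay()))
		return (0);
	printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx (headers), %#010lx (library)\n",
	       (unsigned long)OPENSSL_VERSION_NUMBER, (unsigned long)SSLeay());
	/* … unchanged: "Require ..." messages and return (1) … */
}
	],
```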
@@ -2116,6 +2104,30 @@ AC_OUTPUT(
)
chmod a+x isc-config.sh
+if test "X$OPENSSL_WARNING" != "X"; then
+cat << \EOF
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING
+WARNING Your OpenSSL crypto library may be vulnerable to WARNING
+WARNING one or more of the the following known security WARNING
+WARNING flaws: WARNING
+WARNING WARNING
+WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING
+WARNING CVE-2006-2940. WARNING
+WARNING WARNING
+WARNING It is recommended that you upgrade to OpenSSL WARNING
+WARNING version 0.9.8d/0.9.7l (or greater). WARNING
+WARNING WARNING
+WARNING You can disable this warning by specifying: WARNING
+WARNING WARNING
+WARNING --disable-openssl-version-check WARNING
+WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+EOF
+fi
+
# Tell Emacs to edit this file in shell mode.
# Local Variables:
# mode: sh
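Review bot: The banner line reading "one or more of the the following" carries a doubled word and should be `WARNING one or more of the following known security WARNING`. The heredoc also goes to stdout, so when configure output is captured or piped the only notice that the linked OpenSSL is known-vulnerable is easily buried among the ordinary checking lines; `cat << \EOF >&2` would put it on stderr where build logs surface it more reliably. The `if` block is complete within the hunk.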