From ced7835c06b507528a27a1ef54de7f2533a2200c Mon Sep 17 00:00:00 2001
From: dougb <dougb@FreeBSD.org>
Date: Sat, 28 May 2011 00:21:28 +0000
Subject: Upgrade to 9.6-ESV-R4-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
---
 contrib/bind9/bin/nsupdate/nsupdate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'contrib/bind9/bin/nsupdate/nsupdate.c')

diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
index d9ee488..69d390d 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.c
+++ b/contrib/bind9/bin/nsupdate/nsupdate.c
@@ -617,8 +617,10 @@ setup_keyfile(void) {
 				keyfile, isc_result_totext(result));
 			return;
 		}
-	} else
+	} else {
 		dst_key_attach(dstkey, &sig0key);
+		dst_key_free(&dstkey);
+	}
 }
 
 static void
-- 
cgit v1.1