Bug 225397 - [MAINTAINER-UPDATE] dns/powerdns-recursor: update to 4.1.1
Summary: [MAINTAINER-UPDATE] dns/powerdns-recursor: update to 4.1.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Kirill Ponomarev
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-23 10:44 UTC by Ralf van der Enden
Modified: 2018-01-23 15:46 UTC (History)
0 users

See Also:


Attachments
Update to PowerDNS Recursor 4.1.1 (1.89 KB, patch)
2018-01-23 10:44 UTC, Ralf van der Enden
tremere: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ralf van der Enden 2018-01-23 10:44:35 UTC
Created attachment 189992 [details]
Update to PowerDNS Recursor 4.1.1

This release contains a fix for a security advisory. Details (and the other changes) can be found here: https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/

The 4.0.x branch is not vulnerable.

Also simplified the Lua/LuaJIT engine choice.
Comment 1 Kirill Ponomarev freebsd_committer freebsd_triage 2018-01-23 10:47:28 UTC
Take.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-01-23 11:04:29 UTC
A commit references this bug:

Author: krion
Date: Tue Jan 23 11:04:07 UTC 2018
New revision: 459742
URL: https://svnweb.freebsd.org/changeset/ports/459742

Log:
  Update to version 4.1.1

  - Fixes "PowerDNS Security Advisory 2018-01: Insufficient validation
    of DNSSEC signatures". An issue has been found in the DNSSEC
    validation component of PowerDNS Recursor, allowing an ancestor
    delegation NSEC or NSEC3 record to be used to wrongfully prove the
    non-existence of a RR below the owner name of that record. This
    would allow an attacker in position of man-in-the-middle to send a
    NXDOMAIN answer for a name that does exist.
    The 4.0.x branch is not vulnerable.

  - Add support for algo16 and simplify Lua/LuaJIT engine choice.

  PR:		225397
  Submitted by:	maintainer
  Security:	CVE-2018-1000003

Changes:
  head/dns/powerdns-recursor/Makefile
  head/dns/powerdns-recursor/distinfo
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-01-23 15:46:18 UTC
A commit references this bug:

Author: krion
Date: Tue Jan 23 15:45:26 UTC 2018
New revision: 459779
URL: https://svnweb.freebsd.org/changeset/ports/459779

Log:
  MFH: r459742

  Update to version 4.1.1

  - Fixes "PowerDNS Security Advisory 2018-01: Insufficient validation
    of DNSSEC signatures". An issue has been found in the DNSSEC
    validation component of PowerDNS Recursor, allowing an ancestor
    delegation NSEC or NSEC3 record to be used to wrongfully prove the
    non-existence of a RR below the owner name of that record. This
    would allow an attacker in position of man-in-the-middle to send a
    NXDOMAIN answer for a name that does exist.
    The 4.0.x branch is not vulnerable.

  - Add support for algo16 and simplify Lua/LuaJIT engine choice.

  PR:		225397
  Submitted by:	maintainer
  Security:	CVE-2018-1000003

  Approved by:	ports-secteam

Changes:
_U  branches/2018Q1/
  branches/2018Q1/dns/powerdns-recursor/Makefile
  branches/2018Q1/dns/powerdns-recursor/distinfo