The current version available for FreeBSD is vulnerable since 13.01.2017 and has already been patched upstream.
See here: https://blog.powerdns.com/2017/01/13/powerdns-recursor-4-0-4-released/

Available version: 4.0.3_3
Patched version: 4.0.4

Changelog

Security:
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)

Fixes:
- Add `max-recursion-depth` to limit the number of internal recursion
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache forwarded zones aware
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don’t go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones

Created attachment 178975
dns/powerdns-recursor: Update to version 4.0.4

dns/powerdns-recursor: Update to version 4.0.4

- Bump version to 4.0.4
- patch-lua-recursor4.cc is no longer needed [^1]
- patch-mtasker__fcontext.cc is no longer needed [^2]
- Adapt patches that are still relevant

Has been built successfully on the following versions:
- 10.2-RELEASE-p28/amd64
- 10.2-RELEASE-p28/i386
- 10.3-RELEASE-p15/amd64
- 10.3-RELEASE-p15/i386
- 11.0-RELEASE-p6/amd64
- 11.0-RELEASE-p6/i386

Full poudriere logs - https://gist.github.com/edfaf1d5c7b819e05397105f90b1a000

[^1]: https://github.com/PowerDNS/pdns/commit/f8a00d4
[^2]: https://github.com/PowerDNS/pdns/commit/b28b185, https://github.com/PowerDNS/pdns/commit/ddf6fa5

Looks good to me and can be committed.

A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:22:48 UTC 2017
New revision: 431785
URL: https://svnweb.freebsd.org/changeset/ports/431785

Log:
  Document multiple PowerDNS vulnerabilities

  PR: 216135
  PR: 216136
  Reported by: Dani <i.dani@outlook.com>
  Security: CVE-2016-2120
  Security: CVE-2016-7068
  Security: CVE-2016-7072
  Security: CVE-2016-7073
  Security: CVE-2016-7074
  Security: https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:24:41 UTC 2017
New revision: 431788
URL: https://svnweb.freebsd.org/changeset/ports/431788

Log:
  dns/powerdns-recursor: update 4.0.3 -> 4.0.4

  Changes: https://doc.powerdns.com/md/changelog/#powerdns-recursor-404

  PR: 216135
  Reported by: Dani <i.dani@outlook.com>
  Submitted by: ghostonthewire@gmail.com
  Approved by: Ralf van der Enden <tremere@cainites.net> (maintainer)
  Security: CVE-2016-7068
  Security: CVE-2016-7073
  Security: CVE-2016-7074
  Security: https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html
  MFH: 2017Q1

Changes:
  head/dns/powerdns-recursor/Makefile
  head/dns/powerdns-recursor/distinfo
  head/dns/powerdns-recursor/files/extrapatch-setuid
  head/dns/powerdns-recursor/files/patch-dnsname.hh
  head/dns/powerdns-recursor/files/patch-lua-recursor4.cc
  head/dns/powerdns-recursor/files/patch-mtasker__fcontext.cc

A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:25:18 UTC 2017
New revision: 431789
URL: https://svnweb.freebsd.org/changeset/ports/431789

Log:
  MFH: r431788

  dns/powerdns-recursor: update 4.0.3 -> 4.0.4

  Changes: https://doc.powerdns.com/md/changelog/#powerdns-recursor-404

  PR: 216135
  Reported by: Dani <i.dani@outlook.com>
  Submitted by: ghostonthewire@gmail.com
  Approved by: Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by: ports-secteam (with hat)
  Security: CVE-2016-7068
  Security: CVE-2016-7073
  Security: CVE-2016-7074
  Security: https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html

Changes:
  _U branches/2017Q1/
  branches/2017Q1/dns/powerdns-recursor/Makefile
  branches/2017Q1/dns/powerdns-recursor/distinfo
  branches/2017Q1/dns/powerdns-recursor/files/extrapatch-setuid
  branches/2017Q1/dns/powerdns-recursor/files/patch-dnsname.hh
  branches/2017Q1/dns/powerdns-recursor/files/patch-lua-recursor4.cc
  branches/2017Q1/dns/powerdns-recursor/files/patch-mtasker__fcontext.cc

To all involved for the initial report, the patch, and the maintainer approval; thanks!