The current version available for FreeBSD is vulnerable since 13.01.2017 and has already been patched upstream. See here: https://blog.powerdns.com/2017/01/13/powerdns-authoritative-server-4-0-2-released/

Available version: 4.0.1_3
Patched version: 4.0.2

Important Changes

Security:
- Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
- Don’t exit if the webserver can’t accept a connection (Security Advisory 2016-03)
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Correctly check unknown record content size (Security Advisory 2016-05)

Fixes:
- ODBC backend: actually prepare statements
- Improve root-zone performance
- Plug memory leak in postgresql backend (Christian Hofstaedtler)
- calidns: Don’t crash if we don’t have enough ‘unknown’ queries remaining
- Improve PacketCache cleaning (Kees Monshouwer)
- Bind backend: update status message on reload, keep the existing zone on failure
- Fix TSIG for single thread distributor (Kees Monshouwer)
- Change default for any-to-tcp to yes (Kees Monshouwer)
- Don’t look up the packet cache for TSIG-enabled queries
- Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
- pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)

-> Full Changelog: https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402

Created attachment 178967
dns/powerdns: Update to version 4.0.2

dns/powerdns: Update to version 4.0.2
- Bump version to 4.0.2
- patch-libressl is no longer needed [^1]

Has been built successfully on the following versions with all possible port options set:
10.2-RELEASE-p28/amd64
10.2-RELEASE-p28/i386
10.3-RELEASE-p15/amd64
10.3-RELEASE-p15/i386
11.0-RELEASE-p6/amd64
11.0-RELEASE-p6/i386

Full poudriere logs - https://gist.github.com/3afc69cb8985c71ab3d76fd503ed8984

[^1]: https://github.com/PowerDNS/pdns/commit/115f658

Looks good to me. Can be committed
Created attachment 178991
Update to 4.0.3

This patch replaces the previous one.
Also replaced CXXFLAGS and LDFLAGS with USES=localbase:ldflags

A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:22:48 UTC 2017
New revision: 431785
URL: https://svnweb.freebsd.org/changeset/ports/431785

Log:
  Document multiple PowerDNS vulnerabilities

  PR: 216135
  PR: 216136
  Reported by: Dani <i.dani@outlook.com>
  Security: CVE-2016-2120
  Security: CVE-2016-7068
  Security: CVE-2016-7072
  Security: CVE-2016-7073
  Security: CVE-2016-7074
  Security: https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:23:11 UTC 2017
New revision: 431786
URL: https://svnweb.freebsd.org/changeset/ports/431786

Log:
  dns/powerdns: update 4.0.1 -> 4.0.3

  - Switch to USES=localbase while here
  - Remove LibreSSL patch (see https://github.com/PowerDNS/pdns/pull/4310)

  Changes:
  https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
  https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-403

  PR: 216136
  Reported by: Dani <i.dani@outlook.com>
  Submitted by: ghostonthewire@gmail.com (original 4.0.2 patch)
  Approved by: Ralf van der Enden <tremere@cainites.net> (maintainer)
  Security: CVE-2016-2120
  Security: CVE-2016-7068
  Security: CVE-2016-7072
  Security: CVE-2016-7073
  Security: CVE-2016-7074
  Security: https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html
  MFH: 2017Q1

Changes:
  head/dns/powerdns/Makefile
  head/dns/powerdns/distinfo
  head/dns/powerdns/files/patch-libressl

A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:23:59 UTC 2017
New revision: 431787
URL: https://svnweb.freebsd.org/changeset/ports/431787

Log:
  MFH: r431786

  dns/powerdns: update 4.0.1 -> 4.0.3

  - Switch to USES=localbase while here
  - Remove LibreSSL patch (see https://github.com/PowerDNS/pdns/pull/4310)

  Changes:
  https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
  https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-403

  PR: 216136
  Reported by: Dani <i.dani@outlook.com>
  Submitted by: ghostonthewire@gmail.com (original 4.0.2 patch)
  Approved by: Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by: ports-secteam (with hat)
  Security: CVE-2016-2120
  Security: CVE-2016-7068
  Security: CVE-2016-7072
  Security: CVE-2016-7073
  Security: CVE-2016-7074
  Security: https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html

Changes:
  _U branches/2017Q1/
  branches/2017Q1/dns/powerdns/Makefile
  branches/2017Q1/dns/powerdns/distinfo
  branches/2017Q1/dns/powerdns/files/patch-libressl

To all involved for the initial report, the patch, and the maintainer approval; thanks!