Bug 229485

Summary: dns/knot-resolver: Update to 2.4.1 (security fix - CVE-2018-10920)
Product: Ports & Packages Reporter: nusenu <freebsd-vheg>
Component: Individual Port(s)Assignee: Kurt Jaeger <pi>
Status: Closed FIXED    
Severity: Affects Some People CC: freebsd, pi, swills, vcunat
Priority: --- Keywords: security
Version: LatestFlags: pi: maintainer-feedback-
pi: merge-quarterly+
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch
none
patch-v2 none

Comment 1 Kurt Jaeger freebsd_committer freebsd_triage 2018-07-04 09:45:33 UTC 
Created attachment 194872 [details]
patch

patch builds, but fails to build two modules:

===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: lib/kdns_modules/memcached.so
Error: Missing: lib/kdns_modules/redis.so

TODO: find the cause.
Comment 2 Vladimír Čunát 2018-07-05 07:38:24 UTC 
Those two modules were removed upstream since 2.0.0 (by myself).  I can't see how that's related to 2.3.0 -> 2.4.0.
Comment 3 nusenu 2018-08-02 12:15:51 UTC 
Knot Resolver 2.4.1 (2018-08-02)
================================

Security
--------
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component
  (security!7, security!9)

Bugfixes
--------
- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
- TLS session resumption: avoid bad scheduling of rotation (#385)
- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
- cache: NSEC3 negative cache even without NS record (#384)
  This fixes lower hit rate in NSEC3 zones (since 2.4.0).
- minor TCP and TLS fixes (!623, !624, !626)

https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.1/NEWS
Comment 4 Kurt Jaeger freebsd_committer freebsd_triage 2018-08-12 21:18:53 UTC 
(In reply to Vladimír Čunát from comment #2)
If the modules memcached and redis were removed in 2.0.x, they where still in the port, which confused me. I've removed the OPTIONs and I'm testbuilding right now.
Comment 5 Kurt Jaeger freebsd_committer freebsd_triage 2018-08-13 05:31:44 UTC 
Created attachment 196151 [details]
patch-v2

This version builds and has the memcache and redis options removed.
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-08-13 05:39:34 UTC 
A commit references this bug:

Author: pi
Date: Mon Aug 13 05:38:36 UTC 2018
New revision: 477052
URL: https://svnweb.freebsd.org/changeset/ports/477052

Log:
  dns/knot-resolver: update 2.3.0 -> 2.4.1

  - CVE-2018-10920: Improper input validation bug in DNS resolver component

  PR:		229485
  Reported by:	freebsd-vheg@riseup.net,
  Approved by:	freebsd@dns.company (maintainer timeout)
  MFH:		2018Q3
  Relnotes:	https://www.knot-resolver.cz/2018-07-03-knot-resolver-2.4.0.html
  		https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html
  Security:	CVE-2018-10920

Changes:
  head/dns/knot-resolver/Makefile
  head/dns/knot-resolver/distinfo
  head/dns/knot-resolver/files/patch-Makefile
  head/dns/knot-resolver/pkg-plist
Comment 7 Kurt Jaeger freebsd_committer freebsd_triage 2018-08-13 05:41:49 UTC 
ups, still open until MFH
Comment 8 commit-hook freebsd_committer freebsd_triage 2018-08-15 19:35:50 UTC 
A commit references this bug:

Author: pi
Date: Wed Aug 15 19:35:16 UTC 2018
New revision: 477279
URL: https://svnweb.freebsd.org/changeset/ports/477279

Log:
  MFH: r477052

  dns/knot-resolver: update 2.3.0 -> 2.4.1

  - CVE-2018-10920: Improper input validation bug in DNS resolver component

  PR:		229485
  Reported by:	freebsd-vheg@riseup.net,
  Approved by:	freebsd@dns.company (maintainer timeout)
  Relnotes:	https://www.knot-resolver.cz/2018-07-03-knot-resolver-2.4.0.html
  		https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html
  Security:	CVE-2018-10920
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/dns/knot-resolver/Makefile
  branches/2018Q3/dns/knot-resolver/distinfo
  branches/2018Q3/dns/knot-resolver/files/patch-Makefile
  branches/2018Q3/dns/knot-resolver/pkg-plist
Comment 9 Kurt Jaeger freebsd_committer freebsd_triage 2018-08-15 19:36:06 UTC 
Committed, thanks!