Bug 246655

Summary:

dns/powerdns-recursor: update to 4.3.1

Product:

Ports & Packages

Reporter:

Ralf van der Enden <tremere>

Component:

Individual Port(s)

Assignee:

Hiroki Tagato <tagattie>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

fernape, i.dani, tagattie, yds

Priority:

---

Keywords:

patch

Version:

Latest

Flags:

tagattie: merge-quarterly+

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
Update to PowerDNS Recursor 4.3.1	tremere: maintainer-approval+
Security advisories for VuXML (3 CVE's)	tremere: maintainer-approval+
Update to PowerDNS Recursor 4.3.1 (new version)	tremere: maintainer-approval+
Update to PowerDNS Recursor 4.3.1	tremere: maintainer-approval+
Add legacy versions to VuXML for powerdns-recursor	none

Description Ralf van der Enden 2020-05-22 09:09:04 UTC

Created attachment 214751 [details]
Update to PowerDNS Recursor 4.3.1

Update to PowerDNS Recursor containing security fixes for three CVEs:

- CVE-2020-10995
- CVE-2020-12244
- CVE-2020-10030

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows
malicious parties to use recursive DNS services to attack third party
authoritative name servers. Severity is medium. We would like to thank
Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and
subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response
lacking an SOA were not properly validated. Severity is medium. We would
like to thank Matt Nordhoff for finding and subsequently reporting this
issue!

CVE-2020-10030: An attacker with enough privileges to change the
hostname might be able to disclose uninitialized memory. This issue also
affects the Authoritative Server and dnsdist; since the attack requires
very high privileges and the issue does not affect Linux, we will not be
releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes.

See https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1 for the full changelog.

QA:
portlint: OK (looks fine.)
testport: OK (12.1, amd64)

Regenerated some patches to make portlint happy.

Due to several reports of the recursor (also older versions) crashing on i386 I've marked it BROKEN on i386.

Also, added a patch from upstream to fix building since HOST_NAME_MAX has been deprecated on FreeBSD, but not on some other platforms. It will be part of the next official release.

Comment 1 Ralf van der Enden 2020-05-22 09:09:51 UTC

Created attachment 214752 [details]
Security advisories for VuXML (3 CVE's)

Comment 2 yds 2020-05-23 19:38:13 UTC

builds and runs on 12.1-STABLE :)

I noticed the build uses -DNODCACHEDIR="/var/lib/pdns-recursor"
shouldn't that be -DNODCACHEDIR="/var/db/pdns-recursor" on FreeBSD??

that dir does not seem to be used at runtime.
the port runs fine with this patch as is.
just an observation from testing the build.

Comment 3 Ralf van der Enden 2020-05-24 21:44:32 UTC

Created attachment 214821 [details]
Update to PowerDNS Recursor 4.3.1 (new version)


Regenerated one more patch to pet portlint.
Forgot to delete a patch, which is no longer required on 12.1.
Also changed the BROKEN_i386 to BROKEN_FreeBSD_12_i386, since it works fine on 11.3

Comment 4 Ralf van der Enden 2020-05-24 21:46:28 UTC

(In reply to yds from comment #2)

It's not used by the port at the moment, so I wouldn't worry about that ;)

Comment 5 Ralf van der Enden 2020-05-25 12:25:33 UTC

Created attachment 214843 [details]
Update to PowerDNS Recursor 4.3.1


I must have been on crack while creating my 11.3 jail, since I forgot to specify arch. Retested everything on 11.3, 12.0 and 12.1 i386, but all SIGSEGV on startup. Changed the BROKEN line to reflect that.

Also updated the hostnamemax patch with a slightly updated patch from upstream.

Comment 6 commit-hook freebsd_committer

2020-05-27 12:09:03 UTC

A commit references this bug:

Author: tagattie
Date: Wed May 27 12:08:47 UTC 2020
New revision: 536689
URL: https://svnweb.freebsd.org/changeset/ports/536689

Log:
  Document powerdns-recursor vulnerabilities

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net>
  Approved by:	ehaupt (mentor)

Changes:
  head/security/vuxml/vuln.xml

Comment 7 commit-hook freebsd_committer

2020-05-27 12:11:05 UTC

A commit references this bug:

Author: tagattie
Date: Wed May 27 12:11:03 UTC 2020
New revision: 536690
URL: https://svnweb.freebsd.org/changeset/ports/536690

Log:
  - Update to 4.3.1
  - Mark broken on i386
  - Updated hostnamemax patch

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by:	ehaupt (mentor)
  MFH:		2020Q2 (blanket, security fixes)
  Security:	f9c5a410-9b4e-11ea-ac3f-6805ca2fa271
  Changelog:	https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1

Changes:
  head/dns/powerdns-recursor/Makefile
  head/dns/powerdns-recursor/distinfo
  head/dns/powerdns-recursor/files/patch-configure
  head/dns/powerdns-recursor/files/patch-dns_random.cc
  head/dns/powerdns-recursor/files/patch-dnsname.hh
  head/dns/powerdns-recursor/files/patch-hostnamemax
  head/dns/powerdns-recursor/files/patch-pdns_recursor.cc

Comment 8 commit-hook freebsd_committer

2020-05-27 12:49:11 UTC

A commit references this bug:

Author: tagattie
Date: Wed May 27 12:48:57 UTC 2020
New revision: 536692
URL: https://svnweb.freebsd.org/changeset/ports/536692

Log:
  MFH: r536690

  - Update to 4.3.1
  - Mark broken on i386
  - Updated hostnamemax patch

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by:	ehaupt (mentor)
  Security:	f9c5a410-9b4e-11ea-ac3f-6805ca2fa271
  Changelog:	https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1

  Approved by:	ports-secteam (joneum)

Changes:
  branches/2020Q2/dns/powerdns-recursor/Makefile
  branches/2020Q2/dns/powerdns-recursor/distinfo
  branches/2020Q2/dns/powerdns-recursor/files/extrapatch-setuid
  branches/2020Q2/dns/powerdns-recursor/files/patch-configure
  branches/2020Q2/dns/powerdns-recursor/files/patch-dnsname.hh
  branches/2020Q2/dns/powerdns-recursor/files/patch-hostnamemax
  branches/2020Q2/dns/powerdns-recursor/files/patch-pdns_dns__random.cc
  branches/2020Q2/dns/powerdns-recursor/files/patch-pdns_recursor.cc
  branches/2020Q2/dns/powerdns-recursor/files/pdns-recursor.in
  branches/2020Q2/dns/powerdns-recursor/files/pkg-message.in
  branches/2020Q2/dns/powerdns-recursor/pkg-descr
  branches/2020Q2/dns/powerdns-recursor/pkg-plist

Comment 9 Hiroki Tagato freebsd_committer

2020-05-27 12:52:20 UTC

Committed, thanks!

Comment 10 Dani I. 2020-05-27 16:40:30 UTC

(In reply to Hiroki Tagato from comment #9)

Hey Guys, thanks for the security update. We build our own ports and use powerdns-recursor 4.2.x for stability reasons. The 4.2.x-Branch also received an update for this security fix and isn't vulnerable. Could you therefore mark powerdns-recursor 4.2.2 as fix version too? Thanks!

See: https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/

Comment 11 Hiroki Tagato freebsd_committer

2020-05-28 07:18:57 UTC

(In reply to Dani from comment #10)

Hi, thanks for letting us know this.

Can you post a patch to vuln.xml for update?

Comment 12 Ralf van der Enden 2020-05-28 10:47:35 UTC

Created attachment 214959 [details]
Add legacy versions to VuXML for powerdns-recursor

Comment 13 commit-hook freebsd_committer

2020-05-29 06:52:14 UTC

A commit references this bug:

Author: tagattie
Date: Fri May 29 06:51:38 UTC 2020
New revision: 536950
URL: https://svnweb.freebsd.org/changeset/ports/536950

Log:
  Correct vulnerable version range of powerdns-recursor

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net>
  Approved by:	ehaupt (mentor)

Changes:
  head/security/vuxml/vuln.xml

Comment 14 Hiroki Tagato freebsd_committer

2020-05-29 06:53:12 UTC

(In reply to Ralf van der Enden from comment #12)

Committed, thanks for the update!