Bug 216136 - dns/powerdns: Upgrade to recent version (v4.0.2) - current(4.0.1) has critical vulnerabilities
Summary: dns/powerdns: Upgrade to recent version (v4.0.2) - current(4.0.1) has critica...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Jason Unovitch
URL:
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2017-01-16 10:22 UTC by Dani
Modified: 2017-01-18 11:29 UTC (History)
4 users (show)

See Also:
tremere: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
dns/powerdns: Update to version 4.0.2 (2.38 KB, patch)
2017-01-16 18:55 UTC, ghostonthewire
no flags Details | Diff
Update to 4.0.3 (3.27 KB, patch)
2017-01-17 12:06 UTC, Ralf van der Enden
tremere: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Dani 2017-01-16 10:22:27 UTC
The current version avilable for FreeBSD is vulnerable since 13.01.2017 and has already been patched upstream.

See here: https://blog.powerdns.com/2017/01/13/powerdns-authoritative-server-4-0-2-released/

Available version: 4.0.1_3
Patched version: 4.0.2

Important Changes

Security:
- Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
- Don’t exit if the webserver can’t accept a connection (Security Advisory 2016-03)
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Correctly check unknown record content size (Security Advisory 2016-05)

Fixes:
- ODBC backend: actually prepare statements
- Improve root-zone performance
- Plug memory leak in postgresql backend (Christian Hofstaedtler)
calidns: Don’t crash if we don’t have enough ‘unknown’ queries remaining
- Improve PacketCache cleaning (Kees Monshouwer)
- Bind backend: update status message on reload, keep the existing zone on failure
- Fix TSIG for single thread distributor (Kees Monshouwer)
- Change default for any-to-tcp to yes (Kees Monshouwer)
- Don’t look up the packet cache for TSIG-enabled queries
- Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
- pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)

-> Full Changelog: https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
Comment 1 ghostonthewire 2017-01-16 18:55:06 UTC
Created attachment 178967 [details]
dns/powerdns: Update to version 4.0.2

dns/powerdns: Update to version 4.0.2

- Bump version to 4.0.2
- patch-libressl is no longer needed [^1]

Has been built successfully on following versions with all possible port
options set:
10.2-RELEASE-p28/amd64
10.2-RELEASE-p28/i386
10.3-RELEASE-p15/amd64
10.3-RELEASE-p15/i386
11.0-RELEASE-p6/amd64
11.0-RELEASE-p6/i386

Full poudriere logs - https://gist.github.com/3afc69cb8985c71ab3d76fd503ed8984

[^1]: https://github.com/PowerDNS/pdns/commit/115f658
Comment 2 Ralf van der Enden 2017-01-17 09:27:37 UTC
Looks good to me. Can be committed
Comment 3 Ralf van der Enden 2017-01-17 12:06:23 UTC
Created attachment 178991 [details]
Update to 4.0.3

This patch replaces the previous one.

Also replaced CXXFLAGS and LDFLAGS with USES=localbase:ldflags
Comment 4 commit-hook freebsd_committer 2017-01-18 11:23:47 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:22:48 UTC 2017
New revision: 431785
URL: https://svnweb.freebsd.org/changeset/ports/431785

Log:
  Document mulitiple PowerDNS vulnerabilities

  PR:		216135
  PR:		216136
  Reported by:	Dani <i.dani@outlook.com>
  Security:	CVE-2016-2120
  Security:	CVE-2016-7068
  Security:	CVE-2016-7072
  Security:	CVE-2016-7073
  Security:	CVE-2016-7074
  Security:	https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2017-01-18 11:23:49 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:23:11 UTC 2017
New revision: 431786
URL: https://svnweb.freebsd.org/changeset/ports/431786

Log:
  dns/powerdns: update 4.0.1 -> 4.0.3

  - Switch to USES=localbase while here
  - Remove LibreSSL patch (see https://github.com/PowerDNS/pdns/pull/4310)

  Changes:	https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
  		https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-403

  PR:		216136
  Reported by:	Dani <i.dani@outlook.com>
  Submitted by:	ghostonthewire@gmail.com (original 4.0.2 patch)
  Approved by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Security:	CVE-2016-2120
  Security:	CVE-2016-7068
  Security:	CVE-2016-7072
  Security:	CVE-2016-7073
  Security:	CVE-2016-7074
  Security:	https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html
  MFH:		2017Q1

Changes:
  head/dns/powerdns/Makefile
  head/dns/powerdns/distinfo
  head/dns/powerdns/files/patch-libressl
Comment 6 commit-hook freebsd_committer 2017-01-18 11:24:52 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jan 18 11:23:59 UTC 2017
New revision: 431787
URL: https://svnweb.freebsd.org/changeset/ports/431787

Log:
  MFH: r431786

  dns/powerdns: update 4.0.1 -> 4.0.3

  - Switch to USES=localbase while here
  - Remove LibreSSL patch (see https://github.com/PowerDNS/pdns/pull/4310)

  Changes:	https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
  		https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-403

  PR:		216136
  Reported by:	Dani <i.dani@outlook.com>
  Submitted by:	ghostonthewire@gmail.com (original 4.0.2 patch)
  Approved by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-2120
  Security:	CVE-2016-7068
  Security:	CVE-2016-7072
  Security:	CVE-2016-7073
  Security:	CVE-2016-7074
  Security:	https://vuxml.FreeBSD.org/freebsd/e3200958-dd6c-11e6-ae1b-002590263bf5.html

Changes:
_U  branches/2017Q1/
  branches/2017Q1/dns/powerdns/Makefile
  branches/2017Q1/dns/powerdns/distinfo
  branches/2017Q1/dns/powerdns/files/patch-libressl
Comment 7 Jason Unovitch freebsd_committer 2017-01-18 11:29:39 UTC
To all involved for the initial report, the patch, and the maintainer approval; thanks!