Bug 229485 - dns/knot-resolver: Update to 2.4.1 (security fix - CVE-2018-10920)
Summary: dns/knot-resolver: Update to 2.4.1 (security fix - CVE-2018-10920)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Kurt Jaeger
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2018-07-03 10:07 UTC by nusenu
Modified: 2018-08-15 19:36 UTC (History)

See Also:
pi: maintainer-feedback-
pi: merge-quarterly+


Attachments
patch (4.14 KB, patch) - 2018-07-04 09:45 UTC, Kurt Jaeger
patch-v2 (4.07 KB, patch) - 2018-08-13 05:31 UTC, Kurt Jaeger

Comment 1 Kurt Jaeger freebsd_committer 2018-07-04 09:45:33 UTC
Created attachment 194872 [details]
patch

patch builds, but fails to build two modules:

===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: lib/kdns_modules/memcached.so
Error: Missing: lib/kdns_modules/redis.so

TODO: find the cause.
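The two "Error: Missing" lines above come from the ports framework's stage check, which compares every plain entry in pkg-plist against what the build actually installed under STAGEDIR. The script below is an added illustration of that check, not the FreeBSD ports framework's own code: it reimplements the comparison in POSIX sh against a constructed stage tree and a constructed pkg-plist that still lists the memcached and redis modules, and reproduces the same failure. STAGEDIR, PREFIX, the file names and the handling of @keyword and %%OPTION%% lines are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD ports framework: a minimal
# re-implementation of the "Checking for items in pkg-plist which are not in
# STAGEDIR" step. The stage tree and plist below are constructed samples.

# check_plist PLIST STAGEDIR PREFIX
# Prints "Error: Missing: <entry>" for each plain file entry in PLIST that
# is absent from STAGEDIR/PREFIX and returns the number of missing entries.
check_plist() {
    _plist=$1; _stagedir=$2; _prefix=$3
    _missing=0
    while IFS= read -r _entry || [ -n "$_entry" ]; do
        case $_entry in
            ''|@*|%%*) continue ;;   # blank lines, @keywords, unexpanded %%OPTION%% markers
        esac
        if [ ! -e "${_stagedir}${_prefix}/${_entry}" ]; then
            echo "Error: Missing: $_entry"
            _missing=$((_missing + 1))
        fi
    done < "$_plist"
    return "$_missing"
}

# Constructed stage tree resembling what a knot-resolver build installs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STAGEDIR="$WORK/stage"
PREFIX=/usr/local
mkdir -p "$STAGEDIR$PREFIX/sbin" "$STAGEDIR$PREFIX/lib/kdns_modules"
touch "$STAGEDIR$PREFIX/sbin/kresd" "$STAGEDIR$PREFIX/lib/kdns_modules/http.so"

# Constructed stale plist: still lists modules removed upstream in 2.0.0.
cat > "$WORK/pkg-plist" <<'EOF'
sbin/kresd
lib/kdns_modules/http.so
lib/kdns_modules/memcached.so
lib/kdns_modules/redis.so
@dir lib/kdns_modules
EOF

echo "===> Checking for items in pkg-plist which are not in STAGEDIR"
rc=0
check_plist "$WORK/pkg-plist" "$STAGEDIR" "$PREFIX" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "pkg-plist is consistent with STAGEDIR"
else
    echo "pkg-plist lists $rc entries missing from STAGEDIR; drop the stale lines or the OPTIONS that emit them"
fi
```

The real framework also checks the opposite direction (files in STAGEDIR that pkg-plist does not list), so fixing a port means reconciling both lists; here only the direction that produced the errors in this report is shown.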
Comment 2 Vladimír Čunát 2018-07-05 07:38:24 UTC
Those two modules were removed upstream since 2.0.0 (by myself).  I can't see how that's related to 2.3.0 -> 2.4.0.
Comment 3 nusenu 2018-08-02 12:15:51 UTC
Knot Resolver 2.4.1 (2018-08-02)
================================

Security
--------
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component
  (security!7, security!9)

Bugfixes
--------
- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
- TLS session resumption: avoid bad scheduling of rotation (#385)
- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
- cache: NSEC3 negative cache even without NS record (#384)
  This fixes lower hit rate in NSEC3 zones (since 2.4.0).
- minor TCP and TLS fixes (!623, !624, !626)

https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.1/NEWS
Comment 4 Kurt Jaeger freebsd_committer 2018-08-12 21:18:53 UTC
(In reply to Vladimír Čunát from comment #2)
If the modules memcached and redis were removed in 2.0.x, they were still in the port, which confused me. I've removed the OPTIONs and I'm testbuilding right now.
Comment 5 Kurt Jaeger freebsd_committer 2018-08-13 05:31:44 UTC
Created attachment 196151 [details]
patch-v2

This version builds and has the memcache and redis options removed.
Comment 6 commit-hook freebsd_committer 2018-08-13 05:39:34 UTC
A commit references this bug:

Author: pi
Date: Mon Aug 13 05:38:36 UTC 2018
New revision: 477052
URL: https://svnweb.freebsd.org/changeset/ports/477052

Log:
  dns/knot-resolver: update 2.3.0 -> 2.4.1

  - CVE-2018-10920: Improper input validation bug in DNS resolver component

  PR:		229485
  Reported by:	freebsd-vheg@riseup.net,
  Approved by:	freebsd@dns.company (maintainer timeout)
  MFH:		2018Q3
  Relnotes:	https://www.knot-resolver.cz/2018-07-03-knot-resolver-2.4.0.html
  		https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html
  Security:	CVE-2018-10920

Changes:
  head/dns/knot-resolver/Makefile
  head/dns/knot-resolver/distinfo
  head/dns/knot-resolver/files/patch-Makefile
  head/dns/knot-resolver/pkg-plist
Comment 7 Kurt Jaeger freebsd_committer 2018-08-13 05:41:49 UTC
ups, still open until MFH
Comment 8 commit-hook freebsd_committer 2018-08-15 19:35:50 UTC
A commit references this bug:

Author: pi
Date: Wed Aug 15 19:35:16 UTC 2018
New revision: 477279
URL: https://svnweb.freebsd.org/changeset/ports/477279

Log:
  MFH: r477052

  dns/knot-resolver: update 2.3.0 -> 2.4.1

  - CVE-2018-10920: Improper input validation bug in DNS resolver component

  PR:		229485
  Reported by:	freebsd-vheg@riseup.net,
  Approved by:	freebsd@dns.company (maintainer timeout)
  Relnotes:	https://www.knot-resolver.cz/2018-07-03-knot-resolver-2.4.0.html
  		https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html
  Security:	CVE-2018-10920
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/dns/knot-resolver/Makefile
  branches/2018Q3/dns/knot-resolver/distinfo
  branches/2018Q3/dns/knot-resolver/files/patch-Makefile
  branches/2018Q3/dns/knot-resolver/pkg-plist
Comment 9 Kurt Jaeger freebsd_committer 2018-08-15 19:36:06 UTC
Committed, thanks!