Comment 1 Kurt Jaeger 2018-07-04 09:45:33 UTC

Created attachment 194872 [details]
patch

patch builds, but fails to build two modules:

===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: lib/kdns_modules/memcached.so
Error: Missing: lib/kdns_modules/redis.so

TODO: find the cause.

Those two modules were removed upstream since 2.0.0 (by myself).  I can't see how that's related to 2.3.0 -> 2.4.0.

Knot Resolver 2.4.1 (2018-08-02)
================================

Security
--------
- fix CVE-2018-10920: Improper input validation bug in DNS resolver component
  (security!7, security!9)

Bugfixes
--------
- cache: fix TTL overflow in packet due to min_ttl (#388, security!8)
- TLS session resumption: avoid bad scheduling of rotation (#385)
- HTTP module: fix a regression in 2.4.0 which broke custom certs (!632)
- cache: NSEC3 negative cache even without NS record (#384)
  This fixes lower hit rate in NSEC3 zones (since 2.4.0).
- minor TCP and TLS fixes (!623, !624, !626)

https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v2.4.1/NEWS

Comment 4 Kurt Jaeger 2018-08-12 21:18:53 UTC

(In reply to Vladimír Čunát from comment #2)
If the modules memcached and redis were removed in 2.0.x, they where still in the port, which confused me. I've removed the OPTIONs and I'm testbuilding right now.

Comment 5 Kurt Jaeger 2018-08-13 05:31:44 UTC

Created attachment 196151 [details]
patch-v2

This version builds and has the memcache and redis options removed.

Comment 6 commit-hook 2018-08-13 05:39:34 UTC

A commit references this bug:

Author: pi
Date: Mon Aug 13 05:38:36 UTC 2018
New revision: 477052
URL: https://svnweb.freebsd.org/changeset/ports/477052

Log:
  dns/knot-resolver: update 2.3.0 -> 2.4.1

  - CVE-2018-10920: Improper input validation bug in DNS resolver component

  PR:		229485
  Reported by:	freebsd-vheg@riseup.net,
  Approved by:	freebsd@dns.company (maintainer timeout)
  MFH:		2018Q3
  Relnotes:	https://www.knot-resolver.cz/2018-07-03-knot-resolver-2.4.0.html
  		https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html
  Security:	CVE-2018-10920

Changes:
  head/dns/knot-resolver/Makefile
  head/dns/knot-resolver/distinfo
  head/dns/knot-resolver/files/patch-Makefile
  head/dns/knot-resolver/pkg-plist

Comment 7 Kurt Jaeger 2018-08-13 05:41:49 UTC

ups, still open until MFH

Comment 8 commit-hook 2018-08-15 19:35:50 UTC

A commit references this bug:

Author: pi
Date: Wed Aug 15 19:35:16 UTC 2018
New revision: 477279
URL: https://svnweb.freebsd.org/changeset/ports/477279

Log:
  MFH: r477052

  dns/knot-resolver: update 2.3.0 -> 2.4.1

  - CVE-2018-10920: Improper input validation bug in DNS resolver component

  PR:		229485
  Reported by:	freebsd-vheg@riseup.net,
  Approved by:	freebsd@dns.company (maintainer timeout)
  Relnotes:	https://www.knot-resolver.cz/2018-07-03-knot-resolver-2.4.0.html
  		https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html
  Security:	CVE-2018-10920
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/dns/knot-resolver/Makefile
  branches/2018Q3/dns/knot-resolver/distinfo
  branches/2018Q3/dns/knot-resolver/files/patch-Makefile
  branches/2018Q3/dns/knot-resolver/pkg-plist

Comment 9 Kurt Jaeger 2018-08-15 19:36:06 UTC

Committed, thanks!