Bug 246655 - dns/powerdns-recursor: update to 4.3.1
Summary: dns/powerdns-recursor: update to 4.3.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Hiroki Tagato
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2020-05-22 09:09 UTC by Ralf van der Enden
Modified: 2020-05-29 06:53 UTC (History)
4 users (show)

See Also:
tagattie: merge-quarterly+


Attachments
Update to PowerDNS Recursor 4.3.1 (5.44 KB, patch)
2020-05-22 09:09 UTC, Ralf van der Enden
tremere: maintainer-approval+
Details | Diff
Security advisories for VuXML (3 CVE's) (2.75 KB, patch)
2020-05-22 09:09 UTC, Ralf van der Enden
tremere: maintainer-approval+
Details | Diff
Update to PowerDNS Recursor 4.3.1 (new version) (6.85 KB, patch)
2020-05-24 21:44 UTC, Ralf van der Enden
tremere: maintainer-approval+
Details | Diff
Update to PowerDNS Recursor 4.3.1 (6.82 KB, patch)
2020-05-25 12:25 UTC, Ralf van der Enden
tremere: maintainer-approval+
Details | Diff
Add legacy versions to VuXML for powerdns-recursor (452 bytes, patch)
2020-05-28 10:47 UTC, Ralf van der Enden
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ralf van der Enden 2020-05-22 09:09:04 UTC
Created attachment 214751 [details]
Update to PowerDNS Recursor 4.3.1

Update to PowerDNS Recursor containing security fixes for three CVEs:

- CVE-2020-10995
- CVE-2020-12244
- CVE-2020-10030

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows
malicious parties to use recursive DNS services to attack third party
authoritative name servers. Severity is medium. We would like to thank
Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and
subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response
lacking an SOA were not properly validated. Severity is medium. We would
like to thank Matt Nordhoff for finding and subsequently reporting this
issue!

CVE-2020-10030: An attacker with enough privileges to change the
hostname might be able to disclose uninitialized memory. This issue also
affects the Authoritative Server and dnsdist; since the attack requires
very high privileges and the issue does not affect Linux, we will not be
releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes.

See https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1 for the full changelog.

QA:
portlint: OK (looks fine.)
testport: OK (12.1, amd64)

Regenerated some patches to make portlint happy.

Due to several reports of the recursor (also older versions) crashing on i386 I've marked it BROKEN on i386.

Also, added a patch from upstream to fix building since HOST_NAME_MAX has been deprecated on FreeBSD, but not on some other platforms. It will be part of the next official release.
Comment 1 Ralf van der Enden 2020-05-22 09:09:51 UTC
Created attachment 214752 [details]
Security advisories for VuXML (3 CVE's)
Comment 2 yds 2020-05-23 19:38:13 UTC
builds and runs on 12.1-STABLE :)

I noticed the build uses -DNODCACHEDIR="/var/lib/pdns-recursor"
shouldn't that be -DNODCACHEDIR="/var/db/pdns-recursor" on FreeBSD??

that dir does not seem to be used at runtime.
the port runs fine with this patch as is.
just an observation from testing the build.
Comment 3 Ralf van der Enden 2020-05-24 21:44:32 UTC
Created attachment 214821 [details]
Update to PowerDNS Recursor 4.3.1 (new version)


Regenerated one more patch to pet portlint.
Forgot to delete a patch, which is no longer required on 12.1.
Also changed the BROKEN_i386 to BROKEN_FreeBSD_12_i386, since it works fine on 11.3
Comment 4 Ralf van der Enden 2020-05-24 21:46:28 UTC
(In reply to yds from comment #2)

It's not used by the port at the moment, so I wouldn't worry about that ;)
Comment 5 Ralf van der Enden 2020-05-25 12:25:33 UTC
Created attachment 214843 [details]
Update to PowerDNS Recursor 4.3.1


I must have been on crack while creating my 11.3 jail, since I forgot to specify arch. Retested everything on 11.3, 12.0 and 12.1 i386, but all SIGSEGV on startup. Changed the BROKEN line to reflect that.

Also updated the hostnamemax patch with a slightly updated patch from upstream.
Comment 6 commit-hook freebsd_committer 2020-05-27 12:09:03 UTC
A commit references this bug:

Author: tagattie
Date: Wed May 27 12:08:47 UTC 2020
New revision: 536689
URL: https://svnweb.freebsd.org/changeset/ports/536689

Log:
  Document powerdns-recursor vulnerabilities

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net>
  Approved by:	ehaupt (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2020-05-27 12:11:05 UTC
A commit references this bug:

Author: tagattie
Date: Wed May 27 12:11:03 UTC 2020
New revision: 536690
URL: https://svnweb.freebsd.org/changeset/ports/536690

Log:
  - Update to 4.3.1
  - Mark broken on i386
  - Updated hostnamemax patch

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by:	ehaupt (mentor)
  MFH:		2020Q2 (blanket, security fixes)
  Security:	f9c5a410-9b4e-11ea-ac3f-6805ca2fa271
  Changelog:	https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1

Changes:
  head/dns/powerdns-recursor/Makefile
  head/dns/powerdns-recursor/distinfo
  head/dns/powerdns-recursor/files/patch-configure
  head/dns/powerdns-recursor/files/patch-dns_random.cc
  head/dns/powerdns-recursor/files/patch-dnsname.hh
  head/dns/powerdns-recursor/files/patch-hostnamemax
  head/dns/powerdns-recursor/files/patch-pdns_recursor.cc
Comment 8 commit-hook freebsd_committer 2020-05-27 12:49:11 UTC
A commit references this bug:

Author: tagattie
Date: Wed May 27 12:48:57 UTC 2020
New revision: 536692
URL: https://svnweb.freebsd.org/changeset/ports/536692

Log:
  MFH: r536690

  - Update to 4.3.1
  - Mark broken on i386
  - Updated hostnamemax patch

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Approved by:	ehaupt (mentor)
  Security:	f9c5a410-9b4e-11ea-ac3f-6805ca2fa271
  Changelog:	https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1

  Approved by:	ports-secteam (joneum)

Changes:
  branches/2020Q2/dns/powerdns-recursor/Makefile
  branches/2020Q2/dns/powerdns-recursor/distinfo
  branches/2020Q2/dns/powerdns-recursor/files/extrapatch-setuid
  branches/2020Q2/dns/powerdns-recursor/files/patch-configure
  branches/2020Q2/dns/powerdns-recursor/files/patch-dnsname.hh
  branches/2020Q2/dns/powerdns-recursor/files/patch-hostnamemax
  branches/2020Q2/dns/powerdns-recursor/files/patch-pdns_dns__random.cc
  branches/2020Q2/dns/powerdns-recursor/files/patch-pdns_recursor.cc
  branches/2020Q2/dns/powerdns-recursor/files/pdns-recursor.in
  branches/2020Q2/dns/powerdns-recursor/files/pkg-message.in
  branches/2020Q2/dns/powerdns-recursor/pkg-descr
  branches/2020Q2/dns/powerdns-recursor/pkg-plist
Comment 9 Hiroki Tagato freebsd_committer 2020-05-27 12:52:20 UTC
Committed, thanks!
Comment 10 Dani 2020-05-27 16:40:30 UTC
(In reply to Hiroki Tagato from comment #9)

Hey Guys, thanks for the security update. We build our own ports and use powerdns-recursor 4.2.x for stability reasons. The 4.2.x-Branch also received an update for this security fix and isn't vulnerable. Could you therefore mark powerdns-recursor 4.2.2 as fix version too? Thanks!

See: https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/
Comment 11 Hiroki Tagato freebsd_committer 2020-05-28 07:18:57 UTC
(In reply to Dani from comment #10)

Hi, thanks for letting us know this.

Can you post a patch to vuln.xml for update?
Comment 12 Ralf van der Enden 2020-05-28 10:47:35 UTC
Created attachment 214959 [details]
Add legacy versions to VuXML for powerdns-recursor
Comment 13 commit-hook freebsd_committer 2020-05-29 06:52:14 UTC
A commit references this bug:

Author: tagattie
Date: Fri May 29 06:51:38 UTC 2020
New revision: 536950
URL: https://svnweb.freebsd.org/changeset/ports/536950

Log:
  Correct vulnerable version range of powerdns-recursor

  PR:		246655
  Submitted by:	Ralf van der Enden <tremere@cainites.net>
  Approved by:	ehaupt (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 14 Hiroki Tagato freebsd_committer 2020-05-29 06:53:12 UTC
(In reply to Ralf van der Enden from comment #12)

Committed, thanks for the update!