Bug 247707 - dns/powerdns-recursor: update to 4.3.2
Summary: dns/powerdns-recursor: update to 4.3.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Jochen Neumeister
URL: https://doc.powerdns.com/recursor/cha...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-02 08:44 UTC by Ralf van der Enden
Modified: 2020-07-03 02:14 UTC

See Also:
koobs: merge-quarterly+


Attachments
Update to PowerDNS Recursor 4.3.2 (3.76 KB, patch)
2020-07-02 08:44 UTC, Ralf van der Enden
tremere: maintainer-approval+
Security advisory for VuXML (1 CVE) (1.71 KB, patch)
2020-07-02 08:45 UTC, Ralf van der Enden
tremere: maintainer-approval+

Description Ralf van der Enden 2020-07-02 08:44:36 UTC
Created attachment 216129
Update to PowerDNS Recursor 4.3.2

This update contains a security fix for CVE-2020-14196.

The issue is:

CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.

QA:
portlint: OK (looks fine.)
testport: OK (12.1, amd64)

Removed file(s):
files/patch-hostnamemax (no longer necessary since it has been merged by upstream)
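
The scope statement in the report above (only installations with non-default `webserver` and `webserver-address` are affected) can be checked against a configuration file. This is an added example, not part of the original report or the port. The default values, the "anything but no/off is enabled" switch handling, and the `X.Y.Z` version string format are assumptions; the sample configuration is constructed.

```python
# Defaults assumed from the upstream Recursor documentation, not from this report.
DEFAULTS = {"webserver": "no", "webserver-address": "127.0.0.1",
            "webserver-allow-from": "127.0.0.1,::1"}
FIXED = (4, 3, 2)  # release this report names as carrying the fix


def parse_conf(text):
    """Simplified recursor.conf reader: 'name=value', '#' comments, '+=' appends."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("+"):
            key = key[:-1].strip()
            conf[key] = ",".join(v for v in (conf.get(key, ""), value) if v)
        else:
            conf[key] = value
    return conf


def audit(conf_text, version):
    """Report whether a config falls in the scope the report describes."""
    conf = parse_conf(conf_text)
    # Conservative: anything other than an explicit no/off counts as enabled.
    enabled = conf["webserver"].lower() not in ("no", "off")
    address = conf["webserver-address"]
    in_scope = enabled and address != DEFAULTS["webserver-address"]
    installed = tuple(int(part) for part in version.split(".")[:3])
    acl = [n.strip() for n in conf["webserver-allow-from"].split(",") if n.strip()]
    return {
        "in_scope": in_scope,
        # Only 4.3.2 is named on the page; anything lower is flagged for review.
        "needs_update": in_scope and installed < FIXED,
        "acl": acl,  # the ACL that was not enforced before the fix
    }


# Constructed sample configuration, not taken from a real host.
SAMPLE = """
webserver=yes
webserver-address=0.0.0.0   # reachable on every interface
webserver-allow-from=10.0.0.0/8
webserver-allow-from+=192.0.2.0/24
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "4.3.1"))
```

A result with `needs_update` set means the listed `acl` should not be relied on as the only control in front of the web server until the port is updated.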
Comment 1 Ralf van der Enden 2020-07-02 08:45:59 UTC
Created attachment 216130
Security advisory for VuXML (1 CVE)
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-07-02 08:59:40 UTC
A commit references this bug:

Author: joneum
Date: Thu Jul  2 08:58:43 UTC 2020
New revision: 541025
URL: https://svnweb.freebsd.org/changeset/ports/541025

Log:
  Add entry for dns/powerdns-recursor

  PR:		247707
  Submitted by:	Ralf van der Enden <tremere@cainites.net>
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-07-02 10:20:55 UTC
A commit references this bug:

Author: joneum
Date: Thu Jul  2 10:20:53 UTC 2020
New revision: 541029
URL: https://svnweb.freebsd.org/changeset/ports/541029

Log:
  Update to 4.3.2

  This update contains a security fix for CVE-2020-14196.

  The issue is:

  CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

  In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

  As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.

  PR:		247707
  Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  MFH:		2020Q3
  Security:	641cd669-bc37-11ea-babf-6805ca2fa271
  Sponsored by:	Netzkommune GmbH

Changes:
  head/dns/powerdns-recursor/Makefile
  head/dns/powerdns-recursor/distinfo
  head/dns/powerdns-recursor/files/patch-hostnamemax
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-07-02 10:22:57 UTC
A commit references this bug:

Author: joneum
Date: Thu Jul  2 10:22:07 UTC 2020
New revision: 541030
URL: https://svnweb.freebsd.org/changeset/ports/541030

Log:
  MFH: r541029

  Update to 4.3.2

  This update contains a security fix for CVE-2020-14196.

  The issue is:

  CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

  In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

  As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.

  PR:		247707
  Submitted by:	Ralf van der Enden <tremere@cainites.net> (maintainer)
  Security:	641cd669-bc37-11ea-babf-6805ca2fa271
  Sponsored by:	Netzkommune GmbH

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/dns/powerdns-recursor/Makefile
  branches/2020Q3/dns/powerdns-recursor/distinfo
  branches/2020Q3/dns/powerdns-recursor/files/patch-hostnamemax
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-03 02:14:57 UTC
^Triage: 

- Set security issues (severity: affects many, priority: normal)
- Track merge (merge-quarterly +)