Bug 294225 - dns/dnsdist: update to 2.0.3 (security)
Summary: dns/dnsdist: update to 2.0.3 (security)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Yusuf Yaman
URL: https://blog.powerdns.com/2026/03/31/...
Keywords:
Depends on:
Blocks:
 
Reported: 2026-04-03 08:57 UTC by Jordan Ostreff
Modified: 2026-04-10 20:24 UTC (History)

See Also:
tremere: maintainer-feedback+
osa: maintainer-feedback+
nxjoseph: merge-quarterly+


Attachments
upgrade to 2.0.3 (17.27 KB, patch)
2026-04-03 08:57 UTC, Jordan Ostreff
no flags
Update dnsdist to 2.0.3 (4.59 KB, patch)
2026-04-03 10:09 UTC, Ralf van der Enden
tremere: maintainer-approval?
Maintainer's patch with some adjustments (5.86 KB, patch)
2026-04-05 16:17 UTC, Yusuf Yaman
no flags
0001-security-vuxml-Add-DNSdist-vulnerabilities.patch (2.22 KB, patch)
2026-04-10 17:41 UTC, Yusuf Yaman
no flags

Description Jordan Ostreff 2026-04-03 08:57:32 UTC
Created attachment 269334
upgrade to 2.0.3

Here is my proposal for the update. Rust/Cargo components updated to the latest versions supported by dnsdist.
Tested on amd64 stable/15 FreeBSD.

The issues fixed in these releases are:

CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
CVE-2026-27854: Denial of service when using DNSQuestion:getEDNSOptions method in custom Lua code
Comment 1 Ralf van der Enden 2026-04-03 10:09:11 UTC
Created attachment 269338
Update dnsdist to 2.0.3

It should not be necessary to update crates manually. Just use whatever 'make cargo-crates' generates and put that into 'Makefile.crate'.

distinfo contained a leftover entry from an upstream commit which this patch cleans up.
Comment 2 Jordan Ostreff 2026-04-03 10:44:04 UTC
(In reply to Ralf van der Enden from comment #1)
It's exactly what I've done:
make extract
cd work/dnsdist-2.0.3/dnsdist-rust-lib/rust/
cargo update
cd ../../../..
make cargo-crates > Makefile.crates
make makesum
Comment 3 Jordan Ostreff 2026-04-03 10:50:27 UTC
Tested version with updated rust/cargo components versions also on 14.4-RELEASE-p1.
Comment 4 Ralf van der Enden 2026-04-03 10:54:38 UTC
(In reply to Jordan Ostreff from comment #2)
You should not run cargo update yourself. This should only be done by upstream.

So with a clean port directory you just run 'make cargo-crates > Makefile.crates' and you should be set. If upstream decides to update crates (in for example 2.0.4), those will be picked up running just that.
Comment 5 Jordan Ostreff 2026-04-03 11:26:51 UTC
(In reply to Ralf van der Enden from comment #4)

I understand what my mistake was. I believed it was better to do this on every update of PORTVERSION.

Thanks for the explanation.
Comment 6 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-05 16:16:13 UTC
Hi,

Thank you for the collaboration!

I have tested the patch (not runtime, but build) in Poudriere (14.3-RELEASE-p9, amd64, main(c927d063a7ee)) and it seems OK.

However, hopefully I did a bit of improvement to Makefile over the maintainer's patch.

```
-DISTFILES=     ${DISTNAME}${EXTRACT_SUFX}
+DISTFILES+=    ${DISTNAME}${EXTRACT_SUFX}
...
-.include <bsd.port.pre.mk>
+.include <bsd.port.options.mk>
...
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
```
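Review bot: the elided region between the two .include lines is what decides whether the pre.mk/post.mk to options.mk swap is safe; bsd.port.options.mk is sufficient when the code between the includes only tests PORT_OPTIONS, as a plain options-conditional block does, and comment 11 confirms the port builds the same with it.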

1. The DISTFILES= => DISTFILES+= change reduces portlint warnings from 4 to just 2. I'd like to also solve the warning about IPCIPHER but could not figure it out; harmless, I guess.

BEFORE:
```
$ portlint -AC
WARN: /home/yusuf/doc/git/ports/dns/dnsdist/pkg-descr: exceeds 24 lines, make it shorter if possible.(currently 27 lines)
WARN: Makefile: IPCIPHER is listed in OPTIONS_DEFINE, but no PORT_OPTIONS:MIPCIPHER appears.
WARN: Makefile: use of DISTFILES with single file is discouraged. distribution filename should be set by DISTNAME and EXTRACT_SUFX.
WARN: Makefile: DISTFILES/DISTNAME affects WRKSRC. take caution when changing them.
0 fatal errors and 4 warnings found.
```

AFTER:
```
$ portlint -AC
WARN: /home/yusuf/doc/git/ports/dns/dnsdist/pkg-descr: exceeds 24 lines, make it shorter if possible.(currently 27 lines)
WARN: Makefile: IPCIPHER is listed in OPTIONS_DEFINE, but no PORT_OPTIONS:MIPCIPHER appears.
0 fatal errors and 2 warnings found.
```

2. I think it is advised to use <bsd.port.options.mk> rather than <bsd.port.pre.mk> and <bsd.port.post.mk>.

I need to ask for approval from my mentors first.

Thanks.
Comment 7 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-05 16:17:07 UTC
Created attachment 269392
Maintainer's patch with some adjustments
Comment 8 Ralf van der Enden 2026-04-07 06:58:03 UTC
(In reply to Yusuf Yaman from comment #7)
Hi Yusuf,

I don't understand the IPCIPHER warning either. It's probably because there's only a MESON_ENABLED line option, as the other ones all also have at least a LIB_DEPENDS line. Probably something to do with how portlint performs those checks.

As for the DISTFILES and .mk changes... it works as it is, but if that's best practice, by all means change it. Since the port uses crates I have to use DISTFILES, or the main tarball won't be included.
Comment 9 Ralf van der Enden 2026-04-07 07:08:40 UTC
To get rid of the IPCIPHER warning I added the following to the 'my @options_helpers' array in portlint:

MESON_OFF
MESON_ON
MESON_DISABLED
MESON_ENABLED
MESON_NO
MESON_YES
Comment 10 Ralf van der Enden 2026-04-07 07:49:17 UTC
(In reply to Ralf van der Enden from comment #9)
I forgot to add MESON_FALSE and MESON_TRUE to that list.
Comment 11 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 10:43:54 UTC
(In reply to Ralf van der Enden from comment #8)

> I don't understand the IPCIPHER warning either. It's probably because
> there's only a MESON_ENABLED line option, as the other ones all also have
> at least a LIB_DEPENDS line. Probably something to do with how portlint
> performs those checks.
Yeah, guess so.

> As for the DISTFILES and .mk changes... it works as it is, but if that's
> best practice, by all means change it. Since the port uses crates I have
> to use DISTFILES, or the main tarball won't be included.
Daniel Engberg (diizzy@) told me to use <bsd.port.options.mk> instead where possible. In this case it works the same as before, and with the DISTFILES= -> DISTFILES+= change it reduces portlint warnings.
Comment 12 Ralf van der Enden 2026-04-09 04:48:11 UTC
I tried setting the maintainer approval flag on your patch, but for some reason cannot. Also cannot remove the flag from my own patch.

But yours works fine, so consider this comment as my approval for yours.
Comment 13 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-10 17:41:17 UTC
Created attachment 269593
0001-security-vuxml-Add-DNSdist-vulnerabilities.patch

(In reply to Ralf van der Enden from comment #12)
Thanks.

I have created a security/vuxml entry for the security issues.
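For readers who have not written one, this is the shape a security/vuxml `<vuln>` entry for these issues takes. It is an illustration added here, not the entry that was committed in this PR: the `vid` is a placeholder (real entries use a freshly generated UUID), the affected range is assumed to be every dnsdist package version below 2.0.3, the discovery date is taken from the release-notes URL on this page and the entry date from the commit date, and the descriptions are shortened from the CVE list in the bug description.

```xml
<!-- Added illustration of a vuxml entry; the vid below is a placeholder, not a real UUID. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>dnsdist -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>dnsdist</name>
      <!-- assumption: all port versions before 2.0.3 are affected -->
      <range><lt>2.0.3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>PowerDNS reports:</p>
      <blockquote cite="https://blog.powerdns.com/2026/03/31/powerdns-dnsdist-1.9.12-and-2.0.3-released">
        <p>CVE-2026-0396: HTML injection into the internal web dashboard via crafted
          DNS queries when domain-based dynamic rules are enabled.</p>
        <p>CVE-2026-0397: An administrator logged in to the dashboard can be tricked
          into leaking running-configuration details to a malicious website.</p>
        <p>CVE-2026-24028: Out-of-bounds read from a crafted DNS response when
          custom Lua code parses packets with newDNSPacketOverlay.</p>
        <p>CVE-2026-24029: The ACL check is skipped on a DoH frontend using the
          nghttp2 provider when early_acl_drop is disabled.</p>
        <p>CVE-2026-24030: Excessive memory allocation while processing DoQ or
          DoH3 payloads, leading to denial of service.</p>
        <p>CVE-2026-27853: Out-of-bounds write from crafted DNS responses when
          custom Lua code uses the changeName methods.</p>
        <p>CVE-2026-27854: Denial of service when custom Lua code uses
          DNSQuestion:getEDNSOptions.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2026-0396</cvename>
    <cvename>CVE-2026-0397</cvename>
    <cvename>CVE-2026-24028</cvename>
    <cvename>CVE-2026-24029</cvename>
    <cvename>CVE-2026-24030</cvename>
    <cvename>CVE-2026-27853</cvename>
    <cvename>CVE-2026-27854</cvename>
    <url>https://www.dnsdist.org/changelog.html#change-2.0.3</url>
  </references>
  <dates>
    <discovery>2026-03-31</discovery>
    <entry>2026-04-10</entry>
  </dates>
</vuln>
```

The `<range>` is what `pkg audit` matches installed package versions against, so getting it right matters more than the prose: a range that is too narrow leaves vulnerable installs unreported, one that is too wide flags fixed builds. A real entry is validated with `make validate` in security/vuxml before it is committed.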
Comment 14 commit-hook freebsd_committer freebsd_triage 2026-04-10 20:21:40 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0ad58b7e668391fc44e965e211f4a86eeb87b808

commit 0ad58b7e668391fc44e965e211f4a86eeb87b808
Author:     Ralf van der Enden <tremere@cainites.net>
AuthorDate: 2026-03-31 12:46:29 +0000
Commit:     Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-10 20:20:08 +0000

    dns/dnsdist: Update 2.0.2 => 2.0.3 (security)

    While here:
    * Drop backported patch since they're in new release
    * Reduce portlint warnings by using increment for DISTFILES
    * Use <bsd.port.options.mk> instead of <bsd.port.{pre,post}.mk>

    Release notes:
    https://blog.powerdns.com/2026/03/31/powerdns-dnsdist-1.9.12-and-2.0.3-released
    Changelog:
    https://www.dnsdist.org/changelog.html#change-2.0.3

    PR:             294225
    Reported by:    Jordan Ostreff <jordan@ostreff.info>
    Approved by:    Ralf van der Enden <tremere@cainites.net> (maintainer)
    Approved by:    osa (mentor)
    Security:       CVE-2026-0396
    Security:       CVE-2026-0397
    Security:       CVE-2026-24028
    Security:       CVE-2026-24029
    Security:       CVE-2026-24030
    Security:       CVE-2026-27853
    Security:       CVE-2026-27854
    MFH:            2026Q2

 dns/dnsdist/Makefile                          |  9 +++--
 dns/dnsdist/distinfo                          |  8 ++---
 dns/dnsdist/files/patch-dnsdist-lua.cc (gone) | 50 ---------------------------
 3 files changed, 7 insertions(+), 60 deletions(-)
Comment 15 commit-hook freebsd_committer freebsd_triage 2026-04-10 20:21:42 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=050b652ec0a002f88a1373b816ef2b7d7b53756b

commit 050b652ec0a002f88a1373b816ef2b7d7b53756b
Author:     Yusuf Yaman <nxjoseph@FreeBSD.org>
AuthorDate: 2026-04-10 17:39:31 +0000
Commit:     Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-10 20:20:08 +0000

    security/vuxml: Add DNSdist vulnerabilities

    PR:             294225
    Approved by:    osa (mentor)

 security/vuxml/vuln/2026.xml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
Comment 16 commit-hook freebsd_committer freebsd_triage 2026-04-10 20:22:43 UTC
A commit in branch 2026Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=96b44b2bde8ca0e82f933deeb0b39f5af21396ee

commit 96b44b2bde8ca0e82f933deeb0b39f5af21396ee
Author:     Ralf van der Enden <tremere@cainites.net>
AuthorDate: 2026-03-31 12:46:29 +0000
Commit:     Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-10 20:21:33 +0000

    dns/dnsdist: Update 2.0.2 => 2.0.3 (security)

    While here:
    * Drop backported patch since they're in new release
    * Reduce portlint warnings by using increment for DISTFILES
    * Use <bsd.port.options.mk> instead of <bsd.port.{pre,post}.mk>

    Release notes:
    https://blog.powerdns.com/2026/03/31/powerdns-dnsdist-1.9.12-and-2.0.3-released
    Changelog:
    https://www.dnsdist.org/changelog.html#change-2.0.3

    PR:             294225
    Reported by:    Jordan Ostreff <jordan@ostreff.info>
    Approved by:    Ralf van der Enden <tremere@cainites.net> (maintainer)
    Approved by:    osa (mentor)
    Security:       CVE-2026-0396
    Security:       CVE-2026-0397
    Security:       CVE-2026-24028
    Security:       CVE-2026-24029
    Security:       CVE-2026-24030
    Security:       CVE-2026-27853
    Security:       CVE-2026-27854
    MFH:            2026Q2

    (cherry picked from commit 0ad58b7e668391fc44e965e211f4a86eeb87b808)

 dns/dnsdist/Makefile                          |  9 +++--
 dns/dnsdist/distinfo                          |  8 ++---
 dns/dnsdist/files/patch-dnsdist-lua.cc (gone) | 50 ---------------------------
 3 files changed, 7 insertions(+), 60 deletions(-)
Comment 17 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-10 20:24:52 UTC
Committed, thanks!