author | tron <tron> | 2014-12-16 23:23:22 +0000 |
---|---|---|
committer | tron <tron> | 2014-12-16 23:23:22 +0000 |
commit | c9441175831ca3bad3d2e47f9c9946feed5b46bb (patch) | |
tree | e53f9e66c1ab565e0e14502b0fa78649282eafac | |
parent | 7a24fb77e2dea44c12fe1c6f301a195838adeb0d (diff) | |
download | pkgsrc-c9441175831ca3bad3d2e47f9c9946feed5b46bb.tar.gz |
Pullup ticket #4573 - requested by roy
net/powerdns-recursor: security patch
Revisions pulled up:
- net/powerdns-recursor/Makefile 1.16
- net/powerdns-recursor/distinfo 1.12
- net/powerdns-recursor/patches/patch-CVE-2014-8601 1.1
---
Module Name: pkgsrc
Committed By: roy
Date: Thu Dec 11 20:18:17 UTC 2014
Modified Files:
pkgsrc/net/powerdns-recursor: Makefile distinfo
Added Files:
pkgsrc/net/powerdns-recursor/patches: patch-CVE-2014-8601
Log Message:
Add upstream patch to fix CVE-2014-8601.
Remove myself as maintainer.
-rw-r--r-- | net/powerdns-recursor/Makefile | 6 | ||||
-rw-r--r-- | net/powerdns-recursor/distinfo | 3 | ||||
-rw-r--r-- | net/powerdns-recursor/patches/patch-CVE-2014-8601 | 60 |
3 files changed, 65 insertions, 4 deletions
diff --git a/net/powerdns-recursor/Makefile b/net/powerdns-recursor/Makefile
index 5d293b69a7f..bfa1ee61ff9 100644
--- a/net/powerdns-recursor/Makefile
+++ b/net/powerdns-recursor/Makefile
@@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.14 2014/05/03 13:01:24 alnsn Exp $
+# $NetBSD: Makefile,v 1.14.4.1 2014/12/16 23:23:22 tron Exp $
 #
 DISTNAME= pdns-recursor-3.3
-PKGREVISION= 3
+PKGREVISION= 5
 CATEGORIES= net
 MASTER_SITES= http://downloads.powerdns.com/releases/
 EXTRACT_SUFX= .tar.bz2
-MAINTAINER= roy@NetBSD.org
+MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.powerdns.com/
 COMMENT= PowerDNS resolver/recursing nameserver
 LICENSE= gnu-gpl-v2
diff --git a/net/powerdns-recursor/distinfo b/net/powerdns-recursor/distinfo
index 6e498b052dd..4716191279a 100644
--- a/net/powerdns-recursor/distinfo
+++ b/net/powerdns-recursor/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.11 2013/06/27 10:56:22 wiz Exp $
+$NetBSD: distinfo,v 1.11.12.1 2014/12/16 23:23:22 tron Exp $
 SHA1 (pdns-recursor-3.3.tar.bz2) = 2f42955b8b8de355709e9072da2d5dbfadd7ffac
 RMD160 (pdns-recursor-3.3.tar.bz2) = 17bd7ac68892c3fca218c3dc3e70074dd9e748d6
 Size (pdns-recursor-3.3.tar.bz2) = 145785 bytes
+SHA1 (patch-CVE-2014-8601) = dae3dec54e53022183a8889eb1c741b00d08cd0b
 SHA1 (patch-Makefile) = 840d0be6dd7decf4b037efc4f9da05a97815ce8e
 SHA1 (patch-brg_endian.h) = 2fb9d3231e969b2be57d160b0952e11091ae6e26
 SHA1 (patch-cachecleaner.hh) = e9a9ade3fe63160eb897df959f6921b791122499
diff --git a/net/powerdns-recursor/patches/patch-CVE-2014-8601 b/net/powerdns-recursor/patches/patch-CVE-2014-8601
new file mode 100644
index 00000000000..03e70358999
--- /dev/null
+++ b/net/powerdns-recursor/patches/patch-CVE-2014-8601
@@ -0,0 +1,60 @@
+$NetBSD: patch-CVE-2014-8601,v 1.1.2.2 2014/12/16 23:23:22 tron Exp $
+
+Upstream backported fix for CVE-2014-8601
+
+commit 62d189c81359c70821523d7ba9831d0f6e57b012
+Author: Your Name <you@example.com>
+Date: Tue Dec 2 08:50:41 2014 +0000
+
+ backport query limiter to 3.3
+
+diff --git pdns_recursor.cc pdns_recursor.cc
+index 0f9b08f..3bb71e0 100644
+--- pdns_recursor.cc
++++ pdns_recursor.cc
+@@ -522,7 +522,14 @@ void startDoResolve(void *p)
+ bool variableAnswer = false;
+ // if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
+ if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
+- res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
++ try {
++ res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
++ }
++ catch(ImmediateServFailException &e) {
++ L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
++
++ res = RCode::ServFail;
++ }
+
+ if(t_pdl->get()) {
+ if(res == RCode::NXDomain)
+diff --git a/syncres.cc b/syncres.cc
+index 4b05acf..08b2930 100644
+--- syncres.cc
++++ syncres.cc
+@@ -874,6 +874,7 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
+ }
+ else {
+ s_outqueries++; d_outqueries++;
++ if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
+ TryTCP:
+ if(doTCP) {
+ LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
+diff --git a/syncres.hh b/syncres.hh
+index e3249d2..6c151e0 100644
+--- syncres.hh
++++ syncres.hh
+@@ -502,6 +502,13 @@ private:
+ static AtomicCounter s_currentConnections; //!< total number of current TCP connections
+ };
+
++class ImmediateServFailException
++{
++public:
++ ImmediateServFailException(string r){reason=r;};
++
++ string reason; //! Print this to tell the user what went wrong
++};
+
+ struct RemoteKeeper
+ { |
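Review bot: The `ImmediateServFailException` thrown from `SyncRes::doResolveAt` is handled only by the `try` around `sr.beginResolve` in `startDoResolve`, and the class has no `std::exception` base, so any other caller that reaches `doResolveAt` would need its own handler or a catch-all; none is visible here (both function bodies continue outside the embedded hunks), so this is worth confirming against the 3.3 tree. The handler also writes one `Logger::Error` line per rejected query, carrying the client-supplied name twice (once directly, once inside `e.reason`); since remote clients can reach this condition on purpose, rate-limiting that message or lowering its level would keep the mitigation from becoming a log-volume problem. The limit `50` is a literal repeated in the condition and in the message text, so a named constant would keep the two in sync. Minor style: catch by `const ImmediateServFailException &` and take the constructor argument as `const string &`.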