
[alpine-aports] [PATCH v3.5] community/pdns: security upgrade to 4.0.3 - fixes #7044

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Mon, 3 Apr 2017 10:33:49 +0000

CVE-2016-2120: Crafted zone record can cause a denial of service
CVE-2016-7068: Crafted queries can cause abnormal CPU usage
CVE-2016-7072: Denial of service via the web server
CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
---
 community/pdns/APKBUILD       | 23 +++++++++++++---------
 community/pdns/libressl.patch | 46 -------------------------------------------
 2 files changed, 14 insertions(+), 55 deletions(-)
 delete mode 100644 community/pdns/libressl.patch
diff --git a/community/pdns/APKBUILD b/community/pdns/APKBUILD
index 7720d0ae4c..bda1ef2aa7 100644
--- a/community/pdns/APKBUILD
+++ b/community/pdns/APKBUILD
_at_@ -1,10 +1,11 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Contributor: Ɓukasz Jendrysik <scadu_at_yandex.com>
 # Contributor: Matt Smith <mcs_at_darkregion.net>
 # Contributor: Olivier Mauras <olivier_at_mauras.ch>
 # Maintainer:  Matt Smith <mcs_at_darkregion.net>
 pkgname=pdns
-pkgver=4.0.1
-pkgrel=1
+pkgver=4.0.3
+pkgrel=0
 pkgdesc="PowerDNS Authoritative Server"
 url="http://www.powerdns.com/"
 arch="all"
_at_@ -25,11 +26,18 @@ subpackages="$pkgname-doc
 pkgusers="pdns"
 pkggroups="pdns"
 source="http://downloads.powerdns.com/releases/pdns-$pkgver.tar.bz2
-	libressl.patch
 	pdns.initd
 	pdns.conf
 	"
 
+# secfixes:
+#   4.0.3-r0:
+#   - CVE-2016-2120
+#   - CVE-2016-7068
+#   - CVE-2016-7072
+#   - CVE-2016-7073
+#   - CVE-2016-7074
+
 _builddir="$srcdir/$pkgname-$pkgver"
 
 prepare() {
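Review bot: `libressl.patch` is dropped from `source=` without any explanation in the commit message or the APKBUILD. The patch was presumably carried because this branch builds pdns against LibreSSL, so it is worth confirming that the 4.0.3 tarball already contains upstream commit 115f658ee2 (the one the deleted file reproduces), including the `LIBRESSL_VERSION_NUMBER` guards in `pdns/dns_random.cc` and `pdns/opensslsigners.cc`. A one-line comment such as `# libressl.patch dropped: included upstream as of 4.0.3` would record that. `prepare()` starts on the last line of this hunk and its body is not visible, so check that it does not still apply the patch by name.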
_at_@ -92,15 +100,12 @@ _mv_backend() {
 		"$subpkgdir"/usr/lib/pdns/pdns/ || return 1
 }
 
-md5sums="d34a390672aa043f8a287e5bb2284f4a  pdns-4.0.1.tar.bz2
-262a16352b63b3bb89eda6ff01292f52  libressl.patch
+md5sums="bbb1ebed50edc0f2127d6c4331c1429a  pdns-4.0.3.tar.bz2
 db11dfe72474858f706155c817f2ded5  pdns.initd
 351bac7f784a1a40e768466d9e6f1a79  pdns.conf"
-sha256sums="d191eed4a6664430e85969f49835c59e810ecbb7b3eb506e64c6b2734091edd7  pdns-4.0.1.tar.bz2
-81b86dca30af161d0bb6f944e7e89b84f21494bf9534c2a223baff71cd84f53e  libressl.patch
+sha256sums="60fa21550b278b41f58701af31c9f2b121badf271fb9d7642f6d35bfbea8e282  pdns-4.0.3.tar.bz2
 081835f812e419b153a9cc716ad55b9cb22c6c185b748e0aafc40430fa5e8b5e  pdns.initd
 5fdf423f829dca0b50bc81bab773d7ec4ee6627e35f861124d8c2ccd79a2f50c  pdns.conf"
-sha512sums="77fce9963a05198afeb569f92fbb0f6a1cb3426c28dd77b0921128189c80d9a72ebdbfc249dfc0b5b89cc7a65a83887a0388d6cc3461453b1e3096e563afdd1e  pdns-4.0.1.tar.bz2
-21e88422c6a7cd7d9fbe0de972f85d7ea6e5c3b63e96d742d5cbee99de21f35a1ccd5cdde713a31a932414cc9e43d1b20dcd8d9cfd8f9ce3827915d03f6ba497  libressl.patch
+sha512sums="58d33ac6cf457a916bae6abd8d2dc17f76fbcd1bd9e649948584dd669f5596b43e3e4d91841700ea1ea2cd1ac102749e503cd9075273540f33a2321e20d8bfc2  pdns-4.0.3.tar.bz2
 71257be925fe57b15ebf29a7810cd70581cb867416ab9562300a1bbc3eb94fcb92ea2eb95f15e3ee3bd409468911077c50f90a2501801b0c8c49ed979f41f3a4  pdns.initd
 9913551bb4d685aaced806134b1037d85ce759e7d9e780e256e67651d9d346aad5e608b4a45a4933f0ba879605b69d06e579c38b7f917f7a9be37c7797c5953b  pdns.conf"
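Review bot: The new `pdns-4.0.3.tar.bz2` digests are the only integrity check on the tarball, because the `source=` line fetches it over plain `http://`. Nothing in the patch shows how they were produced, so they should be compared against a copy verified with upstream's release signature (if one is published) rather than a copy fetched over the same unauthenticated channel. If the host serves TLS, I would also change the source line to `source="https://downloads.powerdns.com/releases/pdns-$pkgver.tar.bz2`. The `md5sums` block adds no assurance beyond the `sha512sums` entry, which is the one that should be checked.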
diff --git a/community/pdns/libressl.patch b/community/pdns/libressl.patch
deleted file mode 100644
index 0fecb70814..0000000000
--- a/community/pdns/libressl.patch
+++ /dev/null
_at_@ -1,46 +0,0 @@
-From 115f658ee2000a4cdcc13e999da50b3634c6a907 Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <remi.gacogne_at_powerdns.com>
-Date: Fri, 12 Aug 2016 09:52:08 +0200
-Subject: [PATCH] Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is
- irrelevant
-
----
- pdns/dns_random.cc     | 4 ++--
- pdns/opensslsigners.cc | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/pdns/dns_random.cc b/pdns/dns_random.cc
-index 623e3aa..4a8ef82 100644
---- a/pdns/dns_random.cc
-+++ b/pdns/dns_random.cc
-_at_@ -2,7 +2,7 @@
- #include "config.h"
- #endif
- #include <openssl/aes.h>
--#if OPENSSL_VERSION_NUMBER > 0x1000100fL
-+#if OPENSSL_VERSION_NUMBER > 0x1000100fL && !defined LIBRESSL_VERSION_NUMBER
- // Older OpenSSL does not have CRYPTO_ctr128_encrypt. Before 1.1.0 the header
- // file did not have the necessary extern "C" wrapper. In 1.1.0, AES_ctr128_encrypt
- // was removed.
-_at_@ -53,7 +53,7 @@ unsigned int dns_random(unsigned int n)
-   if(!g_initialized)
-     abort();
-   uint32_t out;
--#if OPENSSL_VERSION_NUMBER > 0x1000100fL
-+#if OPENSSL_VERSION_NUMBER > 0x1000100fL && !defined LIBRESSL_VERSION_NUMBER
-   CRYPTO_ctr128_encrypt((const unsigned char*)&g_in, (unsigned char*) &out, sizeof(g_in), &aes_key, g_counter, g_stream, &g_offset, (block128_f) AES_encrypt);
- #else
-   AES_ctr128_encrypt((const unsigned char*)&g_in, (unsigned char*) &out, sizeof(g_in), &aes_key, g_counter, g_stream, &g_offset);
-diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
-index 3496992..18b78cd 100644
---- a/pdns/opensslsigners.cc
-+++ b/pdns/opensslsigners.cc
-_at_@ -12,7 +12,7 @@
- #include "opensslsigners.hh"
- #include "dnssecinfra.hh"
- 
--#if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || defined LIBRESSL_VERSION_NUMBER)
- /* OpenSSL < 1.1.0 needs support for threading/locking in the calling application. */
- static pthread_mutex_t *openssllocks;
- 
-- 
2.11.1