
[alpine-aports] [PATCH v3.5] community/pdns: security upgrade to 4.0.3 - fixes #7044

Details
Message ID
<20170403103349.4457-1-sergej.lukin@gmail.com>
Sender timestamp
1491215629
DKIM signature
missing
Patch: +14 -55
CVE-2016-2120: Crafted zone record can cause a denial of service
CVE-2016-7068: Crafted queries can cause abnormal CPU usage
CVE-2016-7072: Denial of service via the web server
CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures
---
 community/pdns/APKBUILD       | 23 +++++++++++++---------
 community/pdns/libressl.patch | 46 -------------------------------------------
 2 files changed, 14 insertions(+), 55 deletions(-)
 delete mode 100644 community/pdns/libressl.patch

diff --git a/community/pdns/APKBUILD b/community/pdns/APKBUILD
index 7720d0ae4c..bda1ef2aa7 100644
--- a/community/pdns/APKBUILD
+++ b/community/pdns/APKBUILD
@@ -1,10 +1,11 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Contributor: Matt Smith <mcs@darkregion.net>
# Contributor: Olivier Mauras <olivier@mauras.ch>
# Maintainer:  Matt Smith <mcs@darkregion.net>
pkgname=pdns
pkgver=4.0.1
pkgrel=1
pkgver=4.0.3
pkgrel=0
pkgdesc="PowerDNS Authoritative Server"
url="http://www.powerdns.com/"
arch="all"
@@ -25,11 +26,18 @@ subpackages="$pkgname-doc
pkgusers="pdns"
pkggroups="pdns"
source="http://downloads.powerdns.com/releases/pdns-$pkgver.tar.bz2
	libressl.patch
	pdns.initd
	pdns.conf
	"

# secfixes:
#   4.0.3-r0:
#   - CVE-2016-2120
#   - CVE-2016-7068
#   - CVE-2016-7072
#   - CVE-2016-7073
#   - CVE-2016-7074

_builddir="$srcdir/$pkgname-$pkgver"

prepare() {
@@ -92,15 +100,12 @@ _mv_backend() {
		"$subpkgdir"/usr/lib/pdns/pdns/ || return 1
}

md5sums="d34a390672aa043f8a287e5bb2284f4a  pdns-4.0.1.tar.bz2
262a16352b63b3bb89eda6ff01292f52  libressl.patch
md5sums="bbb1ebed50edc0f2127d6c4331c1429a  pdns-4.0.3.tar.bz2
db11dfe72474858f706155c817f2ded5  pdns.initd
351bac7f784a1a40e768466d9e6f1a79  pdns.conf"
sha256sums="d191eed4a6664430e85969f49835c59e810ecbb7b3eb506e64c6b2734091edd7  pdns-4.0.1.tar.bz2
81b86dca30af161d0bb6f944e7e89b84f21494bf9534c2a223baff71cd84f53e  libressl.patch
sha256sums="60fa21550b278b41f58701af31c9f2b121badf271fb9d7642f6d35bfbea8e282  pdns-4.0.3.tar.bz2
081835f812e419b153a9cc716ad55b9cb22c6c185b748e0aafc40430fa5e8b5e  pdns.initd
5fdf423f829dca0b50bc81bab773d7ec4ee6627e35f861124d8c2ccd79a2f50c  pdns.conf"
sha512sums="77fce9963a05198afeb569f92fbb0f6a1cb3426c28dd77b0921128189c80d9a72ebdbfc249dfc0b5b89cc7a65a83887a0388d6cc3461453b1e3096e563afdd1e  pdns-4.0.1.tar.bz2
21e88422c6a7cd7d9fbe0de972f85d7ea6e5c3b63e96d742d5cbee99de21f35a1ccd5cdde713a31a932414cc9e43d1b20dcd8d9cfd8f9ce3827915d03f6ba497  libressl.patch
sha512sums="58d33ac6cf457a916bae6abd8d2dc17f76fbcd1bd9e649948584dd669f5596b43e3e4d91841700ea1ea2cd1ac102749e503cd9075273540f33a2321e20d8bfc2  pdns-4.0.3.tar.bz2
71257be925fe57b15ebf29a7810cd70581cb867416ab9562300a1bbc3eb94fcb92ea2eb95f15e3ee3bd409468911077c50f90a2501801b0c8c49ed979f41f3a4  pdns.initd
9913551bb4d685aaced806134b1037d85ce759e7d9e780e256e67651d9d346aad5e608b4a45a4933f0ba879605b69d06e579c38b7f917f7a9be37c7797c5953b  pdns.conf"
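Review bot: The `source=` entry kept as context in the second hunk still fetches `pdns-$pkgver.tar.bz2` over plain `http://`, so the new 4.0.3 md5/sha256/sha512 values in the last hunk are only as trustworthy as the copy the contributor happened to download and hash. For a security upgrade I would change that line to `source="https://downloads.powerdns.com/releases/pdns-$pkgver.tar.bz2` (assuming upstream serves the release directory over TLS) and check the tarball against upstream's published signature or checksum before recording the sums. Separately, `libressl.patch` is dropped from `source=`; presumably 4.0.3 already carries that fix, but a test build of this v3.5 backport against the branch's TLS library would confirm it before the advisory fixes ship.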
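--- a/community/pdns/libressl.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 115f658ee2000a4cdcc13e999da50b3634c6a907 Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <remi.gacogne@powerdns.com>
-Date: Fri, 12 Aug 2016 09:52:08 +0200
-Subject: [PATCH] Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is
- irrelevant
-
----
- pdns/dns_random.cc     | 4 ++--
- pdns/opensslsigners.cc | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/pdns/dns_random.cc b/pdns/dns_random.cc
-index 623e3aa..4a8ef82 100644
----- a/pdns/dns_random.cc
-+++ b/pdns/dns_random.cc
-@@ -2,7 +2,7 @@
- #include "config.h"
- #endif
- #include <openssl/aes.h>
--#if OPENSSL_VERSION_NUMBER > 0x1000100fL
-+#if OPENSSL_VERSION_NUMBER > 0x1000100fL && !defined LIBRESSL_VERSION_NUMBER
- // Older OpenSSL does not have CRYPTO_ctr128_encrypt. Before 1.1.0 the header
- // file did not have the necessary extern "C" wrapper. In 1.1.0, AES_ctr128_encrypt
- // was removed.
-@@ -53,7 +53,7 @@ unsigned int dns_random(unsigned int n)
-   if(!g_initialized)
-     abort();
-   uint32_t out;
--#if OPENSSL_VERSION_NUMBER > 0x1000100fL
-+#if OPENSSL_VERSION_NUMBER > 0x1000100fL && !defined LIBRESSL_VERSION_NUMBER
-   CRYPTO_ctr128_encrypt((const unsigned char*)&g_in, (unsigned char*) &out, sizeof(g_in), &aes_key, g_counter, g_stream, &g_offset, (block128_f) AES_encrypt);
- #else
-   AES_ctr128_encrypt((const unsigned char*)&g_in, (unsigned char*) &out, sizeof(g_in), &aes_key, g_counter, g_stream, &g_offset);
-diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
-index 3496992..18b78cd 100644
----- a/pdns/opensslsigners.cc
-+++ b/pdns/opensslsigners.cc
-@@ -12,7 +12,7 @@
- #include "opensslsigners.hh"
- #include "dnssecinfra.hh"
- 
--#if OPENSSL_VERSION_NUMBER < 0x1010000fL
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || defined LIBRESSL_VERSION_NUMBER)
- /* OpenSSL < 1.1.0 needs support for threading/locking in the calling application. */
- static pthread_mutex_t *openssllocks;
-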
-- 
2.11.1


