| 1 |
commit: a51a7518f3cf54a0c50b6aca22459b761d6525f7 |
| 2 |
Author: Sven Wegener <swegener <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Nov 27 17:32:22 2017 +0000 |
| 4 |
Commit: Sven Wegener <swegener <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Nov 27 17:36:52 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a51a7518 |
| 7 |
|
| 8 |
net-dns/pdns: Revision bump, security bug #638566 |
| 9 |
|
| 10 |
Package-Manager: Portage-2.3.14, Repoman-2.3.6 |
| 11 |
Signed-off-by: Sven Wegener <swegener <AT> gentoo.org> |
| 12 |
|
| 13 |
net-dns/pdns/Manifest | 4 +- |
| 14 |
net-dns/pdns/files/CVE-2017-15091-4.0.4.patch | 30 +++++ |
| 15 |
net-dns/pdns/pdns-4.0.4-r1.ebuild | 157 ++++++++++++++++++++++++++ |
| 16 |
3 files changed, 189 insertions(+), 2 deletions(-) |
| 17 |
|
| 18 |
diff --git a/net-dns/pdns/Manifest b/net-dns/pdns/Manifest |
| 19 |
index 8e03e0ac8e2..ef4e8b7dced 100644 |
| 20 |
--- a/net-dns/pdns/Manifest |
| 21 |
+++ b/net-dns/pdns/Manifest |
| 22 |
@@ -1,2 +1,2 @@ |
| 23 |
-DIST pdns-4.0.4.tar.bz2 1320327 SHA256 d974ab89de69477c7f581a3233bc731eacbb43d479291e472b2c531c83b6d763 SHA512 4ef4705cd990b03976775167c7c37850d45907e198549feda5f5701172e008e3f1f74a35a9bebdb24b63dec15ff63cb2cc9dfc8f92e4e1012e0539c5a88b845b WHIRLPOOL 5ac68a15155424d42fb4b84be1b34eb2e51498ae5193ae104215e4bb52a72845923f82dc6b112ce165444cdbfe3aaf01557d2f6ab42f6531dd525aee15ee1b19 |
| 24 |
-DIST pdns-4.1.0-rc3.tar.bz2 1112366 SHA256 889e2135ad4fa716afdd762a1c1551881e96f656f4434b0b1dcd57c63e87ffe2 SHA512 19485bf95a68cbe2ac4cc826b44c3a8670f66cedc2ab426c589a3f67d96f70bd6dd297bd95301c29cda10ff9a7e429fa702bdc7368ce08862140d7097013ea7f WHIRLPOOL 2e6e6b0a1b173aaa4ac61ac6b11204b30c2fde527476a218e13e62100d82a14b676075ce76e6b830e4c0e5d7f79c4421df9a4539ff9c0a9c110f9509c2d3a8a4 |
| 25 |
+DIST pdns-4.0.4.tar.bz2 1320327 BLAKE2B 5c11a0245408f8448b41ed4229718e6f7244e0c8f36b60b07c280f82c7dea0065cce93c3814b3a396666be8d3b012ad4eb646cf55f531d22ce325190e0fd6e22 SHA512 4ef4705cd990b03976775167c7c37850d45907e198549feda5f5701172e008e3f1f74a35a9bebdb24b63dec15ff63cb2cc9dfc8f92e4e1012e0539c5a88b845b |
| 26 |
+DIST pdns-4.1.0-rc3.tar.bz2 1112366 BLAKE2B 8ac9d351ffee81a859b68bc66e989ce4c91804ab134ada3e090aed982df31191f5bfc83f7174873ab34b2a1b6be21f2c938874d94ea0e166b060453b746eec13 SHA512 19485bf95a68cbe2ac4cc826b44c3a8670f66cedc2ab426c589a3f67d96f70bd6dd297bd95301c29cda10ff9a7e429fa702bdc7368ce08862140d7097013ea7f |
| 27 |
|
| 28 |
diff --git a/net-dns/pdns/files/CVE-2017-15091-4.0.4.patch b/net-dns/pdns/files/CVE-2017-15091-4.0.4.patch |
| 29 |
new file mode 100644 |
| 30 |
index 00000000000..a9506af8ef9 |
| 31 |
--- /dev/null |
| 32 |
+++ b/net-dns/pdns/files/CVE-2017-15091-4.0.4.patch |
| 33 |
@@ -0,0 +1,30 @@ |
| 34 |
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc |
| 35 |
+--- pdns-4.0.4.orig/pdns/ws-auth.cc 2017-06-22 22:07:25.000000000 +0200 |
| 36 |
++++ pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100 |
| 37 |
+@@ -860,7 +860,7 @@ |
| 38 |
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) { |
| 39 |
+ DNSName zonename = apiZoneIdToName(req->parameters["id"]); |
| 40 |
+ |
| 41 |
+- if(req->method != "PUT") |
| 42 |
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) |
| 43 |
+ throw HttpMethodNotAllowedException(); |
| 44 |
+ |
| 45 |
+ UeberBackend B; |
| 46 |
+@@ -879,7 +879,7 @@ |
| 47 |
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) { |
| 48 |
+ DNSName zonename = apiZoneIdToName(req->parameters["id"]); |
| 49 |
+ |
| 50 |
+- if(req->method != "PUT") |
| 51 |
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) |
| 52 |
+ throw HttpMethodNotAllowedException(); |
| 53 |
+ |
| 54 |
+ UeberBackend B; |
| 55 |
+@@ -1191,7 +1191,7 @@ |
| 56 |
+ } |
| 57 |
+ |
| 58 |
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) { |
| 59 |
+- if(req->method != "PUT") |
| 60 |
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) |
| 61 |
+ throw HttpMethodNotAllowedException(); |
| 62 |
+ |
| 63 |
+ DNSName canon = apiNameToDNSName(req->getvars["domain"]); |
| 64 |
|
| 65 |
diff --git a/net-dns/pdns/pdns-4.0.4-r1.ebuild b/net-dns/pdns/pdns-4.0.4-r1.ebuild |
| 66 |
new file mode 100644 |
| 67 |
index 00000000000..9fa2350de53 |
| 68 |
--- /dev/null |
| 69 |
+++ b/net-dns/pdns/pdns-4.0.4-r1.ebuild |
| 70 |
@@ -0,0 +1,157 @@ |
| 71 |
+# Copyright 1999-2017 Gentoo Foundation |
| 72 |
+# Distributed under the terms of the GNU General Public License v2 |
| 73 |
+ |
| 74 |
+EAPI="6" |
| 75 |
+ |
| 76 |
+inherit eutils multilib user toolchain-funcs versionator |
| 77 |
+ |
| 78 |
+DESCRIPTION="The PowerDNS Daemon" |
| 79 |
+HOMEPAGE="https://www.powerdns.com/" |
| 80 |
+SRC_URI="https://downloads.powerdns.com/releases/${P/_/-}.tar.bz2" |
| 81 |
+ |
| 82 |
+LICENSE="GPL-2" |
| 83 |
+SLOT="0" |
| 84 |
+KEYWORDS="~amd64 ~x86" |
| 85 |
+ |
| 86 |
+# other possible flags: |
| 87 |
+# db2: we lack the dep |
| 88 |
+# oracle: dito (need Oracle Client Libraries) |
| 89 |
+# xdb: (almost) dead, surely not supported |
| 90 |
+ |
| 91 |
+IUSE="botan debug doc geoip ldap libressl lua luajit mydns mysql opendbx postgres protobuf remote sqlite systemd tools tinydns test" |
| 92 |
+ |
| 93 |
+REQUIRED_USE="mydns? ( mysql ) ?? ( lua luajit )" |
| 94 |
+ |
| 95 |
+RDEPEND=" |
| 96 |
+ libressl? ( dev-libs/libressl:= ) |
| 97 |
+ !libressl? ( dev-libs/openssl:= ) |
| 98 |
+ >=dev-libs/boost-1.35:= |
| 99 |
+ botan? ( =dev-libs/botan-1.10*[threads] ) |
| 100 |
+ lua? ( dev-lang/lua:= ) |
| 101 |
+ luajit? ( dev-lang/luajit:= ) |
| 102 |
+ mysql? ( virtual/mysql ) |
| 103 |
+ postgres? ( dev-db/postgresql:= ) |
| 104 |
+ ldap? ( >=net-nds/openldap-2.0.27-r4 ) |
| 105 |
+ sqlite? ( dev-db/sqlite:3 ) |
| 106 |
+ opendbx? ( dev-db/opendbx ) |
| 107 |
+ geoip? ( >=dev-cpp/yaml-cpp-0.5.1 dev-libs/geoip ) |
| 108 |
+ tinydns? ( >=dev-db/tinycdb-0.77 ) |
| 109 |
+ protobuf? ( dev-libs/protobuf )" |
| 110 |
+DEPEND="${RDEPEND} |
| 111 |
+ virtual/pkgconfig |
| 112 |
+ doc? ( app-doc/doxygen )" |
| 113 |
+ |
| 114 |
+S="${WORKDIR}"/${P/_/-} |
| 115 |
+ |
| 116 |
+PATCHES=( |
| 117 |
+ "${FILESDIR}"/CVE-2017-15091-4.0.4.patch |
| 118 |
+) |
| 119 |
+ |
| 120 |
+src_configure() { |
| 121 |
+ local dynmodules="pipe bind" # the default backends, always enabled |
| 122 |
+ |
| 123 |
+ #use db2 && dynmodules+=" db2" |
| 124 |
+ use ldap && dynmodules+=" ldap" |
| 125 |
+ use lua && dynmodules+=" lua" |
| 126 |
+ use mydns && dynmodules+=" mydns" |
| 127 |
+ use mysql && dynmodules+=" gmysql" |
| 128 |
+ use opendbx && dynmodules+=" opendbx" |
| 129 |
+ #use oracle && dynmodules+=" goracle oracle" |
| 130 |
+ use postgres && dynmodules+=" gpgsql" |
| 131 |
+ use remote && dynmodules+=" remote" |
| 132 |
+ use sqlite && dynmodules+=" gsqlite3" |
| 133 |
+ use tinydns && dynmodules+=" tinydns" |
| 134 |
+ use geoip && dynmodules+=" geoip" |
| 135 |
+ #use xdb && dynmodules+=" xdb" |
| 136 |
+ |
| 137 |
+ econf \ |
| 138 |
+ --disable-static \ |
| 139 |
+ --sysconfdir=/etc/powerdns \ |
| 140 |
+ --libdir=/usr/$(get_libdir)/powerdns \ |
| 141 |
+ --with-modules= \ |
| 142 |
+ --with-dynmodules="${dynmodules}" \ |
| 143 |
+ --with-pgsql-includes=/usr/include \ |
| 144 |
+ --with-pgsql-lib=/usr/$(get_libdir) \ |
| 145 |
+ --with-mysql-lib=/usr/$(get_libdir) \ |
| 146 |
+ $(use_enable botan botan1.10) \ |
| 147 |
+ $(use_enable debug verbose-logging) \ |
| 148 |
+ $(use_enable test unit-tests) \ |
| 149 |
+ $(use_enable tools) \ |
| 150 |
+ $(use_enable systemd) \ |
| 151 |
+ $(use_with lua) \ |
| 152 |
+ $(use_with luajit) \ |
| 153 |
+ $(use_with protobuf) \ |
| 154 |
+ ${myconf} |
| 155 |
+} |
| 156 |
+ |
| 157 |
+src_compile() { |
| 158 |
+ default |
| 159 |
+ use doc && emake -C codedocs codedocs |
| 160 |
+} |
| 161 |
+ |
| 162 |
+src_install() { |
| 163 |
+ default |
| 164 |
+ |
| 165 |
+ mv "${D}"/etc/powerdns/pdns.conf{-dist,} |
| 166 |
+ |
| 167 |
+ fperms 0700 /etc/powerdns |
| 168 |
+ fperms 0600 /etc/powerdns/pdns.conf |
| 169 |
+ |
| 170 |
+ # set defaults: setuid=pdns, setgid=pdns |
| 171 |
+ sed -i \ |
| 172 |
+ -e 's/^# set\([ug]\)id=$/set\1id=pdns/g' \ |
| 173 |
+ "${D}"/etc/powerdns/pdns.conf |
| 174 |
+ |
| 175 |
+ newinitd "${FILESDIR}"/pdns-r1 pdns |
| 176 |
+ |
| 177 |
+ keepdir /var/empty |
| 178 |
+ |
| 179 |
+ use doc && dohtml -r codedocs/html/. |
| 180 |
+ |
| 181 |
+ # Install development headers |
| 182 |
+ insinto /usr/include/pdns |
| 183 |
+ doins pdns/*.hh |
| 184 |
+ insinto /usr/include/pdns/backends/gsql |
| 185 |
+ doins pdns/backends/gsql/*.hh |
| 186 |
+ |
| 187 |
+ if use ldap ; then |
| 188 |
+ insinto /etc/openldap/schema |
| 189 |
+ doins "${FILESDIR}"/dnsdomain2.schema |
| 190 |
+ fi |
| 191 |
+ |
| 192 |
+ prune_libtool_files --all |
| 193 |
+} |
| 194 |
+ |
| 195 |
+pkg_preinst() { |
| 196 |
+ enewgroup pdns |
| 197 |
+ enewuser pdns -1 -1 /var/empty pdns |
| 198 |
+} |
| 199 |
+ |
| 200 |
+pkg_postinst() { |
| 201 |
+ elog "PowerDNS provides multiple instances support. You can create more instances" |
| 202 |
+ elog "by symlinking the pdns init script to another name." |
| 203 |
+ elog |
| 204 |
+ elog "The name must be in the format pdns.<suffix> and PowerDNS will use the" |
| 205 |
+ elog "/etc/powerdns/pdns-<suffix>.conf configuration file instead of the default." |
| 206 |
+ |
| 207 |
+ if use ldap ; then |
| 208 |
+ ewarn "The official LDAP backend module is only compile-tested by upstream." |
| 209 |
+ ewarn "Try net-dns/pdns-ldap-backend if you have problems with it." |
| 210 |
+ fi |
| 211 |
+ |
| 212 |
+ local old |
| 213 |
+ for old in ${REPLACING_VERSIONS}; do |
| 214 |
+ version_compare ${old} 3.2 |
| 215 |
+ [[ $? -eq 1 ]] || continue |
| 216 |
+ |
| 217 |
+ ewarn "To fix a security bug (bug #458018) had the following" |
| 218 |
+ ewarn "files/directories the world-readable bit removed (if set):" |
| 219 |
+ ewarn " ${EPREFIX}/etc/powerdns" |
| 220 |
+ ewarn " ${EPREFIX}/etc/powerdns/pdns.conf" |
| 221 |
+ ewarn "Check if this is correct for your setup" |
| 222 |
+ ewarn "This is a one-time change and will not happen on subsequent updates." |
| 223 |
+ chmod o-rwx "${EPREFIX}"/etc/powerdns/{,pdns.conf} |
| 224 |
+ |
| 225 |
+ break |
| 226 |
+ done |
| 227 |
+} |
Archives