commit: a51a7518f3cf54a0c50b6aca22459b761d6525f7 |
Author: Sven Wegener <swegener <AT> gentoo <DOT> org> |
AuthorDate: Mon Nov 27 17:32:22 2017 +0000 |
Commit: Sven Wegener <swegener <AT> gentoo <DOT> org> |
CommitDate: Mon Nov 27 17:36:52 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a51a7518 |
|
net-dns/pdns: Revision bump, security bug #638566 |
|
Package-Manager: Portage-2.3.14, Repoman-2.3.6 |
Signed-off-by: Sven Wegener <swegener <AT> gentoo.org> |
|
net-dns/pdns/Manifest | 4 +- |
net-dns/pdns/files/CVE-2017-15091-4.0.4.patch | 30 +++++ |
net-dns/pdns/pdns-4.0.4-r1.ebuild | 157 ++++++++++++++++++++++++++ |
3 files changed, 189 insertions(+), 2 deletions(-) |
|
18 |
diff --git a/net-dns/pdns/Manifest b/net-dns/pdns/Manifest |
19 |
index 8e03e0ac8e2..ef4e8b7dced 100644 |
20 |
--- a/net-dns/pdns/Manifest |
21 |
+++ b/net-dns/pdns/Manifest |
22 |
@@ -1,2 +1,2 @@ |
23 |
-DIST pdns-4.0.4.tar.bz2 1320327 SHA256 d974ab89de69477c7f581a3233bc731eacbb43d479291e472b2c531c83b6d763 SHA512 4ef4705cd990b03976775167c7c37850d45907e198549feda5f5701172e008e3f1f74a35a9bebdb24b63dec15ff63cb2cc9dfc8f92e4e1012e0539c5a88b845b WHIRLPOOL 5ac68a15155424d42fb4b84be1b34eb2e51498ae5193ae104215e4bb52a72845923f82dc6b112ce165444cdbfe3aaf01557d2f6ab42f6531dd525aee15ee1b19 |
24 |
-DIST pdns-4.1.0-rc3.tar.bz2 1112366 SHA256 889e2135ad4fa716afdd762a1c1551881e96f656f4434b0b1dcd57c63e87ffe2 SHA512 19485bf95a68cbe2ac4cc826b44c3a8670f66cedc2ab426c589a3f67d96f70bd6dd297bd95301c29cda10ff9a7e429fa702bdc7368ce08862140d7097013ea7f WHIRLPOOL 2e6e6b0a1b173aaa4ac61ac6b11204b30c2fde527476a218e13e62100d82a14b676075ce76e6b830e4c0e5d7f79c4421df9a4539ff9c0a9c110f9509c2d3a8a4 |
25 |
+DIST pdns-4.0.4.tar.bz2 1320327 BLAKE2B 5c11a0245408f8448b41ed4229718e6f7244e0c8f36b60b07c280f82c7dea0065cce93c3814b3a396666be8d3b012ad4eb646cf55f531d22ce325190e0fd6e22 SHA512 4ef4705cd990b03976775167c7c37850d45907e198549feda5f5701172e008e3f1f74a35a9bebdb24b63dec15ff63cb2cc9dfc8f92e4e1012e0539c5a88b845b |
26 |
+DIST pdns-4.1.0-rc3.tar.bz2 1112366 BLAKE2B 8ac9d351ffee81a859b68bc66e989ce4c91804ab134ada3e090aed982df31191f5bfc83f7174873ab34b2a1b6be21f2c938874d94ea0e166b060453b746eec13 SHA512 19485bf95a68cbe2ac4cc826b44c3a8670f66cedc2ab426c589a3f67d96f70bd6dd297bd95301c29cda10ff9a7e429fa702bdc7368ce08862140d7097013ea7f |
27 |
|
28 |
diff --git a/net-dns/pdns/files/CVE-2017-15091-4.0.4.patch b/net-dns/pdns/files/CVE-2017-15091-4.0.4.patch |
29 |
new file mode 100644 |
30 |
index 00000000000..a9506af8ef9 |
31 |
--- /dev/null |
32 |
+++ b/net-dns/pdns/files/CVE-2017-15091-4.0.4.patch |
33 |
@@ -0,0 +1,30 @@ |
34 |
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc |
35 |
+--- pdns-4.0.4.orig/pdns/ws-auth.cc 2017-06-22 22:07:25.000000000 +0200 |
36 |
++++ pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100 |
37 |
+@@ -860,7 +860,7 @@ |
38 |
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) { |
39 |
+ DNSName zonename = apiZoneIdToName(req->parameters["id"]); |
40 |
+ |
41 |
+- if(req->method != "PUT") |
42 |
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) |
43 |
+ throw HttpMethodNotAllowedException(); |
44 |
+ |
45 |
+ UeberBackend B; |
46 |
+@@ -879,7 +879,7 @@ |
47 |
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) { |
48 |
+ DNSName zonename = apiZoneIdToName(req->parameters["id"]); |
49 |
+ |
50 |
+- if(req->method != "PUT") |
51 |
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) |
52 |
+ throw HttpMethodNotAllowedException(); |
53 |
+ |
54 |
+ UeberBackend B; |
55 |
+@@ -1191,7 +1191,7 @@ |
56 |
+ } |
57 |
+ |
58 |
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) { |
59 |
+- if(req->method != "PUT") |
60 |
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) |
61 |
+ throw HttpMethodNotAllowedException(); |
62 |
+ |
63 |
+ DNSName canon = apiNameToDNSName(req->getvars["domain"]); |
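Review bot: The new patch file has no header saying where the change comes from, so a later maintainer cannot tell whether these three hunks are a verbatim backport of the upstream fix or a Gentoo-authored one; I would add a header above the first `diff -ru` line such as `Backport for CVE-2017-15091 (PowerDNS Authoritative 4.0.4): make the AXFR-retrieve, NOTIFY and cache-flush API handlers honour api-readonly, which they previously ignored.` plus the upstream commit reference if there is one. The guards themselves look consistent: each handler now rejects the request when `api-readonly` is set, and in the two zone handlers the check sits before `UeberBackend B` is opened, so nothing is touched on the rejected path. The rejection reuses `HttpMethodNotAllowedException`, so a read-only API presumably answers with the same 405 as a wrong HTTP method; if that is what upstream chose it should stay, but it is worth a line in the header so nobody later turns it into a 403 and diverges from upstream. All three patched functions continue past their hunks, so whether every other state-changing handler in ws-auth.cc received the same guard cannot be judged from this file.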
64 |
|
65 |
diff --git a/net-dns/pdns/pdns-4.0.4-r1.ebuild b/net-dns/pdns/pdns-4.0.4-r1.ebuild |
66 |
new file mode 100644 |
67 |
index 00000000000..9fa2350de53 |
68 |
--- /dev/null |
69 |
+++ b/net-dns/pdns/pdns-4.0.4-r1.ebuild |
70 |
@@ -0,0 +1,157 @@ |
71 |
+# Copyright 1999-2017 Gentoo Foundation |
72 |
+# Distributed under the terms of the GNU General Public License v2 |
73 |
+ |
74 |
+EAPI="6" |
75 |
+ |
76 |
+inherit eutils multilib user toolchain-funcs versionator |
77 |
+ |
78 |
+DESCRIPTION="The PowerDNS Daemon" |
79 |
+HOMEPAGE="https://www.powerdns.com/" |
80 |
+SRC_URI="https://downloads.powerdns.com/releases/${P/_/-}.tar.bz2" |
81 |
+ |
82 |
+LICENSE="GPL-2" |
83 |
+SLOT="0" |
84 |
+KEYWORDS="~amd64 ~x86" |
85 |
+ |
86 |
+# other possible flags: |
87 |
+# db2: we lack the dep |
88 |
+# oracle: dito (need Oracle Client Libraries) |
89 |
+# xdb: (almost) dead, surely not supported |
90 |
+ |
91 |
+IUSE="botan debug doc geoip ldap libressl lua luajit mydns mysql opendbx postgres protobuf remote sqlite systemd tools tinydns test" |
92 |
+ |
93 |
+REQUIRED_USE="mydns? ( mysql ) ?? ( lua luajit )" |
94 |
+ |
95 |
+RDEPEND=" |
96 |
+ libressl? ( dev-libs/libressl:= ) |
97 |
+ !libressl? ( dev-libs/openssl:= ) |
98 |
+ >=dev-libs/boost-1.35:= |
99 |
+ botan? ( =dev-libs/botan-1.10*[threads] ) |
100 |
+ lua? ( dev-lang/lua:= ) |
101 |
+ luajit? ( dev-lang/luajit:= ) |
102 |
+ mysql? ( virtual/mysql ) |
103 |
+ postgres? ( dev-db/postgresql:= ) |
104 |
+ ldap? ( >=net-nds/openldap-2.0.27-r4 ) |
105 |
+ sqlite? ( dev-db/sqlite:3 ) |
106 |
+ opendbx? ( dev-db/opendbx ) |
107 |
+ geoip? ( >=dev-cpp/yaml-cpp-0.5.1 dev-libs/geoip ) |
108 |
+ tinydns? ( >=dev-db/tinycdb-0.77 ) |
109 |
+ protobuf? ( dev-libs/protobuf )" |
110 |
+DEPEND="${RDEPEND} |
111 |
+ virtual/pkgconfig |
112 |
+ doc? ( app-doc/doxygen )" |
113 |
+ |
114 |
+S="${WORKDIR}"/${P/_/-} |
115 |
+ |
116 |
+PATCHES=( |
117 |
+ "${FILESDIR}"/CVE-2017-15091-4.0.4.patch |
118 |
+) |
119 |
+ |
120 |
+src_configure() { |
121 |
+ local dynmodules="pipe bind" # the default backends, always enabled |
122 |
+ |
123 |
+ #use db2 && dynmodules+=" db2" |
124 |
+ use ldap && dynmodules+=" ldap" |
125 |
+ use lua && dynmodules+=" lua" |
126 |
+ use mydns && dynmodules+=" mydns" |
127 |
+ use mysql && dynmodules+=" gmysql" |
128 |
+ use opendbx && dynmodules+=" opendbx" |
129 |
+ #use oracle && dynmodules+=" goracle oracle" |
130 |
+ use postgres && dynmodules+=" gpgsql" |
131 |
+ use remote && dynmodules+=" remote" |
132 |
+ use sqlite && dynmodules+=" gsqlite3" |
133 |
+ use tinydns && dynmodules+=" tinydns" |
134 |
+ use geoip && dynmodules+=" geoip" |
135 |
+ #use xdb && dynmodules+=" xdb" |
136 |
+ |
137 |
+ econf \ |
138 |
+ --disable-static \ |
139 |
+ --sysconfdir=/etc/powerdns \ |
140 |
+ --libdir=/usr/$(get_libdir)/powerdns \ |
141 |
+ --with-modules= \ |
142 |
+ --with-dynmodules="${dynmodules}" \ |
143 |
+ --with-pgsql-includes=/usr/include \ |
144 |
+ --with-pgsql-lib=/usr/$(get_libdir) \ |
145 |
+ --with-mysql-lib=/usr/$(get_libdir) \ |
146 |
+ $(use_enable botan botan1.10) \ |
147 |
+ $(use_enable debug verbose-logging) \ |
148 |
+ $(use_enable test unit-tests) \ |
149 |
+ $(use_enable tools) \ |
150 |
+ $(use_enable systemd) \ |
151 |
+ $(use_with lua) \ |
152 |
+ $(use_with luajit) \ |
153 |
+ $(use_with protobuf) \ |
154 |
+ ${myconf} |
155 |
+} |
156 |
+ |
157 |
+src_compile() { |
158 |
+ default |
159 |
+ use doc && emake -C codedocs codedocs |
160 |
+} |
161 |
+ |
162 |
+src_install() { |
163 |
+ default |
164 |
+ |
165 |
+ mv "${D}"/etc/powerdns/pdns.conf{-dist,} |
166 |
+ |
167 |
+ fperms 0700 /etc/powerdns |
168 |
+ fperms 0600 /etc/powerdns/pdns.conf |
169 |
+ |
170 |
+ # set defaults: setuid=pdns, setgid=pdns |
171 |
+ sed -i \ |
172 |
+ -e 's/^# set\([ug]\)id=$/set\1id=pdns/g' \ |
173 |
+ "${D}"/etc/powerdns/pdns.conf |
174 |
+ |
175 |
+ newinitd "${FILESDIR}"/pdns-r1 pdns |
176 |
+ |
177 |
+ keepdir /var/empty |
178 |
+ |
179 |
+ use doc && dohtml -r codedocs/html/. |
180 |
+ |
181 |
+ # Install development headers |
182 |
+ insinto /usr/include/pdns |
183 |
+ doins pdns/*.hh |
184 |
+ insinto /usr/include/pdns/backends/gsql |
185 |
+ doins pdns/backends/gsql/*.hh |
186 |
+ |
187 |
+ if use ldap ; then |
188 |
+ insinto /etc/openldap/schema |
189 |
+ doins "${FILESDIR}"/dnsdomain2.schema |
190 |
+ fi |
191 |
+ |
192 |
+ prune_libtool_files --all |
193 |
+} |
194 |
+ |
195 |
+pkg_preinst() { |
196 |
+ enewgroup pdns |
197 |
+ enewuser pdns -1 -1 /var/empty pdns |
198 |
+} |
199 |
+ |
200 |
+pkg_postinst() { |
201 |
+ elog "PowerDNS provides multiple instances support. You can create more instances" |
202 |
+ elog "by symlinking the pdns init script to another name." |
203 |
+ elog |
204 |
+ elog "The name must be in the format pdns.<suffix> and PowerDNS will use the" |
205 |
+ elog "/etc/powerdns/pdns-<suffix>.conf configuration file instead of the default." |
206 |
+ |
207 |
+ if use ldap ; then |
208 |
+ ewarn "The official LDAP backend module is only compile-tested by upstream." |
209 |
+ ewarn "Try net-dns/pdns-ldap-backend if you have problems with it." |
210 |
+ fi |
211 |
+ |
212 |
+ local old |
213 |
+ for old in ${REPLACING_VERSIONS}; do |
214 |
+ version_compare ${old} 3.2 |
215 |
+ [[ $? -eq 1 ]] || continue |
216 |
+ |
217 |
+ ewarn "To fix a security bug (bug #458018) had the following" |
218 |
+ ewarn "files/directories the world-readable bit removed (if set):" |
219 |
+ ewarn " ${EPREFIX}/etc/powerdns" |
220 |
+ ewarn " ${EPREFIX}/etc/powerdns/pdns.conf" |
221 |
+ ewarn "Check if this is correct for your setup" |
222 |
+ ewarn "This is a one-time change and will not happen on subsequent updates." |
223 |
+ chmod o-rwx "${EPREFIX}"/etc/powerdns/{,pdns.conf} |
224 |
+ |
225 |
+ break |
226 |
+ done |
227 |
+} |
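Review bot: In `src_install` the `mv` of `pdns.conf-dist` and the `sed -i` that enables `setuid=pdns`/`setgid=pdns` both run unchecked, and the `sed` is the only thing that makes the daemon drop root, so if its `^# set[ug]id=$` pattern stops matching the shipped template (or the command fails) the package silently installs a config with no privilege drop and pdns presumably runs as root. I would append `|| die` to both commands and assert the outcome: `mv "${D}"/etc/powerdns/pdns.conf{-dist,} || die`, `sed -i -e 's/^# set\([ug]\)id=$/set\1id=pdns/g' "${D}"/etc/powerdns/pdns.conf || die`, and `grep -q '^setuid=pdns$' "${D}"/etc/powerdns/pdns.conf || die "setuid=pdns not set in pdns.conf"`. The trailing `${myconf}` passed to `econf` is never assigned anywhere in this ebuild and should be dropped rather than left as an unquoted empty expansion. `pkg_postinst` says nothing about the bundled CVE-2017-15091 patch, which now makes a read-only API reject AXFR-retrieve, NOTIFY and cache-flush requests; a one-line `elog` would save admins who relied on those calls through `api-readonly` from a surprise.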