Update to 1.3.3

Fixes CVE-2018-14663
Fix sigabrt on TCP query (https://github.com/PowerDNS/pdns/issues/6712 )
2018-11-18 19:39:08 +01:00 · 2018-06-06 14:17:48 +02:00 · 2018-05-31 16:54:55 +02:00 · 2018-05-31 16:49:08 +02:00 · 2018-05-31 16:35:09 +02:00 · 2018-05-31 16:28:39 +02:00
4 changed files with 55 additions and 206 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,18 +3,5 @@
 /dnsdist-1.0.0.tar.bz2
 /dnsdist-1.1.0.tar.bz2
 /dnsdist-1.2.0.tar.bz2
-/dnsdist-1.2.1.tar.bz2
 /dnsdist-1.3.0.tar.bz2
 /dnsdist-1.3.3.tar.bz2
-/dnsdist-1.4.0-rc5.tar.bz2
-/dnsdist-1.4.0.tar.bz2
-/dnsdist-1.5.0.tar.bz2
-/dnsdist-1.6.0-1.fc35.src.rpm
-/dnsdist-1.6.0-includes.patch
-/dnsdist-1.6.0.tar.bz2
-/dnsdist-1.6.1.tar.bz2
-/dnsdist-1.7.0.tar.bz2
-/dnsdist-1.7.1.tar.bz2
-/dnsdist-1.7.2.tar.bz2
-/dnsdist-1.7.3.tar.bz2
-/dnsdist-1.8.0.tar.bz2
--- a/dnsdist.spec
+++ b/dnsdist.spec
@ -1,32 +1,25 @@
 %ifarch %{nodejs_arches}
-# el-7 does not have uglifyjs
-%if "0%{?el7}" == "0"
 %global uglify 1
 %endif
-%endif

 Name: dnsdist
-Version: 1.8.0
-Release: 2%{?dist}
+Version: 1.3.3
+Release: 1%{?dist}
 Summary: Highly DNS-, DoS- and abuse-aware loadbalancer
+Group: System Environment/Daemons
 License: GPLv2
 URL: https://dnsdist.org
-Source0: https://downloads.powerdns.com/releases/%{name}-%{version}.tar.bz2
+Source0: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.bz2

-ExcludeArch: %{ix86} #1994125
-ExcludeArch: armv7hl #1994125
 BuildRequires: boost-devel
-BuildRequires: fstrm-devel
 BuildRequires: gcc-c++
 #ppc64 buildroot doesn't have libatomic, so require it
 #https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/FSMMBCD2C2SPO4D66O35EGUTF7YXEPBA/
 BuildRequires: libatomic
-BuildRequires: libcap-devel
 BuildRequires: libedit-devel
-BuildRequires: libnghttp2-devel
 BuildRequires: libsodium-devel
-BuildRequires: lmdb-devel
-%ifarch %{ix86} x86_64 %{mips} aarch64
+BuildRequires: lua-devel
+%ifnarch aarch64 ppc64 ppc64le
 BuildRequires: luajit-devel
 %else
 BuildRequires: lua-devel
@ -37,11 +30,9 @@ BuildRequires: re2-devel
 BuildRequires: readline-devel
 BuildRequires: systemd-devel
 BuildRequires: systemd-units
-BuildRequires: tinycdb-devel
 %if 0%{?uglify}
 BuildRequires: uglify-js
 %endif
-BuildRequires: make
 Requires(post): systemd
 Requires(preun): shadow-utils
 Requires(preun): systemd
@ -54,7 +45,7 @@ legitimate users while shunting or blocking abusive traffic.


 %prep
-%autosetup -p2
+%autosetup

 # run as dnsdist user
 sed -i '/^ExecStart/ s/dnsdist/dnsdist -u dnsdist -g dnsdist/' dnsdist.service.in
@ -67,22 +58,24 @@ sed -i '/^ExecStart/ s/dnsdist/dnsdist -u dnsdist -g dnsdist/' dnsdist.service.i
    --disable-silent-rules \
    --enable-dnscrypt \
    --enable-dns-over-tls \
-    --enable-unit-tests \
-    --with-cdb \
-    --with-lmdb \
-    --with-nghttp2 \
-    --with-re2
-
+    --enable-libsodium \
+    --enable-libssl \
+    --with-ebpf=no \
+%ifnarch aarch64 ppc64 ppc64le
+    --with-luajit \
+%else
+    --with-lua \
+%endif
+    --enable-unit-tests
 rm html/js/*
 %if 0%{?uglify}
 make min_js
 %else
 cp src_js/*.js html/js
-rename .js .min.js html/js/*.js
 %endif

 make %{?_smp_mflags}
-%{__cp} dnsdist.conf-dist dnsdist.conf.sample
+mv dnsdistconf.lua dnsdist.conf.sample

 %install
 make install DESTDIR=%{buildroot}
@ -90,8 +83,6 @@ make install DESTDIR=%{buildroot}
 # install systemd unit file
 install -D -p -m 644 %{name}.service %{buildroot}%{_unitdir}/%{name}.service
 install -d %{buildroot}%{_sysconfdir}/%{name}/
-%{__mv} %{buildroot}%{_sysconfdir}/%{name}/dnsdist.conf-dist %{buildroot}%{_sysconfdir}/%{name}/dnsdist.conf
-chmod 0640 %{buildroot}/%{_sysconfdir}/%{name}/dnsdist.conf

 %pre
 getent group dnsdist >/dev/null || groupadd -r dnsdist
@ -118,128 +109,13 @@ exit 0
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}@.service
 %dir %{_sysconfdir}/%{name}/
-%config(noreplace) %{_sysconfdir}/%{name}/dnsdist.conf
+

 %changelog
-* Thu Mar 30 2023 Sander Hoentjen <sander@hoentjen.eu> - 1.8.0-2
- Fix specfile error
-
-* Thu Mar 30 2023 Sander Hoentjen <sander@hoentjen.eu> - 1.8.0-1
- Update to 1.8.0 (#2128188)
-
-* Mon Feb 20 2023 Sander Hoentjen <sander@hoentjen.eu> - 1.7.3-3
- add patch for missing includes
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Wed Nov 02 2022 Sander Hoentjen <sander@hoentjen.eu> - 1.7.3-1
- Update to 1.7.3 (#2096239)
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 13 2022 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 1.7.2-1
- Update to 1.7.2 (#2096239)
-
-* Tue May 03 2022 Sander Hoentjen <sander@hoentjen.eu> - 1.7.1-2
- Fixes build without uglify (#2070613)
-
-* Sat Apr 30 2022 Sander Hoentjen <sander@hoentjen.eu> - 1.7.1-1
- Update to 1.7.1
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Mon Jan 17 2022 Sander Hoentjen <sander@hoentjen.eu> - 1.7.0-1
- Update to 1.7.0 (#2041478)
- enable cdb
- enable nghttp2
-
-* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 1.6.1-3
- Rebuilt for libre2.so.9
-
-* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 1.6.1-2
- Rebuilt with OpenSSL 3.0.0
-
-* Thu Sep 16 2021 Sander Hoentjen <sander@hoentjen.eu> - 1.6.1-1
- Update to 1.6.1 (#1884153)
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.6.0-2
- Rebuilt with OpenSSL 3.0.0
-
-* Mon Aug 16 2021 Sander Hoentjen <sander@hoentjen.eu> - 1.6.0-1
- Update to 1.6.0
-
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.5.0-8
- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Jan 14 08:47:30 CET 2021 Adrian Reber <adrian@lisas.de> - 1.5.0-6
- Rebuilt for protobuf 3.14
-
-* Wed Sep 23 2020 Adrian Reber <adrian@lisas.de> - 1.5.0-5
- Rebuilt for protobuf 3.13
-
-* Wed Aug 05 2020 Sander Hoentjen <sander@hoentjen.eu> - 1.5.0-4
- Fix building
-
-* Wed Aug 05 2020 Sander Hoentjen <sander@hoentjen.eu> - 1.5.0-3
- Don't build on armv7hl, dnsdist fails to compile there
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Fri Jul 31 2020 ander Hoentjen <sander@hoentjen.eu> - 1.5.0-1
- Update to 1.5.0
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 1.4.0-5
- Rebuilt for protobuf 3.12
-
-* Tue Mar 03 2020 Ruben Kerkhof <ruben@rubenkerkhof.com> - 1.4.0-4
- Fix build with GCC 10 (#1799286)
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 1.4.0-2
- Rebuild for protobuf 3.11
-
-* Thu Nov 21 2019 Ruben Kerkhof <ruben@rubenkerkhof.com> - 1.4.0-1
- Upstream released new stable version
-
-* Mon Nov 04 2019 Ruben Kerkhof <ruben@rubenkerkhof.com> - 1.4.0-0.1
- Upstream released new version
- Enable re2
- Link with LMDB
- Enable dnstap
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.3-2
- Rebuild for protobuf 3.6
-
 * Sun Nov 18 2018 Sander Hoentjen <sander@hoentjen.eu> - 1.3.3-1
 - Update to 1.3.3
 - Fixes CVE-2018-14663

-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
 * Wed Jun 06 2018 Ruben Kerkhof <ruben@rubenkerkhof.com> - 1.3.0-2
 - Fix sigabrt on TCP query (https://github.com/PowerDNS/pdns/issues/6712)

@ -247,61 +123,11 @@ exit 0
 - Upstream released new version
 - Enable DNS over TLS

-* Mon Feb 19 2018 Ruben Kerkhof <ruben@rubenkerkhof.com> - 1.2.1-1
- Upstream released new version
- BuildRequires gcc-c++ (https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B#BuildRequire)
- Fix mixed indentation in spec file
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Nov 29 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.2.0-4
- Rebuild for protobuf 3.5
-
-* Mon Nov 13 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.2.0-3
- Rebuild for protobuf 3.4
-
-* Mon Oct 02 2017 Remi Collet <remi@fedoraproject.org> - 1.2.0-2
- rebuild for libsodium
-
 * Tue Aug 22 2017 Sander Hoentjen <sander@hoentjen.eu> - 1.2.0-1
 - Update to 1.2.0
 - Fixes CVE-2017-7557
 - Fixes CVE-2016-7069

-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 1.1.0-6
- Rebuild for protobuf 3.3.1
-
-* Mon May 15 2017 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Mon Jan 23 2017 Orion Poplawski <orion@cora.nwra.com> - 1.1.0-3
- Rebuild for protobuf 3.2.0
-
-* Fri Dec 30 2016 Sander Hoentjen <sander@hoentjen.eu> - 1.1.0-2
- ppc64 buildroot doesn't have libatomic, so require it
-
-* Fri Dec 30 2016 Sander Hoentjen <sander@hoentjen.eu> - 1.1.0-1
- New upstream release
-
-* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 1.0.0-4
- Rebuild for protobuf 3.1.0
-
-* Tue Aug 30 2016 Sander Hoentjen <sander@hoentjen.eu> - 1.0.0-3
- luajit is now also available for aarch64 and MIPS
-
-* Mon Aug 29 2016 Igor Gnatenko <ignatenko@redhat.com> - 1.0.0-2
- Rebuild for LuaJIT 2.1.0
-
 * Thu Apr 21 2016 Sander Hoentjen <sander@hoentjen.eu> - 1.0.0-1
 - Upstream released new version

--- a/fix-sigabrt.patch
+++ b/fix-sigabrt.patch
@ -0,0 +1,36 @@
+From 60a518c8c246f43c53694160ebb7ca8b8b5c6346 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Wed, 6 Jun 2018 00:10:13 +0200
+Subject: [PATCH] dnsdist: Don't access the TCP buffer vector past its size
+
+The required memory has been reserve()'d, but we are not allowed to
+access it directly, and it breaks when compiled with the following
+flag, checking any access to containers as if .at() were used:
+
+-D_GLIBCXX_ASSERTIONS
+---
+ pdns/dnsdist-tcp.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc
+index 0eb7ea1396..ab2bda916c 100644
+--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
+@@ -315,7 +315,7 @@ void* tcpClientThread(int pipefd)
+         bool ecsAdded = false;
+         /* allocate a bit more memory to be able to spoof the content,
+            or to add ECS without allocating a new buffer */
+-        queryBuffer.reserve(qlen + 512);
+        queryBuffer.resize(qlen + 512);
+ 
+         char* query = &queryBuffer[0];
+         handler.read(query, qlen, g_tcpRecvTimeout, remainingTime);
+@@ -358,7 +358,7 @@ void* tcpClientThread(int pipefd)
+ 	uint16_t qtype, qclass;
+ 	unsigned int consumed = 0;
+ 	DNSName qname(query, qlen, sizeof(dnsheader), false, &qtype, &qclass, &consumed);
+-	DNSQuestion dq(&qname, qtype, qclass, &dest, &ci.remote, dh, queryBuffer.capacity(), qlen, true, &queryRealTime);
+	DNSQuestion dq(&qname, qtype, qclass, &dest, &ci.remote, dh, queryBuffer.size(), qlen, true, &queryRealTime);
+ 
+ 	if (!processQuery(holders, dq, poolname, &delayMsec, now)) {
+ 	  goto drop;
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (dnsdist-1.8.0.tar.bz2) = 426db3e83729bd2f8a8c8b1c02d719c6618acc0aec09d1f2670c159d441c1cad2fdc85c5ffe919e76d1b1e8e24198bf29133802cb857dfacde2dfed2532001f1
+SHA512 (dnsdist-1.3.3.tar.bz2) = c0e3435eafc1f7bcdf41346cecf7b089cc142716f94058f9ec262d0c6ad16467e0b8bed5abc648829c597120c94f998602849ded574e75bfc1a1fb70c1b719ad
Author	SHA1	Message	Date
Sander Hoentjen	64dcd7e6d6	Update to 1.3.3 Fixes CVE-2018-14663	2018-11-18 19:39:08 +01:00
Ruben Kerkhof	6e6e862ec4	Fix sigabrt on TCP query (https://github.com/PowerDNS/pdns/issues/6712 )	2018-06-06 14:17:48 +02:00
Ruben Kerkhof	855119dc2b	No luajit on ppc64le either	2018-05-31 16:54:55 +02:00
Ruben Kerkhof	b8abae8660	Fix BuildRequires	2018-05-31 16:49:08 +02:00
Ruben Kerkhof	3a28e64dd3	No luajit on ppc64	2018-05-31 16:35:09 +02:00
Ruben Kerkhof	9625c84ddb	No luajit on arm64	2018-05-31 16:28:39 +02:00
Ruben Kerkhof	818e8b424d	Upstream released new version Enable DNS over TLS	2018-05-31 16:05:17 +02:00
Sander Hoentjen	a81e8576d8	Update to 1.2.0 Fixes CVE-2017-7557 Fixes CVE-2016-7069	2017-08-22 12:28:45 +02:00