Rebase to 4.0.6 / CVE-2018-10851

2018-11-09 18:10:50 +01:00 · 2018-11-09 18:10:50 +01:00 · 167077d8f8
parent 7f366c2f25
commit 167077d8f8
7 changed files with 74 additions and 125 deletions
--- a/.gitignore
+++ b/.gitignore
@ -23,3 +23,4 @@ pdns-2.9.22.tar.gz
 /pdns-3.4.8.tar.bz2
 /pdns-3.4.10.tar.bz2
 /pdns-3.4.11.tar.bz2
+/pdns-4.0.6.tar.bz2
--- a/CVE-2017-15091-3.4.11.patch
+++ b/CVE-2017-15091-3.4.11.patch
@ -1,30 +0,0 @@
-diff -ru pdns-3.4.11.orig/pdns/ws-auth.cc pdns-3.4.11/pdns/ws-auth.cc
--- pdns-3.4.11.orig/pdns/ws-auth.cc	2017-01-13 09:13:16.000000000 +0100
-+++ pdns-3.4.11/pdns/ws-auth.cc	2017-11-02 18:03:50.635753956 +0100
-@@ -895,7 +895,7 @@
- static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
-   string zonename = apiZoneIdToName(req->parameters["id"]);
- 
-  if(req->method != "PUT")
-+  if(req->method != "PUT" || ::arg().mustDo("experimental-api-readonly"))
-     throw HttpMethodNotAllowedException();
- 
-   UeberBackend B;
-@@ -914,7 +914,7 @@
- static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
-   string zonename = apiZoneIdToName(req->parameters["id"]);
- 
-  if(req->method != "PUT")
-+  if(req->method != "PUT" || ::arg().mustDo("experimental-api-readonly"))
-     throw HttpMethodNotAllowedException();
- 
-   UeberBackend B;
-@@ -1195,7 +1195,7 @@
- }
- 
- void apiServerFlushCache(HttpRequest* req, HttpResponse* resp) {
-  if(req->method != "PUT")
-+  if(req->method != "PUT" || ::arg().mustDo("experimental-api-readonly"))
-     throw HttpMethodNotAllowedException();
- 
-   extern PacketCache PC;
--- a/pdns-default-config.patch
+++ b/pdns-default-config.patch
@ -1,9 +0,0 @@
--- pdns-3.4.0-rc1/pdns/pdns.conf-dist.orig	2014-07-31 21:42:05.000000000 +0200
-+++ pdns-3.4.0-rc1/pdns/pdns.conf-dist	2014-08-01 14:02:00.238999673 +0200
-@@ -1,3 +1,6 @@
-+setuid=pdns
-+setgid=pdns
-+launch=bind
- # Autogenerated configuration file template
- #################################
- # allow-axfr-ips	Allow zonetransfers only to these subnets
--- a/pdns-disable-secpoll.patch
+++ b/pdns-disable-secpoll.patch
@ -1,11 +1,11 @@
--- pdns-3.4.10/pdns/common_startup.cc.orig	2016-09-01 11:11:55.000000000 +0200
-+++ pdns-3.4.10/pdns/common_startup.cc	2016-09-09 17:36:16.156258298 +0200
-@@ -169,7 +169,7 @@ void declareArguments()
+--- pdns-4.0.0-rc1/pdns/common_startup.cc.orig	2016-06-29 11:43:23.000000000 +0200
+++ pdns-4.0.0-rc1/pdns/common_startup.cc	2016-06-29 14:50:11.915033803 +0200
+@@ -183,7 +183,7 @@ void declareArguments()
   ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 
   ::arg().set("include-dir","Include *.conf files from this directory");
 -  ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
 +  ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="";
 
-   ::arg().set("xfr-max-received-mbytes", "Maximum number of megabytes received from an incoming AXFR")="100";
- }
+   ::arg().setSwitch("outgoing-axfr-expand-alias", "Expand ALIAS records during outgoing AXFR")="no";
+   ::arg().setSwitch("8bit-dns", "Allow 8bit dns queries")="no";
--- a/pdns-systemd.patch
+++ b/pdns-systemd.patch
@ -1,11 +0,0 @@
--- pdns-3.4.0/contrib/systemd-pdns.service.orig	2014-09-02 10:02:05.000000000 +0200
-+++ pdns-3.4.0/contrib/systemd-pdns.service	2014-09-30 13:10:07.441999290 +0200
-@@ -1,7 +1,7 @@
- [Unit]
- Description=PowerDNS Authoritative Server
- Wants=network-online.target
-After=network-online.target mysqld.service postgresql.service slapd.service
-+After=network-online.target mariadb.service postgresql.service slapd.service
- 
- [Service]
- Type=forking
--- a/pdns.spec
+++ b/pdns.spec
@ -2,29 +2,31 @@
 %global backends %{nil}

 Name: pdns
-Version: 3.4.11
-Release: 4%{?dist}
+Version: 4.0.6
+Release: 1%{?dist}
 Summary: A modern, advanced and high performance authoritative-only nameserver
 Group: System Environment/Daemons
 License: GPLv2
 URL: http://powerdns.com
 Source0: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.bz2
-Patch0: pdns-default-config.patch
-Patch1: pdns-systemd.patch
-Patch2: pdns-disable-secpoll.patch
-Patch3: CVE-2017-15091-3.4.11.patch
+Patch0: pdns-disable-secpoll.patch

 Requires(pre): shadow-utils
-Requires(post): systemd-sysv
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units

-BuildRequires: systemd-units
-BuildRequires: boost-devel
-BuildRequires: lua-devel
-BuildRequires: cryptopp-devel
 BuildRequires: bison
+BuildRequires: boost-devel
+BuildRequires: gcc-c++
+BuildRequires: libsodium-devel
+BuildRequires: lua-devel
+BuildRequires: openssl-devel
+BuildRequires: protobuf-compiler
+BuildRequires: protobuf-devel
+BuildRequires: python2-virtualenv
+BuildRequires: systemd-devel
+BuildRequires: systemd-units
 BuildRequires: zeromq-devel
 Provides: powerdns = %{version}-%{release}
 %global backends %{backends} bind
@ -80,17 +82,6 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
 %description backend-remote
 This package contains the remote backend for %{name}

-%package backend-geo
-Summary: Geo backend for %{name}
-Group: System Environment/Daemons
-Requires: %{name}%{?_isa} = %{version}-%{release}
-%global backends %{backends} geo
-
-%description backend-geo
-This package contains the geo backend for %{name}
-It allows different answers to DNS queries coming from different
-IP address ranges or based on the geographic location
-
 %package backend-ldap
 Summary: LDAP backend for %{name}
 Group: System Environment/Daemons
@ -160,22 +151,9 @@ BuildRequires: tinycdb-devel
 %description backend-tinydns
 This package contains the TinyDNS backend for %{name}

-%package backend-lmdb
-Summary: LMDB backend for %{name}
-Group: System Environment/Daemons
-Requires: %{name}%{?_isa} = %{version}-%{release}
-BuildRequires: lmdb-devel
-%global backends %{backends} lmdb
-
-%description backend-lmdb
-This package contains the LMDB backend for %{name}
-
 %prep
 %setup -q
-%patch0 -p1 -b .default-config-patch
-%patch1 -p1 -b .systemd-patch
-%patch2 -p1 -b .disable-secpoll
-%patch3 -p1 -b .CVE-2017-15091
+%patch0 -p1 -b .disable-secpoll

 %build
 export CPPFLAGS="-DLDAP_DEPRECATED"
@ -188,15 +166,17 @@ export CPPFLAGS="-DLDAP_DEPRECATED"
 	--with-modules='' \
 	--with-lua \
 	--with-dynmodules='%{backends}' \
-	--enable-cryptopp \
 	--enable-tools \
+	--enable-libsodium \
 	--enable-remotebackend-zeromq \
-	--enable-unit-tests
+	--enable-unit-tests \
+	--enable-reproducible \
+	--enable-systemd

-make %{?_smp_mflags}
+%make_build

 %install
-make install DESTDIR=%{buildroot}
+%make_install

 %{__rm} -f %{buildroot}%{_libdir}/%{name}/*.la
 %{__rm} -rf %{buildroot}%{_docdir}
@ -205,11 +185,18 @@ make install DESTDIR=%{buildroot}
 chmod 600 %{buildroot}%{_sysconfdir}/%{name}/pdns.conf

 # rename zone2ldap to pdns-zone2ldap (#1193116)
-%{__mv} %{buildroot}/%{_bindir}/zone2ldap %{buildroot}/%{_bindir}/pdns-zone2ldap
-%{__mv} %{buildroot}/%{_mandir}/man1/zone2ldap.1 %{buildroot}/%{_mandir}/man1/pdns-zone2ldap.1
+%{__mv} %{buildroot}/%{_bindir}/zone2ldap %{buildroot}/%{_bindir}/pdns_zone2ldap
+%{__mv} %{buildroot}/%{_mandir}/man1/zone2ldap.1 %{buildroot}/%{_mandir}/man1/pdns_zone2ldap.1

-# install systemd unit file
-%{__install} -D -p -m 644 contrib/systemd-pdns.service %{buildroot}%{_unitdir}/%{name}.service
+# change user/group to pdns
+# change default backend to bind
+sed -i \
+    -e 's/# setuid=/setuid=pdns/' \
+    -e 's/# setgid=/setgid=pdns/' \
+    -e 's/# launch=/launch=bind/' \
+    %{buildroot}%{_sysconfdir}/%{name}/pdns.conf
+
+%{__rm} %{buildroot}/%{_bindir}/stubquery

 %check
 make %{?_smp_mflags} -C pdns check
@ -230,50 +217,61 @@ exit 0
 %postun
 %systemd_postun_with_restart pdns.service

-%triggerun -- pdns < 3.0-rc3
-# Save the current service runlevel info
-# User must manually run systemd-sysv-convert --apply pdns
-# to migrate them to systemd targets
-%{_bindir}/systemd-sysv-convert --save pdns &>/dev/null ||:
-
-# Run these because the SysV package being removed won't do them
-/sbin/chkconfig --del pdns &>/dev/null || :
-/bin/systemctl try-restart pdns.service &>/dev/null || :
-
 %files
-%doc COPYING README
+%doc README
+%license COPYING
 %{_bindir}/pdns_control
-%{_bindir}/pdnssec
-%{_bindir}/pdns-zone2ldap
+%{_bindir}/pdnsutil
+%{_bindir}/pdns_zone2ldap
 %{_bindir}/zone2sql
 %{_bindir}/zone2json
-%{_bindir}/zone2lmdb
 %{_sbindir}/pdns_server
-%{_libdir}/%{name}/libbindbackend.so
 %{_mandir}/man1/pdns_control.1.gz
 %{_mandir}/man1/pdns_server.1.gz
 %{_mandir}/man1/zone2sql.1.gz
-%{_mandir}/man1/pdns-zone2ldap.1.gz
-%{_mandir}/man1/pdnssec.1.gz
+%{_mandir}/man1/zone2json.1.gz
+%{_mandir}/man1/pdns_zone2ldap.1.gz
+%{_mandir}/man1/pdnsutil.1.gz
 %{_unitdir}/pdns.service
+%{_unitdir}/pdns@.service
+%{_libdir}/%{name}/libbindbackend.so
 %dir %{_libdir}/%{name}/
 %dir %{_sysconfdir}/%{name}/
 %config(noreplace) %{_sysconfdir}/%{name}/pdns.conf

 %files tools
+%{_bindir}/calidns
 %{_bindir}/dnsbulktest
+%{_bindir}/dnsgram
+%{_bindir}/dnspcap2protobuf
 %{_bindir}/dnsreplay
 %{_bindir}/dnsscan
 %{_bindir}/dnsscope
 %{_bindir}/dnstcpbench
 %{_bindir}/dnswasher
+%{_bindir}/dumresp
+%{_bindir}/ixplore
+%{_bindir}/pdns_notify
 %{_bindir}/nproxy
 %{_bindir}/nsec3dig
 %{_bindir}/saxfr
+%{_bindir}/sdig
+%{_mandir}/man1/calidns.1.gz
+%{_mandir}/man1/dnsbulktest.1.gz
+%{_mandir}/man1/dnsgram.1.gz
+%{_mandir}/man1/dnspcap2protobuf.1.gz
 %{_mandir}/man1/dnsreplay.1.gz
+%{_mandir}/man1/dnsscan.1.gz
 %{_mandir}/man1/dnsscope.1.gz
-%{_mandir}/man1/dnswasher.1.gz
 %{_mandir}/man1/dnstcpbench.1.gz
+%{_mandir}/man1/dnswasher.1.gz
+%{_mandir}/man1/dumresp.1.gz
+%{_mandir}/man1/ixplore.1.gz
+%{_mandir}/man1/pdns_notify.1.gz
+%{_mandir}/man1/nproxy.1.gz
+%{_mandir}/man1/nsec3dig.1.gz
+%{_mandir}/man1/saxfr.1.gz
+%{_mandir}/man1/sdig.1.gz

 %files backend-mysql
 %doc modules/gmysqlbackend/schema.mysql.sql
@ -293,12 +291,10 @@ exit 0
 %files backend-remote
 %{_libdir}/%{name}/libremotebackend.so

-%files backend-geo
-%doc modules/geobackend/README
-%{_libdir}/%{name}/libgeobackend.so
-
 %files backend-ldap
 %{_libdir}/%{name}/libldapbackend.so
+%doc modules/ldapbackend/dnsdomain2.schema
+%doc modules/ldapbackend/pdns-domaininfo.schema

 %files backend-lua
 %{_libdir}/%{name}/libluabackend.so
@ -321,10 +317,12 @@ exit 0
 %files backend-tinydns
 %{_libdir}/%{name}/libtinydnsbackend.so

-%files backend-lmdb
-%{_libdir}/%{name}/liblmdbbackend.so
-
 %changelog
+* Fri Nov 09 2018 Morten Stevens <mstevens@fedoraproject.org> - 4.0.6-1
+- Rebase to 4.0.6
+- Backend geo and lmdb has been deprecated
+- PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
+
 * Thu Feb 01 2018 Morten Stevens <mstevens@fedoraproject.org> - 3.4.11-4
 - CVE-2017-15091

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (pdns-3.4.11.tar.bz2) = 6259b107d41e27209e524beb6396cf89b5334c6003b89dbc766a741e7ecfc39bcd5561a4fc189aac3e134907600c78882fa4abc348a93846e3228f45602f22b8
+SHA512 (pdns-4.0.6.tar.bz2) = 4a4f4db14809b96b763d223fe812cc552f62c96132226640eacdbdcebaa1ba7d8884498d685b81eb747668d42709698c46254f4fafe069306085f0bc19f18858