head	1.2;
access;
symbols
	pkgsrc-2015Q1:1.1.0.6
	pkgsrc-2015Q1-base:1.1
	pkgsrc-2014Q4:1.1.0.4
	pkgsrc-2014Q4-base:1.1
	pkgsrc-2014Q3:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2015.06.10.14.22.29;	author fhajny;	state dead;
branches;
next	1.1;
commitid	lZPE4a8fCMDDjToy;

1.1
date	2014.12.11.20.18.17;	author roy;	state Exp;
branches
	1.1.2.1;
next	;
commitid	97S3b9dliqM46F1y;

1.1.2.1
date	2014.12.11.20.18.17;	author tron;	state dead;
branches;
next	1.1.2.2;
commitid	LzPhZrrhdpN1Yj2y;

1.1.2.2
date	2014.12.16.23.23.22;	author tron;	state Exp;
branches;
next	;
commitid	LzPhZrrhdpN1Yj2y;


desc
@@


1.2
log
@Update net/powerdns-recursor to 3.7.3.
Add SMF support.
Defuzz patches.

PowerDNS Recursor 3.7.3
- Limit the maximum length of a qname
- pdnssec: check for glue and delegations in parent zones

PowerDNS Recursor 3.7.2
- Fix handling of forward references in label compressed packets;
  fixes CVE-2015-1868.
- Minor improvements and bugfixes.

PowerDNS Recursor 3.7.1
- New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses
  from the root-servers
- getregisteredname() for Lua, which turns 'www.bbc.co.uk' into 'bbc.co.uk'
- Lua preoutquery filter
- Lua IP-based filter (ipfilter) before parsing packets
- iputils class for Lua, to quickly process IP addresses and netmasks
  in their native format
- getregisteredname function for Lua, to find the registered domain
  for a given name
- Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes,
  top-servfail-queries
- Minor improvements and bugfixes.

PowerDNS Recursor 3.6.2
- Minor improvements and bugfixes.

PowerDNS Recursor 3.6.1
- Fix for a crash under a specific sequence of packets.

PowerDNS Recursor 3.6.0
- Implement minimum-ttl-override config setting, plus runtime configurability
  via 'rec_control set-minimum-ttl'.
- Lots of work on the JSON API, which is exposed via Aki Tuomi's 'yahttp'.
- Lua modules can now use 'pdnslog(INFO..')
- Adopt any-to-tcp feature to the recursor.
- Implement built-in statistics dumper using the 'carbon' protocol, which
  is also understood by metronome (our mini-graphite). Use 'carbon-server',
  'carbon-ourname' and 'carbon-interval' settings.
- New setting 'udp-truncation-threshold' to configure from how many bytes
  we should truncate. commit a09a8ce.
- Proper support for CHaos class for CHAOS TXT queries.
- Added support for Lua scripts to drop queries w/o further processing.
- Kevin Holly added qtype statistics to recursor and rec_control.
- Add support for include-files in configuration, also reload ACLs and zones
  defined in them.
- Paulo Anes contributed server-down-max-fails which helps combat
  Recursive DNS based amplification attacks.
- Implement "followCNAMERecords" feature in the Lua hooks.
- Minor improvements and bugfixes.

PowerDNS Recursor 3.5.3
- This is a bugfix and performance update to 3.5.2. It brings serious
  performance improvements for dual stack users.

PowerDNS Recursor 3.5.2
- This is a stability and bugfix update to 3.5.1. It contains important
  fixes that improve operation for certain domains.

PowerDNS Recursor 3.5.1
- This is a stability and bugfix update to 3.5.

PowerDNS Recursor 3.5
- The local zone server now understands wildcards.
- The Lua postresolve and nodata hooks.
- A new feature, rec_control trace-regex allows the tracing of lookups
  for specific names
- A new setting, export-etc-hosts-search-suffix, adds a configurable
  suffix to names imported from /etc/hosts
- Minor improvements & bugfixes

PowerDNS Recursor 3.3.1
- Small number of important fixes, adds some memory usage statistics,
  but no new features
@
text
@$NetBSD: patch-CVE-2014-8601,v 1.1 2014/12/11 20:18:17 roy Exp $

Upstream backported fix for CVE-2014-8601

commit 62d189c81359c70821523d7ba9831d0f6e57b012
Author: Your Name <you@@example.com>
Date:   Tue Dec 2 08:50:41 2014 +0000

    backport query limiter to 3.3

diff --git pdns_recursor.cc pdns_recursor.cc
index 0f9b08f..3bb71e0 100644
--- pdns_recursor.cc
+++ pdns_recursor.cc
@@@@ -522,7 +522,14 @@@@ void startDoResolve(void *p)
     bool variableAnswer = false;
     // if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
     if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
-       res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+      try {
+        res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+      }
+      catch(ImmediateServFailException &e) {
+        L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+
+        res = RCode::ServFail;
+      }
 
       if(t_pdl->get()) {
         if(res == RCode::NXDomain)
diff --git a/syncres.cc b/syncres.cc
index 4b05acf..08b2930 100644
--- syncres.cc
+++ syncres.cc
@@@@ -874,6 +874,7 @@@@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
           }
           else {
             s_outqueries++; d_outqueries++;
+            if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
           TryTCP:
             if(doTCP) {
               LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
diff --git a/syncres.hh b/syncres.hh
index e3249d2..6c151e0 100644
--- syncres.hh
+++ syncres.hh
@@@@ -502,6 +502,13 @@@@ private:
   static AtomicCounter s_currentConnections; //!< total number of current TCP connections
 };
 
+class ImmediateServFailException
+{
+public:
+  ImmediateServFailException(string r){reason=r;};
+
+  string reason; //! Print this to tell the user what went wrong
+};
 
 struct RemoteKeeper
 {
@


1.1
log
@Add upstream patch to fix CVE-2014-8601.
Remove myself as maintainer.
@
text
@d1 1
a1 1
$NetBSD: $
@


1.1.2.1
log
@file patch-CVE-2014-8601 was added on branch pkgsrc-2014Q3 on 2014-12-16 23:23:22 +0000
@
text
@d1 60
@


1.1.2.2
log
@Pullup ticket #4573 - requested by roy
net/powerdns-recursor: security patch

Revisions pulled up:
- net/powerdns-recursor/Makefile                                1.16
- net/powerdns-recursor/distinfo                                1.12
- net/powerdns-recursor/patches/patch-CVE-2014-8601             1.1

---
   Module Name:    pkgsrc
   Committed By:   roy
   Date:           Thu Dec 11 20:18:17 UTC 2014

   Modified Files:
           pkgsrc/net/powerdns-recursor: Makefile distinfo
   Added Files:
           pkgsrc/net/powerdns-recursor/patches: patch-CVE-2014-8601

   Log Message:
   Add upstream patch to fix CVE-2014-8601.
   Remove myself as maintainer.
@
text
@a0 60
$NetBSD$

Upstream backported fix for CVE-2014-8601

commit 62d189c81359c70821523d7ba9831d0f6e57b012
Author: Your Name <you@@example.com>
Date:   Tue Dec 2 08:50:41 2014 +0000

    backport query limiter to 3.3

diff --git pdns_recursor.cc pdns_recursor.cc
index 0f9b08f..3bb71e0 100644
--- pdns_recursor.cc
+++ pdns_recursor.cc
@@@@ -522,7 +522,14 @@@@ void startDoResolve(void *p)
     bool variableAnswer = false;
     // if there is a PowerDNSLua active, and it 'took' the query in preResolve, we don't launch beginResolve
     if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
-       res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+      try {
+        res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+      }
+      catch(ImmediateServFailException &e) {
+        L<<Logger::Error<<"Sending SERVFAIL during resolve of '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+
+        res = RCode::ServFail;
+      }
 
       if(t_pdl->get()) {
         if(res == RCode::NXDomain)
diff --git a/syncres.cc b/syncres.cc
index 4b05acf..08b2930 100644
--- syncres.cc
+++ syncres.cc
@@@@ -874,6 +874,7 @@@@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
           }
           else {
             s_outqueries++; d_outqueries++;
+            if(d_outqueries > 50) throw ImmediateServFailException("more than 50 queries sent while resolving "+qname);
           TryTCP:
             if(doTCP) {
               LOG<<prefix<<qname<<": using TCP with "<< remoteIP->toStringWithPort() <<endl;
diff --git a/syncres.hh b/syncres.hh
index e3249d2..6c151e0 100644
--- syncres.hh
+++ syncres.hh
@@@@ -502,6 +502,13 @@@@ private:
   static AtomicCounter s_currentConnections; //!< total number of current TCP connections
 };
 
+class ImmediateServFailException
+{
+public:
+  ImmediateServFailException(string r){reason=r;};
+
+  string reason; //! Print this to tell the user what went wrong
+};
 
 struct RemoteKeeper
 {
@