Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pdns-recursor for openSUSE:Factory checked in at 2023-04-04 21:26:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pdns-recursor (Old) and /work/SRC/openSUSE:Factory/.pdns-recursor.new.19717 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pdns-recursor" Tue Apr 4 21:26:47 2023 rev:63 rq:1077167 version:4.8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/pdns-recursor/pdns-recursor.changes 2023-03-07 16:51:19.289896538 +0100 +++ /work/SRC/openSUSE:Factory/.pdns-recursor.new.19717/pdns-recursor.changes 2023-04-04 21:26:54.387402187 +0200 @@ -1,0 +2,7 @@ +Tue Apr 4 09:04:14 UTC 2023 - Adam Majer <adam.ma...@suse.de> + +- update to 4.8.4 + * Deterred spoofing attempts can lead to authoritative servers + being marked unavailable (bsc#1209897, CVE-2023-26437) + +------------------------------------------------------------------- Old: ---- pdns-recursor-4.8.3.tar.bz2 pdns-recursor-4.8.3.tar.bz2.sig New: ---- pdns-recursor-4.8.4.tar.bz2 pdns-recursor-4.8.4.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pdns-recursor.spec ++++++ --- /var/tmp/diff_new_pack.04JWgL/_old 2023-04-04 21:26:55.127406388 +0200 +++ /var/tmp/diff_new_pack.04JWgL/_new 2023-04-04 21:26:55.131406411 +0200 @@ -25,7 +25,7 @@ %endif Name: pdns-recursor -Version: 4.8.3 +Version: 4.8.4 Release: 0 BuildRequires: autoconf BuildRequires: automake ++++++ pdns-recursor-4.8.3.tar.bz2 -> pdns-recursor-4.8.4.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/configure new/pdns-recursor-4.8.4/configure --- old/pdns-recursor-4.8.3/configure 2023-03-06 15:15:22.000000000 +0100 +++ new/pdns-recursor-4.8.4/configure 2023-03-27 17:09:30.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for pdns-recursor 4.8.3. +# Generated by GNU Autoconf 2.69 for pdns-recursor 4.8.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='pdns-recursor' PACKAGE_TARNAME='pdns-recursor' -PACKAGE_VERSION='4.8.3' -PACKAGE_STRING='pdns-recursor 4.8.3' +PACKAGE_VERSION='4.8.4' +PACKAGE_STRING='pdns-recursor 4.8.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1552,7 +1552,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns-recursor 4.8.3 to adapt to many kinds of systems. +\`configure' configures pdns-recursor 4.8.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1623,7 +1623,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns-recursor 4.8.3:";; + short | recursive ) echo "Configuration of pdns-recursor 4.8.4:";; esac cat <<\_ACEOF @@ -1810,7 +1810,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns-recursor configure 4.8.3 +pdns-recursor configure 4.8.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2569,7 +2569,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns-recursor $as_me 4.8.3, which was +It was created by pdns-recursor $as_me 4.8.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3437,7 +3437,7 @@ # Define the identity of the package. PACKAGE='pdns-recursor' - VERSION='4.8.3' + VERSION='4.8.4' cat >>confdefs.h <<_ACEOF @@ -28247,7 +28247,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns-recursor $as_me 4.8.3, which was +This file was extended by pdns-recursor $as_me 4.8.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -28313,7 +28313,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -pdns-recursor config.status 4.8.3 +pdns-recursor config.status 4.8.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/configure.ac new/pdns-recursor-4.8.4/configure.ac --- old/pdns-recursor-4.8.3/configure.ac 2023-03-06 15:15:12.000000000 +0100 +++ new/pdns-recursor-4.8.4/configure.ac 2023-03-27 17:09:19.000000000 +0200 @@ -1,6 +1,6 @@ AC_PREREQ([2.69]) -AC_INIT([pdns-recursor], [4.8.3]) +AC_INIT([pdns-recursor], [4.8.4]) AC_CONFIG_AUX_DIR([build-aux]) AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11]) AM_SILENT_RULES([yes]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/effective_tld_names.dat new/pdns-recursor-4.8.4/effective_tld_names.dat --- old/pdns-recursor-4.8.3/effective_tld_names.dat 2023-03-06 15:16:22.000000000 +0100 +++ new/pdns-recursor-4.8.4/effective_tld_names.dat 2023-03-27 17:10:37.000000000 +0200 @@ -7189,7 +7189,7 @@ // newGTLDs -// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2023-02-22T15:15:03Z +// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2023-03-18T15:13:13Z // This list is auto-generated, don't edit it manually. // aaa : 2015-02-26 American Automobile Association, Inc. aaa @@ -8898,9 +8898,6 @@ // lincoln : 2014-11-13 Ford Motor Company lincoln -// linde : 2014-12-04 Linde Aktiengesellschaft -linde - // link : 2013-11-14 Nova Registry Ltd link 
@@ -8967,9 +8964,6 @@ // luxury : 2013-10-17 Luxury Partners, LLC luxury -// macys : 2015-07-31 Macys, Inc. -macys - // madrid : 2014-05-01 Comunidad de Madrid madrid diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/pdns_recursor.1 new/pdns-recursor-4.8.4/pdns_recursor.1 --- old/pdns-recursor-4.8.3/pdns_recursor.1 2023-03-06 15:16:22.000000000 +0100 +++ new/pdns-recursor-4.8.4/pdns_recursor.1 2023-03-27 17:10:37.000000000 +0200 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNS_RECURSOR" "1" "Mar 06, 2023" "" "PowerDNS Recursor" +.TH "PDNS_RECURSOR" "1" "Mar 27, 2023" "" "PowerDNS Recursor" .SH NAME pdns_recursor \- The PowerDNS Recursor binary .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/pdns_recursor.cc new/pdns-recursor-4.8.4/pdns_recursor.cc --- old/pdns-recursor-4.8.3/pdns_recursor.cc 2023-03-06 15:14:33.000000000 +0100 +++ new/pdns-recursor-4.8.4/pdns_recursor.cc 2023-03-27 17:08:37.000000000 +0200 
@@ -2688,35 +2688,40 @@ static void handleUDPServerResponse(int fd, FDMultiplexer::funcparam_t& var) { std::shared_ptr<PacketID> pid = boost::any_cast<std::shared_ptr<PacketID>>(var); - ssize_t len; PacketBuffer packet; packet.resize(g_outgoingEDNSBufsize); ComboAddress fromaddr; socklen_t addrlen = sizeof(fromaddr); - len = recvfrom(fd, &packet.at(0), packet.size(), 0, (sockaddr*)&fromaddr, &addrlen); + ssize_t len = recvfrom(fd, &packet.at(0), packet.size(), 0, reinterpret_cast<sockaddr*>(&fromaddr), &addrlen); - if (len < (ssize_t)sizeof(dnsheader)) { - if (len < 0) - ; // cerr<<"Error on fd "<<fd<<": "<<stringerror()<<"\n"; - else { - g_stats.serverParseError++; - if (g_logCommonErrors) - SLOG(g_log << Logger::Error << "Unable to parse packet from remote UDP server " << fromaddr.toString() << ": packet smaller than DNS header" << endl, - g_slogout->info(Logr::Error, "Unable to parse packet from remote UDP server", "from", Logging::Loggable(fromaddr))); - } + const ssize_t signed_sizeof_sdnsheader = sizeof(dnsheader); + if (len < 0) { + // len < 0: error on socket t_udpclientsocks->returnSocket(fd); - PacketBuffer empty; + PacketBuffer empty; MT_t::waiters_t::iterator iter = MT->d_waiters.find(pid); - if (iter != MT->d_waiters.end()) + if (iter != MT->d_waiters.end()) { doResends(iter, pid, empty); + } + MT->sendEvent(pid, &empty); // this denotes error (does retry lookup using other NS) + return; + } - MT->sendEvent(pid, &empty); // this denotes error (does lookup again.. 
at least L1 will be hot) + if (len < signed_sizeof_sdnsheader) { + // We have received a packet that cannot be a valid DNS packet, as it has no complete header + // Drop it, but continue to wait for other packets + g_stats.serverParseError++; + if (g_logCommonErrors) { + SLOG(g_log << Logger::Error << "Unable to parse too short packet from remote UDP server " << fromaddr.toString() << ": packet smaller than DNS header" << endl, + g_slogout->info(Logr::Error, "Unable to parse too short packet from remote UDP server", "from", Logging::Loggable(fromaddr))); + } return; } + // We have at least a full header packet.resize(len); dnsheader dh; memcpy(&dh, &packet.at(0), sizeof(dh)); @@ -2738,10 +2743,18 @@ } else { try { - if (len > 12) - pident->domain = DNSName(reinterpret_cast<const char*>(packet.data()), len, 12, false, &pident->type); // don't copy this from above - we need to do the actual read + if (len > signed_sizeof_sdnsheader) { + pident->domain = DNSName(reinterpret_cast<const char*>(packet.data()), len, static_cast<int>(sizeof(dnsheader)), false, &pident->type); // don't copy this from above - we need to do the actual read + } + else { + // len == sizeof(dnsheader), only header case + // We will do a full scan search later to see if we can match this reply even without a domain + pident->domain.clear(); + pident->type = 0; + } } catch (std::exception& e) { + // Parse error, continue waiting for other packets g_stats.serverParseError++; // won't be fed to lwres.cc, so we have to increment SLOG(g_log << Logger::Warning << "Error in packet from remote nameserver " << fromaddr.toStringWithPort() << ": " << e.what() << endl, g_slogudpin->error(Logr::Warning, e.what(), "Error in packet from remote nameserver", "from", Logging::Loggable(fromaddr))); 
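Review bot: The new too-short branch logs at Logger::Error for every such packet whenever g_logCommonErrors is set, and unlike the old path it neither returns the socket nor errors the waiter, so the fd stays readable and each further short packet from an off-path sender produces another Error line until the waiter times out; the g_stats.serverParseError counter already records the event, so a lower level (or a rate limit) would be the safer default, especially since the sibling `len < 0` path logs nothing at all. `const ssize_t signed_sizeof_sdnsheader = sizeof(dnsheader);` carries a stray 's' in the name and hides a size_t to ssize_t narrowing; `const auto signed_sizeof_dnsheader = static_cast<ssize_t>(sizeof(dnsheader));` says the same thing explicitly. The decision to keep the socket in the short-packet case is presumably so the genuine reply can still arrive, but nothing states it; a comment such as `// keep the fd: the real reply may still arrive, the waiter's timeout returns the socket` above the `return;` would record the intent. handleUDPServerResponse continues past the end of the hunk.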
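Review bot: The condition uses signed_sizeof_sdnsheader while the DNSName constructor call on the next line re-derives the same value as `static_cast<int>(sizeof(dnsheader))`, which reads as if two different offsets were intended; `static_cast<int>(signed_sizeof_sdnsheader)` keeps the two in step. The else-branch comment `// len == sizeof(dnsheader), only header case` is only true because of the length check at the top of the function, which lies in the previous hunk, not here; phrasing it as `// len == sizeof(dnsheader) (shorter packets were rejected above): header only, no question section to parse` makes the dependency visible to a reader of this block alone. The enclosing try block is fully inside the hunk, but the function continues outside it.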
@@ -2749,14 +2762,16 @@ } } - MT_t::waiters_t::iterator iter = MT->d_waiters.find(pident); - if (iter != MT->d_waiters.end()) { - doResends(iter, pident, packet); + if (!pident->domain.empty()) { + MT_t::waiters_t::iterator iter = MT->d_waiters.find(pident); + if (iter != MT->d_waiters.end()) { + doResends(iter, pident, packet); + } } retryWithName: - if (!MT->sendEvent(pident, &packet)) { + if (pident->domain.empty() || MT->sendEvent(pident, &packet) == 0) { /* we did not find a match for this response, something is wrong */ // we do a full scan for outstanding queries on unexpected answers. not too bad since we only accept them on the right port number, which is hard enough to guess diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/rec_control.1 new/pdns-recursor-4.8.4/rec_control.1 --- old/pdns-recursor-4.8.3/rec_control.1 2023-03-06 15:16:22.000000000 +0100 +++ new/pdns-recursor-4.8.4/rec_control.1 2023-03-27 17:10:37.000000000 +0200 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "REC_CONTROL" "1" "Mar 06, 2023" "" "PowerDNS Recursor" +.TH "REC_CONTROL" "1" "Mar 27, 2023" "" "PowerDNS Recursor" .SH NAME rec_control \- Command line tool to control a running Recursor .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.8.3/syncres.cc new/pdns-recursor-4.8.4/syncres.cc --- old/pdns-recursor-4.8.3/syncres.cc 2023-03-06 15:14:33.000000000 +0100 +++ new/pdns-recursor-4.8.4/syncres.cc 2023-03-27 17:08:37.000000000 +0200 @@ -5193,6 +5193,12 @@ } d_totUsec += lwr.d_usec; + + if (resolveret == LWResult::Result::Spoofed) { + spoofed = true; + return false; + } + accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family); ++g_stats.authRCode.at(lwr.d_rcode); 
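Review bot: The rewritten guard `if (pident->domain.empty() || MT->sendEvent(pident, &packet) == 0)` now routes every header-only reply into the full scan for outstanding queries, which the existing comment describes as acceptable because the source port is "hard enough to guess"; before this change a 12-byte packet never reached that scan. Whether the scan, and the parser the matched waiter hands the packet to, treats a reply with no question section as LWResult::Result::Spoofed rather than as a usable answer is not visible in this hunk, and it is worth confirming, since the only remaining bar for such a packet is id plus port. A short comment above the label, `// header-only replies carry no name, so they are matched by the full scan below`, would also explain why the doResends call is skipped for them. The full-scan body and the rest of the function lie outside the hunk.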
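Review bot: The new early return for LWResult::Result::Spoofed is placed after `d_totUsec += lwr.d_usec;` but before accountAuthLatency and `++g_stats.authRCode.at(lwr.d_rcode);`, so a forged reply still adds its wait time to the query total while no longer feeding the per-auth latency and rcode statistics that the old code (where the check sat in the later else-if chain removed by the second hunk, @@ -5224) updated unconditionally. That asymmetry looks deliberate, a reply that did not come from the server says nothing about the server, but nothing in the hunk records it; a comment such as `// A spoofed reply tells us nothing about the real server: skip all auth accounting below` above the check would make the intent explicit. Whether `return false` here matches the return convention the callers expect for "try the next nameserver" cannot be checked from the hunk, since the function's other exit paths are outside it.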
@@ -5224,9 +5230,6 @@ LOG(prefix<<qname<<": hit a local resource limit resolving"<< (doTCP ? " over TCP" : "")<<", probable error: "<<stringerror()<<endl); g_stats.resourceLimits++; } - else if (resolveret == LWResult::Result::Spoofed) { - spoofed = true; - } else { /* LWResult::Result::PermanentError */ s_unreachables++;