Hello community,

here is the log from the commit of package pdns.12262 for openSUSE:Leap:15.1:Update checked in at 2020-04-09 06:17:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.1:Update/pdns.12262 (Old)
 and      /work/SRC/openSUSE:Leap:15.1:Update/.pdns.12262.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pdns.12262"

Thu Apr 9 06:17:45 2020 rev:1 rq:791278 version:4.1.8

Changes:
--------
New Changes file:

--- /dev/null	2020-04-01 01:12:57.297512941 +0200
+++ /work/SRC/openSUSE:Leap:15.1:Update/.pdns.12262.new.3248/pdns.changes	2020-04-09 06:17:45.836798405 +0200
@@ -0,0 +1,1273 @@ +------------------------------------------------------------------- +Fri Apr 3 09:36:07 UTC 2020 - Adam Majer <[email protected]> + +- pdns_maxmind.patch: backport support for MaxMindDB + +------------------------------------------------------------------- +Thu Mar 5 14:10:29 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Build with libmaxminddb instead of the obsolete GeoIP (bsc#1156196) + +------------------------------------------------------------------- +Wed Jul 31 14:25:40 UTC 2019 - Adam Majer <[email protected]> + +- CVE-2019-10162.patch: fixes a denial of service but when authorized + user to cause the server to exit by inserting a crafted record in + a MASTER type zone under their control. (bsc#1138582, CVE-2019-10162) +- CVE-2019-10163.patch: fixes a denial of service of slave server when + an authorized master server sends large number of NOTIFY messages + (bsc#1138582, CVE-2019-10163) +- CVE-2019-10203.patch: update postgresql schema to address a possible + denial of service by an authorized user by inserting a crafted + record in a MASTER type zone under their control. 
+ (bsc#1142810, CVE-2019-10203) + + To fix the issue, run the following command against your PostgreSQL + pdns database: + + ALTER TABLE domains ALTER notified_serial TYPE bigint + USING CASE WHEN notified_serial >= 0 + THEN notified_serial::bigint END; + +------------------------------------------------------------------- +Fri Mar 22 14:48:38 UTC 2019 - Michael Ströder <[email protected]> + +- Update to 4.1.8 + * #7604: Correctly interpret an empty AXFR response to an IXFR query, + * #7610: Fix replying from ANY address for non-standard port, + * #7609: Fix rectify for ENT records in narrow zones, + * #7607: Do not compress the root, + * #7608: Fix dot stripping in `setcontent()`, + * #7605: Fix invalid SOA record in MySQL which prevented the authoritative server from starting, + * #7603: Prevent leak of file descriptor if running out of ports for incoming AXFR, + * #7602: Fix API search failed with “Commands out of sync; you can’t run this command now”, + * #7509: Plug `mysql_thread_init` memory leak, + * #7567: EL6: fix `CXXFLAGS` to build with compiler optimizations. 
+ +------------------------------------------------------------------- +Mon Mar 18 20:17:10 UTC 2019 - Michael Ströder <[email protected]> + +- Update to 4.1.7 with a security fix: + * Insufficient validation in the HTTP remote backend + (bsc#1129734, CVE-2019-3871) + +------------------------------------------------------------------- +Mon Mar 18 12:13:42 UTC 2019 - Michael Ströder <[email protected]> + +- Update to 4.1.6 + * Prevent more than one CNAME/SOA record in the same RRset + +------------------------------------------------------------------- +Wed Mar 13 17:48:19 UTC 2019 - Dirk Mueller <[email protected]> + +- adjust buildrequires for mariadb 10.2.x on SLES + +------------------------------------------------------------------- +Wed Nov 7 07:21:21 UTC 2018 - Michael Ströder <[email protected]> + +- Update to 4.1.5 + * Improvements + - Apply alias scopemask after chasing + - Release memory in case of error in the openssl ecdsa constructor + - Switch to devtoolset 7 for el6 + * Bug Fixes + - Crafted zone record can cause a denial of service + (bsc#1114157, CVE-2018-10851) + - Packet cache pollution via crafted query + (bsc#1114169, CVE-2018-14626) + - Fix compilation with libressl 2.7.0+ + - Actually truncate truncated responses + +------------------------------------------------------------------- +Wed Aug 29 16:06:03 UTC 2018 - [email protected] + +- Update to 4.1.4 + - Improvements + * #6590: Fix warnings reported by gcc 8.1.0. + * #6632, #6844, #6842, #6848: Make the gmysql backend future-proof + * #6685, #6686: Initialize some missed qtypes. + + - Bug Fixes + * #6780: Avoid concurrent records/comments iteration from + running out of sync. + * #6816: Fix a crash in the API when adding records. + * #4457, #6691: pdns_control notify: handle slave without + renotify properly. + * #6736, #6738: Reset the TSIG state between queries. + * #6857: Remove SOA-check backoff on incoming notify and fix + lock handling. 
+ * #6858: Fix an issue where updating a record via DNS-UPDATE in + a child zone that also exists in the parent zone, we would + incorrectly apply the update to the parent zone. + * #6676, #6677: Geoipbackend: check geoip_id_by_addr_gl and + geoip_id_by_addr_v6_gl return value. (Aki Tuomi) + +------------------------------------------------------------------- +Thu May 24 14:53:16 UTC 2018 - [email protected] + +- Use HTTPS links in .spec file like mentioned in PowerDNS announcements +- removed obsolete 6370.patch +- Update to 4.1.3 + - Improvements + * #6239, #6559: pdnsutil: use new domain in b2bmigrate (Aki Tuomi) + * #6130: Update copyright years to 2018 (Matt Nordhoff) + * #6312, #6545: Lower ‘packet too short’ loglevel + - Bug Fixes + * #6441, #6614: Restrict creation of OPT and TSIG RRsets + * #6228, #6370: Fix handling of user-defined axfr filters return values + * #6584, #6585, #6608: Prevent the GeoIP backend from copying + NetMaskTrees around, fixes slow-downs in certain configurations + (Aki Tuomi) + * #6654, #6659: Ensure alias answers over TCP have correct name + +------------------------------------------------------------------- +Fri May 11 13:34:23 UTC 2018 - [email protected] + +- Update to 4.1.2 + - Improvements + * API: increase serial after dnssec related updates + * Auth: lower ‘packet too short’ loglevel + * Make check-zone error on rows that have content but shouldn’t + * Auth: avoid an isane amount of new backend connections during an axfr + * Report unparseable data in stoul invalid_argument exception + * Backport: recheck serial when axfr is done + * Backport: add tcp support for alias + - Bug Fixes + * Auth: allocate new statements after reconnecting to postgresql + * Auth-bindbackend: only compare ips in ismaster() (Kees Monshouwer) + * Rather than crash, sheepishly report no file/linenum + * Document undocumented config vars + * Backport #6276 (auth 4.1.x): prevent cname + other data with dnsupdate + - misc + * Move includes around to 
avoid boost L conflict + * Backport: update edns option code list + * Auth: link dnspcap2protobuf against librt when needed + * Fix a warning on botan >= 2.5.0 + * Auth 4.1.x: unbreak build + * Dnsreplay: bail out on a too small outgoing buffer (CVE-2018-1046 bsc#1092540) + +------------------------------------------------------------------- +Mon Apr 23 18:22:25 UTC 2018 - [email protected] + +- add patch for upstream issue #6228 + https://patch-diff.githubusercontent.com/raw/PowerDNS/pdns/pull/6370.patch + +------------------------------------------------------------------- +Fri Apr 13 12:02:14 UTC 2018 - [email protected] + +- geoip not available on SLE15 but protobuf support is available. + +------------------------------------------------------------------- +Fri Feb 16 17:55:03 UTC 2018 - [email protected] + +- Update to version 4.1.1: + bug-fix only release, with fixes to the LDAP and MySQL backends, + the pdnsutil tool, and PDNS internals + +------------------------------------------------------------------- +Thu Nov 30 13:25:19 UTC 2017 - [email protected] + +- Update to version 4.1.0: + + Recursor passthrough removal. Migration plans for users of + recursor passthrough are in documentation and available at, + https://doc.powerdns.com/authoritative/guides/recursion.html + + Improved performance: 4x speedup in some scenarios + + Crypto API: DNSSEC fully configurable via RESTful API + + Database: enhanced reconnection logic solving problems + associated with idle disonnection from database servers. 
+ + Documentation improvements + + Support for TCP Fast Open + + Removed deprecated SOA-EDIT values: INCEPTION and INCEPTION-WEEK +- pkgconfig(krb5) is now always required for building LDAP backend +- pdns-4.0.4_mysql-schema-mariadb.patch: removed, upstreamed + +------------------------------------------------------------------- +Mon Nov 27 17:03:10 UTC 2017 - [email protected] + +- package schema files in ldap subpackage + +------------------------------------------------------------------- +Mon Nov 27 16:21:43 UTC 2017 - [email protected] + +- Update to version 4.0.5: + + fixes CVE-2017-15091: Missing check on API operations + + Bindbackend: do not corrupt data supplied by other backends in + getAllDomains + + For create-slave-zone, actually add all slaves, and not only + first n times ++++ 1076 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.1:Update/.pdns.12262.new.3248/pdns.changes

New:
----
  CVE-2019-10162.patch
  CVE-2019-10163.patch
  CVE-2019-10203.patch
  README.opendbx
  pdns-4.0.3_allow_dacoverride_in_capset.patch
  pdns-4.1.8.tar.bz2
  pdns-4.1.8.tar.bz2.sig
  pdns.changes
  pdns.keyring
  pdns.spec
  pdns_maxmind.patch
  rcpdns

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pdns.spec ++++++
#
# spec file for package pdns
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

Name:           pdns
Version:        4.1.8
Release:        0
#
%define pkg_name pdns
%define pkg_version 4.1.8
#
%if 0%{?suse_version} > 1230 || 0%{?rhel_version} > 600 || 0%{?centos_version} > 600 || 0%{?fedora_version} >= 20 || 0%{?el7}%{?fc20}%{?fc21}%{?fc22}%{?fc23}%{?fc24}%{?fc25}
%bcond_without systemd
%else
%bcond_with systemd
%endif
%if 0%{?fedora_version} >= 24 || 0%{?fc24}%{?fc25}
%bcond_with systemd_separetedlibs
%else
%bcond_without systemd_separetedlibs
%endif
#
%bcond_without pdns_lua
%bcond_without pdns_mydns
%bcond_with pdns_experimental_gss_tsig
%bcond_without pdns_odbc
%bcond_without pdns_sqlite3
%bcond_with pdns_tinydns
%if 0%{?is_opensuse}
%bcond_without pdns_geoip
%else
%bcond_with pdns_geoip
%endif
%if 0%{?suse_version} > 1315 || 0%{?is_opensuse}
%bcond_without pdns_protobuf
%else
%bcond_with pdns_protobuf
%endif
%if 0%{?suse_version} > 1110 || 0%{?rhel_version} > 600 || 0%{?centos_version} > 600 || 0%{?fedora_version} >= 22 || 0%{?fc22}%{?fc23}%{?fc24}%{?fc25}
%bcond_without pdns_tools
%bcond_without pdns_pkcs11
%bcond_without pdns_zeromq
%else
%bcond_with pdns_tools
%bcond_with pdns_pkcs11
%bcond_with pdns_zeromq
%endif
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
#BuildRequires:  asciidoc
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  bison
%if 0%{?suse_version} > 1325
BuildRequires:  libboost_program_options-devel
%else
BuildRequires:  boost-devel
%endif
BuildRequires:  curl-devel
BuildRequires:  flex
%if %{with pdns_geoip}
BuildRequires:  pkgconfig(libmaxminddb)
BuildRequires:  yaml-cpp-devel
%endif
BuildRequires:  pkgconfig(krb5)
%if %{with pdns_experimental_gss_tsig}
BuildRequires:  pkgconfig(gss)
BuildRequires:  pkgconfig(krb5-gssapi)
%endif
BuildRequires:  gcc-c++
BuildRequires:  gdbm-devel
BuildRequires:  libtool
# unused atm
BuildRequires:  libedit-devel
BuildRequires:  libsodium-devel
%if %{with pdns_lua}
BuildRequires:  lua-devel
%endif
%if %{with pdns_tinydns}
# FIXME: Could not find libcdb/tinycdb
%endif
BuildRequires:  libmysqlclient-devel
%if 0%{?suse_version}
BuildRequires:  openldap2-devel
%else
BuildRequires:  openldap-devel
%endif
BuildRequires:  postgresql-devel
#BuildRequires:  ragel
%if %{with pdns_protobuf}
BuildRequires:  protobuf-devel
%endif
BuildRequires:  sqlite-devel >= 3
%if %{with pdns_sqlite3}
BuildRequires:  sqlite-devel >= 3
%endif
%if %{with pdns_odbc}
BuildRequires:  unixODBC-devel
%endif
#
%if %{with pdns_opendbx}
BuildRequires:  opendbx-backend-pgsql
BuildRequires:  opendbx-devel
%endif
BuildRequires:  pkgconfig
%if %{with pdns_pkcs11}
BuildRequires:  pkgconfig(p11-kit-1)
%endif
%if %{with pdns_zeromq}
BuildRequires:  zeromq-devel
%endif
%if %{with systemd}
BuildRequires:  pkgconfig(systemd)
%if %{with systemd_separetedlibs}
BuildRequires:  pkgconfig(libsystemd)
%endif
%{?systemd_requires}
%else
PreReq:         %fillup_prereq
PreReq:         %insserv_prereq
%endif
PreReq:         pdns-common
#
Url:            https://www.powerdns.com/
Source:         https://downloads.powerdns.com/releases/pdns-%{pkg_version}.tar.bz2
Source3:        https://downloads.powerdns.com/releases/pdns-%{pkg_version}.tar.bz2.sig
Source4:        https://powerdns.com/powerdns-keyblock.asc#/pdns.keyring
Source1:        rcpdns
Source2:        README.opendbx
Patch1:         pdns-4.0.3_allow_dacoverride_in_capset.patch
Patch2:         CVE-2019-10162.patch
Patch3:         CVE-2019-10163.patch
Patch4:         CVE-2019-10203.patch
Patch5:         pdns_maxmind.patch
Summary:        Authoritative-only nameserver
License:        GPL-2.0-only
Group:          Productivity/Networking/DNS/Servers

%description
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents. Furthermore, PowerDNS interfaces with
almost any database.

%package backend-mysql
Requires:       %{name} = %{version}
#
Summary:        MySQL backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-mysql
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the MySQL backend for pdns.

%if %{with pdns_mydns}
%package backend-mydns
Requires:       %{name} = %{version}
#
Summary:        MyDNS backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-mydns
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the MyDNS backend for pdns.
%endif

%package backend-postgresql
Requires:       %{name} = %{version}
#
Summary:        PostgreSQL backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-postgresql
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the PostgreSQL backend for pdns.

%if %{with pdns_odbc}
%package backend-godbc
Requires:       %{name} = %{version}
#
Summary:        ODBC backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-godbc
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the ODBC backend for pdns.
%endif

%package backend-sqlite3
Requires:       %{name} = %{version}
#
Summary:        SQLite 3 backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-sqlite3
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the SQLite 3 backend for pdns.

%package backend-ldap
Requires:       %{name} = %{version}
#
Summary:        LDAP backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-ldap
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the LDAP backend for pdns.

%package backend-opendbx
Requires:       %{name} = %{version}
#
Summary:        OpenDBX backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-opendbx
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the OpenDBX backend for pdns.

%package backend-lua
Requires:       %{name} = %{version}
#
Summary:        Lua backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-lua
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the Lua backend for pdns.

%package backend-remote
Requires:       %{name} = %{version}
#
Summary:        Remote backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-remote
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the remote backend for pdns.

%package backend-geoip
Requires:       %{name} = %{version}
#
Summary:        GeoIP2 backend for pdns
Group:          Productivity/Networking/DNS/Servers

%description backend-geoip
The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to
contemporary DNS standards documents.

This package holds the GeoIP2 backend for pdns.

%prep
%autosetup -n %{name}-%{pkg_version} -p1
%if %{with pdns_opendbx}
cp %{S:2} README.opendbx
%endif

%build
# touch NEWS AUTHORS COPYING
autoreconf -fiv
# set $LD for now. this fixes the configure check for relro,now.
export LD="$(which ld)"
export CFLAGS="%{optflags} -DLDAP_DEPRECATED"
export CXXFLAGS="$CFLAGS"
# "mysql" backend is legacy crap. dont build it!
%configure \
  --docdir=%{_datadir}/doc/packages/%{name}/ \
  --disable-silent-rules \
  --with-socketdir=%{_localstatedir} \
  --localstatedir=%{_localstatedir} \
  --enable-libsodium \
  --enable-reproducible \
%if %{with pdns_protobuf}
  --with-protobuf \
%endif
%if %{with pdns_experimental_gss_tsig}
  --enable-experimental-gss-tsig \
%endif
  --sysconfdir=%{_sysconfdir}/%{pkg_name} \
  --libdir=%{_libdir} \
  --with-pgsql-lib=%{_libdir} \
  --with-mysql-lib=%{_libdir} \
%if %{with pdns_pkcs11}
  --enable-experimental-pkcs11 \
%endif
%if %{with sanitizer}
  --enable-asan \
  --enable-msan \
  --enable-tsan \
  --enable-lsan \
  --enable-ubsan \
%endif
  --enable-malloc-trace \
%if %{with pdns_zeromq}
  --enable-remotebackend-zeromq \
%endif
  --with-modules="" \
%if %{with pdns_lua}
  --with-lua \
%endif
  --with-dynmodules="\
bind \
%if %{with pdns_geoip}
geoip \
%endif
gmysql \
%if %{with pdns_odbc}
godbc \
%endif
%if %{with pdns_oracle}
goracle \
%endif
gpgsql \
%if %{with pdns_sqlite3}
gsqlite3 \
%endif
ldap \
%if %{with pdns_lua}
lua \
%endif
%if %{with pdns_mydns}
mydns \
%endif
%if %{with pdns_opendbx}
opendbx \
%endif
%if %{with pdns_oracle}
oracle \
%endif
pipe \
random \
remote \
%if %{with pdns_tinydns}
tinydns \
%endif
"\
%if %{with pdns_tools}
  --enable-tools \
%endif
  --disable-static
make %{?_smp_mflags}

%install
make %{?_smp_mflags} install DESTDIR="%{buildroot}"
# enable the privilege drop in the shipped config: two separate sed commands
sed -i "s:# setgid=:setgid=pdns:g
        s:# setuid=:setuid=pdns:g" \
  %{buildroot}%{_sysconfdir}/%{pkg_name}/pdns.conf-dist
mv %{buildroot}%{_sysconfdir}/%{pkg_name}/pdns.conf-dist %{buildroot}%{_sysconfdir}/%{pkg_name}/pdns.conf
%if %{with systemd}
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name}
%else
install -D -m 0755 %{SOURCE1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
ln -s -f ../..%{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
%endif
rm -rfv %{buildroot}%{_libdir}/pdns/*.la
#
install -m 0644 AUTHORS NEWS NOTICE COPYING README* %{buildroot}%{_datadir}/doc/packages/%{name}/

%pre
getent group pdns >/dev/null || /usr/sbin/groupadd -r pdns
getent passwd pdns >/dev/null || \
  /usr/sbin/useradd -g pdns -s /bin/false -r -c "pdns" -d %{home} pdns
%if %{with systemd}
%service_add_pre %{name}.service
%endif

%post
%if %{with systemd}
%service_add_post %{name}.service
%else
%{fillup_and_insserv pdns}
%endif

%preun
%if %{with systemd}
%service_del_preun %{name}.service
%else
%stop_on_removal pdns
%endif

%postun
%if %{with systemd}
%service_del_postun %{name}.service
%else
%restart_on_update pdns
%insserv_cleanup
%endif

%files
%defattr (-,root,root,-)
%dir %{_datadir}/doc/packages/%{name}/
%doc %{_datadir}/doc/packages/%{name}/AUTHORS
%doc %{_datadir}/doc/packages/%{name}/COPYING
%doc %{_datadir}/doc/packages/%{name}/NEWS
%doc %{_datadir}/doc/packages/%{name}/NOTICE
%doc %{_datadir}/doc/packages/%{name}/README*
%exclude %{_datadir}/doc/packages/%{name}/*.sql
%if %{with systemd}
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}@.service
%else
%{_sysconfdir}/init.d/%{pkg_name}
%endif
%{_sbindir}/rcpdns
%config(noreplace) %attr(640,root,pdns) %{_sysconfdir}/%{pkg_name}/%{pkg_name}.conf
%{_bindir}/dnsbulktest
%{_bindir}/dnsreplay
%{_bindir}/dnsscan
%{_bindir}/dnsscope
%{_bindir}/dnstcpbench
%{_bindir}/dnswasher
%{_bindir}/nproxy
%{_bindir}/nsec3dig
%{_bindir}/saxfr
%{_bindir}/calidns
%{_bindir}/dnsgram
%{_bindir}/dumresp
%{_bindir}/ixplore
%{_bindir}/sdig
%{_bindir}/pdns_control
%{_bindir}/pdns_notify
%{_bindir}/pdnsutil
%{_bindir}/stubquery
%{_bindir}/zone2sql
%{_bindir}/zone2json
%{_sbindir}/pdns_server
%if %{with pdns_protobuf}
%{_bindir}/dnspcap2protobuf
%{_mandir}/man1/dnspcap2protobuf.1.gz
%endif
%{_mandir}/man1/dnsbulktest.1*
%{_mandir}/man1/dnsgram.1*
%{_mandir}/man1/dnsscan.1*
%{_mandir}/man1/ixplore.1*
%{_mandir}/man1/nsec3dig.1*
%{_mandir}/man1/saxfr.1*
%{_mandir}/man1/sdig.1*
%{_mandir}/man1/dnstcpbench.1*
%{_mandir}/man1/dnsreplay.1*
%{_mandir}/man1/dnsscope.1*
%{_mandir}/man1/dnswasher.1*
%{_mandir}/man1/pdns_control.1*
%{_mandir}/man1/pdns_notify.1*
%{_mandir}/man1/pdns_server.1*
%{_mandir}/man1/pdnsutil.1*
%{_mandir}/man1/zone2json.1*
%{_mandir}/man1/zone2sql.1*
%{_mandir}/man1/calidns.1*
%{_mandir}/man1/dumresp.1*
%{_mandir}/man1/nproxy.1*
%dir %{_libdir}/%{pkg_name}
%{_libdir}/%{pkg_name}/libpipebackend.so*
%{_libdir}/%{pkg_name}/libbindbackend.so*
%{_libdir}/%{pkg_name}/librandombackend.so*

%files backend-mysql
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libgmysqlbackend.so*
%doc %{_datadir}/doc/packages/%{name}/*.mysql.sql

%if %{with pdns_mydns}
%files backend-mydns
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libmydnsbackend.so*
%endif

%if %{with pdns_lua}
%files backend-lua
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libluabackend.so*
%endif

%files backend-postgresql
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libgpgsqlbackend.so*
%doc %{_datadir}/doc/packages/%{name}/*.pgsql.sql

%if %{with pdns_sqlite3}
%files backend-sqlite3
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libgsqlite3backend.so*
%doc %{_datadir}/doc/packages/%{name}/*.sqlite3.sql
%endif

%files backend-ldap
%defattr (-,root,root,-)
%{_bindir}/zone2ldap
%{_libdir}/%{pkg_name}/libldapbackend.so*
%{_mandir}/man1/zone2ldap.1*
%doc %{_datadir}/doc/packages/%{name}/*.schema

%if %{with pdns_opendbx}
%files backend-opendbx
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libopendbxbackend.so*
%endif

%if %{with pdns_odbc}
%files backend-godbc
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libgodbcbackend.so*
%endif

%if %{with pdns_geoip}
%files backend-geoip
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libgeoipbackend.so*
%endif

%files backend-remote
%defattr (-,root,root,-)
%{_libdir}/%{pkg_name}/libremotebackend.so

%changelog
++++++ CVE-2019-10162.patch ++++++
diff --git pdns-4.1.8/pdns/mastercommunicator.cc pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
index 456957a..ce0355c 100644
--- pdns-4.1.8/pdns/mastercommunicator.cc
+++ pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
@@ -50,6 +50,7 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B) FindNS fns; + try { if (d_onlyNotify.size()) { B->lookup(QType(QType::NS), di.zone); while(B->get(rr)) @@ -77,6 +78,16 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B) hasQueuedItem=true; } } + } + catch (PDNSException &ae) { + L << Logger::Error << "Error looking up name servers for " << di.zone << ", cannot notify: " << ae.reason << endl; + return; + } + catch (std::exception &e) { + L << Logger::Error << "Error looking up name servers for " << di.zone << ", cannot notify: " << e.what() << endl; + return; + } + set<string> alsoNotify(d_alsoNotify); B->alsoNotifies(di.zone, &alsoNotify); ++++++ CVE-2019-10163.patch ++++++ diff --git pdns-4.1.8/pdns/communicator.cc pdns-4.1.8-busyloop/pdns/communicator.cc index 7db5a3e..7fd59e4 100644 --- pdns-4.1.8/pdns/communicator.cc +++ pdns-4.1.8-busyloop/pdns/communicator.cc @@ -136,7 +136,10 @@ void CommunicatorClass::mainloop(void) if (extraSlaveRefresh) slaveRefresh(&P); } - else { + else { + // eat up extra posts to avoid busy looping if many posts were done + while (d_any_sem.tryWait() == 0) { + } break; // something happened } // this gets executed at least once every second ++++++ CVE-2019-10203.patch ++++++ Based on, commit 1953ba21c91a8569250f72a3de0efe57eabd7482 Author: Peter van Dijk <[email protected]> Date: Wed Jul 17 21:06:01 2019 +0200 use BIGINT for notified_serial in pg schema; fixes #6815 index f91046250..2333cf453 100644 Index: pdns-4.1.8/modules/gpgsqlbackend/3.4.0_to_4.1.0_schema.pgsql.sql =================================================================== --- pdns-4.1.8.orig/modules/gpgsqlbackend/3.4.0_to_4.1.0_schema.pgsql.sql +++ pdns-4.1.8/modules/gpgsqlbackend/3.4.0_to_4.1.0_schema.pgsql.sql 
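Review bot: in CVE-2019-10162.patch, second hunk (@@ -77), both catch blocks log and then `return`, which also skips the `set<string> alsoNotify(d_alsoNotify); B->alsoNotifies(di.zone, &alsoNotify);` handling visible in the trailing context, so a zone whose NS lookup throws gets no notification of any kind beyond the log line; a one-line comment stating that this is intended (the crafted record makes the zone unnotifiable, and the error log is the operator's signal) would make the behaviour reviewable. The two catch bodies differ only in `ae.reason` versus `e.what()`; binding the message to a `std::string` first and logging once avoids keeping two copies of the same literal in sync.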
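Review bot: in CVE-2019-10163.patch (@@ -136), the drain loop `while (d_any_sem.tryWait() == 0) { }` collapses any number of pending posts into this single wakeup, which is only correct if every poster also left its work where the following iteration picks it up in full; the comment above the loop says why it exists but not that invariant, so state it there. A count of drained posts logged at debug level would additionally make a NOTIFY flood visible in the logs instead of being absorbed silently, which is what a defender watching for CVE-2019-10163-style traffic would want.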
@@ -1 +1,2 @@ ALTER TABLE records ALTER id TYPE BIGINT; +ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END; Index: pdns-4.1.8/modules/gpgsqlbackend/schema.pgsql.sql =================================================================== --- pdns-4.1.8.orig/modules/gpgsqlbackend/schema.pgsql.sql +++ pdns-4.1.8/modules/gpgsqlbackend/schema.pgsql.sql 
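Review bot: in CVE-2019-10203.patch, hunk @@ -1 +1,2 @@ of 3.4.0_to_4.1.0_schema.pgsql.sql, the `CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END` has no ELSE branch, so any row holding a negative notified_serial (the old column was a signed `INT DEFAULT NULL`, while a DNS serial is an unsigned 32-bit value) is converted to NULL rather than to a bigint; if that is the intended treatment, say so in a SQL comment beside the statement, because an operator who runs this one-liner from the changelog cannot see that some rows may lose their value. Since the statement lands in the 3.4.0_to_4.1.0 upgrade file, installations already on 4.1 will not run it automatically; the changelog entry that tells operators to run the ALTER by hand covers that, so keep the two statements identical (they currently are).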
@@ -4,7 +4,7 @@ CREATE TABLE domains ( master VARCHAR(128) DEFAULT NULL, last_check INT DEFAULT NULL, type VARCHAR(6) NOT NULL, - notified_serial INT DEFAULT NULL, + notified_serial BIGINT DEFAULT NULL, account VARCHAR(40) DEFAULT NULL, CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) );
++++++ README.opendbx ++++++
grabbed from http://wiki.linuxnetworks.de/index.php/PowerDNS_OpenDBX_Backend
and linked pages

-------------------------------------------------------------------------------

PowerDNS OpenDBX Backend - Installation

From Wiki

Contents

• 1 Installation
  1.1 Compilation
  1.2 Configuration options
  1.3 Backend specific configuration
    1.3.1 MySQL
    1.3.2 PostgreSQL
    1.3.3 SQLite and SQLite3
    1.3.4 MS SQL Server
    1.3.5 Sybase ASE
  1.4 Database setup
  1.5 Migration

Installation

Compilation

Before performing the steps to compile the PowerDNS server and the OpenDBX
backend you have to install the OpenDBX library, the OpenDBX backend you want
to use and its development package, which includes the necessary headers. The
OpenDBX package can be downloaded from Linuxnetworks.de.

Apply these steps to the source pdns-x.xx.tar.gz file if you don't want to use
a precompiled package:

* Extract the pdns tar file
* Change into the newly created pdns directory
* Extract the opendbxbackend tar file
* Run "cat <patch> | patch -p1" (if available)
* Type ./configure --help for the available options
* For dynamic modules: ./configure --prefix=/usr --with-modules="" --with-dynmodules="opendbx" --enable-recursor
* For a static module: ./configure --prefix=/usr --with-modules="opendbx" --with-dynmodules="" --enable-recursor
* make && make install

Configuration options

There are a few options through which the OpenDBX backend can be configured
for your environment. Add them to the pdns.conf file located in /etc/powerdns
or /usr/local/etc/ (depending on your configuration while compiling):

opendbx-backend (default "mysql")
    Name of the backend used to connect to the database server. Currently
    mysql, pgsql, sqlite, sqlite3 and sybase are available.

opendbx-host-read (default "127.0.0.1")
    One or more host names or IP addresses of the database servers. These
    hosts will be used for retrieving the records via SELECT queries.

opendbx-host-write (default "127.0.0.1")
    Same as opendbx-host-read, except for INSERT/UPDATE statements (mostly
    used by zone transfers).

opendbx-port (default "")
    TCP/IP port number the database server is listening on. Most databases
    will use their default port if you leave this empty.

opendbx-database (default "powerdns")
    The database name where all domain and record entries are stored.

opendbx-username (default "powerdns")
    Name of the user sent to the DBMS for authentication.

opendbx-password (default "")
    Clear text password for authentication in combination with the username.

opendbx-host (deprecated, default "127.0.0.1")
    Host name or IP address of the database server. This parameter is
    deprecated in favor of opendbx-host-read and opendbx-host-write.

Backend specific configuration

MySQL

Supported without changes since OpenDBX 1.0.0

PostgreSQL

Supported without changes since OpenDBX 1.0.0

SQLite and SQLite3

Supported without changes since OpenDBX 1.0.0, but requires setting
opendbx-host to the path of the SQLite file (including the trailing slash or
backslash, depending on your operating system) and opendbx-database to the
name of the file, e.g.

opendbx-host-read = /path/to/file/
opendbx-host-write = /path/to/file/
opendbx-database = powerdns.sqlite

MS SQL Server

Supported by PowerDNS 2.9.20 (with latest patch) and OpenDBX 1.1.4 by using
the FreeTDS library. It uses a different scheme for host configuration
(requires the name of the host section in the configuration file of the dblib
client library) and doesn't support the default statement for starting
transactions. Please add the following lines to your pdns.conf:

opendbx-host-read = MSSQL2k
opendbx-host-write = MSSQL2k
opendbx-sql-transactbegin = BEGIN TRANSACTION

Sybase ASE

Supported by PowerDNS 2.9.20 (with latest patch) and OpenDBX 1.1.5 by using
the native Sybase ctlib or the FreeTDS library. It uses a different scheme for
host configuration (requires the name of the host section in the
configuration file of the ctlib client library) and doesn't support the
default statement for starting transactions. Please add the following lines to
your pdns.conf:

opendbx-host-read = SYBASE
opendbx-host-write = SYBASE
opendbx-sql-transactbegin = BEGIN TRANSACTION

Database setup

You need one of the DBMS supported by the OpenDBX library for storing your
records and domain information. Please have a look at the documentation of
your DBMS for the task of creating a database and a user. After that you're
almost done. Use the appropriate table definition below to create the tables
in the new database, after which you can populate your database with DNS
information with e.g. zone2sql.

• MySQL
• PostgreSQL
• SQLite
• Sybase

Migration

To convert an existing gMySQL database to an OpenDBX MySQL database, an
additional status column is required since patch 2.9.20-3:

ALTER TABLE domains ADD ( status CHAR(1) NOT NULL DEFAULT 'A' )

Adding a foreign key constraint from records.domain_id to domains.id is a good
idea too:

ALTER TABLE records ADD CONSTRAINT fk_records_domainid FOREIGN KEY (domain_id)
    REFERENCES domains (id) ON UPDATE CASCADE ON DELETE CASCADE

You should also recreate your indices for optimal performance. Please have a
look in the appropriate file listed in the section above.
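The option list and the SQLite, MS SQL Server and Sybase sections above amount to a set of rules an operator can check before starting the server. What follows is an added example, not part of the README or of the OpenDBX backend: a Python validator that parses a pdns.conf fragment, applies the documented defaults, folds the deprecated opendbx-host into the read/write hosts, and flags SQLite paths without the trailing slash and an empty password. The two sample configurations, including the hypothetical /var/lib/powerdns path, are constructed for it.

```python
"""Check the opendbx-* settings of a pdns.conf fragment against the README above.

Added example, not part of the README or of the OpenDBX backend. It applies the
documented defaults, folds the deprecated opendbx-host into the read/write
hosts, verifies the SQLite path convention and flags an empty password. The
sample configurations at the bottom are constructed for this example.
"""

# Defaults exactly as listed under "Configuration options".
OPENDBX_DEFAULTS = {
    "opendbx-backend": "mysql",
    "opendbx-host-read": "127.0.0.1",
    "opendbx-host-write": "127.0.0.1",
    "opendbx-port": "",
    "opendbx-database": "powerdns",
    "opendbx-username": "powerdns",
    "opendbx-password": "",
}
KNOWN_BACKENDS = {"mysql", "pgsql", "sqlite", "sqlite3", "sybase"}
# Also accepted: the deprecated single host and the transaction statement that
# the MS SQL Server and Sybase ASE sections tell you to set.
EXTRA_KEYS = {"opendbx-host", "opendbx-sql-transactbegin"}


def parse_pdns_conf(text):
    """Parse key=value lines; '#' starts a comment. A later line overrides an
    earlier one, which is this example's assumption about how pdns reads it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def resolve_opendbx(settings):
    """Return (effective opendbx settings, list of warnings)."""
    warnings = []
    effective = dict(OPENDBX_DEFAULTS)
    for key, value in settings.items():
        if not key.startswith("opendbx-"):
            continue  # launch=, setuid= and friends are not this backend's
        if key not in OPENDBX_DEFAULTS and key not in EXTRA_KEYS:
            warnings.append(f"unknown setting {key}")
            continue
        effective[key] = value

    # Deprecated single host: it only fills in hosts that were not set explicitly.
    if "opendbx-host" in effective:
        host = effective.pop("opendbx-host")
        warnings.append("opendbx-host is deprecated; use opendbx-host-read and opendbx-host-write")
        for key in ("opendbx-host-read", "opendbx-host-write"):
            if key not in settings:
                effective[key] = host

    backend = effective["opendbx-backend"]
    if backend not in KNOWN_BACKENDS:
        warnings.append(f"unsupported opendbx-backend {backend!r}")

    if backend in ("sqlite", "sqlite3"):
        # README: host = directory of the database file with a trailing (back)slash,
        # database = the bare file name.
        for key in ("opendbx-host-read", "opendbx-host-write"):
            if not effective[key].endswith(("/", "\\")):
                warnings.append(f"{key} should be the directory of the SQLite file, with a trailing slash")
        if "/" in effective["opendbx-database"] or "\\" in effective["opendbx-database"]:
            warnings.append("opendbx-database should be the bare SQLite file name")
    elif effective["opendbx-password"] == "":
        warnings.append(f"empty opendbx-password for backend {backend}")
    return effective, warnings


def check_opendbx_conf(text):
    return resolve_opendbx(parse_pdns_conf(text))


# Constructed samples. The first follows the SQLite section but uses the deprecated
# opendbx-host and forgets the trailing slash; the path is hypothetical.
SQLITE_CONF = """\
launch=opendbx
opendbx-backend=sqlite3
opendbx-host=/var/lib/powerdns
opendbx-database=powerdns.sqlite
"""
# The second follows the Sybase ASE section and leaves the password empty.
SYBASE_CONF = """\
launch=opendbx
opendbx-backend=sybase
opendbx-host-read=SYBASE
opendbx-host-write=SYBASE
opendbx-sql-transactbegin=BEGIN TRANSACTION
opendbx-password=   # constructed: deliberately empty
"""

if __name__ == "__main__":
    for name, conf in (("sqlite", SQLITE_CONF), ("sybase", SYBASE_CONF)):
        effective, warnings = check_opendbx_conf(conf)
        print(name, effective)
        for warning in warnings:
            print("  warning:", warning)
```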
------------------------------------------------------------------------------- PowerDNS OpenDBX Backend - Optimization >From Wiki Contents • 1 Optimization 1.1 Use NULL for prio and ttl fields Optimization Use NULL for prio and ttl fields Each DNS entry in the record table has its own values for time-to-live (TTL) and priority. You can speed up processing of each query in the OpenDBX backend if you set both values in your records table to NULL by default and only set them to an appropriate value if you really need them. There are two record types where you can't use NULL in the prio fields: MX and SRV record types. Most of the time you need different values than 0 (which NULL is converted to in the OpenDBX backend) in those records but everywhere else NULL is suggested. The same applies to the TTL field in each record. There are only a few cases where you might wish to use different values than the default one you can set by the default-ttl=... config option in the pdns.conf file. ------------------------------------------------------------------------------- PowerDNS OpenDBX Backend - Comparison >From Wiki Contents • 1 Comparison 1.1 Environment 1.2 Settings 1.3 Test description 1.4 Results 1.5 Conclusion 1.6 Optimizations Comparison Environment The test environment consisted of two different machines both running Debian 3.1 (Sarge) with the latest official patches applied. The following packages were used: PowerDNS Version 2.9.18-svn (rev 474, 2005-09-03) PowerDNS OpenDBX Backend Version from 2005-10-15 (source) OpenDBX Version 0.9.5 (more) MySQL Version 4.1.11a, including libmysqlclient14 PostgreSQL Version 7.4.7 SQLite3 Version 3.2.1 One hosted the PowerDNS server while the other was responsible for running the test suite (queryperf is included in the BIND sources): PowerDNS + database server VIA C3 533MHz, 256MB RAM Benchmark client Pentium M 1.5GHz, 512MB RAM Both machines were connected by a 100MBit network and they were the only ones attached to the hub. 
Settings

All tests were done with default settings for each database; no further optimizations were applied except where stated otherwise. To get raw database and backend performance, caching in PowerDNS was switched off entirely. Otherwise we would get much higher but false results due to the packet caching done by PowerDNS. The "slave-cycle-interval" parameter was set to a value high enough that checking for unfresh slaves had no negative influence:

• cache-ttl=0
• negquery-cache-ttl=0
• query-cache-ttl=0
• recursive-cache-ttl=0
• master=yes
• slave-cycle-interval=300

Test description

The test was based on the records in the example.com zone available in the regression-tests directory of PowerDNS. The zone file was converted by zone2sql (part of the PowerDNS distribution) to a set of SQL queries inserted into the database tables created by the specific "create table" statements for each DBMS (available along with the OpenDBX backend sources).

Lookup speed

This was tested by running queryperf with a query set of 10000 A records (host-0.example.com to host-9999.example.com) three times in a row. Afterwards these results were averaged to give a good rule of thumb for real-life environments (cache hit rate of 60 to 70 percent).

AXFR speed

Zone transfer measurement was done by running "host -l example.com <serverip> 1>/dev/null" 100 times in a loop while timing the test. Possible variation of the results due to the operating system should be minimal.

Results

Values for queryperf results are the averaged number of queries per second determined by queryperf.

Backend        gmysql   OpenDBX   OpenDBX   OpenDBX
                        mysql     pgsql     sqlite3
1. queryperf      446       454       270       839
2. queryperf     1033      1118       272       848
3. queryperf     1033      1118       272       844
Lookup (avg)      837       897       271       844
AXFR (sec)        198       160       271       224

Conclusion

• The OpenDBX backend outperforms the native MySQL backend by ca. 7 percent in lookups
• OpenDBX backend zone transfers are even 20 percent faster than with the gmysql backend
• A PostgreSQL server needs optimized settings before it can perform well
• SQLite is a good alternative for systems without a dedicated server

Optimizations

I would like to know which settings are needed to get comparable performance figures for PostgreSQL. If you have any suggestions please add them to the Talk page.

++++++ pdns-4.0.3_allow_dacoverride_in_capset.patch ++++++
situation:
/var/lib/pdns              pdns:pdns  750
/var/lib/pdns/sqlite3.db   pdns:pdns  640

During startup it seems pdns tries to open the file as root, which fails because of the permissions; internally it tries to open it with the DAC override capability, which fails as it isn't in the capability set. Adding CAP_DAC_OVERRIDE fixes the start problems.

Index: pdns-4.0.3/pdns/pdns.service.in
===================================================================
--- pdns-4.0.3.orig/pdns/pdns.service.in
+++ pdns-4.0.3/pdns/pdns.service.in
@@ -13,7 +13,7 @@ RestartSec=1
 StartLimitInterval=0
 PrivateTmp=true
 PrivateDevices=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 NoNewPrivileges=true
 # ProtectSystem=full will disallow write access to /etc and /usr, possibly
 # not being able to write slaved-zones into sqlite3 or zonefiles.

Review bot: CAP_DAC_OVERRIDE in CapabilityBoundingSet lets every process of the unit bypass file permission checks on any file for the whole lifetime of the service, which is a much broader grant than the described problem (root failing to open /var/lib/pdns/sqlite3.db, mode 640 pdns:pdns, during startup) needs. The patch description does not say whether the database could instead be opened only after pdns has switched to pdns:pdns, where no extra capability is needed, nor why the narrower fix of adjusting the directory and file ownership was not chosen; please record that reasoning, and add a line to the `# ProtectSystem=full ...` comment block just below explaining why CAP_DAC_OVERRIDE is in the set, so a later packager does not silently drop it or, worse, keep it without knowing the cost.

++++++ pdns_maxmind.patch ++++++
++++ 1559 lines (skipped)

++++++ rcpdns ++++++
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/pdns
#   and its symbolic link
# /(usr/)sbin/rcpdns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon FOO
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides:          pdns
# Required-Start:    $network $syslog $remote_fs
# Should-Start:      ldap
# Required-Stop:     $network $syslog $remote_fs
# Should-Stop:       ldap
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: PDNS is a versatile high performance authoritative nameserver
# Description:       PDNS is a versatile high performance authoritative nameserver
### END INIT INFO
#
# Any extensions to the keywords given above should be preceded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
#   and Should-Start
#   (a) Hard dependencies: This is used by the runlevel editor to determine
#       which services absolutely need to be started to make the start of
#       this service make sense. Example: nfsserver should have
#       Required-Start: $portmap
#       Also, required services are started before the dependent ones.
#       The runlevel editor will warn about such missing hard dependencies
#       and suggest enabling. During system startup, you may expect an error,
#       if the dependency is not fulfilled.
#   (b) Specifying the init script ordering, not real (hard) dependencies.
#       This is needed by insserv to determine which service should be
#       started first (and at a later stage what services can be started
#       in parallel). The tag Should-Start: is used for this.
#       It tells, that if a service is available, it should be started
#       before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a $. The following ones are available
#   according to LSB (1.1):
#       $local_fs       all local file systems are mounted
#                       (most services should need this!)
#       $remote_fs      all remote file systems are mounted
#                       (note that /usr may be remote, so
#                        many services should Require this!)
#       $syslog         system logging facility up
#       $network        low level networking (eth card, ...)
#       $named          hostname resolution available
#       $netdaemons     all network daemons are running
#                       The $netdaemons pseudo service has been removed in LSB 1.2.
#                       For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#       $time           the system time has been set correctly
#       $portmap        SunRPC portmapping service available
#   UnitedLinux extensions:
#       $ALL            indicates that a script should be inserted
#                       at the end
# * The services specified in the stop tags
#   (Required-Stop/Should-Stop)
#   specify which services need to be still running when this service
#   is shut down. Often the entries there are just copies or a subset
#   from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
#   insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
#   a startup script should default to be enabled after installation.
#   It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff                     6 - reboot
# 1 - single user                       2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.

# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
PDNS_SERVER=/usr/sbin/pdns_server
test -x $PDNS_SERVER || { echo "$PDNS_SERVER not installed";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 5; fi; }

# Run a pdns_control command; its output lands in $ret and its exit
# status is the exit status of doPC.
doPC() {
    ret=$(/usr/bin/pdns_control $EXTRAOPTS $1 $2 2> /dev/null)
}

# NOTRUNNING is 0 when the control socket answers a ping, i.e. the
# server is up; it is non-zero otherwise.
doPC ping
NOTRUNNING=$?
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

# ensure our control directory exists
PDNS_CTRLDIR="/var/run/pdns"
if [ ! -e "$PDNS_CTRLDIR" ] ; then
    mkdir --mode=0755 "$PDNS_CTRLDIR"
fi

case "$1" in
    start)
        echo -n "Starting PowerDNS authoritative nameserver"
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc $PDNS_SERVER $EXTRAOPTS --daemon

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down PowerDNS authoritative nameserver"
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.
        killproc -TERM $PDNS_SERVER

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
            echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart|force-reload)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)
        echo -n "Reloading PowerDNS authoritative nameserver"
        doPC cycle
        rc_status -v
        ;;
    status)
        echo -n "Checking for service PDNS "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        checkproc $PDNS_SERVER
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)
        test /etc/pdns.conf -nt /var/run/pdns.pid && echo reload
        ;;
    # additional options, taken from the upstream init script
    force-stop)
        echo -n "Stopping PowerDNS authoritative nameserver"
        killproc -KILL $PDNS_SERVER
        rc_status -v
        ;;
    monitor)
        if test "$NOTRUNNING" = "0"
        then
            echo "already running"
        else
            $PDNS_SERVER --daemon=no --guardian=no --control-console --loglevel=9
        fi
        ;;
    dump)
        if test "$NOTRUNNING" = "0"
        then
            doPC list
            echo $ret
        else
            echo "not running"
        fi
        ;;
    show)
        if [ $# -lt 2 ]
        then
            echo "Insufficient parameters"
            exit 2      # LSB: invalid or excess argument(s)
        fi
        if test "$NOTRUNNING" = "0"
        then
            echo -n "$2="
            doPC show $2 ; echo $ret
        else
            echo "not running"
        fi
        ;;
    mrtg)
        if [ $# -lt 2 ]
        then
            echo "Insufficient parameters"
            exit 2      # LSB: invalid or excess argument(s)
        fi
        if test "$NOTRUNNING" = "0"
        then
            doPC show $2 ; echo $ret
            if [ "$3x" != "x" ]
            then
                doPC show $3 ; echo $ret
            else
                echo 0
            fi
            doPC uptime ; echo $ret
            echo PowerDNS daemon
        else
            echo "not running"
        fi
        ;;
    cricket)
        if [ $# -lt 2 ]
        then
            echo "Insufficient parameters"
            exit 2      # LSB: invalid or excess argument(s)
        fi
        if test "$NOTRUNNING" = "0"
        then
            doPC show $2 ; echo $ret
        else
            echo "not running"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe|force-stop|monitor|dump|show|mrtg|cricket}"
        exit 1
        ;;
esac
rc_exit
