Hello community,

here is the log from the commit of package pdns-recursor for openSUSE:Factory 
checked in at 2015-05-06 11:19:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pdns-recursor (Old)
 and      /work/SRC/openSUSE:Factory/.pdns-recursor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pdns-recursor"

Changes:
--------
--- /work/SRC/openSUSE:Factory/pdns-recursor/pdns-recursor.changes      
2015-02-20 12:01:42.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.pdns-recursor.new/pdns-recursor.changes 
2015-05-06 11:19:33.000000000 +0200
@@ -1,0 +2,20 @@
+Wed Apr 29 07:13:09 UTC 2015 - mrueck...@suse.de
+
+- call systemd-tmpfiles during installation
+
+-------------------------------------------------------------------
+Thu Apr 23 12:21:59 UTC 2015 - mich...@stroeder.com
+
+- update to 3.7.2 with a fix for CVE-2015-1868 (boo# 927569)
+  Bug fixes:
+  - commit adb10be commit 3ec3e0f commit dc02ebf Fix handling of
+    forward references in label compressed packets; fixes
+    CVE-2015-1868
+  - commit a7be3f1: make sure we never call sendmsg with
+    msg_control!=NULL && msg_controllen>0. Fixes ticket #2227
+  - commit 9d835ed: Improve robustness of root-nx-trust.
+  Improvements:
+  - commit 99c595b: Silence warnings that always occur on FreeBSD
+    (Ruben Kerkhof)
+
+-------------------------------------------------------------------

Old:
----
  pdns-recursor-3.7.1.tar.bz2

New:
----
  pdns-recursor-3.7.2.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pdns-recursor.spec ++++++
--- /var/tmp/diff_new_pack.onFZJT/_old  2015-05-06 11:19:34.000000000 +0200
+++ /var/tmp/diff_new_pack.onFZJT/_new  2015-05-06 11:19:34.000000000 +0200
@@ -24,7 +24,7 @@
 
 
 Name:           pdns-recursor
-Version:        3.7.1
+Version:        3.7.2
 Release:        1
 %define pkg_version    %{version}
 #
@@ -118,6 +118,7 @@
 
 %if 0%{?suse_version} && %{with systemd}
 %post
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/pdns-recursor.conf || true
 %service_add_post %{name}.service
 %endif
 

++++++ pdns-recursor-3.7.1.tar.bz2 -> pdns-recursor-3.7.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/README 
new/pdns-recursor-3.7.2/README
--- old/pdns-recursor-3.7.1/README      2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/README      2015-04-21 15:02:57.000000000 +0200
@@ -2,7 +2,9 @@
 -------------
 For full details, please read:
 
-               http://doc.powerdns.com/built-in-recursor.html
+       https://doc.powerdns.com/md/recursor/
+
+Here follow some brief notes that may be useful to get you going.
 
 COMPILING
 ---------
@@ -14,76 +16,29 @@
 You only need to download it, there is no need to compile.
 
 On most modern UNIX distributions, you can simply install 'boost' or
-'boost-dev' or 'boost-devel'. If you don't have that option, or don't want
-to use it, try:
-
-1) head to http://sourceforge.net/project/showfiles.php?group_id=7586 and
-download the latest boost tar.bz2 or tar.gz, perhaps from:
-http://downloads.sourceforge.net/project/boost/boost/1.39.0/boost_1_39_0.tar.bz2?use_mirror=ovh
-(use the first link if this one doesn't work)
-
-2) untar it:
-
-$ tar xjf boost_1_39_0.tar.bz2
-
-3) Compile the PowerDNS recursor using:
-
-$ CXXFLAGS=-I./boost_1_39_0/ ./configure
-$ CXXFLAGS=-I./boost_1_39_0/ make clean 
-$ CXXFLAGS=-I./boost_1_39_0/ make all
-(the 'clean' is needed to have make pick up the new boost)
-
-4) Run ./pdns_recursor and you should be set!
-
-5) (g)make install
-
-(use gmake on many BSD variant and Solaris, regular make on Linux)
+'boost-dev' or 'boost-devel'. Otherwise, just download boost, and point the
+compiler at the right directory using CPPFLAGS.
 
 OPTIONAL LUA SCRIPTING
 ----------------------
 To benefit from Lua scripting, as described on
 http://doc.powerdns.com/recursor-scripting.html please compile like this:
 
-$ LUA=1 (g)make
+$ LUA=1 ./configure ; LUA=1 (g)make
+
 or even
 
 $ LUA=1 LUA_CPPFLAGS_CONFIG=-I/usr/local/include/lua5.1 
LUA_LIBS_CONFIG=-llua5.1\
+       ./configure
+$ LUA=1 LUA_CPPFLAGS_CONFIG=-I/usr/local/include/lua5.1 
LUA_LIBS_CONFIG=-llua5.1\
        (g)make
 
 Use the _CONFIG settings to point out to PowerDNS where your Lua
-installation resides. PowerDNS supports both Lua 5.0 and 5.1.
-
-PLATFORM SPECIFIC NOTES
------------------------
-When compiling on Solaris 8, use:
-$ CPPFLAGS=-DSOLARIS8 ... gmake 
-
-where ... stands for any possible CXXFLAGS or PROFILEFLAGS, see below.
-
-PERFORMANCE
------------
-When on Intel/AMD, by ALL means use a 64-bit binary (not just a 64-bit
-kernel). This speeds up most things by at least a factor 2.
-
-For the utmost in performance, compile like this:
-
-   $ PROFILEFLAGS=-fprofile-generate make
-
-Then run the program for a bit, in as much of a real-life setting as you
-have available. Then run:
-
-   $ rec_control quit-nicely
-   bye nicely
-
-Then do:
-
-   $ PROFILEFLAGS=-fprofile-use make binclean all
-
-The resulting binary is up to 20% faster in our tests.
-
-Do run with g++ 4.4.1 if you can, it is the best.
+installation resides. PowerDNS supports Lua 5.1 through Lua 5.3.
 
 RUNNING ON A DIFFERENT MACHINE
 ------------------------------
 To prevent hassles with g++/c++ dependencies, you can build like this:
-   $ STATIC=semi make all
+
+   $ STATIC=semi ./configure ; STATIC=semi make all
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pdns-recursor-3.7.1/build-scripts/redhat/pdns-recursor-test.spec 
new/pdns-recursor-3.7.2/build-scripts/redhat/pdns-recursor-test.spec
--- old/pdns-recursor-3.7.1/build-scripts/redhat/pdns-recursor-test.spec        
2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/build-scripts/redhat/pdns-recursor-test.spec        
2015-04-21 15:02:57.000000000 +0200
@@ -9,7 +9,7 @@
 Epoch:                 0
 Group:                 System Environment/Daemons
 License:               GPL
-Source:                        
http://downloads.powerdns.com/releases/%{name}-3.7.1.tar.bz2
+Source:                        
http://downloads.powerdns.com/releases/%{name}-3.7.2.tar.bz2
 
 BuildRequires:         boost-devel >= 1.39.0
 BuildRequires:         lua-devel >= 5.3
@@ -20,7 +20,7 @@
 PowerDNS recursor
 
 %prep
-%setup -q -n %{name}-3.7.1
+%setup -q -n %{name}-3.7.2
 
 %build
 %configure
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/config.h 
new/pdns-recursor-3.7.2/config.h
--- old/pdns-recursor-3.7.1/config.h    2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/config.h    2015-04-21 15:02:57.000000000 +0200
@@ -1,4 +1,4 @@
 #define RECURSOR
-#define VERSION "3.7.1"
+#define VERSION "3.7.2"
 #define DIST_HOST "jenk...@autotest.powerdns.com"
 #define HAVE_BOOST 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/configure 
new/pdns-recursor-3.7.2/configure
--- old/pdns-recursor-3.7.1/configure   2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/configure   2015-04-21 15:02:57.000000000 +0200
@@ -1,6 +1,10 @@
 #!/bin/sh
 set -e
 
+if [ "$HARDENING" = "" ]; then
+  HARDENING="yes"
+fi
+
 if [ "$CXX" = "" ]; then
   CXX="g++"
 fi
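Review bot: `HARDENING=no` switches off every probe at once and leaves no trace in the build output. With the default added here and the `if [ "$HARDENING" != "no" ]` guard that a later hunk puts around `test_flags`, the `@LD_RELRO@`, `@LD_PIE@`, `@CF_PIE@`, `@CF_FORTIFY@` and `@CF_STACK@` substitutions are presumably all empty for such a build. For a resolver that parses packets from the network that should be visible, so add an `else` branch there such as `echo "HARDENING=no: building without PIE/RELRO/FORTIFY/stack protector" >&2`. Only the exact string `no` disables the probes, so `No` or `0` still harden; that is the safe direction, but a comment next to this default should say so.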
@@ -46,8 +50,8 @@
 EOF
 
   # test for PIE
-  if $CXX $src -c -o a.out -fPIE -DPIE; then
-    if [ "$STATIC" != "semi" ] && [ "$STATIC" != "full" ] && $CXX -pie -o 
a2.out a.out; then
+  if $CXX $src -c -o a.out -fPIE -DPIE 2>/dev/null; then
+    if [ "$STATIC" != "semi" ] && [ "$STATIC" != "full" ] && $CXX -pie -o 
a2.out a.out 2>/dev/null; then
       CF_PIE="-fPIE -DPIE"
       LD_PIE="-pie"
     fi
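Review bot: With `2>/dev/null` on both probe commands, a failed PIE test now disappears completely: `CF_PIE` and `LD_PIE` stay unset and nothing in the output says the binary will be built without PIE. Hiding the compiler noise is reasonable, but the result should then be reported, for example `echo "PIE: ${LD_PIE:-not available}"` after the outer `fi`, so a packager can spot a toolchain that lost the flag. The enclosing `test_flags` function starts before this hunk and ends after it, so the other probes are not visible here; if they are silenced the same way, the same reporting applies to them.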
@@ -69,7 +73,9 @@
   rm -f $src a.out a2.out
 }
 
-test_flags
+if [ "$HARDENING" != "no" ]; then
+  test_flags
+fi
 
 sed -e "s/@LD_RELRO@/$LD_RELRO/g" -e "s/@LD_PIE@/$LD_PIE/g" -e 
"s/@CF_PIE@/$CF_PIE/g" -e "s/@CF_FORTIFY@/$CF_FORTIFY/g" -e 
"s/@CF_STACK@/$CF_STACK/g" < Makefile.in > Makefile
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pdns-recursor-3.7.1/contrib/systemd-pdns-recursor.service 
new/pdns-recursor-3.7.2/contrib/systemd-pdns-recursor.service
--- old/pdns-recursor-3.7.1/contrib/systemd-pdns-recursor.service       
2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/contrib/systemd-pdns-recursor.service       
2015-04-21 15:02:57.000000000 +0200
@@ -1,7 +1,8 @@
 [Unit]
 Description=PowerDNS recursing nameserver
 Documentation=man:pdns_recursor(1) man:rec_control(1)
-Wants=network-online.target
+Wants=network-online.target nss-lookup.target
+Before=nss-lookup.target
 After=network-online.target
 
 [Service]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/dnsparser.cc 
new/pdns-recursor-3.7.2/dnsparser.cc
--- old/pdns-recursor-3.7.1/dnsparser.cc        2015-02-12 11:16:00.000000000 
+0100
+++ new/pdns-recursor-3.7.2/dnsparser.cc        2015-04-21 15:02:57.000000000 
+0200
@@ -455,9 +455,10 @@
 
 void PacketReader::getLabelFromContent(const vector<uint8_t>& content, 
uint16_t& frompos, string& ret, int recurs) 
 {
-  if(recurs > 1000) // the forward reference-check below should make this test 
100% obsolete
+  if(recurs > 100) // the forward reference-check below should make this test 
100% obsolete
     throw MOADNSException("Loop");
   // it is tempting to call reserve on ret, but it turns out it creates a 
malloc/free storm in the loop
+  int pos = frompos;
   for(;;) {
     unsigned char labellen=content.at(frompos++);
 
@@ -470,7 +471,7 @@
       uint16_t offset=256*(labellen & ~0xc0) + (unsigned 
int)content.at(frompos++) - sizeof(dnsheader);
       //        cout<<"This is an offset, need to go to: "<<offset<<endl;
 
-      if(offset >= frompos-2)
+      if(offset >= pos)
         throw MOADNSException("forward reference during label decompression");
       return getLabelFromContent(content, offset, ret, ++recurs);
     }
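Review bot: The new bound `offset >= pos` carries the CVE-2015-1868 fix, but nothing explains why it is `pos` and not the old `frompos-2`. I would add a comment where `pos` is declared in the previous hunk, such as `// start of this label run: a compression pointer must target data strictly before it`. `pos` could also be `const uint16_t` rather than `int`, so it matches `frompos` and `offset` and cannot be reassigned inside the loop. The comment on the `recurs > 100` check still calls that test "100% obsolete", which reads oddly in a commit that tightens it; describing it as a defence-in-depth limit would be clearer. The function body continues outside both hunks, so I cannot see whether the accumulated length of `ret` is capped across pointer jumps; if it is not, that check belongs here as well.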
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/iputils.cc 
new/pdns-recursor-3.7.2/iputils.cc
--- old/pdns-recursor-3.7.1/iputils.cc  2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/iputils.cc  2015-04-21 15:02:57.000000000 +0200
@@ -115,6 +115,7 @@
   return false;
 }
 
+// FIXME: this function is unused, and using it could reduce some code 
duplication
 int sendfromto(int sock, const char* data, int len, int flags, const 
ComboAddress& from, const ComboAddress& to)
 {
   struct msghdr msgh;
@@ -133,11 +134,15 @@
   if(from.sin4.sin_family) {
     addCMsgSrcAddr(&msgh, cbuf, &from);
   }
+  else {
+    msgh.msg_control=NULL;
+  }
   return sendmsg(sock, &msgh, flags);
 }
 
 // be careful: when using this for receive purposes, make sure 
addr->sin4.sin_family is set appropriately so getSocklen works!
 // be careful: when using this function for *send* purposes, be sure to set 
cbufsize to 0!
+// be careful: if you don't call addCMsgSrcAddr after fillMSGHdr, make sure to 
set msg_control to NULL
 void fillMSGHdr(struct msghdr* msgh, struct iovec* iov, char* cbuf, size_t 
cbufsize, char* data, size_t datalen, ComboAddress* addr)
 {
   iov->iov_base = data;
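Review bot: Clearing `msg_control` is left to every caller: the same `else { msgh.msg_control=NULL; }` is added in `sendfromto` here and twice more in the pdns_recursor.cc hunks, and the new comment on `fillMSGHdr` only asks future callers to remember it. A send path that forgets will hit the same problem again. It would be more robust for `fillMSGHdr` itself to leave `msg_control` NULL when `cbufsize` is 0 and let `addCMsgSrcAddr` install the buffer. That assumes `addCMsgSrcAddr` sets both fields, and neither body is visible in this hunk, so it needs checking. If the per-caller form stays, the comment should state the condition being avoided, which from the call `fillMSGHdr(&msgh, &iov, cbuf, 0, …)` in pdns_recursor.cc looks like a non-NULL `msg_control` with a zero `msg_controllen`.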
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/pdns_recursor.cc 
new/pdns-recursor-3.7.2/pdns_recursor.cc
--- old/pdns-recursor-3.7.1/pdns_recursor.cc    2015-02-12 11:16:00.000000000 
+0100
+++ new/pdns-recursor-3.7.2/pdns_recursor.cc    2015-04-21 15:02:57.000000000 
+0200
@@ -688,6 +688,8 @@
       fillMSGHdr(&msgh, &iov, cbuf, 0, (char*)&*packet.begin(), packet.size(), 
&dc->d_remote);
       if(dc->d_local.sin4.sin_family)
        addCMsgSrcAddr(&msgh, cbuf, &dc->d_local);
+      else
+        msgh.msg_control=NULL;
       sendmsg(dc->d_socket, &msgh, 0);
       if(!SyncRes::s_nopacketcache && !variableAnswer ) {
         t_packetCache->insertResponsePacket(string((const 
char*)&*packet.begin(), packet.size()),
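Review bot: The result of `sendmsg(dc->d_socket, &msgh, 0)` is still discarded after the new `else` branch, and the same holds for `sendmsg(fd, &msgh, 0)` in the next hunk. The changelog ties this change to ticket #2227, so presumably the call was failing on some systems, and an unchecked failure means a dropped answer with nothing in the log. Consider testing for a negative return and logging `strerror(errno)` at a rate-limited level. The enclosing function starts and ends outside the hunk, so whether a logger is available at this point needs checking.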
@@ -961,6 +963,9 @@
       if(destaddr.sin4.sin_family) {
        addCMsgSrcAddr(&msgh, cbuf, &destaddr);
       }
+      else {
+        msgh.msg_control=NULL;
+      }
       sendmsg(fd, &msgh, 0);
 
       if(response.length() >= sizeof(struct dnsheader)) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-3.7.1/syncres.cc 
new/pdns-recursor-3.7.2/syncres.cc
--- old/pdns-recursor-3.7.1/syncres.cc  2015-02-12 11:16:00.000000000 +0100
+++ new/pdns-recursor-3.7.2/syncres.cc  2015-04-21 15:02:57.000000000 +0200
@@ -681,15 +681,14 @@
 // accepts . terminated names, www.powerdns.com. -> com.
 static const string getLastLabel(const std::string& qname)
 {
-  if(qname.empty())
+  if(qname.empty() || qname == ".")
     return qname;
-  string ret=qname.substr(0, qname.length()-1); // strip .
 
-  string::size_type pos = ret.rfind('.');
-  if(pos != string::npos) {
-    ret = ret.substr(pos+1) + ".";
-  }
-  return ret;
+  labelparts_t parts;
+  labeltokUnescape(parts, qname);
+  int offset = (parts.end()-1)->first;
+
+  return qname.substr(offset, qname.size()-offset);
 }
 
 bool SyncRes::doCacheCheck(const string &qname, const QType &qtype, 
vector<DNSResourceRecord>&ret, int depth, int &res)
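Review bot: `(parts.end()-1)->first` is undefined behaviour when `parts` is empty, and the guard above only covers an empty `qname` and `"."`. Whether `labeltokUnescape` can return without producing a part for other input decides if that is reachable; it is not defined in this hunk, so I would not rely on it for a name that may come from a DNS packet. Add `if(parts.empty()) return qname;` directly after the call. `qname.substr(offset, qname.size()-offset)` can be written `qname.substr(offset)`. The comment above the function should say that the last label is now found by label tokenising rather than `rfind('.')`, apparently so that escaped dots inside a label are handled.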

