MFH: r511195

dns/powerdns: upgrade 4.1.14 -> 4.2.0 - Please note: to fix CVE-2019-10203, upgrading is not enough Manually apply the schema change: ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END; PR: 239850 Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer) Relnotes: https://doc.powerdns.com/authoritative/changelog/4.2.html http://blog.powerdns.com/2019/08/29/powerdns-authoritative-server-4-2-0/ Security: CVE-2019-10203 Approved by: ports-secteam (implicit)
svn path=/branches/2019Q3/; revision=512785
2019-09-25 13:43:22 +00:00 · 2019-09-25 13:43:22 +00:00 · eb02344e7f · 2021-03-31 03:12:20 +00:00
commit eb02344e7f
parent 7a47e56c0f
7 changed files with 98 additions and 32 deletions
--- a/dns/powerdns/Makefile
+++ b/dns/powerdns/Makefile
@ -1,9 +1,9 @@
 # $FreeBSD$

 PORTNAME=	powerdns
-DISTVERSION=	4.1.10
+DISTVERSION=	4.2.0
 CATEGORIES=	dns ipv6
-MASTER_SITES=	http://downloads.powerdns.com/releases/
+MASTER_SITES=	https://downloads.powerdns.com/releases/
 DISTNAME=	pdns-${DISTVERSION}

 MAINTAINER=	tremere@cainites.net
@ -14,11 +14,11 @@ LICENSE=	GPLv2
 BROKEN_powerpc64=	Does not build: undefined reference to std::__throw_out_of_range_fmt
 BROKEN_sparc64=		Does not compile: error: to_string is not a member of std

-LIB_DEPENDS=	libboost_serialization.so:devel/boost-libs
+LIB_DEPENDS=	libboost_serialization.so:devel/boost-libs \
+		libcurl.so:ftp/curl

 USES=		compiler:c++11-lib cpe gmake libtool localbase:ldflags pathfix \
 		pkgconfig ssl tar:bzip2
-
 USE_LDCONFIG=	YES
 USE_RC_SUBR=	pdns
 USE_SUBMAKE=	YES
@ -35,27 +35,25 @@ INSTALL_TARGET=	install-strip
 SCRIPTS_ENV=	CURDIR2="${.CURDIR}" DISTNAME="${DISTNAME}" MKDIR="${MKDIR}" \
 		POWERDNS_OPTIONS="${POWERDNS_OPTIONS}" \
 		WRKDIRPREFIX="${WRKDIRPREFIX}"
-
 SUB_FILES=	pkg-message

-OPTIONS_DEFINE=		DOCS EXAMPLES LUAJIT MYDNS MYSQL OPENDBX OPENLDAP \
-			OPTALGO PGSQL PROTOBUF REMOTE SQLITE3 TINYDNS TOOLS \
-			UNIXODBC
-OPTIONS_DEFAULT=	MYSQL PGSQL SQLITE3
-
-OPTIONS_GROUP=			EXPERIMENTAL REMOTEOPT
-OPTIONS_GROUP_EXPERIMENTAL=	LUABACKEND
+OPTIONS_DEFINE=			DOCS EXAMPLES GEOIP LUABACKEND LUAJIT MYDNS \
+				MYSQL OPENDBX OPENLDAP PGSQL PROTOBUF REMOTE \
+				SQLITE3 TINYDNS TOOLS UNIXODBC
+OPTIONS_DEFAULT=		MYSQL PGSQL SQLITE3
+OPTIONS_GROUP=			GEOIPOPT REMOTEOPT
 OPTIONS_GROUP_REMOTEOPT=	ZEROMQ

 OPTIONS_SUB=	yes

-LUABACKEND_DESC=	Lua backend
+GEOIPOPT_DESC=		GeoIP DB options
+GEOIP_DESC=		GeoIP backend (GeoIP2 DB)
+LUABACKEND_DESC=	Lua2 backend
 LUAJIT_DESC=		Use LuaJIT instead of Lua
 MYDNS_DESC=		MyDNS backend
 MYSQL_DESC=		MySQL backend
 OPENDBX_DESC=		OpenDBX backend
 OPENLDAP_DESC=		OpenLDAP backend
-OPTALGO_DESC=		Enable optional algorithms (12, 15 & 16)
 PGSQL_DESC=		PostgreSQL backend
 PROTOBUF_DESC=		Protobuf support
 REMOTEOPT_DESC=		Remote backend connectors
@ -65,11 +63,15 @@ TINYDNS_DESC=		TinyDNS backend
 TOOLS_DESC=		Build extra tools
 ZEROMQ_DESC=		Enable ZeroMQ connector (Implies REMOTE enabled)

-LUABACKEND_VARS=	MODULES+=lua
+GEOIP_LIB_DEPENDS=	libmaxminddb.so:net/libmaxminddb \
+			libyaml-cpp.so:devel/yaml-cpp
+GEOIP_VARS=		MODULES+=geoip
+
+LUABACKEND_VARS=	MODULES+=lua2

 LUAJIT_LIB_DEPENDS=	libluajit-5.1.so.2:lang/luajit
 LUAJIT_USES_OFF=	lua
-LUAJIT_CONFIGURE_WITH=	luajit
+LUAJIT_CONFIGURE_ON=	--with-lua=luajit

 MYDNS_USES=		mysql
 MYDNS_CONFIGURE_ON=	--with-mysql=${LOCALBASE}
@ -87,13 +89,6 @@ OPENLDAP_USE=		OPENLDAP=YES
 OPENLDAP_CXXFLAGS=	-DLDAP_DEPRECATED=1
 OPENLDAP_VARS=		MODULES+=ldap

-OPTALGO_LIB_DEPENDS=	libbotan-2.so:security/botan2 \
-			libdecaf.so:security/libdecaf \
-			libsodium.so:security/libsodium
-OPTALGO_CONFIGURE_ON=	--enable-botan \
-			--enable-libdecaf \
-			--enable-libsodium
-
 PGSQL_USES=		pgsql
 PGSQL_CONFIGURE_ON=	--with-pg-config=${LOCALBASE}/bin/pg_config
 PGSQL_VARS=		MODULES+=gpgsql
@ -120,9 +115,18 @@ ZEROMQ_IMPLIES=		REMOTE
 ZEROMQ_LIB_DEPENDS=	libzmq.so:net/libzmq4
 ZEROMQ_CONFIGURE_ON=	--enable-remotebackend-zeromq

+.include <bsd.port.pre.mk>
+
+.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1200085 && ${SSL_DEFAULT} != openssl111
+CONFIGURE_ARGS+=	--with-libdecaf \
+			--with-libsodium
+LIB_DEPENDS+=		libdecaf.so:security/libdecaf \
+			libsodium.so:security/libsodium
+.endif
+
 post-install::
 	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	@${STAGEDIR}${LOCALBASE}/sbin/pdns_server --module-dir=${STAGEDIR}${LOCALBASE}/lib/pdns --launch="pipe bind ${MODULES}" --config > ${STAGEDIR}${EXAMPLESDIR}/pdns.conf
 	@${REINPLACE_CMD} -e 's;${STAGEDIR};;' -i '' ${STAGEDIR}${EXAMPLESDIR}/pdns.conf

-.include <bsd.port.mk>
+.include <bsd.port.post.mk>
--- a/dns/powerdns/distinfo
+++ b/dns/powerdns/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1561114944
-SHA256 (pdns-4.1.10.tar.bz2) = 5a46cfde92caaaa2e85af9a15acb9ad81b56f4c8a8255c457e6938d8c0cb15c7
-SIZE (pdns-4.1.10.tar.bz2) = 1117663
+TIMESTAMP = 1567076172
+SHA256 (pdns-4.2.0.tar.bz2) = 222007f25e25aad71ac7d8b7f1797a4bcb30781e456d74ed00396e53828a903a
+SIZE (pdns-4.2.0.tar.bz2) = 1249282
--- a/dns/powerdns/files/patch-pdns_dns__random.cc
+++ b/dns/powerdns/files/patch-pdns_dns__random.cc
@ -0,0 +1,12 @@
+--- pdns/dns_random.cc.orig	2018-11-29 12:53:42 UTC
+++ pdns/dns_random.cc
+@@ -40,7 +40,9 @@
+ #include <openssl/rand.h>
+ #endif
+ #if defined(HAVE_GETRANDOM)
+extern "C" {
+ #include <sys/random.h>
+}
+ #endif
+ 
+ static enum DNS_RNG {
--- a/dns/powerdns/files/pdns.in
+++ b/dns/powerdns/files/pdns.in
@ -4,7 +4,7 @@
 #

 # PROVIDE: pdns_server
-# REQUIRE: DAEMON SERVERS
+# REQUIRE: DAEMON SERVERS mysql postgresql slapd
 # KEYWORD: shutdown

 #
--- a/dns/powerdns/files/pkg-message.in
+++ b/dns/powerdns/files/pkg-message.in
@ -10,9 +10,9 @@
 A pdns.conf with all possible options is available in
 %%EXAMPLESDIR%%

- ---------------------------------------------
- IMPORTANT: PowerDNS Authoritive Server 3.4.0+:
- ---------------------------------------------
+ -----------------------------------------------
+ IMPORTANT: PowerDNS Authoritative Server 3.4.0+:
+ -----------------------------------------------
 This version needs a mandatory schema change for the gmsyql,
 gpgsql and gsqlite3 backends. SQL statements are available in
 %%DOCSDIR%% or http://doc.powerdns.com
--- a/dns/powerdns/pkg-install
+++ b/dns/powerdns/pkg-install
@ -0,0 +1,42 @@
+#! /bin/sh
+
+# $FreeBSD$
+
+PATH=/bin:/usr/bin:/usr/sbin
+
+securitywarning() {
+cat <<EOF
+
+  === IMPORTANT FOR GPGSQL BACKEND USERS! ===
+  The following only impacts anyone using the
+  gpgsql (PostgreSQL) backend:
+
+  An issue has been found in PowerDNS
+  Authoritative Server allowing an authorized
+  user to cause the server to exit by
+  inserting a crafted record in a MASTER type
+  zone under their control. The issue is due
+  to the fact that the Authoritative Server
+  will exit when it tries to store the
+  notified serial in the PostgreSQL database,
+  if this serial cannot be represented in 31
+  bits.
+
+  To fix the issue, run the following command
+  against your PostgreSQL pdns database:
+
+  ALTER TABLE domains ALTER notified_serial
+  TYPE bigint USING CASE WHEN notified_serial
+  >= 0 THEN notified_serial::bigint END;
+
+  No software changes are required.
+  ===========================================
+EOF
+}
+
+case $2 in
+PRE-INSTALL)
+        securitywarning
+        sleep 5
+        ;;
+esac
--- a/dns/powerdns/pkg-plist
+++ b/dns/powerdns/pkg-plist
@ -4,8 +4,10 @@ bin/zone2json
 bin/zone2sql
 sbin/pdns_server
 %%PROTOBUF%%bin/dnspcap2protobuf
+%%TOOLS%%bin/calidns
 %%TOOLS%%bin/dnsbulktest
 %%TOOLS%%bin/dnsgram
+%%TOOLS%%bin/dnspcap2calidns
 %%TOOLS%%bin/dnsreplay
 %%TOOLS%%bin/dnsscan
 %%TOOLS%%bin/dnsscope
@ -21,7 +23,8 @@ sbin/pdns_server
 %%TOOLS%%bin/stubquery
 lib/pdns/libbindbackend.so
 lib/pdns/libpipebackend.so
-%%LUABACKEND%%lib/pdns/libluabackend.so
+%%GEOIP%%lib/pdns/libgeoipbackend.so
+%%LUABACKEND%%lib/pdns/liblua2backend.so
 %%MYDNS%%lib/pdns/libmydnsbackend.so
 %%MYSQL%%lib/pdns/libgmysqlbackend.so
 %%OPENDBX%%lib/pdns/libopendbxbackend.so
@ -35,6 +38,7 @@ lib/pdns/libpipebackend.so
 %%TOOLS%%man/man1/calidns.1.gz
 %%TOOLS%%man/man1/dnsbulktest.1.gz
 %%TOOLS%%man/man1/dnsgram.1.gz
+%%TOOLS%%man/man1/dnspcap2calidns.1.gz
 %%TOOLS%%man/man1/dnsscan.1.gz
 %%TOOLS%%man/man1/dumresp.1.gz
 %%TOOLS%%man/man1/ixplore.1.gz
@ -59,6 +63,10 @@ man/man1/zone2sql.1.gz
 %%PORTEXAMPLES%%@dir %%EXAMPLESDIR%%
 %%MYSQL%%%%PORTDOCS%%%%DOCSDIR%%/3.4.0_to_4.1.0_schema.mysql.sql
 %%PGSQL%%%%PORTDOCS%%%%DOCSDIR%%/3.4.0_to_4.1.0_schema.pgsql.sql
+%%SQLITE3%%%%PORTDOCS%%%%DOCSDIR%%/3.4.0_to_4.0.0_schema.sqlite3.sql
+%%SQLITE3%%%%PORTDOCS%%%%DOCSDIR%%/4.0.0_to_4.2.0_schema.sqlite3.sql
+%%MYSQL%%%%PORTDOCS%%%%DOCSDIR%%/4.1.0_to_4.2.0_schema.mysql.sql
+%%PGSQL%%%%PORTDOCS%%%%DOCSDIR%%/4.1.0_to_4.2.0_schema.pgsql.sql
 %%MYSQL%%%%PORTDOCS%%%%DOCSDIR%%/dnssec-3.x_to_3.4.0_schema.mysql.sql
 %%PGSQL%%%%PORTDOCS%%%%DOCSDIR%%/dnssec-3.x_to_3.4.0_schema.pgsql.sql
 %%SQLITE3%%%%PORTDOCS%%%%DOCSDIR%%/dnssec-3.x_to_3.4.0_schema.sqlite3.sql