This is a security fix release, which addresses an issue that affects
32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature is
used. It was fixed in Go 1.13.7 (now available in ports) and in the
version of golang.org/x/crypto specified in {WRKSRC}/go.mod.
Release notes: https://github.com/DNSCrypt/dnscrypt-proxy/releases
From Nam Nguyen <namn AT berkeley DOT edu> (MAINTAINER).
Changelog:
https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.36/ChangeLog
The miekg/dns module was updated to version 1.1.26, which fixes a
security issue affecting non-encrypted/non-authenticated DNS traffic. In
dnscrypt-proxy, this only affects the forwarding feature.
From Nam Nguyen <namn AT berkeley DOT edu> (MAINTAINER).
like the rest of the ports tree. This also allows removing a bunch of
manual setting of PATH="${PORTPATH}" HOME="${PORTHOME}" done in various
ports etc. This also makes sure CFLAGS is passed through (not everything
honours it but it does improve at least some ports).
Remove NO_CCACHE from www/honk that was added because the above problem
resulted in ccache variables not being passed through correctly breaking
the cc calls in this.
ok kmos@
As of 2.x dnscrypt-proxy is golang based. This newer version has
additional features, e.g. caching, and uses a new conf file/layout.
There is no separate package for plugins.
Feedback from MAINTAINER and sthen@ has been addressed. Thanks!
github homepage for now. reported by Boni Satani on ports@ (though not
switching to the commercial homepage suggested).
XXX this port needs removing or updating to the golang-based v2. any takers?
but skipping the new config file for now because we can't force daemonizing
for the rc script (or setting uid) while using the config file. (the ideal
situation for scripts would be to allow these flags to override things on
the config file).
Since --gc-sections is broken on powerpc, but no one cared to okay jca@'s
binutils fix to disable it completely, continue fixing ports one by
one...
Btw, realized dnscrypt-proxy uses its own modified copy of libevent.. yay.
package's old default but this has been replaced in the csv file since
the OpenDNS acquisition.
There is now no default; select a server yourself and configure it as shown
in the readme.
- Security: malformed packets could cause the OpenDNS deviceid,
OpenDNS set-client-ip, blocking and AAAA blocking plugins to use
uninitialized pointers, leading to a denial of service or possibly
code execution. The vulnerable code is present since dnscrypt-proxy
1.1.0. OpenDNS users and people using dnscrypt-proxy in order to block
domain names and IP addresses should upgrade as soon as possible.