Date: Wed, 15 May 2024 02:02:54 GMT
Message-Id: <202405150202.44F22swA050883@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Neel Chauhan Subject: git: 9422b76b11fe - main - dns/dnsdist: update to 1.9.4 (fixes CVE-2024-25581) List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: nc X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9422b76b11fe118a3473845ee88bd920f418c14c Auto-Submitted: auto-generated The branch main has been updated by nc: URL: https://cgit.FreeBSD.org/ports/commit/?id=9422b76b11fe118a3473845ee88bd920f418c14c commit 9422b76b11fe118a3473845ee88bd920f418c14c Author: Ralf van der Enden AuthorDate: 2024-05-13 11:39:22 +0000 Commit: Neel Chauhan CommitDate: 2024-05-15 02:02:40 +0000 dns/dnsdist: update to 1.9.4 (fixes CVE-2024-25581) PR: 278954 Approved by: submitter is maintainer --- dns/dnsdist/Makefile | 2 +- dns/dnsdist/distinfo | 6 +++--- security/vuxml/vuln/2024.xml | 34 +++++++++++++++++++++++++++++++++- 3 files changed, 37 insertions(+), 5 deletions(-) diff --git a/dns/dnsdist/Makefile b/dns/dnsdist/Makefile index 1c3dee8e4206..c1ddecd5e4d2 100644 --- a/dns/dnsdist/Makefile +++ b/dns/dnsdist/Makefile @@ -1,5 +1,5 @@ PORTNAME= dnsdist -DISTVERSION= 1.9.3 +DISTVERSION= 1.9.4 CATEGORIES= dns net MASTER_SITES= https://downloads.powerdns.com/releases/ diff --git a/dns/dnsdist/distinfo b/dns/dnsdist/distinfo index 656cd642f775..724d6806d1a7 100644 --- a/dns/dnsdist/distinfo +++ b/dns/dnsdist/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1712317299 -SHA256 (dnsdist-1.9.3.tar.bz2) = f05b68806dc6c4d207b1fadb7ec715c3e0d28d893a8b3b92d58297c4ceb56c3f -SIZE (dnsdist-1.9.3.tar.bz2) = 1577027 +TIMESTAMP = 1715595818 +SHA256 (dnsdist-1.9.4.tar.bz2) = 297d3a3751af4650665c9d3890a1d5a7a0467175f2c8607d0d5980e3fd67ef14 +SIZE (dnsdist-1.9.4.tar.bz2) = 1591994 diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index f0d80972c94b..a7adfc16dd50 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,4 +1,36 @@ - + + dnsdist -- Transfer requests received over DoH can lead to a denial of service + + + dnsdist + 1.9.4 + + + + +

PowerDNS Security Advisory reports:

+
+

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, + and queries are routed to a tcp-only or DNS over TLS backend, an attacker can + trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR + or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a + Denial of Service. DNS over HTTPS is not enabled by default, and backends are using + plain DNS (Do53) by default. +

+
+ +
+ + CVE-2024-25581 + https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html + + + 2024-05-13 + 2024-05-13 + +
+ + Intel CPUs -- multiple vulnerabilities
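Review bot: in dns/dnsdist/distinfo, the new `SHA256 (dnsdist-1.9.4.tar.bz2)` line is the only integrity pin for the tarball fetched from MASTER_SITES, and neither the commit message nor the PR reference says how that digest was checked. Because this update is shipped as a security fix, please confirm the value against a checksum or signature that upstream publishes for 1.9.4, if one is available, instead of relying on a digest regenerated from whatever the fetch returned, and record that in the PR.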
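Review bot: in the security/vuxml/vuln/2024.xml entry, the affected-package block shows only the single bound `1.9.4` for `dnsdist`, while the description limits the problem to incoming DNS over HTTPS with the nghttp2 provider. Please check whether releases that predate that provider should be excluded with a lower bound on the range, so that audits do not flag installations that cannot be affected. The two dates at the end of the entry both read `2024-05-13`, but the commit landed on 2024-05-15; if the second one is the entry date, it should match the day the entry was actually committed.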