dns/powerdns: Update to 4.4.0
ClosedPublic
Actions

Authored by otis on Dec 19 2020, 2:26 PM.

Details

Reviewers

osa
swills

Commits

rP559064: dns/powerdns: Update to 4.4.0

Summary

dns/powerdns: Update to 4.4.0

Changes:

This release drops GSS/TSIG support, please see PowerDNS Security Advisory 2020-06.

New features:
- the LMDB backend now supports long record content, making it production ready for everybody
- the SVCB and HTTPS record types are supported, with limited additional processing transaction handling in the 2136 handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
- we finally emit Prometheus metrics!

Improvements:
- don’t log trusted-notification-proxy notify at error level
- Stop using incbin and use od & sed to generate constant string data.

Bug Fixes:
- clear the LMDB set state when performing a new lookup or list to prevent corruption cases
- SVCB: Correctly parse and print unknown params
- fix direct-dnskey in AXFR-out

Please make sure to read the upgrade notes before upgrading:
https://doc.powerdns.com/authoritative/upgrading.html

Diff Detail

Repository

rP FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

otis created this revision.Dec 19 2020, 2:26 PM

Herald added a subscriber: mat. · View Herald TranscriptDec 19 2020, 2:26 PM

otis requested review of this revision.Dec 19 2020, 2:26 PM

Does vulnxml also need updating?

This release addresses the following: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html

Submit a proper diff.

Because of a security update of the port, an update of security/vuxml is required.

From the security advisory:
Affects: PowerDNS Authoritative versions before 4.4.0, when compiled with –enable-experimental-gss-tsig

The port never built using that configure flag. I'd be happy to supply an update to VuXML, but IMO it's not necessary.

In D27680#618983, @tremere_cainites.net wrote:

From the security advisory:
Affects: PowerDNS Authoritative versions before 4.4.0, when compiled with –enable-experimental-gss-tsig

The port never built using that configure flag. I'd be happy to supply an update to VuXML, but IMO it's not necessary.

You are right. Looks good to me, then.

My thoughts are it's better to add a record about that CVE to our vuln.xml, so that record provides correct information what is vulnerable and what is not to avoid any questions in the future.

@swills what's your thoughts?

@swills could you please provide an update, thanks!

@osa I'll construct and commit a vulnxm entries (except from dns/powerdns also for mail/postsrsd)

osa accepted this revision.Dec 22 2020, 5:28 AM

This revision is now accepted and ready to land.Dec 22 2020, 5:28 AM

Closed by commit rP559064: dns/powerdns: Update to 4.4.0 (authored by otis). · Explain WhyDec 24 2020, 11:42 AM

This revision was automatically updated to reflect the committed changes.

otis added a commit: rP559064: dns/powerdns: Update to 4.4.0.