git: 9422b76b11fe - main - dns/dnsdist: update to 1.9.4 (fixes CVE-2024-25581)

From: Neel Chauhan <nc_at_FreeBSD.org>
Date: Wed, 15 May 2024 02:02:54 UTC
The branch main has been updated by nc:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9422b76b11fe118a3473845ee88bd920f418c14c

commit 9422b76b11fe118a3473845ee88bd920f418c14c
Author:     Ralf van der Enden <tremere@cainites.net>
AuthorDate: 2024-05-13 11:39:22 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2024-05-15 02:02:40 +0000

    dns/dnsdist: update to 1.9.4 (fixes CVE-2024-25581)
    
    PR: 278954
    Approved by: submitter is maintainer
---
 dns/dnsdist/Makefile         |  2 +-
 dns/dnsdist/distinfo         |  6 +++---
 security/vuxml/vuln/2024.xml | 34 +++++++++++++++++++++++++++++++++-
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/dns/dnsdist/Makefile b/dns/dnsdist/Makefile
index 1c3dee8e4206..c1ddecd5e4d2 100644
--- a/dns/dnsdist/Makefile
+++ b/dns/dnsdist/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	dnsdist
-DISTVERSION=	1.9.3
+DISTVERSION=	1.9.4
 CATEGORIES=	dns net
 MASTER_SITES=	https://downloads.powerdns.com/releases/
 
diff --git a/dns/dnsdist/distinfo b/dns/dnsdist/distinfo
index 656cd642f775..724d6806d1a7 100644
--- a/dns/dnsdist/distinfo
+++ b/dns/dnsdist/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1712317299
-SHA256 (dnsdist-1.9.3.tar.bz2) = f05b68806dc6c4d207b1fadb7ec715c3e0d28d893a8b3b92d58297c4ceb56c3f
-SIZE (dnsdist-1.9.3.tar.bz2) = 1577027
+TIMESTAMP = 1715595818
+SHA256 (dnsdist-1.9.4.tar.bz2) = 297d3a3751af4650665c9d3890a1d5a7a0467175f2c8607d0d5980e3fd67ef14
+SIZE (dnsdist-1.9.4.tar.bz2) = 1591994
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index f0d80972c94b..a7adfc16dd50 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,4 +1,36 @@
-  <vuln vid="5afd64ae-122a-11ef-8eed-1c697a616631">
+  <vuln vid="f2d8342f-1134-11ef-8791-6805ca2fa271">
+    <topic>dnsdist -- Transfer requests received over DoH can lead to a denial of service</topic>
+    <affects>
+      <package>
+	<name>dnsdist</name>
+	<range><lt>1.9.4</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>PowerDNS Security Advisory reports:</p>
+	<blockquote cite="https://dnsdist.org/security-advisories/index.html">
+	  <p>When incoming DNS over HTTPS support is enabled using the nghttp2 provider,
+	    and queries are routed to a tcp-only or DNS over TLS backend, an attacker can
+	    trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR
+	    or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a
+	    Denial of Service. DNS over HTTPS is not enabled by default, and backends are using
+	    plain DNS (Do53) by default.
+	  </p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-25581</cvename>
+      <url>https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html</url>
+    </references>
+    <dates>
+      <discovery>2024-05-13</discovery>
+      <entry>2024-05-13</entry>
+    </dates>
+  </vuln>
+
+<vuln vid="5afd64ae-122a-11ef-8eed-1c697a616631">
     <topic>Intel CPUs -- multiple vulnerabilities</topic>
     <affects>
       <package>
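Review bot: The `<range><lt>1.9.4</lt></range>` in the new dnsdist entry has no lower bound, so `pkg audit` will flag every installed dnsdist older than 1.9.4, although the quoted advisory text ties the crash to the nghttp2 DoH provider. If the upstream advisory names a first affected release, bound the range with it, e.g. `<range><ge>FIRST_AFFECTED_VERSION</ge><lt>1.9.4</lt></range>` (placeholder; take the value from the advisory). Separately, the re-added `<vuln vid="5afd64ae-122a-11ef-8eed-1c697a616631">` line lost the two-space indent that the removed line had; restore it so the Intel entry, which continues past the end of this hunk, is left untouched. The blockquote `cite` could also point at the specific advisory URL already listed under `<references>` instead of the index page.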