Version: 4.1.5-14.1
* Wed Nov 07 2018 michael@stroeder.com
- Update to 4.1.5
* Improvements
- Apply alias scopemask after chasing
- Release memory in case of error in the openssl ecdsa constructor
- Switch to devtoolset 7 for el6
* Bug Fixes
- Crafted zone record can cause a denial of service
(bsc#1114157, CVE-2018-10851)
- Packet cache pollution via crafted query
(bsc#1114169, CVE-2018-14626)
- Fix compilation with libressl 2.7.0+
- Actually truncate truncated responses
* Wed Aug 29 2018 amajer@suse.com
- Update to 4.1.4
- Improvements
* #6590: Fix warnings reported by gcc 8.1.0.
* #6632, #6844, #6842, #6848: Make the gmysql backend future-proof
* #6685, #6686: Initialize some missed qtypes.
- Bug Fixes
* #6780: Avoid concurrent records/comments iteration from
running out of sync.
* #6816: Fix a crash in the API when adding records.
* #4457, #6691: pdns_control notify: handle slave without
renotify properly.
* #6736, #6738: Reset the TSIG state between queries.
* #6857: Remove SOA-check backoff on incoming notify and fix
lock handling.
* #6858: Fix an issue where updating a record via DNS-UPDATE in
a child zone that also exists in the parent zone, we would
incorrectly apply the update to the parent zone.
* #6676, #6677: Geoipbackend: check geoip_id_by_addr_gl and
geoip_id_by_addr_v6_gl return value. (Aki Tuomi)
* Thu May 24 2018 michael@stroeder.com
- Use HTTPS links in .spec file like mentioned in PowerDNS announcements
- removed obsolete 6370.patch
- Update to 4.1.3
- Improvements
* #6239, #6559: pdnsutil: use new domain in b2bmigrate (Aki Tuomi)
* #6130: Update copyright years to 2018 (Matt Nordhoff)
* #6312, #6545: Lower ?packet too short? loglevel
- Bug Fixes
* #6441, #6614: Restrict creation of OPT and TSIG RRsets
* #6228, #6370: Fix handling of user-defined axfr filters return values
* #6584, #6585, #6608: Prevent the GeoIP backend from copying
NetMaskTrees around, fixes slow-downs in certain configurations
(Aki Tuomi)
* #6654, #6659: Ensure alias answers over TCP have correct name
Version: 4.1.2-8.1
* Fri May 11 2018 kbabioch@suse.com
- Update to 4.1.2
- Improvements
* API: increase serial after dnssec related updates
* Auth: lower ?packet too short? loglevel
* Make check-zone error on rows that have content but shouldn?t
* Auth: avoid an isane amount of new backend connections during an axfr
* Report unparseable data in stoul invalid_argument exception
* Backport: recheck serial when axfr is done
* Backport: add tcp support for alias
- Bug Fixes
* Auth: allocate new statements after reconnecting to postgresql
* Auth-bindbackend: only compare ips in ismaster() (Kees Monshouwer)
* Rather than crash, sheepishly report no file/linenum
* Document undocumented config vars
* Backport #6276 (auth 4.1.x): prevent cname + other data with dnsupdate
- misc
* Move includes around to avoid boost L conflict
* Backport: update edns option code list
* Auth: link dnspcap2protobuf against librt when needed
* Fix a warning on botan >= 2.5.0
* Auth 4.1.x: unbreak build
* Dnsreplay: bail out on a too small outgoing buffer (CVE-2018-1046 bsc#1092540)
* Mon Apr 23 2018 mrueckert@suse.de
- add patch for upstream issue #6228
https://patch-diff.githubusercontent.com/raw/PowerDNS/pdns/pull/6370.patch
* Fri Apr 13 2018 adam.majer@suse.de
- geoip not available on SLE15 but protobuf support is available.
Version: 4.1.11-20.1
* Thu Aug 01 2019 adam.majer@suse.de
- Update to 4.1.11:
* update postgresql schema to address a possible denial of service
by an authorized user by inserting a crafted record in a MASTER
type zone under their control. (bsc#1142810, CVE-2019-10203)
To fix the issue, run the following command against your PostgreSQL
pdns database:
ALTER TABLE domains ALTER notified_serial TYPE bigint
USING CASE WHEN notified_serial >= 0
THEN notified_serial::bigint END;
- spec file simplifications and cleanup
* Fri Jun 21 2019 michael@stroeder.com
- Update to 4.1.10 with security fixes:
* fixes a denial of service but when authorized user to cause
the server to exit by inserting a crafted record in a MASTER
type zone under their control. (bsc#1138582, CVE-2019-10162)
* fixes a denial of service of slave server when an authorized
master server sends large number of NOTIFY messages
(bsc#1138582, CVE-2019-10163)
* Tue Jun 18 2019 michael@stroeder.com
- Update to 4.1.9
* #7922: by popular demand, the option to disable superslave support
has been backported from 4.2.0 to 4.1.9
* #7921: `pdnsutil b2b-migrate` would lose NSEC3 settings.
This has been corrected now.
* Fri Mar 22 2019 michael@stroeder.com
- Update to 4.1.8
* #7604: Correctly interpret an empty AXFR response to an IXFR query,
* #7610: Fix replying from ANY address for non-standard port,
* #7609: Fix rectify for ENT records in narrow zones,
* #7607: Do not compress the root,
* #7608: Fix dot stripping in `setcontent()`,
* #7605: Fix invalid SOA record in MySQL which prevented the authoritative server from starting,
* #7603: Prevent leak of file descriptor if running out of ports for incoming AXFR,
* #7602: Fix API search failed with ?Commands out of sync; you can?t run this command now?,
* #7509: Plug `mysql_thread_init` memory leak,
* #7567: EL6: fix `CXXFLAGS` to build with compiler optimizations.
Version: 4.1.0-2.1
* Thu Nov 30 2017 adam.majer@suse.de
- Update to version 4.1.0:
+ Recursor passthrough removal. Migration plans for users of
recursor passthrough are in documentation and available at,
https://doc.powerdns.com/authoritative/guides/recursion.html
+ Improved performance: 4x speedup in some scenarios
+ Crypto API: DNSSEC fully configurable via RESTful API
+ Database: enhanced reconnection logic solving problems
associated with idle disonnection from database servers.
+ Documentation improvements
+ Support for TCP Fast Open
+ Removed deprecated SOA-EDIT values: INCEPTION and INCEPTION-WEEK
- pkgconfig(krb5) is now always required for building LDAP backend
- pdns-4.0.4_mysql-schema-mariadb.patch: removed, upstreamed
* Mon Nov 27 2017 mrueckert@suse.de
- package schema files in ldap subpackage
* Mon Nov 27 2017 adam.majer@suse.de
- Update to version 4.0.5:
+ fixes CVE-2017-15091: Missing check on API operations
+ Bindbackend: do not corrupt data supplied by other backends in
getAllDomains
+ For create-slave-zone, actually add all slaves, and not only
first n times
+ Check return value for all getTSIGKey calls.
+ Publish inactive KSK/CSK as CDNSKEY/CDS
+ Treat requestor?s payload size lower than 512 as equal to 512
+ Correctly purge entries from the caches after a transfer
+ LuaWrapper: Allow embedded NULs in strings received from Lua
+ Stubresolver: Use only recursor setting if given
+ mydnsbackend: Add getAllDomains
+ LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
+ gpgsql: make statement names actually unique
+ API: prevent sending nameservers list and zone-level NS in rrsets
* Tue Oct 31 2017 jengelh@inai.de
- Ensure descriptions are neutral. Remove ineffective --with-pic.
- Do not ignore errors from useradd.
- Trim idempotent %if..%endif around %package.
* Thu Oct 19 2017 adam.majer@suse.de
- Added pdns.keyring linked from https://dnsdist.org/install.html
* Fri Sep 29 2017 vcizek@suse.com
- Don't BuildRequire Botan 1.x which will be dropped (bsc#1055322)
* upstream support for Botan was dropped in favor of OpenSSL, see
https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released
* Sun Jul 30 2017 wr@rosenauer.org
- This makes the schema fit storage requirements of various
mysql/mariadb versions. pdns-4.0.4_mysql-schema-mariadb.patch
- preset uid and gid in configuration
* Fri Jun 23 2017 michael@stroeder.com
- fixed use of pdns_protobuf
* Fri Jun 23 2017 michael@stroeder.com
- fixed use of pdns_protobuf
* Fri Mar 31 2017 mrueckert@suse.de
- added pdns-4.0.3_allow_dacoverride_in_capset.patch:
Adding CAP_DAC_OVERRIDE to fix startup problems with sqlite3
backend
* Thu Feb 02 2017 adam.majer@suse.de
- use individual libboost-*-devel packages instead of boost-devel
* Tue Jan 17 2017 michael@stroeder.com
- update to 4.0.3 which obsoletes b854d9f.diff
* Fri Jan 13 2017 adam.majer@suse.de
- b854d9f.diff: revert upstream change that caused a regression
with multiple-backends
* Fri Jan 13 2017 adam.majer@suse.de
- b854d9f.diff: revert upstream change that caused a regression
with multiple-backends
* Mon Dec 12 2016 dimstar@opensuse.org
- BuildRequire pkgconfig(libsystemd) instead of
pkgconfig(libsystemd-daemon): these libs were merged in systemd
209 times. The build system is capable of finding either one.
* Sat Jul 30 2016 michael@stroeder.com
- update to 4.0.1
Bug fixes
- #4126 Wait for the connection to the carbon server to be established
- #4206 Don't try to deallocate empty PG statements
- #4245 Send the correct response when queried for an NSEC directly (Kees Monshouwer)
- #4252 Don't include bind files if length <= 2 or > sizeof(filename)
- #4255 Catch runtime_error when parsing a broken MNAME
Improvements
- #4044 Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
- #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
- #4169 Fix typos in a logmessage and exception (Christian Hofsteadtler)
- #4183 pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo)
- #4192 dnsreplay: Only add Client Subnet stamp when asked
- #4250 Use toLogString() for ringAccount (Kees Monshouwer)
Additions
- #4133 Add limits to the size of received {A,I}XFR (CVE-2016-6172)
- #4142 Add used filedescriptor statistic (Kees Monshouwer)
* Mon Jul 11 2016 mrueckert@suse.de
- update to 4.0.0
https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/
https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/
- packaging changes:
- remotebackend split out now
- enabled experimental_gss_tsig support
- enabled protobuf based stats support
- no more xdb and lmdb backend
- added odbc backend where supported
- drop pdns-3.4.0-no_date_time.patch: replaced with
- -enable-reproducible
* Sun May 29 2016 michael@stroeder.com
- update to 3.4.9
* use OpenSSL for ECDSA signing where available
* allow common signing key
* Add a disable-syslog setting
* fix SOA caching with multiple backends
* whitespace-related zone parsing fixes [ticket #3568]
* bindbackend: fix, set domain in list()
* Wed Feb 03 2016 michael@stroeder.com
- update to 3.4.8
* Use AC_SEARCH_LIBS (Ruben Kerkhof)
* Check for inet_aton in libresolv (Ruben Kerkhof)
* Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
* pdnssec: don't check disabled records (Pieter Lexis)
* pdnssec: check all records (including disabled ones)
only in verbose mode (Kees Monshouwer)
* traling dot in DNAME content (Kees Monshouwer)
* Fix luabackend compilation on FreeBSD i386 (RvdE)
* silence g++ 6.0 warnings and error (Kees Monshouwer)
* add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)
* Tue Nov 03 2015 michael@stroeder.com
- update to 3.4.7
Bug fixes:
* Ignore invalid/empty TKEY and TSIG records (Christian Hofstaedtler)
* Don't reply to truncated queries (Christian Hofstaedtler)
* don't log out-of-zone ents during AXFR in (Kees Monshouwer)
* Prevent XSS by escaping user input. Thanks to Pierre Jaury and Damien
Cauquil at Sysdream for pointing this out.
* Handle NULL and boolean properly in gPGSql (Aki Tuomi)
* Improve negative caching (Kees Monshouwer)
* Do not divide timeout twice (Aki Tuomi)
* Correctly sort records with a priority.
Improvements:
* Direct query answers and correct zone-rectification in the GeoIP
backend (Aki Tuomi)
* Use token names to identify PKCS#11 keys (Aki Tuomi)
* Fix typo in an error message (Arjen Zonneveld)
* limit NSEC3 iterations in bindbackend (Kees Monshouwer)
* Initialize minbody (Aki Tuomi)
New features:
* OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
* add global soa-edit settings (Kees Monshouwer)