* Fri Mar 22 2019 Michael Ströder <michael@stroeder.com>
- Update to 4.1.8
* #7604: Correctly interpret an empty AXFR response to an IXFR query,
* #7610: Fix replying from ANY address for non-standard port,
* #7609: Fix rectify for ENT records in narrow zones,
* #7607: Do not compress the root,
* #7608: Fix dot stripping in `setcontent()`,
* #7605: Fix invalid SOA record in MySQL which prevented the authoritative server from starting,
* #7603: Prevent leak of file descriptor if running out of ports for incoming AXFR,
* #7602: Fix API search failed with "Commands out of sync; you can't run this command now",
* #7509: Plug `mysql_thread_init` memory leak,
* #7567: EL6: fix `CXXFLAGS` to build with compiler optimizations.
* Mon Mar 18 2019 Michael Ströder <michael@stroeder.com>
- Update to 4.1.7 with a security fix:
* Insufficient validation in the HTTP remote backend
(bsc#1129734, CVE-2019-3871)
* Mon Mar 18 2019 Michael Ströder <michael@stroeder.com>
- Update to 4.1.6
* Prevent more than one CNAME/SOA record in the same RRset
* Wed Mar 13 2019 Dirk Mueller <dmueller@suse.com>
- adjust buildrequires for mariadb 10.2.x on SLES
* Wed Nov 07 2018 Michael Ströder <michael@stroeder.com>
- Update to 4.1.5
* Improvements
- Apply alias scopemask after chasing
- Release memory in case of error in the openssl ecdsa constructor
- Switch to devtoolset 7 for el6
* Bug Fixes
- Crafted zone record can cause a denial of service
(bsc#1114157, CVE-2018-10851)
- Packet cache pollution via crafted query
(bsc#1114169, CVE-2018-14626)
- Fix compilation with libressl 2.7.0+
- Actually truncate truncated responses
Version: 4.1.5-14.1
* Wed Nov 07 2018 michael@stroeder.com
- Update to 4.1.5
* Improvements
- Apply alias scopemask after chasing
- Release memory in case of error in the openssl ecdsa constructor
- Switch to devtoolset 7 for el6
* Bug Fixes
- Crafted zone record can cause a denial of service
(bsc#1114157, CVE-2018-10851)
- Packet cache pollution via crafted query
(bsc#1114169, CVE-2018-14626)
- Fix compilation with libressl 2.7.0+
- Actually truncate truncated responses
* Wed Aug 29 2018 amajer@suse.com
- Update to 4.1.4
- Improvements
* #6590: Fix warnings reported by gcc 8.1.0.
* #6632, #6844, #6842, #6848: Make the gmysql backend future-proof
* #6685, #6686: Initialize some missed qtypes.
- Bug Fixes
* #6780: Avoid concurrent records/comments iteration from
running out of sync.
* #6816: Fix a crash in the API when adding records.
* #4457, #6691: pdns_control notify: handle slave without
renotify properly.
* #6736, #6738: Reset the TSIG state between queries.
* #6857: Remove SOA-check backoff on incoming notify and fix
lock handling.
* #6858: Fix an issue where updating a record via DNS-UPDATE in
a child zone that also exists in the parent zone, we would
incorrectly apply the update to the parent zone.
* #6676, #6677: Geoipbackend: check geoip_id_by_addr_gl and
geoip_id_by_addr_v6_gl return value. (Aki Tuomi)
* Thu May 24 2018 michael@stroeder.com
- Use HTTPS links in .spec file like mentioned in PowerDNS announcements
- removed obsolete 6370.patch
- Update to 4.1.3
- Improvements
* #6239, #6559: pdnsutil: use new domain in b2bmigrate (Aki Tuomi)
* #6130: Update copyright years to 2018 (Matt Nordhoff)
* #6312, #6545: Lower "packet too short" loglevel
- Bug Fixes
* #6441, #6614: Restrict creation of OPT and TSIG RRsets
* #6228, #6370: Fix handling of user-defined axfr filters return values
* #6584, #6585, #6608: Prevent the GeoIP backend from copying
NetMaskTrees around, fixes slow-downs in certain configurations
(Aki Tuomi)
* #6654, #6659: Ensure alias answers over TCP have correct name
Version: 4.1.2-8.1
* Fri May 11 2018 kbabioch@suse.com
- Update to 4.1.2
- Improvements
* API: increase serial after dnssec related updates
* Auth: lower "packet too short" loglevel
* Make check-zone error on rows that have content but shouldn't
* Auth: avoid an insane amount of new backend connections during an axfr
* Report unparseable data in stoul invalid_argument exception
* Backport: recheck serial when axfr is done
* Backport: add tcp support for alias
- Bug Fixes
* Auth: allocate new statements after reconnecting to postgresql
* Auth-bindbackend: only compare ips in ismaster() (Kees Monshouwer)
* Rather than crash, sheepishly report no file/linenum
* Document undocumented config vars
* Backport #6276 (auth 4.1.x): prevent cname + other data with dnsupdate
- misc
* Move includes around to avoid boost L conflict
* Backport: update edns option code list
* Auth: link dnspcap2protobuf against librt when needed
* Fix a warning on botan >= 2.5.0
* Auth 4.1.x: unbreak build
* Dnsreplay: bail out on a too small outgoing buffer (CVE-2018-1046 bsc#1092540)
* Mon Apr 23 2018 mrueckert@suse.de
- add patch for upstream issue #6228
https://patch-diff.githubusercontent.com/raw/PowerDNS/pdns/pull/6370.patch
* Fri Apr 13 2018 adam.majer@suse.de
- geoip not available on SLE15 but protobuf support is available.
Version: 4.1.11-20.1
* Thu Aug 01 2019 adam.majer@suse.de
- Update to 4.1.11:
* update postgresql schema to address a possible denial of service
by an authorized user by inserting a crafted record in a MASTER
type zone under their control. (bsc#1142810, CVE-2019-10203)
To fix the issue, run the following command against your PostgreSQL
pdns database:
ALTER TABLE domains ALTER notified_serial TYPE bigint
USING CASE WHEN notified_serial >= 0
THEN notified_serial::bigint END;
- spec file simplifications and cleanup
* Fri Jun 21 2019 michael@stroeder.com
- Update to 4.1.10 with security fixes:
* fixes a denial of service bug which allows an authorized user to cause
the server to exit by inserting a crafted record in a MASTER
type zone under their control. (bsc#1138582, CVE-2019-10162)
* fixes a denial of service of slave server when an authorized
master server sends a large number of NOTIFY messages
(bsc#1138582, CVE-2019-10163)
* Tue Jun 18 2019 michael@stroeder.com
- Update to 4.1.9
* #7922: by popular demand, the option to disable superslave support
has been backported from 4.2.0 to 4.1.9
* #7921: `pdnsutil b2b-migrate` would lose NSEC3 settings.
This has been corrected now.
* Fri Mar 22 2019 michael@stroeder.com
- Update to 4.1.8
* #7604: Correctly interpret an empty AXFR response to an IXFR query,
* #7610: Fix replying from ANY address for non-standard port,
* #7609: Fix rectify for ENT records in narrow zones,
* #7607: Do not compress the root,
* #7608: Fix dot stripping in `setcontent()`,
* #7605: Fix invalid SOA record in MySQL which prevented the authoritative server from starting,
* #7603: Prevent leak of file descriptor if running out of ports for incoming AXFR,
* #7602: Fix API search failed with "Commands out of sync; you can't run this command now",
* #7509: Plug `mysql_thread_init` memory leak,
* #7567: EL6: fix `CXXFLAGS` to build with compiler optimizations.
Version: 4.1.0-2.1
* Thu Nov 30 2017 adam.majer@suse.de
- Update to version 4.1.0:
+ Recursor passthrough removal. Migration plans for users of
recursor passthrough are in documentation and available at,
https://doc.powerdns.com/authoritative/guides/recursion.html
+ Improved performance: 4x speedup in some scenarios
+ Crypto API: DNSSEC fully configurable via RESTful API
+ Database: enhanced reconnection logic solving problems
associated with idle disconnection from database servers.
+ Documentation improvements
+ Support for TCP Fast Open
+ Removed deprecated SOA-EDIT values: INCEPTION and INCEPTION-WEEK
- pkgconfig(krb5) is now always required for building LDAP backend
- pdns-4.0.4_mysql-schema-mariadb.patch: removed, upstreamed
* Mon Nov 27 2017 mrueckert@suse.de
- package schema files in ldap subpackage
* Mon Nov 27 2017 adam.majer@suse.de
- Update to version 4.0.5:
+ fixes CVE-2017-15091: Missing check on API operations
+ Bindbackend: do not corrupt data supplied by other backends in
getAllDomains
+ For create-slave-zone, actually add all slaves, and not only
first n times
+ Check return value for all getTSIGKey calls.
+ Publish inactive KSK/CSK as CDNSKEY/CDS
+ Treat requestor's payload size lower than 512 as equal to 512
+ Correctly purge entries from the caches after a transfer
+ LuaWrapper: Allow embedded NULs in strings received from Lua
+ Stubresolver: Use only recursor setting if given
+ mydnsbackend: Add getAllDomains
+ LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
+ gpgsql: make statement names actually unique
+ API: prevent sending nameservers list and zone-level NS in rrsets
* Tue Oct 31 2017 jengelh@inai.de
- Ensure descriptions are neutral. Remove ineffective --with-pic.
- Do not ignore errors from useradd.
- Trim idempotent %if..%endif around %package.
* Thu Oct 19 2017 adam.majer@suse.de
- Added pdns.keyring linked from https://dnsdist.org/install.html
* Fri Sep 29 2017 vcizek@suse.com
- Don't BuildRequire Botan 1.x which will be dropped (bsc#1055322)
* upstream support for Botan was dropped in favor of OpenSSL, see
https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released
* Sun Jul 30 2017 wr@rosenauer.org
- This makes the schema fit storage requirements of various
mysql/mariadb versions. pdns-4.0.4_mysql-schema-mariadb.patch
- preset uid and gid in configuration
* Fri Jun 23 2017 michael@stroeder.com
- fixed use of pdns_protobuf
* Fri Mar 31 2017 mrueckert@suse.de
- added pdns-4.0.3_allow_dacoverride_in_capset.patch:
Adding CAP_DAC_OVERRIDE to fix startup problems with sqlite3
backend
* Thu Feb 02 2017 adam.majer@suse.de
- use individual libboost-*-devel packages instead of boost-devel
* Tue Jan 17 2017 michael@stroeder.com
- update to 4.0.3 which obsoletes b854d9f.diff
* Fri Jan 13 2017 adam.majer@suse.de
- b854d9f.diff: revert upstream change that caused a regression
with multiple-backends
* Mon Dec 12 2016 dimstar@opensuse.org
- BuildRequire pkgconfig(libsystemd) instead of
pkgconfig(libsystemd-daemon): these libs were merged in systemd
209 times. The build system is capable of finding either one.
* Sat Jul 30 2016 michael@stroeder.com
- update to 4.0.1
Bug fixes
- #4126 Wait for the connection to the carbon server to be established
- #4206 Don't try to deallocate empty PG statements
- #4245 Send the correct response when queried for an NSEC directly (Kees Monshouwer)
- #4252 Don't include bind files if length <= 2 or > sizeof(filename)
- #4255 Catch runtime_error when parsing a broken MNAME
Improvements
- #4044 Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
- #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
- #4169 Fix typos in a logmessage and exception (Christian Hofstaedtler)
- #4183 pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo)
- #4192 dnsreplay: Only add Client Subnet stamp when asked
- #4250 Use toLogString() for ringAccount (Kees Monshouwer)
Additions
- #4133 Add limits to the size of received {A,I}XFR (CVE-2016-6172)
- #4142 Add used filedescriptor statistic (Kees Monshouwer)
* Mon Jul 11 2016 mrueckert@suse.de
- update to 4.0.0
https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/
https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/
- packaging changes:
- remotebackend split out now
- enabled experimental_gss_tsig support
- enabled protobuf based stats support
- no more xdb and lmdb backend
- added odbc backend where supported
- drop pdns-3.4.0-no_date_time.patch: replaced with
--enable-reproducible
* Sun May 29 2016 michael@stroeder.com
- update to 3.4.9
* use OpenSSL for ECDSA signing where available
* allow common signing key
* Add a disable-syslog setting
* fix SOA caching with multiple backends
* whitespace-related zone parsing fixes [ticket #3568]
* bindbackend: fix, set domain in list()
* Wed Feb 03 2016 michael@stroeder.com
- update to 3.4.8
* Use AC_SEARCH_LIBS (Ruben Kerkhof)
* Check for inet_aton in libresolv (Ruben Kerkhof)
* Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
* pdnssec: don't check disabled records (Pieter Lexis)
* pdnssec: check all records (including disabled ones)
only in verbose mode (Kees Monshouwer)
* trailing dot in DNAME content (Kees Monshouwer)
* Fix luabackend compilation on FreeBSD i386 (RvdE)
* silence g++ 6.0 warnings and error (Kees Monshouwer)
* add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)
* Tue Nov 03 2015 michael@stroeder.com
- update to 3.4.7
Bug fixes:
* Ignore invalid/empty TKEY and TSIG records (Christian Hofstaedtler)
* Don't reply to truncated queries (Christian Hofstaedtler)
* don't log out-of-zone ents during AXFR in (Kees Monshouwer)
* Prevent XSS by escaping user input. Thanks to Pierre Jaury and Damien
Cauquil at Sysdream for pointing this out.
* Handle NULL and boolean properly in gPGSql (Aki Tuomi)
* Improve negative caching (Kees Monshouwer)
* Do not divide timeout twice (Aki Tuomi)
* Correctly sort records with a priority.
Improvements:
* Direct query answers and correct zone-rectification in the GeoIP
backend (Aki Tuomi)
* Use token names to identify PKCS#11 keys (Aki Tuomi)
* Fix typo in an error message (Arjen Zonneveld)
* limit NSEC3 iterations in bindbackend (Kees Monshouwer)
* Initialize minbody (Aki Tuomi)
New features:
* OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
* add global soa-edit settings (Kees Monshouwer)