This is a security fix release that I propose adding to -stable. It
affects 32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature
is used. It was fixed in Go 1.13.7 (now available in ports) and in the
version of golang.org/x/crypto specified in {WRKSRC}/go.mod.

From issue:

"On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
parsing functions of golang.org/x/crypto/cryptobyte can lead to a
panic."

From Go commit:

"When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String."

From changelog:

"- Security (affecting DoH): precompiled binaries of dnscrypt-proxy
2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing
issue present in previous versions of the compiler"

Sources:

CVE-2020-7919
https://github.com/golang/go/issues/36837
https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Changelog:
https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.38/ChangeLog

This is an update for net/dnscrypt-proxy 2.0.38, released on January 30,
2020. I tested on amd64 and unit tests pass.
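The bug class described in the quoted issue and commit, as an added example that is not part of the original post: a minimal DER tag-length-value reader in Go that keeps the parsed length as uint32 and bounds-checks it against the buffer before it is ever used as a slice index, so a length field such as 0xFFFFFFF0 is rejected instead of being converted to a negative int on a 32-bit platform. The readDER function and the sample byte strings are constructed for this example and are not cryptobyte's code.

```go
package main

import "fmt"

// Constructed inputs: a valid DER SEQUENCE, and a malformed element whose
// 4-byte length 0xFFFFFFF0 would wrap to a negative int when int is 32 bits.
var (
	goodElem = []byte{0x30, 0x03, 0x02, 0x01, 0x05} // SEQUENCE { INTEGER 5 }
	badElem  = []byte{0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xF0, 0x00}
)

// readDER parses one DER tag-length-value element (lengths up to 4 bytes).
// The length stays a uint32 and is compared against len(data) before any
// use as a slice index, so it cannot go negative whatever the width of int.
func readDER(data []byte) (tag byte, body, rest []byte, ok bool) {
	if len(data) < 2 {
		return 0, nil, nil, false
	}
	tag, lenByte := data[0], data[1]
	var hdr, length uint32
	if lenByte&0x80 == 0 {
		hdr, length = 2, uint32(lenByte) // short form
	} else {
		n := int(lenByte & 0x7f)
		if n == 0 || n > 4 || len(data) < 2+n {
			return 0, nil, nil, false // indefinite or oversized length field
		}
		for _, b := range data[2 : 2+n] {
			length = length<<8 | uint32(b)
		}
		// DER requires the minimal length encoding.
		if length < 128 || length>>(uint(n-1)*8) == 0 {
			return 0, nil, nil, false
		}
		hdr = 2 + uint32(n)
	}
	total := hdr + length
	// Reject hdr+length overflow and any claim beyond the buffer before
	// indexing: an unchecked int(length) is what could go negative on 32-bit.
	if total < length || uint64(total) > uint64(len(data)) {
		return 0, nil, nil, false
	}
	return tag, data[hdr:total], data[total:], true
}

func main() {
	_, _, _, ok := readDER(badElem)
	fmt.Println("malformed element accepted:", ok) // false
}
```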
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.50
diff -u -p -r1.50 Makefile
--- Makefile 22 Dec 2019 14:12:47 -0000 1.50
+++ Makefile 31 Jan 2020 02:49:54 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
GH_ACCOUNT = jedisct1
GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.36
+GH_TAGNAME = 2.0.38
CATEGORIES = net
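Review bot: the hunk only bumps GH_TAGNAME from 2.0.36 to 2.0.38, but the cover text says the fix itself comes from building with Go 1.13.7 and the golang.org/x/crypto version pinned in go.mod, not from the dnscrypt-proxy source change; for a -stable merge it is worth stating in the commit message (or enforcing through the lang/go dependency, if the port expresses one) that a build against an older Go in ports would not carry the fix.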
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.26
diff -u -p -r1.26 distinfo
--- distinfo 22 Dec 2019 14:12:47 -0000 1.26
+++ distinfo 31 Jan 2020 02:49:54 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.36.tar.gz) = 3ckiW4a/NZXO7a7WRwdk5hlCQc4mz+qG+f389r06dXU=
-SIZE (dnscrypt-proxy-2.0.36.tar.gz) = 2814470
+SHA256 (dnscrypt-proxy-2.0.38.tar.gz) = GjGZqkl/YGBv1CpjzpX1pAGya0A4UIYIrAb3KextLDQ=
+SIZE (dnscrypt-proxy-2.0.38.tar.gz) = 2814501
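Review bot: SHA256 and SIZE are updated together as expected; confirm the values were regenerated with make makesum against the upstream 2.0.38 tarball and that make checksum passes, since the cover text reports tests only on amd64 and the affected targets are the 32-bit arches.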
Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v
retrieving revision 1.11
diff -u -p -r1.11 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
--- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 22 Dec 2019 14:12:47 -0000 1.11
+++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 31 Jan 2020 02:49:54 -0000
@@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
## Require servers (from static + remote sources) to satisfy specific properties
-@@ -584,7 +584,7 @@ cache_neg_max_ttl = 600
+@@ -586,7 +586,7 @@ cache_neg_max_ttl = 600
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
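Review bot: this hunk changes only the inner hunk header offset (584 to 586) of the stored patch, which is the expected result of the upstream example config growing by two lines; the context lines as rendered here have lost the leading space a unified diff gives them, so apply from the original mail rather than this page, and a make update-patches run after extracting 2.0.38 is the check that the offsets match.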
@@ -21,7 +21,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
prefix = ''
-@@ -592,7 +592,7 @@ cache_neg_max_ttl = 600
+@@ -594,7 +594,7 @@ cache_neg_max_ttl = 600
[sources.'relays']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
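Review bot: same offset-only change (592 to 594) as the first hunk, with no change to what the patch modifies in example-dnscrypt-proxy.toml; one regenerated patch from make update-patches would confirm both offsets and avoid the stored patch applying with fuzz.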