update net/dnscrypt-proxy 2.0.38


update net/dnscrypt-proxy 2.0.38

Nam Nguyen
This is a security fix release that I propose adding to -stable. It
affects 32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature
is used. It was fixed in Go 1.13.7 (now available in ports) and in the
version of golang.org/x/crypto specified in {WRKSRC}/go.mod.

From issue:
"On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
parsing functions of golang.org/x/crypto/cryptobyte can lead to a
panic."

From Go commit:
"When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String."

From changelog:
"- Security (affecting DoH): precompiled binaries of dnscrypt-proxy
2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing
issue present in previous versions of the compiler"

Sources:
CVE-2020-7919
https://github.com/golang/go/issues/36837
https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1

Changelog:
https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.38/ChangeLog

This is an update for net/dnscrypt-proxy 2.0.38, released on January 30,
2020. I tested on amd64 and unit tests pass.

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.50
diff -u -p -r1.50 Makefile
--- Makefile 22 Dec 2019 14:12:47 -0000 1.50
+++ Makefile 31 Jan 2020 02:49:54 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
 
 GH_ACCOUNT = jedisct1
 GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.36
+GH_TAGNAME = 2.0.38
 
 CATEGORIES = net
 
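Review bot: this hunk only moves GH_TAGNAME from 2.0.36 to 2.0.38, but the fix the cover letter describes lives in the compiler (Go 1.13.7) and in the golang.org/x/crypto version pinned in go.mod, not in the port's own sources; nothing in the hunk constrains the Go version used for the build, so a -stable host still carrying an older Go port would rebuild 2.0.38 with the bug intact. The -stable request should say how the build is guaranteed to use the updated Go port, or the dependency should be bumped in the same diff.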
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.26
diff -u -p -r1.26 distinfo
--- distinfo 22 Dec 2019 14:12:47 -0000 1.26
+++ distinfo 31 Jan 2020 02:49:54 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.36.tar.gz) = 3ckiW4a/NZXO7a7WRwdk5hlCQc4mz+qG+f389r06dXU=
-SIZE (dnscrypt-proxy-2.0.36.tar.gz) = 2814470
+SHA256 (dnscrypt-proxy-2.0.38.tar.gz) = GjGZqkl/YGBv1CpjzpX1pAGya0A4UIYIrAb3KextLDQ=
+SIZE (dnscrypt-proxy-2.0.38.tar.gz) = 2814501
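Review bot: SIZE grows by only 31 bytes (2814470 to 2814501), which is plausible for a point release, but both lines should come from `make makesum` against a freshly fetched 2.0.38 tarball rather than hand edits; the SHA256 is what ties the -stable build to the release the cover letter references, so a second fetch from the GH_TAGNAME tag to confirm it reproduces is worth the minute.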
Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v
retrieving revision 1.11
diff -u -p -r1.11 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
--- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 22 Dec 2019 14:12:47 -0000 1.11
+++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 31 Jan 2020 02:49:54 -0000
@@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
 
 
  ## Require servers (from static + remote sources) to satisfy specific properties
-@@ -584,7 +584,7 @@ cache_neg_max_ttl = 600
+@@ -586,7 +586,7 @@ cache_neg_max_ttl = 600
 
    [sources.'public-resolvers']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
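Review bot: only the embedded hunk header shifts (584 to 586) while the `[sources.'public-resolvers']` context below it is unchanged, so upstream inserted two lines earlier in example-dnscrypt-proxy.toml; the next hunk carries the same two-line shift (592 to 594). Regenerate this file with `make update-patches` rather than editing the `@@` offsets by hand, and confirm the patch still applies without fuzz against the 2.0.38 tree.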
@@ -21,7 +21,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    prefix = ''
 
-@@ -592,7 +592,7 @@ cache_neg_max_ttl = 600
+@@ -594,7 +594,7 @@ cache_neg_max_ttl = 600
 
    [sources.'relays']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
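A check a port maintainer or administrator can run after reading this thread, as an added example that is not code from the thread or from dnscrypt-proxy: it reads a Go binary's embedded build info (debug/buildinfo, Go 1.18+ assumed on the checking machine) and reports whether the toolchain is at least the Go 1.13.7 named above, plus the golang.org/x/crypto version the binary embeds, for comparison with the version pinned in go.mod. The program name gocheck and the binary path are placeholders.

```go
// Added example (not from the thread or dnscrypt-proxy): tell whether a Go
// binary was built with Go >= 1.13.7 and show its golang.org/x/crypto version.
package main

import (
	"debug/buildinfo" // Go 1.18+ is assumed for reading embedded build info
	"fmt"
	"os"
	"strings"
)

// goVersionKey turns "go1.13.7" or "go1.14rc1" into a comparable key
// (major*1e6 + minor*1e3 + patch); only the leading digits of each field count.
func goVersionKey(v string) (int, error) {
	key := 0
	mul := [...]int{1000000, 1000, 1}
	for i, part := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		n, j := 0, 0
		for ; j < len(part) && part[j] >= '0' && part[j] <= '9'; j++ {
			n = n*10 + int(part[j]-'0')
		}
		if j == 0 || n >= 1000 {
			return 0, fmt.Errorf("unparseable Go version %q", v)
		}
		key += n * mul[i]
	}
	return key, nil
}

// FixedToolchain is true for go1.13.7 and later; go1.12.x reports false (conservative).
func FixedToolchain(goVersion string) (bool, error) {
	key, err := goVersionKey(goVersion)
	return err == nil && key >= 1013007, err
}

func main() { // usage: gocheck /path/to/dnscrypt-proxy (path is a placeholder)
	bi, err := buildinfo.ReadFile(os.Args[len(os.Args)-1]) // no argument: inspects itself
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ok, err := FixedToolchain(bi.GoVersion)
	fmt.Printf("toolchain %s fixed=%v err=%v\n", bi.GoVersion, ok, err)
	for _, dep := range bi.Deps { // compare with the version pinned in go.mod
		if dep.Path == "golang.org/x/crypto" {
			fmt.Println("golang.org/x/crypto", dep.Version)
		}
	}
}
```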


Re: update net/dnscrypt-proxy 2.0.38

Björn Ketelaars
On Thu 30/01/2020 19:21, Nam Nguyen wrote:

> This is a security fix release that I propose adding to -stable. It
> affects 32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature
> is used. It was fixed in Go 1.13.7 (now available in ports) and in the
> version of golang.org/x/crypto specified in {WRKSRC}/go.mod.
>
> From issue:
> "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
> parsing functions of golang.org/x/crypto/cryptobyte can lead to a
> panic."
>
> From Go commit:
> "When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
> overflow could occur, causing a panic, due to malformed ASN.1 being
> passed to any of the ASN1 methods of String."
>
> From changelog:
> "- Security (affecting DoH): precompiled binaries of dnscrypt-proxy
> 2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing
> issue present in previous versions of the compiler"
>
> Sources:
> CVE-2020-7919
> https://github.com/golang/go/issues/36837
> https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
> https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1
>
> Changelog:
> https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.38/ChangeLog
>
> This is an update for net/dnscrypt-proxy 2.0.38, released on January 30,
> 2020. I tested on amd64 and unit tests pass.

2.0.39 was released a couple of hours ago, which fixes the Firefox
local DoH service: https://github.com/DNSCrypt/dnscrypt-proxy/releases


Re: update net/dnscrypt-proxy 2.0.38

Nam Nguyen
Björn Ketelaars writes:

> On Thu 30/01/2020 19:21, Nam Nguyen wrote:
>> This is a security fix release that I propose adding to -stable. It
>> affects 32-bit arches when dnscrypt-proxy's DNS over HTTPS (DoH) feature
>> is used. It was fixed in Go 1.13.7 (now available in ports) and in the
>> version of golang.org/x/crypto specified in {WRKSRC}/go.mod.
>>
>> From issue:
>> "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
>> parsing functions of golang.org/x/crypto/cryptobyte can lead to a
>> panic."
>>
>> From Go commit:
>> "When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
>> overflow could occur, causing a panic, due to malformed ASN.1 being
>> passed to any of the ASN1 methods of String."
>>
>> From changelog:
>> "- Security (affecting DoH): precompiled binaries of dnscrypt-proxy
>> 2.0.37 are built using Go 1.13.7 that fixes a TLS certificate parsing
>> issue present in previous versions of the compiler"
>>
>> Sources:
>> CVE-2020-7919
>> https://github.com/golang/go/issues/36837
>> https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
>> https://github.com/golang/crypto/commit/69ecbb4d6d5dab05e49161c6e77ea40a030884e1
>>
>> Changelog:
>> https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.38/ChangeLog
>>
>> This is an update for net/dnscrypt-proxy 2.0.38, released on January 30,
>> 2020. I tested on amd64 and unit tests pass.
>
> 2.0.39 was released a couple of hours ago, which fixes the Firefox
> local DoH service: https://github.com/DNSCrypt/dnscrypt-proxy/releases

Thank you for catching the new release. Here is a diff for
dnscrypt-proxy 2.0.39, released January 31, 2020.

Changelog:
https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.39/ChangeLog

I tested the Firefox local DoH service, and it works as
described. https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH

I tested on amd64 and the unit tests pass.

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.50
diff -u -p -r1.50 Makefile
--- Makefile 22 Dec 2019 14:12:47 -0000 1.50
+++ Makefile 31 Jan 2020 23:11:41 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
 
 GH_ACCOUNT = jedisct1
 GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.36
+GH_TAGNAME = 2.0.39
 
 CATEGORIES = net
 
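Review bot: this diff supersedes the 2.0.38 one and now jumps -stable from 2.0.36 straight to 2.0.39; the only thing said about 2.0.39 here is that it fixes the Firefox local DoH service, which is a functional change rather than part of the security fix. The -stable request should state explicitly that the non-security changes between 2.0.38 and 2.0.39 are acceptable for the branch, or propose 2.0.38 for -stable and 2.0.39 for -current.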
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.26
diff -u -p -r1.26 distinfo
--- distinfo 22 Dec 2019 14:12:47 -0000 1.26
+++ distinfo 31 Jan 2020 23:11:41 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.36.tar.gz) = 3ckiW4a/NZXO7a7WRwdk5hlCQc4mz+qG+f389r06dXU=
-SIZE (dnscrypt-proxy-2.0.36.tar.gz) = 2814470
+SHA256 (dnscrypt-proxy-2.0.39.tar.gz) = yUPHTAiUu1EzZSnnM8o4Ed/9uRSlm5cHxjoyfyyP+DU=
+SIZE (dnscrypt-proxy-2.0.39.tar.gz) = 2814424
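Review bot: the 2.0.39 tarball (2814424 bytes) is smaller than both 2.0.36 (2814470) and the 2.0.38 archive in the earlier diff (2814501); not suspicious in itself for a tag archive, but confirm that `make makesum` produced both lines from the 2.0.39 tag and that `make checksum` passes on a clean fetch before this goes to -stable.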
Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v
retrieving revision 1.11
diff -u -p -r1.11 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
--- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 22 Dec 2019 14:12:47 -0000 1.11
+++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 31 Jan 2020 23:11:41 -0000
@@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
 
 
  ## Require servers (from static + remote sources) to satisfy specific properties
-@@ -584,7 +584,7 @@ cache_neg_max_ttl = 600
+@@ -586,7 +586,7 @@ cache_neg_max_ttl = 600
 
    [sources.'public-resolvers']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
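Review bot: the hunk-header renumbering (584 to 586) is identical to the 2.0.38 diff, consistent with 2.0.39 not touching the example config above that point; still regenerate with `make update-patches` so the offsets and any context drift are captured mechanically rather than carried over from the previous diff.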
@@ -21,7 +21,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    prefix = ''
 
-@@ -592,7 +592,7 @@ cache_neg_max_ttl = 600
+@@ -594,7 +594,7 @@ cache_neg_max_ttl = 600
 
    [sources.'relays']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
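Review bot: as with the previous hunk the only change is the `@@` offset (592 to 594), with the `[sources.'relays']` context unchanged; since both hunks sit on the `[sources.*]` blocks, a quick `make patch` followed by a diff of the patched example-dnscrypt-proxy.toml against upstream 2.0.39 confirms they still land on the intended blocks.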