dns/knot-resolver security update to 5.7.1 (was: dns/knot3 update to 3.3.4)

Reply: Moin Rahman : "Re: dns/knot-resolver security update to 5.7.1 (was: dns/knot3 update to 3.3.4)"
In reply to: Moin Rahman : "Re: dns/knot3 update to 3.3.4"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Michael Grimm <trashcan_at_ellael.org>
Date: Sun, 25 Feb 2024 17:15:58 UTC

Moin Rahman <bofh@FreeBSD.org> wrote:

>> On Feb 25, 2024, at 5:04 PM, Michael Grimm <trashcan@ellael.org> wrote:
>> 
>> a new version of this port has been released two month ago.
>> 
>> The maintainer normally updates knot3 shortly after the release of a new version. He didn't react on a mail of mine. No pun intended, there are numerous reasons for that.
>> 
>> I do have a git-diff patch at hand, successfully compiling with poudriere, and running well for 1 month now.
>> 
>> What can I do to get this patch committed?
>> Shall I create a PR like https://cgit.freebsd.org/ports/commit/?id=11f44f375254e07a262455aaf8311bfd4bbedb67

> It's best to create a PR and awaiting for maintainer-timeout.

Done, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277305

> However on certain cases like security or vulnerability issues the update
> can be committed without the maintainer-approval. So if this is a release
> related to the recent dnssec security issue let me know.

dns/knot3 as an authoritative DNS server isn't affected by CVE-2023-50868, if I am not mistaken. Ain't no DNS expert …

BUT, dns/knot-resolver is affected: https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1

I do not use that port, yet. 
But I opened another PR on that security update to dns/knot-resolver: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277306

All I can say is: dns/knot-resolver 5.7.1 compiles with poudriere.

HTH,
Michael

P.S. Please forgive my lack in experience with PRs ;-)
     Please let me know, what to correct if neccessary