From 407525b571b48cfd65e1ad7a02d250a927c967c9 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Fri, 1 Dec 2017 03:04:39 +0000 Subject: gentoo resync : 01.12.2017 --- net-dns/pdns-recursor/Manifest | 17 +++-- .../pdns-recursor/files/CVE-2017-15090-4.0.6.patch | 15 ++++ .../pdns-recursor/files/CVE-2017-15092-4.0.6.patch | 85 ++++++++++++++++++++++ .../pdns-recursor/files/CVE-2017-15093-4.0.6.patch | 47 ++++++++++++ .../pdns-recursor/files/CVE-2017-15094-4.0.6.patch | 28 +++++++ net-dns/pdns-recursor/metadata.xml | 1 + .../pdns-recursor/pdns-recursor-4.0.6-r1.ebuild | 81 +++++++++++++++++++++ net-dns/pdns-recursor/pdns-recursor-4.0.6.ebuild | 4 +- net-dns/pdns-recursor/pdns-recursor-4.0.7.ebuild | 77 ++++++++++++++++++++ .../pdns-recursor-4.1.0_rc3-r1.ebuild | 84 +++++++++++++++++++++ .../pdns-recursor/pdns-recursor-4.1.0_rc3.ebuild | 74 ------------------- 11 files changed, 433 insertions(+), 80 deletions(-) create mode 100644 net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch create mode 100644 net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch create mode 100644 net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch create mode 100644 net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch create mode 100644 net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild create mode 100644 net-dns/pdns-recursor/pdns-recursor-4.0.7.ebuild create mode 100644 net-dns/pdns-recursor/pdns-recursor-4.1.0_rc3-r1.ebuild delete mode 100644 net-dns/pdns-recursor/pdns-recursor-4.1.0_rc3.ebuild (limited to 'net-dns/pdns-recursor') diff --git a/net-dns/pdns-recursor/Manifest b/net-dns/pdns-recursor/Manifest index 3379c28da292..475a17d4ef1a 100644 --- a/net-dns/pdns-recursor/Manifest +++ b/net-dns/pdns-recursor/Manifest 
@@ -1,6 +1,13 @@ +AUX CVE-2017-15090-4.0.6.patch 659 BLAKE2B b710ca3c84f5b7d7936155a67f8d3fd82ad6b58f0edf69079498a1896f5ab4a3387fb4c6c9999a726b38e439b506f6ebbcec53866b556f3d0e297c30ffe8f50a SHA512 ce747ae0c747d70597bf3b386db0390c34dce03d6dab98f7f30e43fa21a87f133e66438bf53bcd66ae364cdc451dc4469b95bf479540b90c7282ba4cf150f3ad +AUX CVE-2017-15092-4.0.6.patch 2798 BLAKE2B 6770cb303a86457338776abb95d198315f643c96337f857ab83979ae5978b52210621fdee557d9c0ba07d457b8eadfb88dca994fbd8bab6fcdf885948a5c4c97 SHA512 d4d22dd0ee26fd750e517796cda7c0517c0e05743b8acff013e48f3c9b3748c5301ecb8e781ecae966c58cc96fe202375c55a5c3593fb475d526fbd079ff971a +AUX CVE-2017-15093-4.0.6.patch 1581 BLAKE2B b3604c997b30805bf883879a65e30a96bfeef52eb04fbe7b741c2a41884134c145059359daed0db7d419eadc76909366d19af719a1cb0a978319028c6cbb4614 SHA512 e367895d54c0fe989812195bef0e904c79e16d5bcb1239b074e9587d0e69bab2ae4d675a74c485179c5bb3d4e18fd1f8d505bae0ef1dc72b3a649db596f8c222 +AUX CVE-2017-15094-4.0.6.patch 1031 BLAKE2B 7be45cc770e92fb156b563e32855576ec79f230edd751e14d5bb6b55b859a83acfb9cad30f1e4dace94c316895241a2da2f46e9335b1f3138b4cbd535e62131f SHA512 164370b3667fbe8f19c55068a5d250651ef9873df05d4516f093f98a9bd8f1cd48e95530b2e8cca3b5c54c26bdde8718d7dcd739c922c8d25ac25d2418642393 AUX pdns-recursor-r1 1135 BLAKE2B 90f28d33c126882e5b5e29209ec12f336797720832f7750262329cc5d47fefdf8bcb5208807e47638037a704abbbebd0ee2b1380a3d1d54feab6d4900c250176 SHA512 9dce3cd454ed6b61af8d70c90a8464c60d16eb8342ffc46558f5dcc5089c77aff4581f208684ddb25c4512ce6f39c54afaf267dcade667d812511ae3fa3a1f48 -DIST pdns-recursor-4.0.6.tar.bz2 1105423 SHA256 f2182ac644268bb08b865a71351f11d75c5015ac0608a1469eb4c1cd5494d60d SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 WHIRLPOOL a2eece8a6cdfcd6c791cb6fa42053d524b4e54f1431d78345640d7f2d9f3079939c7905767abe65abb977bce45647fb7232d1148dac13737625ee4bfae221da8 -DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 SHA256 
0b8bc3fec4cd39c62e53993ab7a87fc1f2b3d200df071a401775f33e47392169 SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d WHIRLPOOL b6e1c3cb233aff0ac10e1d0d4b5e3de508cf657e1f3fa27c3692e38c90f7af82cc6afe499915d1dbd78cdd5d5eb2ec814b2f3ae86ae6a3f353321abfbe191691 -EBUILD pdns-recursor-4.0.6.ebuild 1619 BLAKE2B 7445475cf2912584ae43b880ca3d138ffca61100582a950ec486425726df07147b05fdffe3372806a43eee1ce91b7f0210c941961de62f16b4122ab3a734d1f9 SHA512 d7bab4a391b40acc2e78c51ce7d1ba1b77a62a0bc4cb3285ceec92d370e875141984d7d289e6c110ed914a4f9ad714f2d8ca1e4cdb7aa534fd9457d64ce05b47 -EBUILD pdns-recursor-4.1.0_rc3.ebuild 1603 BLAKE2B 068eab0abd4546abf3c1988ad87c663951e15769eab808db22a49188116202549eaa42a3ac9ed4822fe25f51d5fb13fec563dbecd9930cee10a69ab08f1fc3f0 SHA512 2f4a6b3cb2db63dab166f53844e58f358097e7607c70c00ebe4be9d25ad7e3d0a983fd589906c7db2f9ccfd174742f64fea5386f6c56195b35db45d243f5c8c6 -MISC metadata.xml 997 BLAKE2B 0ec5da2bba75b0e3fb5a45e64e1863b06ed9e2cfb088aeff89633ee9c4ee4f26787c0769c70dbf021c651ff67e59b5e8ed8bdbd70ce69179fb929f5deacd525d SHA512 43d84c29e22bece3fc87a925c309229dd5867c3457e3378a0000c046b06b5a7fc75f6e204111cbdc90a02fba3a987ba376bd96dd2b81e498fa19955f16b5a58e +DIST pdns-recursor-4.0.6.tar.bz2 1105423 BLAKE2B 50cc52f118630d4d8ce9876c2e11494a3c972ec90003c40fea36801eb08bd8b6173f876e6f53eb672ad8ff3da04e669946740a50f653a21459f25c1137d91297 SHA512 2203fd96469deded1da677344485da221eec036b1ad9fb418a89cd4477d73f2a6fcf984a39b574561df6946f440ddf1982de20cd39d7204da9c27e74216d1159 +DIST pdns-recursor-4.0.7.tar.bz2 1107546 BLAKE2B 3ccda73878599e3ade69e4dc6b0787e588a8403fb7cacfbe574409513b8723cbfd29a3c73d857120def801da60a4bedbc0f0c396e6642adb0287204cde301331 SHA512 0c8873adcce5ed9b41f161bc71635da23496b4ae48dbffff7dcdf9c5181e720f9aa94e18bd64e0dff9fa03eae8410dc93585a74d13f0c16d38b0d1c0f4146bb2 +DIST pdns-recursor-4.1.0-rc3.tar.bz2 1191353 BLAKE2B 
fcbc6f08f962c9c2f459448770406734eff2caab43b615690e9d910b65327e45182aa2c9bcadadeaa6eb3984a8cb463849d5e001ffb98bb618966da5b8557a8a SHA512 141e3fcbf5e7c81ae0228fb7a15c599ef5ae41e2c2d169e2f7b4f57c6c832ac40d3e20302d219ba565c4a514b1297906684247a1a56cd740e3ea0bff4a7da51d +EBUILD pdns-recursor-4.0.6-r1.ebuild 1775 BLAKE2B 68e4f90e18abfede00cc903b32013ea89e608bbb1b9cbdb1003fd24f02bb278bd9c7c30c58f7416976cc702e7330064c6c2d327dec29ca069465b2972cd10c38 SHA512 ffd7d04fa63cb931ed3c4171e4e0ec2de8d1665c897382117d8e20b26a46e61b4e900a406c751e5848fd1c673102b93ecb8f29631da8c8e8553814f36169abc3 +EBUILD pdns-recursor-4.0.6.ebuild 1698 BLAKE2B bf67849d5f47c1f0d148596aea3fbc4268ad6696761f76f7fdb3b3b574708b01a464f12ae2a6c1df8979d60ec0cb877542dbf927af91bb2709e4510ce675a691 SHA512 358312b26fad4c6f2c473b7756f9c6d71c77045d6c7d0e92a10555848bc1643d9fc59454f61f8286d0891d181a1f6b20eeae055598dc7b150ba06faa0af44650 +EBUILD pdns-recursor-4.0.7.ebuild 1698 BLAKE2B bf67849d5f47c1f0d148596aea3fbc4268ad6696761f76f7fdb3b3b574708b01a464f12ae2a6c1df8979d60ec0cb877542dbf927af91bb2709e4510ce675a691 SHA512 358312b26fad4c6f2c473b7756f9c6d71c77045d6c7d0e92a10555848bc1643d9fc59454f61f8286d0891d181a1f6b20eeae055598dc7b150ba06faa0af44650 +EBUILD pdns-recursor-4.1.0_rc3-r1.ebuild 1889 BLAKE2B e8a915231e5cdaf6cfcd64d4e78a56b183cb7a37a41262c275d203d00b62de05a8975aa7574ec46ccc089aeeeeafa497b6755a344e718bf9d2db75dd5d09f635 SHA512 216143fbd3c7c869ec09f0bc0fc0785d8f5ca2335c53028d8942cf97e3b25aa0cfc08921130589f97ebea642ba505b908a126921bea60f095d377d4f44453227 +MISC metadata.xml 1076 BLAKE2B 4f68267d5dfcf3cff38f306f440ed2e9a7f5193c14c1029bcfcbbfca4f8f310c94969001c781e1b78a14cec2a6e313e44d82bebbd9694fe46f97759372e63711 SHA512 374be5aa98c4bab340d8d63c859ab08a392e926fbb4d55e1f5a2967d41c401d13d5e8d5997c0790c3b8f96662b56e4492343248d7c8e0a067dc7eaf3f4b56e95 
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch
new file mode 100644
index 000000000000..fa0bfd099abf
--- /dev/null
+++ b/net-dns/pdns-recursor/files/CVE-2017-15090-4.0.6.patch
@@ -0,0 +1,15 @@
+diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc pdns-recursor-4.0.6/validate-recursor.cc
+--- pdns-recursor-4.0.6.orig/validate-recursor.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/validate-recursor.cc 2017-11-02 18:29:16.612520450 +0100
+@@ -87,6 +87,11 @@
+ bool first = true;
+ for(const auto& csp : cspmap) {
+ for(const auto& sig : csp.second.signatures) {
++
++ if (!csp.first.first.isPartOf(sig->d_signer)) {
++ return increaseDNSSECStateCounter(Bogus);
++ }
++
+ vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
+
+ if (newState == Bogus) // No hope
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch
new file mode 100644
index 000000000000..1425c33586c2
--- /dev/null
+++ b/net-dns/pdns-recursor/files/CVE-2017-15092-4.0.6.patch
@@ -0,0 +1,85 @@
+diff -ru pdns-recursor-4.0.6.orig/html/local.js pdns-recursor-4.0.6/html/local.js
+--- pdns-recursor-4.0.6.orig/html/local.js 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/html/local.js 2017-11-02 18:26:04.624586674 +0100
+@@ -63,7 +63,7 @@
+
+ $.getJSON(qstring,
+ function(data) {
+- var bouw="";
++ var table = $('
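Review bot: The signer check added in the validate-recursor.cc hunk (`-87,6 +87,11`, inside CVE-2017-15090-4.0.6.patch) carries no comment explaining why a signature is rejected, and the retained `// XXX check validity here` on the following line still reads as if nothing is verified. I would put `// RFC 4035 5.3.1: the signer must be the zone holding the RRset, so the owner name has to be part of sig->d_signer` above the `if`. The `return` also ends validation for every remaining signature and name in `cspmap` as soon as one signer mismatches; that looks like a deliberate fail-closed choice, and the same comment should say so, so that a later reader does not weaken it to skipping the single RRSIG. The enclosing function starts and ends outside the hunk.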
NumberDomainType
NumberDomainType
');
+ var num=0;
+ var total=0, rest=0;
+ $.each(data["entries"], function(a,b) {
+@@ -75,12 +75,26 @@
+ if(b[1].length > 25)
+ b[1]=b[1].substring(0,25);
+
+- bouw=bouw+(""+b[0]+""+b[1]+""+b[2]+"");
+- });
+- bouw+=""+rest+"Rest";
+- bouw=bouw+"";
+- $("#queryring").html(bouw);
+-
++ var line = $('');
++ var number = $('');
++ number.text(b[0]);
++ var domain = $('');
++ domain.text(b[1]);
++ var type = $('');
++ type.text(b[2]);
++ line.append(number);
++ line.append(domain);
++ line.append(type);
++ table.append(line);
++ });
++ var line = $('');
++ var number = $('');
++ number.text(rest);
++ var label = $('Rest');
++ line.append(number);
++ line.append(label);
++ table.append(line);
++ $("#queryring").html(table);
+ });
+
+ filtered=$("#filter2").is(':checked')
+@@ -91,7 +105,7 @@
+
+ $.getJSON(qstring,
+ function(data) {
+- var bouw="";
++ var table = $('
NumberServfail domainType
NumberServfail domainType
');
+ var num=0, total=0, rest=0;
+ $.each(data["entries"], function(a,b) {
+ total+=b[0];
+@@ -101,11 +115,26 @@
+ }
+ if(b[1].length > 25)
+ b[1]=b[1].substring(0,25);
+- bouw=bouw+(""+b[0]+""+b[1]+""+b[2]+"");
++ var line = $('');
++ var number = $('');
++ number.text(b[0]);
++ var domain = $('');
++ domain.text(b[1]);
++ var type = $('');
++ type.text(b[2]);
++ line.append(number);
++ line.append(domain);
++ line.append(type);
++ table.append(line);
+ });
+- bouw+=""+rest+"Rest";
+- bouw=bouw+"";
+- $("#servfailqueryring").html(bouw);
++ var line = $('');
++ var number = $('');
++ number.text(rest);
++ var label = $('Rest');
++ line.append(number);
++ line.append(label);
++ table.append(line);
++ $("#servfailqueryring").html(table);
+
+ });
+
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch
new file mode 100644
index 000000000000..2695830b4420
--- /dev/null
+++ b/net-dns/pdns-recursor/files/CVE-2017-15093-4.0.6.patch
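Review bot: The row-building sequence added in the `-75,12 +75,26` hunk of html/local.js is repeated line for line in the `-101,11 +115,26` hunk, so the `.text()` escaping that closes the injection now lives in four hand-written copies (two data rows, two Rest rows). A small helper keeps the escaping in one place, so a table added later cannot drift back to concatenating response fields into `.html()`. The element literals inside `$('')` are stripped in this rendering, so the tag names below are placeholders, and any attribute the Rest cell carries has to be kept. Both `$.getJSON` callbacks start and end outside the hunks.

```javascript
// Append one row; .text() inserts each value as text, never as markup.
// '<tr>' / '<td>' are placeholders: the page shows the literals as $('').
function appendRow(table, cells) {
    var line = $('<tr>');
    $.each(cells, function(i, cell) {
        line.append($('<td>').text(cell));
    });
    table.append(line);
}

// … unchanged: $.getJSON call, totals, 25-character truncation of b[1] …
appendRow(table, [b[0], b[1], b[2]]);
// … unchanged: end of the $.each callback …
appendRow(table, [rest, "Rest"]);
```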
@@ -0,0 +1,47 @@
+diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc
+--- pdns-recursor-4.0.6.orig/ws-recursor.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/ws-recursor.cc 2017-11-02 18:13:55.762458134 +0100
+@@ -76,10 +76,11 @@
+ throw ApiException("'value' must be an array");
+ }
+
++ NetmaskGroup nmg;
+ for (auto value : jlist.array_items()) {
+ try {
+- Netmask(value.string_value());
+- } catch (NetmaskException &e) {
++ nmg.addMask(value.string_value());
++ } catch (const NetmaskException &e) {
+ throw ApiException(e.reason);
+ }
+ }
+@@ -91,9 +92,7 @@
+
+ // Clear allow-from, and provide a "parent" value
+ ss << "allow-from=" << endl;
+- for (auto value : jlist.array_items()) {
+- ss << "allow-from+=" << value.string_value() << endl;
+- }
++ ss << "allow-from+=" << nmg.toString() << endl;
+
+ apiWriteConfigFile("allow-from", ss.str());
+
+@@ -201,10 +200,15 @@
+ if (server == "") {
+ throw ApiException("Forwarded-to server must not be an empty string");
+ }
+- if (!serverlist.empty()) {
+- serverlist += ";";
++ try {
++ ComboAddress ca = parseIPAndPort(server, 53);
++ if (!serverlist.empty()) {
++ serverlist += ";";
++ }
++ serverlist += ca.toStringWithPort();
++ } catch (const PDNSException &e) {
++ throw ApiException(e.reason);
+ }
+- serverlist += server;
+ }
+ if (serverlist == "")
+ throw ApiException("Need at least one upstream server when forwarding");
diff --git a/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch
new file mode 100644
index 000000000000..ee7cf6878d98
--- /dev/null
+++ b/net-dns/pdns-recursor/files/CVE-2017-15094-4.0.6.patch
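Review bot: In the `-201,10 +200,15` hunk of ws-recursor.cc the new `try` catches only `PDNSException`, so any other exception raised while `parseIPAndPort(server, 53)` parses the address or port would leave the handler without being turned into an `ApiException`. Whether that function can throw a standard-library exception (for instance on a port that is not a number) is not visible here and should be confirmed; if it can, add `} catch (const std::exception &e) { throw ApiException(e.what()); }` after the existing handler. In the `-91,9 +92,7` hunk a one-line comment such as `// write the parsed masks back, never the raw API strings, so nothing but netmasks reaches the config file` would record why the loop was replaced; that line is now also written when the list is empty, which presumably is harmless but is worth checking against the config parser. The surrounding functions begin and end outside the hunks.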
@@ -0,0 +1,28 @@
+diff -ru pdns-recursor-4.0.6.orig/opensslsigners.cc pdns-recursor-4.0.6/opensslsigners.cc
+--- pdns-recursor-4.0.6.orig/opensslsigners.cc 2017-07-04 17:43:07.000000000 +0200
++++ pdns-recursor-4.0.6/opensslsigners.cc 2017-11-02 18:18:37.489408103 +0100
+@@ -474,7 +474,7 @@
+ if (iqmp == NULL) {
+ RSA_free(key);
+ BN_clear_free(dmq1);
+- BN_clear_free(iqmp);
++ BN_clear_free(dmp1);
+ throw runtime_error(getName()+" allocation of BIGNUM iqmp failed");
+ }
+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
+@@ -562,6 +562,7 @@
+ BIGNUM *n = BN_bin2bn((unsigned char*)modulus.c_str(), modulus.length(), NULL);
+ if (!n) {
+ RSA_free(key);
++ BN_clear_free(e);
+ throw runtime_error(getName()+" error loading n value of public key");
+ }
+
+@@ -866,6 +867,7 @@
+
+ int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx);
+ if (ret != 1) {
++ EC_POINT_free(pub_key);
+ throw runtime_error(getName()+" reading ECP point from binary failed");
+ }
+
diff --git a/net-dns/pdns-recursor/metadata.xml b/net-dns/pdns-recursor/metadata.xml
index a5208407eaa3..e8c54bc6eb5f 100644
--- a/net-dns/pdns-recursor/metadata.xml
+++ b/net-dns/pdns-recursor/metadata.xml
@@ -18,5 +18,6 @@ nameserver performance. Enable support for dev-lang/luajit. Enable support for dev-libs/protobuf.
+ Use dev-libs/libsodium for cryptography
diff --git a/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild
new file mode 100644
index 000000000000..30f31e4cc5bb
--- /dev/null
+++ b/net-dns/pdns-recursor/pdns-recursor-4.0.6-r1.ebuild
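Review bot: Each of the three opensslsigners.cc hunks repairs a single error path by hand (`BN_clear_free(dmp1)`, `BN_clear_free(e)`, `EC_POINT_free(pub_key)`), and the `-474,7 +474,7` hunk shows how easily such a cleanup ladder ends up freeing the wrong pointer. Holding each object in a scoped owner, e.g. `std::unique_ptr<BIGNUM, decltype(&BN_clear_free)> e(BN_bin2bn(...), BN_clear_free);`, and calling `release()` only where the `RSA_set0_*` call takes ownership would make every `throw` leak-free without per-branch cleanup. Keeping `BN_clear_free` as the deleter preserves the zeroisation of the CRT parameters handled in the first hunk. The functions containing these branches start and end outside the hunks, so the earlier allocation checks in the same ladders could not be reviewed here.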
@@ -0,0 +1,81 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit toolchain-funcs flag-o-matic eutils versionator + +DESCRIPTION="The PowerDNS Recursor" +HOMEPAGE="https://www.powerdns.com/" +SRC_URI="https://downloads.powerdns.com/releases/${P/_/-}.tar.bz2" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~arm ~x86" +IUSE="libressl lua luajit protobuf systemd" +REQUIRED_USE="?? ( lua luajit )" + +DEPEND="lua? ( >=dev-lang/lua-5.1:= ) + luajit? ( dev-lang/luajit:= ) + protobuf? ( + dev-libs/protobuf + >=dev-libs/boost-1.42:= + ) + systemd? ( sys-apps/systemd:0= ) + libressl? ( dev-libs/libressl:= ) + !libressl? ( dev-libs/openssl:= ) + >=dev-libs/boost-1.35:=" +RDEPEND="${DEPEND} + !=dev-lang/lua-5.1:= ) >=dev-libs/boost-1.42:= ) systemd? ( sys-apps/systemd:0= ) + libressl? ( dev-libs/libressl:= ) + !libressl? ( dev-libs/openssl:= ) >=dev-libs/boost-1.35:=" RDEPEND="${DEPEND} !