powerdns: apply patch for ixfr validation issue

The PowerDNS version we ship on release-21.11 went EOL in january, so there are no explicit patches for 4.3.1, however the patches for 4.4.2 apply cleanly and the tests are still passing. https://blog.powerdns.com/2022/03/25/security-advisory-2022-01-for-powerdns-authoritative-server-4-4-2-4-5-3-4-6-0-and-powerdns-recursor-4-4-7-4-5-7-4-6-0/ Fixes: CVE-2022-27227
author: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-03-28 16:10:40 +0200
committer: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-03-28 16:10:40 +0200
commit: 657fc6d5d8b6cf4aa11b8647878e395ce7dc0b0a (patch)
tree: b7d4151cfa363e7c407336121e9eb41b674c8112
parent: 4ecbe233957a028441267760f9522952a8aea260 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/pkgs/servers/dns/powerdns/default.nix b/pkgs/servers/dns/powerdns/default.nix
index cc7bb3317fd4..6a6b80bcd6c4 100644
--- a/pkgs/servers/dns/powerdns/default.nix
+++ b/pkgs/servers/dns/powerdns/default.nix
@@ -18,6 +18,12 @@ stdenv.mkDerivation rec {
       url = "https://github.com/PowerDNS/pdns/commit/05c9dd77b28.diff";
       sha256 = "1m9szbi02h9kcabgw3kb8k9qrb54d34z0qzizrlfiw3hxs6c2zql";
     })
+    (fetchurl {
+      # Fixes incomplete validation of incoming IXFR transfers
+      name = "CVE-2022-27227.patch";
+      url = "https://downloads.powerdns.com/patches/2022-01/pdns-4.4.2-xfr.patch";
+      hash = "sha256-WFycHFmDX6MvbOS9WDv+wx0rog7xkSGe/sxSVMWREOA=";
+    })
   ];
 
   nativeBuildInputs = [ pkg-config ];
author	Martin Weinelt <hexa@darmstadt.ccc.de>	2022-03-28 16:10:40 +0200
committer	Martin Weinelt <hexa@darmstadt.ccc.de>	2022-03-28 16:10:40 +0200
commit	657fc6d5d8b6cf4aa11b8647878e395ce7dc0b0a (patch)
tree	b7d4151cfa363e7c407336121e9eb41b674c8112
parent	4ecbe233957a028441267760f9522952a8aea260 (diff)