~samiam/MaraDNS

d398719f0b5bb0577db229ba25bc157726707eca — Sam Trenholme 9 days ago f2c0307 master
Add 3.4.02 → 3.4.03 update patches and scripts

This makes it easier for legacy users to make security updates to
older versions of MaraDNS.
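--- a/deadwood-github/update/3.4.03/3.4.02-to-3.4.03
+++ b/deadwood-github/update/3.4.03/3.4.02-to-3.4.03
@@ -0,0 +1,159 @@
+#!/bin/sh -e
+
+# The revision number; in the case of having multiple snapshots a day,
+# the revision number can be incremented so as to minimize confusion
+# This is only done when more than one snapshop is uploaded to the
+# maradns.org server in a given day.  Here at the top to be easy to change.
+REVISION=1
+
+# This script updates Deadwood 3.0
+
+# To run this script, make sure that this script is in the directory
+# containing the tarball for the version of Deadwood you wish to update, and
+# all of the patches are in a directory entitled 'patches'.
+
+CURRENT=${0%%-*}
+CURRENT=${CURRENT##*/}
+NEXT=${0##*-}
+
+# Make a clean CURRENT install, which we rename NEXT
+rm -fr deadwood-$CURRENT 2> /dev/null
+rm -fr deadwood-$NEXT 2> /dev/null
+echo extracting tarball
+tar xjf deadwood-$CURRENT.tar.bz2
+if [ $? != 0 ] ; then
+	echo run this from the correct directory
+	exit 1
+fi
+rm -fr deadwood-$NEXT*
+mv deadwood-$CURRENT deadwood-$NEXT
+cd deadwood-$NEXT
+
+# The patches
+
+mkdir update/$NEXT
+if [ "$1" != "new" ] ; then
+	cp ../patches/deadwood-$CURRENT* update/$NEXT
+	#cp ../patches/maradns* update/$NEXT
+	#echo
+fi
+
+# Regenerate Deadwood's random prime number (always done)
+echo Making new random prime
+cd src
+rm -f *orig # While we're here, remove any pesky .orig files
+cc -o foo RandomPrime.c
+./foo > DwRandPrime.h
+rm foo
+cd ..
+
+# This is one of the few places where we will need to change anything
+# in this script from version to version
+
+# BEGIN Release-specific fixes and changes go here
+
+patch -p1 < update/$NEXT/deadwood-3.4.02-manylabel-TTL.patch
+patch -p2 < update/$NEXT/deadwood-3.4.02-cname-TTL.patch
+patch -p1 < update/$NEXT/deadwood-3.4.02-changelog.patch
+# We now use Ubuntu, not RedHat/CentOS
+mv src/Makefile.sl6 src/Makefile.ubuntu2004
+
+# END Release-specific fixes/changes
+
+# We're getting .orig files when patching :(
+rm -f src/*.orig
+
+# This script with the "orig" argument can used if making a release 
+# that is making changes to an already-patched version of Deadwood
+# Change "orig" to "work" if implementing new features
+if [ "$1" = "orig" ] ; then 
+	cd src
+	for a in *.c *.h ; do
+		cp $a $a.orig
+	done
+	cd ..
+	cp doc/Deadwood.ej doc/Deadwood.ej.orig
+fi
+
+# Convert tabs in code to spaces, since this is inconsistant in different
+# programs; disable when in "work" mode since it messes up patches
+if [ "$1" != "work" ] ; then 
+	echo removing tabs from source files
+	for a in $( find . -type f -name \*.[ch] ) ; do 
+		if col -x < $a > foo ; then
+			echo FOO $a
+			mv foo $a
+		fi
+	done
+fi
+chmod 755 src/make.version.h
+
+echo updating documentation
+# Update the documentation
+cd doc
+make
+# Go back to the deadwood dir
+cd ..
+
+# Go one level higher than the toplevel directory to copy this script
+# over
+cd ..
+
+# Put this script in the "build" directory
+cp $0 deadwood-$NEXT/update/$NEXT
+
+# Version number always current
+cd deadwood-$NEXT/src
+./make.version.h > version.h
+cd ../..
+
+if [ "$1" = "new" ] ; then
+	tar xjf deadwood-$CURRENT.tar.bz2
+	echo OK, both deadwood-$CURRENT and deadwood-$NEXT made\; you
+	echo now can start making patches.
+	exit 0
+fi
+
+if [ "$1" != "go" ] && [ "$1" != "snap" ] && [ "$1" != "work" ] ; then
+	echo OK, deadwood-$NEXT built.  Confirm this compiles and	
+	echo perform basic regression before re-running this to make
+	echo the tarballs.  Once you have tested this, rerun this 
+	echo script as: \"$0 go\" or as \"$0 snap\" 
+        echo to make a daily snapshot
+	exit 0
+fi
+
+if [ "$1" = "work" ] ; then
+	tar xjf deadwood-$CURRENT.tar.bz2
+	echo OK, both deadwood-$CURRENT and deadwood-$NEXT made\; you
+	echo now can make more patches as needed.  
+	cd deadwood-$NEXT/src
+	echo '#define VERSION "'$NEXT'-pre"' > version.h
+	cd ../..
+	exit 0
+fi
+
+# Build the tarballs
+echo making new tarballs
+
+if [ "$1" = "snap" ] ; then
+	SNAP=S-$( date +%Y-%m-%d )-$REVISION
+	rm -fr deadwood-$SNAP
+	mv deadwood-$NEXT deadwood-$SNAP
+	cd deadwood-$SNAP/src
+	./make.version.h > version.h
+	cd ../..
+	# Alas, my ancient msys environment doesn't have xz
+	tar cjf deadwood-$SNAP.tar.bz2 deadwood-$SNAP
+	#tar cJf deadwood-$SNAP.tar.xz deadwood-$SNAP
+	exit 0
+else
+	SNAP=$NEXT
+	cd deadwood-$NEXT/src
+	./make.version.h > version.h
+	cd ../..
+	tar cjf deadwood-$NEXT.tar.bz2 deadwood-$NEXT
+	tar cJf deadwood-$NEXT.tar.xz deadwood-$NEXT
+fi
+
+exit 0 # Done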
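Review bot: Neither `deadwood-$CURRENT.tar.bz2` nor the files copied from `../patches/` are checked against a known digest or signature before the script unpacks the tarball and then compiles and runs `RandomPrime.c` from it. Since the commit is meant for users rebuilding a security release themselves, a verification step ahead of `tar xjf` would be worth adding, for example `sha256sum -c deadwood-$CURRENT.sha256` (the checksum file name is a placeholder; the page does not show one). The `if [ $? != 0 ]` test after `tar xjf` is also dead when the script runs through its `#!/bin/sh -e` line, because a failing `tar` ends the shell first; `if ! tar xjf "deadwood-$CURRENT.tar.bz2" ; then` keeps the hint reachable. Both points apply equally to update/3.4.03/3.4.02-to-3.4.03.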

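--- a/deadwood-github/update/3.4.03/deadwood-3.4.02-changelog.patch
+++ b/deadwood-github/update/3.4.03/deadwood-3.4.02-changelog.patch
@@ -0,0 +1,10 @@
+--- deadwood-3.4.02/doc/CHANGELOG	2020-01-14 06:45:38.000000000 -0800
++++ deadwood-3.4.03/doc/CHANGELOG	2022-08-03 00:38:10.673323327 -0700
+@@ -1,3 +1,7 @@
++3.4.03 (2022-08-03; legacy release)
++
++- Fixes for CVE-2022-30256
++
+ 3.4.02 (2020-01-14; stable release)
+ 
+ - Issue building Deadwood from the GitHub tree in CentOS8 fixed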

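--- a/deadwood-github/update/3.4.03/deadwood-3.4.02-cname-TTL.patch
+++ b/deadwood-github/update/3.4.03/deadwood-3.4.02-cname-TTL.patch
@@ -0,0 +1,87 @@
+diff --git a/deadwood-github/src/DwRecurse.c b/deadwood-github/src/DwRecurse.c
+index 956673c..fddaea3 100644
+--- a/deadwood-github/src/DwRecurse.c
++++ b/deadwood-github/src/DwRecurse.c
+@@ -2084,7 +2084,7 @@ void dwx_send_glueless_cname_upstream(int conn_num, int c, int depth,
+         }
+         child_action = dwh_get(cache, cname_cache, 0, 1);
+         dwx_make_cname_reply(upstream, rem[upstream].query,
+-                        child_action, uncomp, depth + 1);
++                        child_action, uncomp, depth + 1, 0);
+ 
+ catch_dwx_send_glueless_cname_upstream:
+         if(cname_cache != 0) {
+@@ -2100,7 +2100,7 @@ catch_dwx_send_glueless_cname_upstream:
+  * send that reply out.
+  */
+ int dwx_make_cname_reply(int conn_num, dw_str *query,
+-                dw_str *action, dw_str *answer, int depth) {
++                dw_str *action, dw_str *answer, int depth, int here_max_ttl) {
+         dw_str *uncomp = 0, *reply = 0, *comp = 0;
+         int ret = -1, c = 0; /* c is for counter */
+         int_fast32_t ttl = 3600;
+@@ -2132,6 +2132,9 @@ int dwx_make_cname_reply(int conn_num, dw_str *query,
+         if(ttl > max_ttl) {
+                 ttl = max_ttl;
+         }
++	if(here_max_ttl > 0 && ttl > here_max_ttl) {
++                ttl = here_max_ttl;
++        }
+         /*ttl = 30; // DEBUG*/
+         uncomp = dwx_create_cname_reply(query, action, answer, ttl);
+         comp = dwc_compress(query, uncomp);
+@@ -2238,8 +2241,18 @@ int dwx_handle_cname_refer(int connection_number, dw_str *action,
+         /* See if we have the data already in the cache */
+         answer = dwh_get(cache,real_query,0,1);
+         if(answer != 0) { /* In cache */
++                /* Only keep new cached item in cache slightly longer
++                 * than cache item it depends on */
++		int32_t the_most_ttl;
++                the_most_ttl = dwh_get_ttl(cache,real_query) + 30;
++                if(the_most_ttl > max_ttl) {
++                        the_most_ttl = max_ttl;
++                }
++                if(the_most_ttl < 30) {
++                        the_most_ttl = 30;
++                }
+                 ret = dwx_make_cname_reply(connection_number, query,
+-                                action, answer,0);
++                                action, answer,0,the_most_ttl);
+                 goto catch_dwx_handle_cname_refer;
+         } else { /* Not in cache */
+                 ret = dwx_do_cname_glueless(real_query, connection_number);
+@@ -3181,7 +3194,7 @@ void dwx_incomplete_cname_done(dw_str *query, int child, int l) {
+                 goto catch_dwx_incomplete_cname_done;
+         }
+ 
+-        dwx_make_cname_reply(parent, rem[parent].query, action, answer, 0);
++        dwx_make_cname_reply(parent, rem[parent].query, action, answer, 0, 0);
+ 
+ catch_dwx_incomplete_cname_done:
+         if(cname_cache != 0) {
+@@ -3324,7 +3337,7 @@ void dwx_cached_cname_done(dw_str *query, int b, int l, int depth) {
+                 goto catch_dwx_cached_cname_done;
+         }
+ 
+-        dwx_make_cname_reply(b,oquery,action,answer,depth + 1);
++        dwx_make_cname_reply(b,oquery,action,answer,depth + 1,0);
+ 
+ catch_dwx_cached_cname_done:
+         dw_destroy(answer);
+diff --git a/deadwood-github/src/DwRecurse.h b/deadwood-github/src/DwRecurse.h
+index 4338210..c9dac8a 100644
+--- a/deadwood-github/src/DwRecurse.h
++++ b/deadwood-github/src/DwRecurse.h
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2009-2011 Sam Trenholme
++/* Copyright (c) 2009-2022 Sam Trenholme
+  *
+  * TERMS
+  *
+@@ -184,5 +184,5 @@ int dwx_cname_in_cache(dw_str *orig_query, dw_str *query,
+  * because we recursive call it from another function.
+  */
+ int dwx_make_cname_reply(int conn_num, dw_str *query,
+-                dw_str *action, dw_str *answer, int depth);
++                dw_str *action, dw_str *answer, int depth, int here_max_ttl);
+ #endif /* __DWRECURSE_H_DEFINED__ */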
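Review bot: Only the `dwx_handle_cname_refer` call passes a real cap to the new `here_max_ttl` argument; the calls in `dwx_send_glueless_cname_upstream`, `dwx_incomplete_cname_done` and `dwx_cached_cname_done` pass `0`, which `dwx_make_cname_reply` treats as "no cap" through `here_max_ttl > 0`. In `dwx_send_glueless_cname_upstream` the target is also read from the cache with `dwh_get(cache, cname_cache, 0, 1)`, so a CNAME reply built there can presumably still be kept for up to `max_ttl` after the entry it depends on has nearly expired; if that path is meant to be covered, the same `dwh_get_ttl(...) + 30` clamp applies to it. The comment above `dwx_make_cname_reply` in DwRecurse.c and DwRecurse.h should gain a line such as `here_max_ttl: upper bound in seconds for the reply's TTL; 0 means only max_ttl applies`. `dwh_get_ttl` is not shown in this patch, so it is worth confirming that its result plus 30 cannot overflow `int32_t`, and that an error return is not silently turned into a 30-second entry by the `< 30` floor. All of the touched functions start or end outside their hunks.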

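--- a/deadwood-github/update/3.4.03/deadwood-3.4.02-manylabel-TTL.patch
+++ b/deadwood-github/update/3.4.03/deadwood-3.4.02-manylabel-TTL.patch
@@ -0,0 +1,177 @@
+diff -ur deadwood-3.4.02/src/DwRecurse.c deadwood-3.4.03/src/DwRecurse.c
+--- deadwood-3.4.02/src/DwRecurse.c	2020-01-14 06:45:38.000000000 -0800
++++ deadwood-3.4.03/src/DwRecurse.c	2022-08-03 00:31:24.631187323 -0700
+@@ -1718,6 +1718,8 @@
+ void dwx_handle_ns_refer(int connection_number, dw_str *action,
+                 dw_str *query, int32_t ttl) {
+         dw_str *place = 0, *packet = 0;
++        int label_count = -1;
++        int_fast32_t this_max_ttl = max_ttl;
+ 
+         if(rem[connection_number].ns == 0 || action == 0
+                         || rem[connection_number].is_upstream == 1) {
+@@ -1734,7 +1736,7 @@
+         rem[connection_number].ns = dw_copy(action);
+ 
+         /* Add this NS referral to the cache */
+-        place = dw_get_dname(action->str, 0, 260);
++        place = dw_get_dname(action->str, 0, 260, &label_count);
+         if(place == 0) {
+                 goto catch_dwx_handle_ns_refer;
+         }
+@@ -1742,8 +1744,14 @@
+                           * an hour for security reasons */
+                 ttl = 3600;
+         }
+-        if(ttl > max_ttl) {
+-                ttl = max_ttl;
++        if(label_count > 3) {
++                this_max_ttl >>= (label_count - 3);
++                if(this_max_ttl < 30) {
++                        this_max_ttl = 30;
++                }
++        }
++        if(ttl > this_max_ttl) {
++               ttl = this_max_ttl;
+         }
+         dw_put_u16(place, 65395, -1); /* Add "NS refer" private RR type */
+         dwh_add(cache,place,action,ttl,1);
+@@ -1790,7 +1798,7 @@
+                 goto catch_dwx_make_one_cname_rr;
+         }
+ 
+-        temp = dw_get_dname(question->str, question_offset, size);
++        temp = dw_get_dname(question->str, question_offset, size, 0);
+         if(temp == 0) {
+                 goto catch_dwx_make_one_cname_rr;
+         }
+@@ -1806,7 +1814,7 @@
+                 goto catch_dwx_make_one_cname_rr;
+         }
+         dw_destroy(temp);
+-        temp = dw_get_dname(answer->str, answer_offset, 260);
++        temp = dw_get_dname(answer->str, answer_offset, 260, 0);
+         if(temp == 0 || dw_put_u16(out, temp->len, -1) == -1 ||
+                         dw_append(temp,out) == -1) {
+                 goto catch_dwx_make_one_cname_rr;
+@@ -2207,7 +2215,7 @@
+         }
+         offset = dw_fetch_u16(action, -2);
+         offset += 2; /* Go past two-byte length */
+-        real_query = dw_get_dname(action->str, offset, 260);
++        real_query = dw_get_dname(action->str, offset, 260, 0);
+         dwc_lower_case(real_query);
+         if(real_query == 0) {
+                 goto catch_dwx_handle_cname_refer;
+@@ -2279,7 +2287,7 @@
+                 ttl = max_ttl;
+         }
+ 
+-        bailiwick = dw_get_dname(rem[connection_number].ns->str, 0, 260);
++        bailiwick = dw_get_dname(rem[connection_number].ns->str, 0, 260, 0);
+         if(bailiwick == 0 || bailiwick->len > 256) {
+                 ret = -1;
+                 goto catch_dwx_cache_reply;
+@@ -2388,7 +2396,7 @@
+                         return 0;
+                 }
+         } else {
+-                dname = dw_get_dname(bailiwick->str, 0, 260);
++                dname = dw_get_dname(bailiwick->str, 0, 260, 0);
+                 if(dname == 0) {
+                         return 0;
+                 }
+@@ -2652,7 +2660,7 @@
+         }
+ 
+         /* See if it is in the cache */
+-        query = dw_get_dname(list->str + 3, offset, 256);
++        query = dw_get_dname(list->str + 3, offset, 256, 0);
+         dwc_lower_case(query);
+         if(query == 0 || dw_push_u16(type,query) == -1) {
+                 goto catch_dwx_ns_getip_glueless;
+@@ -2665,7 +2673,7 @@
+                 }
+         }
+ 
+-        addr.glueless = dw_get_dname(list->str + 3, offset, 260);
++        addr.glueless = dw_get_dname(list->str + 3, offset, 260, 0);
+         dw_put_u16(addr.glueless, key_n[DWM_N_ns_glueless_type], -1);
+         if(addr.glueless == 0) {
+                 goto catch_dwx_ns_getip_glueless;
+@@ -3216,7 +3224,7 @@
+         /* Create new remote for solving incomplete CNAME */
+         offset = dw_fetch_u16(action, -2);
+         offset += 2; /* Go past two-byte length */
+-        real_query = dw_get_dname(action->str, offset, 260);
++        real_query = dw_get_dname(action->str, offset, 260, 0);
+         dwc_lower_case(real_query);
+         if(real_query == 0) {
+                 goto catch_dwx_cname_in_cache;
+Only in deadwood-3.4.03/src: DwRecurse.c.orig
+Only in deadwood-3.4.03/src: DwRecurse.c.rej
+diff -ur deadwood-3.4.02/src/DwStr.c deadwood-3.4.03/src/DwStr.c
+--- deadwood-3.4.02/src/DwStr.c	2020-01-14 06:45:38.000000000 -0800
++++ deadwood-3.4.03/src/DwStr.c	2022-08-03 00:28:04.020613703 -0700
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2007-2014 Sam Trenholme
++/* Copyright (c) 2007-2022 Sam Trenholme
+  *
+  * TERMS
+  *
+@@ -774,10 +774,11 @@
+  * ASCII nulls, since DNS packets have those) and puts it in a newly
+  * created string.
+  * Input: Pointer to raw string; offset where we look for DNS DNAME,
+- *        maximum length of raw string
++ *        maximum length of raw string; if label_count is not NULL,
++ *        put the number of labels in this integer
+  * Output: A pointer to a new dw_str with NAME
+  */
+-dw_str *dw_get_dname(uint8_t *raw, int offset, int max) {
++dw_str *dw_get_dname(uint8_t *raw, int offset, int max, int *label_count) {
+         int len = 0, counter = 0;
+         int soffset = 0;
+         dw_str *out = 0;
+@@ -822,6 +823,9 @@
+                 soffset++;
+                 offset++;
+         }
++        if(label_count != 0) {
++                *label_count = counter;
++        }
+         out->len = soffset + 1;
+         return out;
+ 
+@@ -842,7 +846,7 @@
+ dw_str *dw_get_dname_type(uint8_t *raw, int offset, int max) {
+         dw_str *out = 0;
+ 
+-        out = dw_get_dname(raw,offset,max);
++        out = dw_get_dname(raw,offset,max,0);
+         if(out == 0) {
+                 goto catch_dw_get_dname_class;
+         }
+diff -ur deadwood-3.4.02/src/DwStr_functions.h deadwood-3.4.03/src/DwStr_functions.h
+--- deadwood-3.4.02/src/DwStr_functions.h	2020-01-14 06:45:38.000000000 -0800
++++ deadwood-3.4.03/src/DwStr_functions.h	2022-08-03 00:28:04.020613703 -0700
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2007-2010 Sam Trenholme
++/* Copyright (c) 2007-2022 Sam Trenholme
+  *
+  * TERMS
+  *
+@@ -223,10 +223,11 @@
+  * ASCII nulls, since DNS packets have those) and puts it in a newly
+  * created string.
+  * Input: Pointer to raw string; offset where we look for DNS DNAME,
+- *        maximum length of raw string
++ *        maximum length of raw string; if label_count is not NULL,
++ *        we set this int with the number of labels in the DNAME
+  * Output: A pointer to a new dw_str with NAME
+  */
+-dw_str *dw_get_dname(uint8_t *raw, int offset, int max);
++dw_str *dw_get_dname(uint8_t *raw, int offset, int max, int *label_count);
+ 
+ /* This extracts a DNS DNAME, followed by a two-byte TYPE (the type of RR)
+  * from a raw c-string (with ASCII nulls, since DNS packets have those)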
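Review bot: The shift added to `dwx_handle_ns_refer`, `this_max_ttl >>= (label_count - 3);`, puts no upper bound on the shift count, and `label_count` is taken from the name in the referral being processed. A right shift by the width of `int_fast32_t` or more is undefined behaviour in C, and a name within the 260-byte limit passed to `dw_get_dname` can hold well over 32 one-character labels (assuming `counter` counts labels, as the updated comment says; that loop is outside the hunk, and `dwx_handle_ns_refer` itself continues past it). Saturating first gives the same result without the undefined shift: `if(label_count - 3 >= 31) { this_max_ttl = 30; } else { this_max_ttl >>= (label_count - 3); }`, with the existing `< 30` floor kept after it. The `Only in deadwood-3.4.03/src: DwRecurse.c.rej` line carried in this patch file also suggests the tree it was generated from held a rejected hunk, which is worth re-checking before the patch is handed to users.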

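--- a/update/3.4.03/3.4.02-to-3.4.03
+++ b/update/3.4.03/3.4.02-to-3.4.03
@@ -0,0 +1,215 @@
+#!/bin/sh -e
+
+# This script updates MaraDNS 3.4
+
+# To run this script, make sure that this script is in the directory
+# containing the tarball for the version of MaraDNS you wish to update, and
+# all of the patches are in a directory entitled 'patches'.
+
+# For example, to update MaraDNS 3.4.02 to 3.4.03, make sure 
+# maradns-3.4.02.tar.bz2 is in the same directory as this script, and
+# that the directory containing this script has a directory called
+# "patches/" which has all of the maradns-3.4.02*.patch files.
+
+CURRENT=${0%%-*}
+CURRENT=${CURRENT##*/}
+NEXT=${0##*-}
+
+# The revision number; in the case of having multiple snapshots a day,
+# the revision number can be incremented so as to minimize confusion
+# This is only done when more than one snapshop is uploaded to the
+# maradns.org server in a given day.
+REVISION=.1
+
+# Make a clean CURRENT install, which we rename NEXT
+rm -fr maradns-$CURRENT 2> /dev/null
+rm -fr maradns-$NEXT 2> /dev/null
+echo extracting tarball
+tar xjf maradns-$CURRENT.tar.bz2
+if [ $? != 0 ] ; then
+	echo run this from the correct directory
+	exit 1
+fi
+rm -fr maradns-$NEXT*
+mv maradns-$CURRENT maradns-$NEXT
+cd maradns-$NEXT
+
+# The patches
+
+mkdir update/$NEXT
+if [ "$1" != "new" ] ; then
+	cp ../patches/maradns-$CURRENT* update/$NEXT
+#	#cp ../patches/maradns-* update/$NEXT
+#	#echo
+fi
+
+# This is one of the few places where we will need to change anything
+# in this script from version to version
+
+echo applying patches
+
+#if [ "$1" != "new" ] ; then
+
+#fi
+
+# Update RPM spec file (We now have a script make the .spec file)
+rm -f build/maradns-$CURRENT.spec
+tools/misc/make.maradns.spec $NEXT 2> /dev/null > foo
+grep -v EOF foo > build/maradns-$NEXT.spec
+rm foo
+
+# Update Deadwood to 3.4.03
+rm -fr deadwood-3.4.02
+tar xjf ../deadwood-3.4.03.tar.bz2
+
+# Regenerate Deadwood's random prime number
+echo Making new random prime
+cd deadwood-3.4.*/src/
+cc -o foo RandomPrime.c
+./foo > DwRandPrime.h
+rm foo
+cd ../..
+
+# Release-specific fixes and changes go here
+
+echo Patches...
+patch -p1 < update/$NEXT/maradns-3.4.02-changelog.patch
+
+# Anything below this line normally is not changed between MaraDNS versions
+
+# Make sure text changelog and FAQ are up-to-date
+#cp doc/en/webpage/faq.embed doc/en/source/faq.embed
+
+# Convert tabs in code to spaces, since this is inconsistant in different
+# programs
+echo removing tabs from source files
+if true ; then
+	for a in $( find . -type f -name \*.[ch] ) ; do 
+		col -x < $a > foo
+		mv foo $a
+	done
+fi
+
+echo updating documentation
+# Update the documentation
+
+# Nicholas Bamber pointed out some of the documentation was not automagically
+# updated; fixed for MaraDNS 2.0.04
+rm 0QuickStart 
+PATH=$PATH:$(pwd)/tools/ej
+./tools/ej/ej2txt doc/en/source/quick_start.ej | awk '
+	/\*/ {print ""} {print}' > 0QuickStart
+#cp doc/en/webpage/changelog.embed doc/en/source
+cp doc/en/source/changelog.embed doc/en/webpage/
+
+cd doc/en
+make
+cd man
+make
+cd ../examples
+make
+cd ../tutorial
+make
+cd ../text
+make
+cd ../webpage
+#../../../tools/misc/make.download.embed > download.embed
+make
+# Go back to the maradns dir
+cd ../../..
+
+rm CHANGELOG
+ln -s doc/en/changelog.txt CHANGELOG
+
+# Go one level higher than the toplevel directory to copy this script
+# over
+cd ..
+
+# Put this script in the "build" directory
+cp $0 maradns-$NEXT/update/$NEXT
+
+if [ "$1" = "new" ] ; then
+	tar xjf maradns-$CURRENT.tar.bz2
+	echo OK, both maradns-$CURRENT and maradns-$NEXT made\; you
+	echo now can start making patches.
+	exit 0
+fi
+
+if [ "$1" != "go" ] && [ "$1" != "snap" ] && [ "$1" != "work" ] ; then
+	echo OK, maradns-$NEXT built.  Confirm this compiles and	
+	echo perform basic regression before re-running this to make
+	echo the tarballs.  Once you have tested this, rerun this 
+	echo script as: \"$0 go\" or as \"$0 snap\" 
+        echo to make a daily snapshot
+	exit 0
+fi
+
+if [ "$1" = "work" ] ; then
+	tar xjf maradns-$CURRENT.tar.bz2
+	echo OK, both maradns-$CURRENT and maradns-$NEXT made\; you
+	echo now can make more patches as needed.  
+	exit 0
+fi
+
+# Build the tarballs
+echo making new tarballs
+
+if [ "$1" = "snap" ] ; then
+	SNAP=Q.$( date +%Y-%m-%d )$REVISION
+	rm -fr maradns-$SNAP
+	mv maradns-$NEXT maradns-$SNAP
+	#tar cJf maradns-$SNAP.tar.xz maradns-$SNAP
+	tar cjf maradns-$SNAP.tar.bz2 maradns-$SNAP
+	exit 0
+else
+	SNAP=$NEXT
+	tar cjf maradns-$SNAP.tar.bz2 maradns-$SNAP
+	# CentOS 5 doesn't have "J" tar option
+	tar cf maradns-$SNAP.tar maradns-$SNAP
+	xz -9 maradns-$SNAP.tar
+	#tar czf maradns-$SNAP.tar.gz maradns-$SNAP
+
+	# All of the compression we actually use was originally written by 
+	# Igor Pavlov for the 7-zip compression suite
+	#echo shrinking .gz tarball
+	#advdef -z -4 maradns-$SNAP.tar.gz
+fi
+
+exit 0 # No exotic compression any more
+
+echo using exotic compression
+tar cf maradns-$SNAP.tar maradns-$SNAP
+
+echo lzma compression \(this will take about 5 minutes\)
+date
+# To decompress: cat file.tar.lzma | lzma d -si -so | tar xvf -
+# -d20 makes the file almost as small as -d22, but uses 1/4 of the memory
+# (only a little over one meg needed for decompression)
+lzma e maradns-$SNAP.tar maradns-$SNAP.tar.lzma -a2 -d20 -fb255
+date
+echo
+
+# Clean up the uncompressed tarball
+rm maradns-$SNAP.tar
+
+exit 0
+
+# The other exotic compressors can't be run in a pipeline
+
+echo 7zip compression
+date
+7za a maradns-$SNAP.tar.7z maradns-$SNAP.tar
+date
+echo
+
+echo paq6 compression \(This will take 2\-3 minutes\)
+date
+paq6v2 -2 maradns-$SNAP.tar.pq6 maradns-$SNAP.tar
+date
+echo
+
+echo rzip compression
+date
+rzip maradns-$SNAP.tar
+date
+echo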
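Review bot: The Deadwood step mixes literal versions with a glob: `rm -fr deadwood-3.4.02` and `tar xjf ../deadwood-3.4.03.tar.bz2` name exact versions, but the prime is then regenerated after `cd deadwood-3.4.*/src/`, which resolves to whatever directories happen to match at that moment. Naming the directory explicitly, for example `cd deadwood-3.4.03/src`, makes sure `RandomPrime.c` is built and `DwRandPrime.h` written in the tree that was just unpacked. `tools/misc/make.maradns.spec $NEXT 2> /dev/null > foo` also discards the generator's error output, so a broken spec file would go unnoticed. Everything after `exit 0 # No exotic compression any more` is unreachable and could be removed or reduced to a comment.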

A update/3.4.03/maradns-3.4.02-changelog.patch => update/3.4.03/maradns-3.4.02-changelog.patch +391 -0
@@ 0,0 1,391 @@
--- maradns-3.4.02/doc/en/changelog.txt	2018-08-16 14:59:42.000000000 -0700
+++ maradns-3.4.03/doc/en/changelog.txt	2022-08-03 01:19:24.488095176 -0700
@@ -1,8 +1,377 @@
 MaraDNS changelog
 
+   maradns-3.4.03:
+   This is a legacy release of MaraDNS:
+
+      * Backport CVE-2022-30256 to MaraDNS 3.4
+
+     (2022-08-03)
+
+   maradns-3.5.0022: 
+   This is a stable release of MaraDNS:
+
+      * Make incomplete last line non-fatal in Windows
+      * Documentation updates based on user feedback
+      * New Deadwood parameter: maxttl_reduce_labels for tweaking
+        how many lables a DNS label for a NS referral can have before
+        reducing its TTL.
+      * Mitigations for an issue where “ghost domains” could stay
+        in the cache longer.  This is a medium impact security 
+        issue which should be described in CVE-2022-30256.
+
+     (2022-05-07)
+
+   maradns-3.5.0021: 
+   This is a stable release of MaraDNS:
+
+     * MaraDNS now, by default, will compile with IPv6 support.
+       See MaraDNS GitHUB ticket #97 for discussion.
+     * One line patch for coLunacyDNS against CVE-2014-5461.  This
+       only affects coLunacyDNS (not MaraDNS and not Deadwood), and
+       in the context of coLunacyDNS, I can not reproduce the exploit,
+       and only people running untrusted Lua scripts would be vulnerable.
+
+     (2021-07-28)
+
+   maradns-3.5.0020:
+   This is a stable release of MaraDNS:
+
+     * New parameter: source_ip4, to specify the source IP when sending a
+       query to an upstream or authoritative DNS server.
+     * Makefile.centos8 file for Deadwood renamed Makefile.Ubuntu2004 (i.e.
+       it’s now a Makefile for Ubuntu 20.04)
+
+     (2021-05-15)
+
+   maradns-3.5.0019:
+   This is a stable release of MaraDNS:
+
+     * One line change to zoneserver.c to make it work better with systemd
+     * Synthetic IP generator example (e.g. 10.1.2.3.ip4.internal 
+       resolves to 10.1.2.3) added to coLunacyDNS documentation
+
+     (2021-03-16)
+
+   maradns-3.5.0018:
+   This is a stable release of MaraDNS:
+
+     * coLunacyDNS updated to 1.0.010 (Ubuntu 20.04 testing found a
+       minor select() bug)
+     * Since RedHat has broken their pinky promise to support CentOS 8
+       until 2029, MaraDNS has moved from CentOS 8 to Ubuntu 20.04 LTS
+       (RPM .spec files removed; Docker container now runs Ubuntu 20.04)
+
+     (2020-12-20)
+
+   maradns-3.5.0017:
+   This is a stable release of MaraDNS:
+
+     * coLunacyDNS update: We can now specify the “Authoritative”
+       and “Recursion available” flags in the reply.
+     * coLunacyDNS update: We can now specify a TTL for the reply,
+       to be anywhere from 0 seconds (do not cache) to a little over
+       90 days.
+     * coLunacyDNS version updated to be 1.0.009.
+
+     (2020-10-02)
+
+   maradns-3.5.0016:
+   This is a stable release of MaraDNS:
+
+     * Unstable mmLunacyDNS code removed from tree (coLunacyDNS can do
+       anything mmLunacyDNS could do)
+     * coLunacyDNS bug fixes: We return with an error if the Lua code
+       attempts to return an invalid IPv4 address to the client (before,
+       the code incorrectly returned 255.255.255.255)
+     * coLunacyDNS returns helpful errors if the processQuery return 
+       value is invalid in various ways.
+     * coLunacyDNS now has 100%* testing coverage. *Some sanity tests
+       which protect coLunacyDNS from security threats which can not
+       be readily reproduced are disabled in testing mode.
+     * coLunacyDNS is now at version 1.0.008
+
+     (2020-09-01)
+
+   maradns-3.5.0015:
+   This is a stable release of MaraDNS:
+
+     * coLunacyDNS is now a stable release (1.0.007) with a full
+       SQA testing suite and well over 90% code coverage in its tests.
+     * mmLunacyDNS has been removed; coLunacyDNS can do everything
+       mmLunacyDNS could do, and this saves me the bother of
+       maintaining two code bases.
+     * askmara now compiles with IPv6 support (the code has been
+       there, but is finally getting enabled)
+
+     (2020-08-29)
+
+   maradns-3.5.0014:
+   This is a stable release of MaraDNS (note that coLunacyDNS and
+   mmLunacyDNS are unstable):
+
+     * coLunacyDNS’s Lua script can now specify IPv6 addresses in
+       standard “colon” format, e.g. co1Data="2001:db8::1"
+     * coLunacyDNS now handles ANY (and HINFO) queries as per RFC8482
+     * coLunacyDNS documentation updates: Various cleanup.  Also,
+       the example coLunacyDNS .lua files now return “not there”
+       when we ask for a hostname which does not have a given record.
+
+     (2020-08-20)
+
+   maradns-3.5.0013:
+   This is a stable release of MaraDNS (note that coLunacyDNS and
+   mmLunacyDNS are unstable):
+
+     * coLunacyDNS now has support for binding to IPv6 addresses.  Both
+       the *NIX (Linux) and the Windows32 binary can bind to an IPv6
+       socket.
+     * Some other bug fixes and cleanup, mainly with coLunacyDNS.
+
+     (2020-08-19)
+
+   maradns-3.5.0012:
+   This is a stable release of MaraDNS (note that coLunacyDNS and
+   mmLunacyDNS are unstable): 
+
+     * mmLunacyDNS security fix: We now use a secure hash compression
+       function (HalfSipHash-1-3) for string hashing.
+     * coLunacyDNS: hash compression function updated from 64-bit
+       SipHash-2-4 to 32-bit HalfSipHash-1-3.  Compile time warnings
+       removed from code.
+     * lunacy: The code by default now uses HalfSipHash-1-3 for string
+       hash compression.  Default compile optimization is now -O3
+ 
+     (2020-08-12)
+
+   maradns-3.5.0011:
+   This is a stable release of MaraDNS:
+
+     * min_ttl parameter added; this is the minimum time we keep a 
+       record in the cache (in seconds)
+     * Deadwood now compiles with IPv6 support by default.  For
+       systems without IPv6 support, -DNOIP6 can be set when
+       compiling Deadwood.
+     * Automated tests now all run inside of Podman (Docker) container
+       and all pass.  Tests are now completely automated, and can run
+       from cron (and can be adapted to run inside Jenkins). 
+
+     (2020-08-10)
+
+   maradns-3.5.0010:
+   This is a stable release of MaraDNS:
+
+     * Hotfix: coLunacyDNS no longer fails after 20 calls to 
+       processQuery() (we now properly clean the main stack before 
+       calling processQuery() in a co-routine).
+     * Security update: MaraDNS, Deadwood, and Duende now default to
+       the user ID 707 instead of 99/66.  This minimizes the chances
+       of the user used by MaraDNS being used by other processes, 
+       which could be a security leak under some circumstances.  The
+       problem with running multiple services as "nobody" is that
+       the "nobody" account is only as secure as the least secure
+       service running as that account.
+     * coLunacyDNS feature update: coLunacyDNS can now open and
+       read files (for security reasons, only in the same directory
+       coLunacyDNS is running in).  In addition, the code to implement 
+       IPv6 sockets is well under way.
+
+     (2020-08-06)
+
+   maradns-3.5.0009:
+   This is a stable release of MaraDNS:
+
+     * Add new program: coLunacyDNS.  This is a DNS server which runs a
+       Lua function every time it gets a DNS query.  It uses Lua
+       threads ("co-routines") to have a function which can get a
+       DNS packet from an upstream server and return the result for
+       processing by the Lua script (doing all this required setting up
+       an entire select()-based state machine).  coLunacyDNS also supports
+       sending proper "not there" replies and both sending and 
+       receiving IPv6 DNS records (but presently only over IPv4).
+     * Deadwood ip6 records can now have dashes and spaces in them
+       to make reading a 128-bit IP easier.
+     * SQA tests have been updated to run in CentOS 8.
+
+     (2020-08-03)
+
+   maradns-3.5.0008:
+   This is a stable release of MaraDNS:
+
+     * Add new program: mmLunacyDNS.  This is an updated version of the
+       microdns program, a program which always returns the same IP for 
+       any DNS query given to it, with Lua scripting support (so we
+       can customize what gets logged, return different IPs for 
+       different queries, and ignore non-IPv4 IP address queries).
+       The program can also run as a Windows service.  The script can
+       only return IPv4 IP addresses or ignore queries, but it’s quite
+       flexible given those limitations.
+     * Since mmLunacyDNS has Lua support, we now include the full source
+       of my fork of Lua 5.1, “Lunacy”.  The reason why I am using an
+       older version of Lua is because this is the version of Lua 
+       supported by LuaJIT, and I like having the option of increasing
+       performance with LuaJIT without breaking existing Lua-based
+       configuration files.
+     * Deadwood logging update: Only note if one can not open cache when
+       verbose_level is 10 or more (since this is mostly harmless).
+       This is a non-fatal error which can be safely ignored. The cache 
+       file just keeps copies of previously resolved DNS names around 
+       between invocations of Deadwood; if the cache file can’t be read, 
+       then DNS resolution might be a bit slower for some names after 
+       starting up Deadwood, but everything will be OK.
+     * I have added the ability to have multiline comments in Deadwood
+       configuration files by using _rem={ at the beginning of a line;
+       this indicates that a comment should continue until a } character
+       is seen.  The reason for the unusual syntax is so that we can have
+       multi-line comments in script files which are compatible with
+       Deadwood, Lua, and Python.
+
+     (2020-07-24)
+
+   maradns-3.5.0007:
+   This is a stable release of MaraDNS:
+
+     * Update name of “ip_blacklist” to be “ip_blocklist”.  The
+       old name "ip_blacklist" still works (and I have no plans to 
+       remove it), but “ip_blocklist” is more up to date.
+     * Note in some older documents that while “primary” and “replica”
+       are more up to date ways of saying “master” and “slave”, the
+       documents will, in the interest of compatibility, retain the 
+       “master” and “slave” wording.
+
+     (2020-07-07)
+
+   maradns-3.5.0006:
+   This is a stable release of MaraDNS:
+
+     * Deadwood configuration files can not have leading space in them.
+       Deadwood no longer uses a subset of Python2 syntax, since Python2
+       is now post-End of life.
+
+     (2020-07-01)
+
+   maradns-3.5.0005:
+   This is a stable release of MaraDNS:
+
+     * MaraDNS is now fully supported in Cygwin
+     * Windows port of MaraDNS no longer includes maradns.exe; we instead
+       tell people how to compile MaraDNS in Cygwin. Note We continue to
+       fully support Deadwood for Windows, which is a proper Windows
+       service (unlike the old maradns.exe).
+     * Dockerfile now creates Docker image with working instance of
+       MaraDNS. This is still a work in progress; one currently needs to
+       enter the Docker container to change MaraDNS configuration files.
+     * Version number fixed when compiling a MaraDNS release.
+
+     (2020-06-02)
+
+   maradns-3.5.0004:
+   This is a stable release of MaraDNS:
+
+     * maximum_cache_elements no longer needs to include blocklist, root
+       server, upstream server, or synthetic IP elements.
+     * Documentation updates, mainly for maximum_cache_elements change
+
+     (2020-04-18)
+
+   maradns-3.5.0003:
+   This is a stable release of MaraDNS:
+
+     * Added support for blocklists as per GitHub issue #69 and GitHub
+       issue #70
+     * Minimize memory usage of blocklists by allowing the same entry to
+       be used for IPv4 and IPv6
+
+     (2020-04-16)
+
+   maradns-3.5.0002:
+   This is a stable release of MaraDNS:
+
+     * Documentation and other updates and cleanups.
+     * Windows port no longer needs to have secret.txt file to run; the
+       Deadwood Windows port now uses the Windows call CryptGenRandom() to
+       get entropy.
+
+     (2020-02-03)
+
+   maradns-3.5.0001:
+   This is a stable release of MaraDNS:
+
+     * bind2csv2.py updated to run in Python3.
+     * This is the first “One Source of Truth” release of MaraDNS: All
+       files in the release are derived directly from the Git version of
+       MaraDNS.
+     * Github history going back to 2014 is now included as part of the
+       source code tarball.
+     * Scripts to test the Git version of MaraDNS, to make the Windows
+       binaries, and to convert the Git version in to a tarball and
+       Windows zipfile added.
+
+     (2020-01-25)
+
+   maradns-3.4.02:
+   This is a stable release of MaraDNS:
+
+     * Tests updated to run and pass in CentOS 7
+     * Fix typo in asktest.c.
+     * Deadwood: Issue building Deadwood from the GitHub tree in CentOS8
+       fixed
+     * Deadwood: Update Windows documents in Deadwood source code tarball
+
+     (2020-01-16)
+
+   maradns-3.4.01:
+   This is a stable release of MaraDNS:
+
+     * Deadwood updated to 3.4.01
+
+     (2019-10-24)
+
+   Important: Deadwood 3.4.01 is updated to use the Quad9 upstream DNS
+   servers as the default. If the old behavior of using the ICANN name
+   servers as root servers is desired, add the following lines to one’s
+   dwood3rc file:
+root_servers = {}
+root_servers["."]="198.41.0.4,"
+root_servers["."]+="199.9.14.201,"
+root_servers["."]+="192.33.4.12,"
+root_servers["."]+="199.7.91.13,"
+root_servers["."]+="192.203.230.10,"
+root_servers["."]+="192.5.5.241,"
+root_servers["."]+="192.112.36.4,"
+root_servers["."]+="198.97.190.53,"
+root_servers["."]+="192.36.148.17,"
+root_servers["."]+="192.58.128.30,"
+root_servers["."]+="193.0.14.129,"
+root_servers["."]+="199.7.83.42,"
+root_servers["."]+="202.12.27.33"
+
+   Please note: The above list of IPs is current as of 2019-04-07, and was
+   last changed in October of 2017.
+
+   Please go to root-servers.org to get an up-to-date list of root
+   servers.
+
+   maradns-3.3.03:
+   This is a development release of MaraDNS.
+
+     * Updated numbering system to give MaraDNS the same version number as
+       Deadwood.
+     * Deadwood updated to 3.3.03.
+     * Document how star records work.
+
+     (2019-09-28)
+
+   maradns-2.0.17:
+   This is the stable release of MaraDNS. No security updates were made.
+
+     * Deadwood updated to 3.2.14
+     * Default max_mem value doubled as discussed in GitHub issue #52.
+
+     (2019-01-20)
+
    maradns-2.0.16:
-   This is the stable release of MaraDNS. No security updates were done in
-   this release.
+   This is the stable release of MaraDNS. A very minor security update was
+   made.
 
      * Deadwood updated to 3.2.12
 
@@ -81,8 +450,3 @@
        defaults to 4 instead of 10
 
      (2015.01.24)
-
-   Older changes
-     __________________________________________________________________
-
-   Main Download Changelog Documentation Search Blog Security