vulnerability causing temporary denial of service (see URL) Reproducible: Always Steps to Reproduce: 1. emerge pdns-2.9.22-r1 2. see URL for further details
Created attachment 298511 [details, diff] pdns-2.9.22-CVE-2012-0206.patch patch for 2.9.22
Created attachment 298513 [details, diff] pdns-2.9.22-r1.ebuild.patch patch for current ebuild
fixed in: 2.9.22.5 or 3.0.1
ebuild and patches using 2.9.22.5: https://subversion.fem.tu-ilmenau.de/repository/fem-overlay/trunk/net-dns/pdns/
@swegener, I see the bump in tree, can we go to stabilize?
Yes, the only difference between 3.0 and 3.0.1 is the security fix and 3.0 has been in the tree long enough.
Arches, please test and mark stable: =net-dns/pdns-3.0.1 Target keywords : "amd64 x86"
Please note that net-dns/pdns-3.0 was not previously marked stable, and neither should 3.0.1 be imho. While the software runs ok the developers have indicated that it might not yet be suitable for full scale production use and have announced an updated 3.1 version addressing some important issues, see http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000150.html It might be a better idea to apply the previously supplied patch and create a new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for now.
(In reply to comment #8) > It might be a better idea to apply the previously supplied patch and create a > new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for > now. Maybe using 2.9.22.5-tarball (which includes the patch already) can be an suitable solution. IMHO there should be a solution to quick-fix the security issue without upgrading to new version - as long as upstream supports also old version with security fixes...
x86 stable
@sebastiaan Feel free to open a new bug with bump of 2.9 and request also a slot if is possible
(In reply to comment #11) > Feel free to open a new bug with bump of 2.9 and request also a slot if is > possible I personally am happy not going through this exercise and apply the (very small) patch for 2.9.22 locally or install 2.9.22.5 from source, but stabilising PowerDNS 3.x at this point is imho ill-advised. PowerDNS 3.0 is very different internally from the 2.9 branch, dropping some things such as the LDAP backend from being officially supported. I do not think Gentoo should force administrators to do a major upgrade of PowerDNS to apply a fix that consists of three lines of source code.
For those that want to stay at 2.9.22, I've just also commited 2.9.22.5.
Since is not a regression I remove bug 398685 from "Depends on"
(In reply to comment #13) > For those that want to stay at 2.9.22, I've just also commited 2.9.22.5. could you easily bump version to 2.9.22.6 while 2.9.22.5 includes a bug which can cause crashes on busy setup, see http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6 or should i better open a new bug?
amd64 stable @security: please vote.
Thanks, folks. GLSA Vote: yes.
YES, too. New request filed.
CVE-2012-0206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0206): common_startup.cc in PowerDNS (aka pdns) Authoritative Server before 2.9.22.5 and 3.x before 3.0.1 allows remote attackers to cause a denial of service (packet loop) via a crafted UDP DNS response.
This issue was resolved and addressed in GLSA 201202-04 at http://security.gentoo.org/glsa/glsa-201202-04.xml by GLSA coordinator Sean Amoss (ackle).
