From the CVE entry at $URL: "The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack." The CVE is still being reviewed and while it only lists that pdns-recursor 3.3 is affected, the original research[1] states only that no prior versions were tested. [1] https://www.isc.org/files/imce/ghostdomain_camera.pdf
CVE-2012-1193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1193): The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.
*** Bug 466008 has been marked as a duplicate of this bug. ***
Created attachment 345986 [details] ebuild for pdns-recursor-3.5 release changed init file to better naming also * changed pdns-recursor version to 3.5 * changed init script name from "precursor" -> "pdns-recursor" Works as overlay on my 3 systems since the release candidate version fine, no issues so far. The ebuild is only changed for the new release and the init file, nothing more. I hope it helps to solve this CVE quickly.
Created attachment 347262 [details] updated ebuild for pdns-recursor version 3.5.1 released today may 3rd 2013
I've commited 3.5.1 to the tree.
sven, could you please commit update the ebuild to 3.5.2 ? Changelog is: Changes since 3.5.1: * Responses without the QR bit set now get matched up to an outstanding query, so that resolution can be aborted early instead of waiting for a timeout. Code in commit ee90f02. * The depth limiter changes in 3.5.1 broke some legal domains with lots of indirection. Improved in commit d393c2d. * Slightly improved logging to aid debugging. Code in commit 437824d and commit 182005e. http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.2
Wow, this has been in the tree for a long time now. Sven, can we proceed stabilization? 3.5.1 or 3.5.3?
3.5.3 should be stabilized, the 3.6 version is in near sight (currently there is a RC1 which does have production quality, i am testing it already). So, if no reasons are against, 3.5.3 should be stable and I will then open a request for 3.6.0 if all goes well for a keyword marked ebuild.
stabilization is currently happening in bug 514946
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version. GLSA Vote: Yes
Maintainer(s), Thank you for cleanup!
YES too, added to the existing request.
This issue was resolved and addressed in GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml by GLSA coordinator Sean Amoss (ackle).