All versions prior to 3.6.2 are affected by CVE-2014-8601. Please do a trivial version bump.
Reproducible: Always
Hi, I'm unable to build 3.6.2, see bug #532260. Maybe it's advisable to provide a patched 3.6.1, since the patch is trivial and the behaviour of the program changes less. See https://downloads.powerdns.com/patches/2014-02/ for upstream patches. I applied them here and the program seems to work.
I've committed 3.6.1-r1 with the upstream patch for this issue. The build on 3.6.2 seems to be triggered by new gcc versions.
(In reply to Sven Wegener from comment #2)
> I've committed 3.6.1-r1 with the upstream patch for this issue. The build on
> 3.6.2 seems to be triggered by new gcc versions.
Thanks, Sven. May we proceed with stabilization of =net-dns/pdns-recursor-3.6.1-r1 ?
Yes, please stabilize 3.6.1-r1.
Arches, please stabilize:
=net-dns/pdns-recursor-3.6.1-r1
Stable targets: amd64 x86
CVE-2014-8601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8601): PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it.
amd64 stable
x86 stable
@Maintainers, please cleanup!
@Security, please vote!
GLSA vote: no.
(In reply to Mikle Kolyada from comment #8)
> x86 stable
>
> @Maintainers, please cleanup!
>
> @Security, please vote!
>
> GLSA vote: no.
We already have a GLSA draft for pdns-recursor with this bug on it, ready for peer review.
This issue was resolved and addressed in GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml by GLSA coordinator Sean Amoss (ackle).
Re-opening until vulnerable versions are dropped.
Vulnerable versions removed.