Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 531992 (CVE-2014-8601) - <net-dns/pdns-recursor-3.6.1-r1: DoS vulnerability (CVE-2014-8601)
Summary: <net-dns/pdns-recursor-3.6.1-r1: DoS vulnerability (CVE-2014-8601)
Status: RESOLVED FIXED
Alias: CVE-2014-8601
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://doc.powerdns.com/md/security/p...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-08 16:39 UTC by Alexander Stoll
Modified: 2015-08-28 00:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Stoll 2014-12-08 16:39:17 UTC 
all versions prior 3.6.2 are affected by CVE-2014-8601
please do trivial version bump

Reproducible: Always
Comment 1 Francesco Riosa 2014-12-11 11:28:47 UTC 
hi,
I'm unable build 3.6.2 , see bug #532260
maybe it's advidsable to provide a patched 3.6.1, since the patch is trivial and behaviour of the program change less.

see 
https://downloads.powerdns.com/patches/2014-02/
for upstream patches

applied them here and program seem to work
Comment 2 Sven Wegener gentoo-dev 2014-12-18 21:07:31 UTC 
I've committed 3.6.1-r1 with the upstream patch for this issue. The build on 3.6.2 seems to be triggered be new gcc versions.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-19 00:53:21 UTC 
(In reply to Sven Wegener from comment #2)
> I've committed 3.6.1-r1 with the upstream patch for this issue. The build on
> 3.6.2 seems to be triggered be new gcc versions.

Thanks, Sven. May we proceed with stabilization of =net-dns/pdns-recursor-3.6.1-r1 ?
Comment 4 Sven Wegener gentoo-dev 2014-12-21 16:05:41 UTC 
Yes, please stabilize 3.6.1-r1.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-21 18:35:59 UTC 
Arches, please stabilize:
=net-dns/pdns-recursor-3.6.1-r1
Stable targets: amd64 x86
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-21 18:54:06 UTC 
CVE-2014-8601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8601):
  PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which
  allows remote attackers to cause a denial of service ("performance
  degradations") via a large or infinite number of referrals, as demonstrated
  by resolving domains hosted by ezdns.it.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-21 18:55:53 UTC 
amd64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-21 18:57:08 UTC 
x86 stable

@Maintainers, please cleanup!

@Security, please vote!

GLSA vote: no.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-21 23:15:21 UTC 
 (In reply to Mikle Kolyada from comment #8)
> x86 stable
> 
> @Maintainers, please cleanup!
> 
> @Security, please vote!
> 
> GLSA vote: no.

We already have a GLSA draft for pdns-recursor with this bug on it, ready for peer review.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-22 22:02:10 UTC 
This issue was resolved and addressed in
 GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-22 22:03:20 UTC 
Re-opening until vulnerable versions are dropped.
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2015-08-28 00:12:27 UTC 
Vulnerable versions removed.