Bug 554856 - <net-dns/pdns-recursor-{3.6.4,3.7.3}: Label decompression bug in PowerDNS can cause crashes on specific platforms (incomplete CVE-2015-1868 fix)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: 547706
Reported: 2015-07-14 09:53 UTC by Agostino Sarubbo
Modified: 2015-12-20 19:41 UTC

Description Agostino Sarubbo gentoo-dev 2015-07-14 09:53:38 UTC
From ${URL} :

It was found that the fix for CVE-2015-1868 was incomplete for PowerDNS:
https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/

Upstream released updated versions that fix this:
http://blog.powerdns.com/2015/06/09/authoritative-server-3-4-5-3-3-3-and-recursor-3-7-3-3-6-4-released/

A separate CVE has been assigned to this issue:
http://seclists.org/oss-sec/2015/q3/85


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
Comment 1 Sven Wegener gentoo-dev 2015-08-07 19:20:34 UTC
3.7.3 and 3.6.4 are the stabilization candidates, please coordinate with bug #547706 which tracks the original security fix.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 14:54:21 UTC
Arches, please test and mark stable:

=net-dns/pdns-recursor-3.6.4

Target Keywords : "amd64 x86"

Thank you!
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-16 23:08:38 UTC
amd64 stable
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 12:59:54 UTC
Ping on x86 stabilization.
Comment 5 Agostino Sarubbo gentoo-dev 2015-10-16 08:09:51 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-31 14:51:52 UTC
GLSA Vote: No
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 22:37:45 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-12-20 19:41:12 UTC
Maintainer(s), thank you for the cleanup.

Thank you all. Closing as [noglsa].