There are two bugs with security implications, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised:

* The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
* Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain's existence.
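To illustrate the first bug's mechanism (a query name containing LDAP filter metacharacters turning the backend's search filter into one the server rejects), here is an added example in C++. It is not PowerDNS's own LDAP backend code; the `associatedDomain` filter shape and all function names are assumptions, and the escaping follows RFC 4515.

```cpp
#include <cstdio>
#include <string>

// Escape one value for use inside an LDAP search filter (RFC 4515, section 3):
// the characters * ( ) \ and NUL become a backslash followed by two hex digits.
std::string ldapEscape(const std::string& value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        switch (c) {
            case '*':  out += "\\2a"; break;
            case '(':  out += "\\28"; break;
            case ')':  out += "\\29"; break;
            case '\\': out += "\\5c"; break;
            case '\0': out += "\\00"; break;
            default:   out += static_cast<char>(c);
        }
    }
    return out;
}

// Hypothetical zone lookup filter; every byte of the name is literal data.
std::string buildFilter(const std::string& qname) {
    return "(associatedDomain=" + ldapEscape(qname) + ")";
}

// The same filter built without escaping, for comparison only.
std::string buildFilterUnescaped(const std::string& qname) {
    return "(associatedDomain=" + qname + ")";
}

// Structural check: a filter whose parentheses do not balance is malformed,
// so the directory server rejects it and the question goes unanswered.
bool parensBalanced(const std::string& filter) {
    int depth = 0;
    for (size_t i = 0; i < filter.size(); ++i) {
        char c = filter[i];
        if (c == '\\') { ++i; continue; }  // skip the escaped character
        if (c == '(') ++depth;
        else if (c == ')' && --depth < 0) return false;
    }
    return depth == 0;
}

int main() {
    std::string qname = "example.com)";  // constructed sample query name
    std::printf("unescaped: %s balanced=%d\n", buildFilterUnescaped(qname).c_str(),
                parensBalanced(buildFilterUnescaped(qname)));
    std::printf("escaped:   %s balanced=%d\n", buildFilter(qname).c_str(),
                parensBalanced(buildFilter(qname)));
    return 0;
}
```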
We already have an ebuild:

*pdns-2.9.18 (17 Jul 2005)

Arches, please test and mark stable.
Stable on x86.
Doesn't compile on amd64 when USE=ldap is set :-/

x86_64-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I. -I. -I../.. -D_GNU_SOURCE -march=k8 -O2 -pipe -ftracer -Wall -O2 -MT ldapbackend.lo -MD -MP -MF .deps/ldapbackend.Tpo -c ldapbackend.cc -fPIC -DPIC -o .libs/ldapbackend.o
ldapbackend.cc: In member function `bool LdapBackend::list_simple(const std::string&, int)':
ldapbackend.cc:135: error: `strbind' undeclared (first use this function)
ldapbackend.cc:135: error: (Each undeclared identifier is reported only once for each function it appears in.)
ldapbackend.cc: In member function `void LdapBackend::lookup_simple(const QType&, const std::string&, DNSPacket*, int)':
ldapbackend.cc:218: error: `strbind' undeclared (first use this function)
ldapbackend.cc: In member function `void LdapBackend::lookup_strict(const QType&, const std::string&, DNSPacket*, int)':
ldapbackend.cc:263: error: `strbind' undeclared (first use this function)
ldapbackend.cc: In member function `void LdapBackend::lookup_tree(const QType&, const std::string&, DNSPacket*, int)':
ldapbackend.cc:291: error: `strbind' undeclared (first use this function)

It's too late for me to look at this tonight... Will have a look tomorrow.
Sorry, blame it on me, doesn't compile on x86 either. Seems like I missed it in my tests. Should be fixed now!
stable on amd64.
Thx, this one is ready for GLSA decision. I tend to vote NO.
Tend to say no over here, too. DoS is temporary, the existence of a domain is not denied and it requires special setup scenarios. I might change my mind if somebody reports that the improper escaping of LDAP queries can be exploited for something worse than causing it not to answer.
Any other votes?
Voting no too. Closing.