Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 299942 (CVE-2009-4009)

Summary: <net-dns/pdns-recursor- Multiple vulnerabilities (CVE-2009-{4009,4010})
Product: Gentoo Security Reporter: Marcel Pennewiß <gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: swegener
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---

Description Marcel Pennewiß 2010-01-06 20:13:32 UTC
two security vulnerabilities have recently been discovered:

Users should be urged to upgrade to current version. maybe should be stabilized ASAP.

Reproducible: Always
Comment 1 Marcel Pennewiß 2010-01-06 20:15:34 UTC
rename ebuild and a little patch did the job...

--- pdns-recursor-        2010-01-06 21:13:53.328864268 +0100
+++ pdns-recursor-        2010-01-06 21:14:19.496362725 +0100
@@ -27,7 +27,7 @@
        unpack ${A}
        cd "${S}"

-       epatch "${FILESDIR}"/${P}-error-message.patch
+       epatch "${FILESDIR}"/${PN}-

        sed -i -e s:/var/run/:/var/lib/powerdns: "${S}"/config.h || die
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-07 23:50:53 UTC
Marcel, thanks for your report.

Sven, please commit a bumped ebuild ASAP.
Comment 3 Sven Wegener gentoo-dev 2010-01-08 07:26:07 UTC
I just commited to the tree.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 07:34:47 UTC
There is a possible regression in that version. Holding stabilization until the situation is clarified.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-08 20:41:20 UTC
CVE-2009-4009 (
  Buffer overflow in PowerDNS Recursor before allows remote
  attackers to cause a denial of service (daemon crash) or possibly
  execute arbitrary code via crafted packets.

CVE-2009-4010 (
  Unspecified vulnerability in PowerDNS Recursor before allows
  remote attackers to spoof DNS data via crafted zones.

Comment 6 Marcel Pennewiß 2010-01-10 09:48:21 UTC
(In reply to comment #4)
> There is a possible regression in that version.

Which regression do you mean?

Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-10 11:30:08 UTC
Alex just told me the regression is bogus.

Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-10 12:09:28 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2010-02-01 19:46:56 UTC
amd64 stable, all arches done.
Comment 10 Marcel Pennewiß 2010-02-14 18:00:00 UTC
Everythings fine. We should close this bug ;)
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-14 18:05:59 UTC
No, unfortunately we should not. Please read and/or let the security team handle the closing of security bugs.

GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-22 22:01:48 UTC
This issue was resolved and addressed in
 GLSA 201412-33 at
by GLSA coordinator Sean Amoss (ackle).