Summary: | <net-dns/pdns-recursor-3.1.7.2: Multiple vulnerabilities (CVE-2009-{4009,4010}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Marcel Pennewiß <gentoo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | swegener |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [glsa+] | ||
Package list: | Runtime testing required: | --- |
Description
Marcel Pennewiß
2010-01-06 20:13:32 UTC
rename ebuild and a little patch did the job... --- pdns-recursor-3.1.7.1.ebuild 2010-01-06 21:13:53.328864268 +0100 +++ pdns-recursor-3.1.7.2.ebuild 2010-01-06 21:14:19.496362725 +0100 @@ -27,7 +27,7 @@ unpack ${A} cd "${S}" - epatch "${FILESDIR}"/${P}-error-message.patch + epatch "${FILESDIR}"/${PN}-3.1.7.1-error-message.patch sed -i -e s:/var/run/:/var/lib/powerdns: "${S}"/config.h || die } Marcel, thanks for your report. Sven, please commit a bumped ebuild ASAP. I just commited 3.1.7.2 to the tree. There is a possible regression in that version. Holding stabilization until the situation is clarified. CVE-2009-4009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4009): Buffer overflow in PowerDNS Recursor before 3.1.7.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted packets. CVE-2009-4010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4010): Unspecified vulnerability in PowerDNS Recursor before 3.1.7.2 allows remote attackers to spoof DNS data via crafted zones. (In reply to comment #4) > There is a possible regression in that version. Which regression do you mean? Alex just told me the regression is bogus. Arches, please test and mark stable: =net-dns/pdns-recursor-3.1.7.2 Target keywords : "amd64 x86" x86 stable amd64 stable, all arches done. Everythings fine. We should close this bug ;) No, unfortunately we should not. Please read http://www.gentoo.org/security/en/vulnerability-policy.xml and/or let the security team handle the closing of security bugs. GLSA request filed. This issue was resolved and addressed in GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml by GLSA coordinator Sean Amoss (ackle). |