|Summary:|<net-dns/pdns-3.0.1: Denial of Service (CVE-2012-0206)|
|Product:|Gentoo Security|
|Reporter:|Marcel Pennewiß <gentoo>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Severity:|minor|
|CC:|gentoo, s.hoogeveen, swegener|
|Package list:||
|Runtime testing required:|---|
|Bug Depends on:|398703|
Description Marcel Pennewiß 2012-01-10 15:41:01 UTC
vulnerability causing temporary denial of service (see URL)

Reproducible: Always

Steps to Reproduce:
1. emerge pdns-2.9.22-r1
2. see URL for further details
Comment 1 Marcel Pennewiß 2012-01-10 15:41:48 UTC
Created attachment 298511: pdns-2.9.22-CVE-2012-0206.patch
patch for 2.9.22
Comment 2 Marcel Pennewiß 2012-01-10 15:44:39 UTC
Created attachment 298513: pdns-2.9.22-r1.ebuild.patch
patch for current ebuild
Comment 3 Agostino Sarubbo 2012-01-10 17:12:39 UTC
fixed in: 188.8.131.52 or 3.0.1
Comment 4 Marcel Pennewiß 2012-01-11 10:17:30 UTC
ebuild and patches using 184.108.40.206: https://subversion.fem.tu-ilmenau.de/repository/fem-overlay/trunk/net-dns/pdns/
Comment 5 Agostino Sarubbo 2012-01-11 15:50:47 UTC
@swegener, I see the bump in tree, can we go to stabilize?
Comment 6 Sven Wegener 2012-01-11 22:58:44 UTC
Yes, the only difference between 3.0 and 3.0.1 is the security fix and 3.0 has been in the tree long enough.
Comment 7 Tim Sammut (RETIRED) 2012-01-12 06:58:57 UTC
Arches, please test and mark stable:
=net-dns/pdns-3.0.1
Target keywords : "amd64 x86"
Comment 8 Sebastiaan Hoogeveen 2012-01-12 11:46:45 UTC
Please note that net-dns/pdns-3.0 was not previously marked stable, and neither should 3.0.1 be imho. While the software runs ok the developers have indicated that it might not yet be suitable for full scale production use and have announced an updated 3.1 version addressing some important issues, see http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000150.html

It might be a better idea to apply the previously supplied patch and create a new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for now.
Comment 9 Marcel Pennewiß 2012-01-12 12:14:05 UTC
(In reply to comment #8)
> It might be a better idea to apply the previously supplied patch and create a
> new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for
> now.

Maybe using 220.127.116.11-tarball (which includes the patch already) can be a suitable solution. IMHO there should be a solution to quick-fix the security issue without upgrading to new version - as long as upstream supports also old version with security fixes...
Comment 10 Paweł Hajdan, Jr. (RETIRED) 2012-01-12 17:30:05 UTC
Comment 11 Agostino Sarubbo 2012-01-12 17:38:27 UTC
@sebastiaan Feel free to open a new bug with bump of 2.9 and request also a slot if it is possible
Comment 12 Sebastiaan Hoogeveen 2012-01-12 18:46:16 UTC
(In reply to comment #11)
> Feel free to open a new bug with bump of 2.9 and request also a slot if it is
> possible

I personally am happy not going through this exercise and apply the (very small) patch for 2.9.22 locally or install 18.104.22.168 from source, but stabilising PowerDNS 3.x at this point is imho ill-advised. PowerDNS 3.0 is very different internally from the 2.9 branch, dropping some things such as the LDAP backend from being officially supported. I do not think Gentoo should force administrators to do a major upgrade of PowerDNS to apply a fix that consists of three lines of source code.
Comment 13 Sven Wegener 2012-01-12 19:07:55 UTC
For those that want to stay at 2.9.22, I've just also committed 22.214.171.124.
Comment 14 Agostino Sarubbo 2012-01-12 22:36:15 UTC
Since it is not a regression, I remove bug 398685 from "Depends on"
Comment 15 Marcel Pennewiß 2012-01-26 10:05:37 UTC
(In reply to comment #13)
> For those that want to stay at 2.9.22, I've just also committed 126.96.36.199.

Could you easily bump version to 188.8.131.52 while 184.108.40.206 includes a bug which can cause crashes on busy setup, see http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6 or should I better open a new bug?
Comment 16 Agostino Sarubbo 2012-01-26 11:53:23 UTC
amd64 stable @security: please vote.
Comment 17 Tim Sammut (RETIRED) 2012-01-27 05:33:47 UTC
Thanks, folks. GLSA Vote: yes.
Comment 18 Sean Amoss 2012-01-27 14:48:42 UTC
YES, too. New request filed.
Comment 19 GLSAMaker/CVETool Bot 2012-02-20 04:55:17 UTC
CVE-2012-0206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0206): common_startup.cc in PowerDNS (aka pdns) Authoritative Server before 220.127.116.11 and 3.x before 3.0.1 allows remote attackers to cause a denial of service (packet loop) via a crafted UDP DNS response.
Comment 20 GLSAMaker/CVETool Bot 2012-02-22 20:49:47 UTC
This issue was resolved and addressed in GLSA 201202-04 at http://security.gentoo.org/glsa/glsa-201202-04.xml by GLSA coordinator Sean Amoss (ackle).
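
The packet loop named in the CVE description above, modelled in memory as an added example (not code from PowerDNS or from the attached patch): a responder that answers DNS responses keeps a reply bouncing between two servers, while one that ignores packets with the QR bit set stays silent. The functions `is_response`, `answer`, `bounce_count` and `sample` and the `drop_responses` switch are hypothetical names, and the sample packets are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Packet = std::vector<uint8_t>;

constexpr size_t kDnsHeaderLen = 12;  // fixed DNS header size (RFC 1035)
constexpr uint8_t kQrMask = 0x80;     // QR is the top bit of header byte 2

// True when the packet carries a full header with QR=1 (a response).
bool is_response(const Packet& p) {
    return p.size() >= kDnsHeaderLen && (p[2] & kQrMask) != 0;
}

// Hypothetical responder: returns the reply it would send, or an empty
// packet when it stays silent. With drop_responses=false it answers any
// well-formed packet, which is the behaviour that permits a loop.
Packet answer(const Packet& in, bool drop_responses) {
    if (in.size() < kDnsHeaderLen) return {};          // truncated header
    if (drop_responses && is_response(in)) return {};  // never answer a response
    Packet out = in;
    out[2] |= kQrMask;                                 // every reply carries QR=1
    return out;
}

// Feed each reply to a second, identical responder and count the packets
// sent, stopping at max_hops so the unguarded case terminates.
int bounce_count(const Packet& first, bool drop_responses, int max_hops) {
    int sent = 0;
    Packet cur = first;
    while (sent < max_hops) {
        cur = answer(cur, drop_responses);
        if (cur.empty()) break;
        ++sent;
    }
    return sent;
}

// Constructed sample: header only, ID 0x1234, caller-chosen flags byte.
Packet sample(uint8_t flags_hi) {
    return {0x12, 0x34, flags_hi, 0x00, 0, 0, 0, 0, 0, 0, 0, 0};
}

int main() {
    // Unguarded: a response bounces until the hop cap. Guarded: no reply.
    return (bounce_count(sample(0x80), false, 100) == 100 &&
            bounce_count(sample(0x80), true, 100) == 0) ? 0 : 1;
}
```

With the check enabled, an ordinary query still gets exactly one reply, and that reply is ignored by whichever server receives it next.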