Summary: | <net-dns/pdns-recursor-3.6.1-r1: DoS vulnerability (CVE-2014-8601) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alexander Stoll <technoworx> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | swegener, vivo75 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/ | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alexander Stoll
2014-12-08 16:39:17 UTC
hi, I'm unable build 3.6.2 , see bug #532260 maybe it's advidsable to provide a patched 3.6.1, since the patch is trivial and behaviour of the program change less. see https://downloads.powerdns.com/patches/2014-02/ for upstream patches applied them here and program seem to work I've committed 3.6.1-r1 with the upstream patch for this issue. The build on 3.6.2 seems to be triggered be new gcc versions. (In reply to Sven Wegener from comment #2) > I've committed 3.6.1-r1 with the upstream patch for this issue. The build on > 3.6.2 seems to be triggered be new gcc versions. Thanks, Sven. May we proceed with stabilization of =net-dns/pdns-recursor-3.6.1-r1 ? Yes, please stabilize 3.6.1-r1. Arches, please stabilize: =net-dns/pdns-recursor-3.6.1-r1 Stable targets: amd64 x86 CVE-2014-8601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8601): PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it. amd64 stable x86 stable @Maintainers, please cleanup! @Security, please vote! GLSA vote: no. (In reply to Mikle Kolyada from comment #8) > x86 stable > > @Maintainers, please cleanup! > > @Security, please vote! > > GLSA vote: no. We already have a GLSA draft for pdns-recursor with this bug on it, ready for peer review. This issue was resolved and addressed in GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml by GLSA coordinator Sean Amoss (ackle). Re-opening until vulnerable versions are dropped. Vulnerable versions removed. |