Summary: | <net-dns/pdns-recursor-{3.6.4,3.7.3}: vulnerability (CVE-2015-1868) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alexander Stoll <technoworx> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | swegener |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 554856 | ||
Bug Blocks: |
Description
Alexander Stoll
2015-04-25 14:21:33 UTC
There are 3 bugs in BGO related to this: two concerning the recursor (#547706, #547550) and one concerning the authoritative server, #547482, which was marked as a duplicate of #547550. Since the initial reporting from 23.04.15 there is still no bump whatsoever. According to PowerDNS, the severity of this CVE is high. Any news?

I've committed both 3.6.3 and 3.7.2 to the tree. 3.7 has been in the tree for some time now, I'd mark both stable so if someone wants to stay on the older 3.6 branch.

CVE-2015-1868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1868): The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Ping on stabilization - 30 days have gone by for testing; are we ready to stabilize?

Yep, this is ready to go stable, see bug #554856 for a follow-up security fix, the original fix didn't solve the issue completely. So the stabilization candidates are 3.7.3 and 3.6.4.

Security Please Vote. GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s). Vote: No.

Maintainer(s), Thank you for cleanup.
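For readers auditing their own DNS parsing code against the class of bug named in the CVE text above (a compressed name that refers to itself), the following is an added example, not PowerDNS code and not part of this bug report. It shows a label decompression routine that only accepts backward-pointing compression pointers, so it cannot loop; the function names `decode_name` and `sample` and the packet bytes used with them are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Decode the (possibly compressed) DNS name at offset `pos` of `msg` into
// dotted form. Returns false on malformed input instead of looping.
// Rule enforced: a compression pointer must target an offset strictly below
// the start of the segment it was found in, so every jump goes backwards and
// the walk terminates. Self-referencing names and pointer cycles are rejected.
bool decode_name(const std::vector<uint8_t>& msg, size_t pos, std::string& out) {
    out.clear();
    size_t limit = pos;    // pointers must target an offset < limit
    size_t wire_len = 1;   // counts the terminating root octet
    for (;;) {
        if (pos >= msg.size()) return false;           // ran off the packet
        uint8_t len = msg[pos];
        if (len == 0) break;                           // root label: done
        if ((len & 0xC0) == 0xC0) {                    // compression pointer
            if (pos + 1 >= msg.size()) return false;
            size_t target = (size_t(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= limit) return false;         // self or forward reference
            limit = pos = target;
            continue;
        }
        if (len & 0xC0) return false;                  // reserved label type
        if (pos + 1 + len > msg.size()) return false;  // truncated label
        wire_len += 1 + size_t(len);
        if (wire_len > 255) return false;              // RFC 1035 name limit
        out.append(msg.begin() + pos + 1, msg.begin() + pos + 1 + len);
        out.push_back('.');
        pos += 1 + size_t(len);
    }
    if (out.empty()) out = ".";
    return true;
}

// Constructed sample: 12 zero header bytes, then `body` starting at offset 12.
std::vector<uint8_t> sample(const std::vector<uint8_t>& body) {
    std::vector<uint8_t> msg(12, 0);
    msg.insert(msg.end(), body.begin(), body.end());
    return msg;
}
```

A name whose pointer targets its own offset, or two pointers that reference each other, make `decode_name` return false after at most two steps, while ordinary compressed names still decode.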