(Just converting the email sent to security@gentoo.org) I'm restricting this, because it's not officially released. I'm preparing the release and will commit it when it's officially released. Vulnerability type "unspecified", decide your own classification. <------------------------ Dear PowerDNS Distributors, [PowerDNS security release tomorrow around 20:00 CET, small patch that applies cleanly referenced below] Brian Dowling of Simplicity Communications and Florian Weimer have brought some bad PowerDNS behaviour to my attention. In short, PowerDNS does not respond to certain queries it considers malformed. This in itself is not a problem, and was even thought of as a security measure. Brian and Florian, independently I think, have discovered that not answering a query for an invalid DNS record within a valid domain allows for a larger spoofing window of the valid domain. Because of the Kaminsky-discovery, this has become bad. For a sophisticated attacker, this provides no benefit. However, such a long window allows unsophisticated hackers to achieve better results. The relevant patch is in: http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/1239 (it can also be downloaded in raw format) It applies to 2.9.21 with some innocent fuzz. The patch is in production at several large sites already, and has not caused problems. I've also already made available PowerDNS 2.9.21.1 on http://downloads.powerdns.com/releases/pdns-2.9.21.1.tar.gz This consists of nothing but 2.9.21 plus this patch and a rerun of autoconf. I will release this update tomorrow August 6th at 20:00 hours CET. This issue has been assigned CVE-2008-3337. I understand this is a very short notification. I would normally not have made a security-only release over this, but given the current DNS climate, people will get upset if we aren't very vigilant. Please contact me if you have questions. Kind regards, Bert Hubert PowerDNS <------------------------
OK, I commited it, with just "Version bump" as comment. A little bit early, but there are other packagers that already have public reference to the new version and it's security implication.
Arch Security Liaisons, please test and mark stable: =net-dns/pdns-2.9.21.1 Target keywords : "amd64 x86" CC'ing current Liaisons: amd64 : keytoaster, tester x86 : maekke, armin76
public via $URL
Arches, please test and mark stable: =net-dns/pdns-2.9.21.1 Target keywords : "amd64 x86"
amd64/x86 stable, all arches done.
vote: YES
yes too, request filed.
GLSA 200812-19