Bug 234032 (CVE-2008-3337) - net-dns/pdns < Ignoring invalid DNS queries eases cache poisoning (CVE-2008-3337)
Alias: CVE-2008-3337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2008-08-05 22:19 UTC by Sven Wegener
Modified: 2008-12-19 21:46 UTC

Description Sven Wegener gentoo-dev 2008-08-05 22:19:42 UTC
(Just converting the email sent to

I'm restricting this, because it's not officially released. I'm preparing the release and will commit it when it's officially released. Vulnerability type "unspecified", decide your own classification.

Dear PowerDNS Distributors,

[PowerDNS security release tomorrow around 20:00 CET, small patch that
applies cleanly referenced below]

Brian Dowling of Simplicity Communications and Florian Weimer have brought
some bad PowerDNS behaviour to my attention.

In short, PowerDNS does not respond to certain queries it considers
malformed. This in itself is not a problem, and was even thought of as a
security measure.

Brian and Florian, independently I think, have discovered that not answering
a query for an invalid DNS record within a valid domain allows for a larger
spoofing window of the valid domain. Because of the Kaminsky-discovery, this
has become bad.

For a sophisticated attacker, this provides no benefit. However, such a long
window allows unsophisticated hackers to achieve better results.

The relevant patch is in:
(it can also be downloaded in raw format)

It applies to 2.9.21 with some innocent fuzz. The patch is in production at
several large sites already, and has not caused problems.

I've also already made available PowerDNS on
This consists of nothing but 2.9.21 plus this patch and a rerun of autoconf.

I will release this update tomorrow August 6th at 20:00 hours CET.

This issue has been assigned CVE-2008-3337.

I understand this is a very short notification. I would normally not have
made a security-only release over this, but given the current DNS climate,
people will get upset if we aren't very vigilant.

Please contact me if you have questions.

Kind regards,
Bert Hubert
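
The behaviour change discussed in the email above, as an added sketch that is not part of the original report and is not PowerDNS code: a server that silently drops a query it considers invalid leaves the resolver's query outstanding until its timeout, while a server that answers closes it at once. The byte set treated as valid, the SERVFAIL reply, and the names `handle_query`, `split_question` and `build_query` are assumptions made for the example; this page does not describe the contents of the patch.

```python
import struct

SERVFAIL = 2
# Assumption for this example: a "valid" label contains only these bytes.
ALLOWED = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def build_query(qid, labels, qtype=1):
    """Constructed sample input: one-question query with RD set, class IN."""
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + name + struct.pack("!HH", qtype, 1)


def split_question(msg):
    """Return (labels, end_offset) of the first question, or raise ValueError."""
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off:off + n])
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated qtype/qclass")
    return labels, off + 4


def handle_query(msg, drop_invalid):
    """Return (action, reply): 'lookup', 'drop' or 'servfail'."""
    if len(msg) < 12:
        return "drop", None
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        return "drop", None          # never answer a response packet
    try:
        labels, end = split_question(msg)
    except ValueError:
        return "drop", None          # question cannot be echoed back
    if all(set(label) <= ALLOWED for label in labels):
        return "lookup", None        # normal resolution path, out of scope here
    if drop_invalid:
        return "drop", None          # old behaviour: resolver waits for its timeout
    # Answering behaviour: same ID, opcode, RD and question; RCODE=SERVFAIL.
    reply_flags = 0x8000 | (flags & 0x7900) | SERVFAIL
    header = struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0)
    return "servfail", header + msg[12:end]
```
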
Comment 1 Sven Wegener gentoo-dev 2008-08-06 17:07:00 UTC
OK, I committed it, with just "Version bump" as comment. A little bit early, but there are other packagers that already have public reference to the new version and its security implication.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 17:17:56 UTC
Arch Security Liaisons, please test and mark stable:
Target keywords : "amd64 x86"

CC'ing current Liaisons:
   amd64 : keytoaster, tester
     x86 : maekke, armin76
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 18:09:34 UTC
public via $URL
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 18:10:24 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 5 Markus Meier gentoo-dev 2008-08-06 19:25:10 UTC
amd64/x86 stable, all arches done.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 21:23:18 UTC
vote: YES
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-06 21:06:08 UTC
yes too, request filed.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-19 21:46:42 UTC
GLSA 200812-19