Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 299942 (CVE-2009-4009) - <net-dns/pdns-recursor-3.1.7.2: Multiple vulnerabilities (CVE-2009-{4009,4010})
Summary: <net-dns/pdns-recursor-3.1.7.2: Multiple vulnerabilities (CVE-2009-{4009,4010})
Status: RESOLVED FIXED
Alias: CVE-2009-4009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-06 20:13 UTC by Marcel Pennewiß
Modified: 2014-12-22 22:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Pennewiß 2010-01-06 20:13:32 UTC
two security vulnerabilities have recently been discovered:
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html

Users should be urged to upgrade to current version. maybe 3.1.7.2 should be stabilized ASAP.

Reproducible: Always
Comment 1 Marcel Pennewiß 2010-01-06 20:15:34 UTC
rename ebuild and a little patch did the job...

--- pdns-recursor-3.1.7.1.ebuild        2010-01-06 21:13:53.328864268 +0100
+++ pdns-recursor-3.1.7.2.ebuild        2010-01-06 21:14:19.496362725 +0100
@@ -27,7 +27,7 @@
        unpack ${A}
        cd "${S}"

-       epatch "${FILESDIR}"/${P}-error-message.patch
+       epatch "${FILESDIR}"/${PN}-3.1.7.1-error-message.patch

        sed -i -e s:/var/run/:/var/lib/powerdns: "${S}"/config.h || die
 }
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-07 23:50:53 UTC
Marcel, thanks for your report.

Sven, please commit a bumped ebuild ASAP.
Comment 3 Sven Wegener gentoo-dev 2010-01-08 07:26:07 UTC
I just commited 3.1.7.2 to the tree.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-01-08 07:34:47 UTC
There is a possible regression in that version. Holding stabilization until the situation is clarified.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-08 20:41:20 UTC
CVE-2009-4009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4009):
  Buffer overflow in PowerDNS Recursor before 3.1.7.2 allows remote
  attackers to cause a denial of service (daemon crash) or possibly
  execute arbitrary code via crafted packets.

CVE-2009-4010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4010):
  Unspecified vulnerability in PowerDNS Recursor before 3.1.7.2 allows
  remote attackers to spoof DNS data via crafted zones.

Comment 6 Marcel Pennewiß 2010-01-10 09:48:21 UTC
(In reply to comment #4)
> There is a possible regression in that version.

Which regression do you mean?

Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-10 11:30:08 UTC
Alex just told me the regression is bogus.

Arches, please test and mark stable:
=net-dns/pdns-recursor-3.1.7.2
Target keywords : "amd64 x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-10 12:09:28 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2010-02-01 19:46:56 UTC
amd64 stable, all arches done.
Comment 10 Marcel Pennewiß 2010-02-14 18:00:00 UTC
Everythings fine. We should close this bug ;)
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-14 18:05:59 UTC
No, unfortunately we should not. Please read http://www.gentoo.org/security/en/vulnerability-policy.xml and/or let the security team handle the closing of security bugs.

GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-22 22:01:48 UTC
This issue was resolved and addressed in
 GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml
by GLSA coordinator Sean Amoss (ackle).