vulnerability causing temporary denial of service (see URL)
Steps to Reproduce:
1. emerge pdns-2.9.22-r1
2. see URL for further details
Created attachment 298511 [details, diff]
patch for 2.9.22
Created attachment 298513 [details, diff]
patch for current ebuild
fixed in: 22.214.171.124 or 3.0.1
ebuild and patches using 126.96.36.199:
@swegener, I see the bump in tree, can we go to stabilize?
Yes, the only difference between 3.0 and 3.0.1 is the security fix and 3.0 has been in the tree long enough.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Please note that net-dns/pdns-3.0 was not previously marked stable, and neither should 3.0.1 be imho. While the software runs ok the developers have indicated that it might not yet be suitable for full scale production use and have announced an updated 3.1 version addressing some important issues, see http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000150.html
It might be a better idea to apply the previously supplied patch and create a new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for now.
(In reply to comment #8)
> It might be a better idea to apply the previously supplied patch and create a
> new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for
Maybe using 188.8.131.52-tarball (which includes the patch already) can be an suitable solution. IMHO there should be a solution to quick-fix the security issue without upgrading to new version - as long as upstream supports also old version with security fixes...
Feel free to open a new bug with bump of 2.9 and request also a slot if is possible
(In reply to comment #11)
> Feel free to open a new bug with bump of 2.9 and request also a slot if is
I personally am happy not going through this exercise and apply the (very small) patch for 2.9.22 locally or install 184.108.40.206 from source, but stabilising PowerDNS 3.x at this point is imho ill-advised. PowerDNS 3.0 is very different internally from the 2.9 branch, dropping some things such as the LDAP backend from being officially supported.
I do not think Gentoo should force administrators to do a major upgrade of PowerDNS to apply a fix that consists of three lines of source code.
For those that want to stay at 2.9.22, I've just also commited 220.127.116.11.
Since is not a regression I remove bug 398685 from "Depends on"
(In reply to comment #13)
> For those that want to stay at 2.9.22, I've just also commited 18.104.22.168.
could you easily bump version to 22.214.171.124 while 126.96.36.199 includes a bug which can cause crashes on busy setup, see http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6
or should i better open a new bug?
@security: please vote.
Thanks, folks. GLSA Vote: yes.
YES, too. New request filed.
common_startup.cc in PowerDNS (aka pdns) Authoritative Server before
188.8.131.52 and 3.x before 3.0.1 allows remote attackers to cause a denial of
service (packet loop) via a crafted UDP DNS response.
This issue was resolved and addressed in
GLSA 201202-04 at http://security.gentoo.org/glsa/glsa-201202-04.xml
by GLSA coordinator Sean Amoss (ackle).