vulnerability causing temporary denial of service (see URL)
Steps to Reproduce:
1. emerge pdns-2.9.22-r1
2. see URL for further details
Created attachment 298511 [details, diff]
patch for 2.9.22
Created attachment 298513 [details, diff]
patch for current ebuild
fixed in: 220.127.116.11 or 3.0.1
ebuild and patches using 18.104.22.168:
@swegener, I see the bump in tree, can we go to stabilize?
Yes, the only difference between 3.0 and 3.0.1 is the security fix and 3.0 has been in the tree long enough.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Please note that net-dns/pdns-3.0 was not previously marked stable, and neither should 3.0.1 be imho. While the software runs ok the developers have indicated that it might not yet be suitable for full scale production use and have announced an updated 3.1 version addressing some important issues, see http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000150.html
It might be a better idea to apply the previously supplied patch and create a new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for now.
(In reply to comment #8)
> It might be a better idea to apply the previously supplied patch and create a
> new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for
Maybe using 22.214.171.124-tarball (which includes the patch already) can be an suitable solution. IMHO there should be a solution to quick-fix the security issue without upgrading to new version - as long as upstream supports also old version with security fixes...
Feel free to open a new bug with bump of 2.9 and request also a slot if is possible
(In reply to comment #11)
> Feel free to open a new bug with bump of 2.9 and request also a slot if is
I personally am happy not going through this exercise and apply the (very small) patch for 2.9.22 locally or install 126.96.36.199 from source, but stabilising PowerDNS 3.x at this point is imho ill-advised. PowerDNS 3.0 is very different internally from the 2.9 branch, dropping some things such as the LDAP backend from being officially supported.
I do not think Gentoo should force administrators to do a major upgrade of PowerDNS to apply a fix that consists of three lines of source code.
For those that want to stay at 2.9.22, I've just also commited 188.8.131.52.
Since is not a regression I remove bug 398685 from "Depends on"
(In reply to comment #13)
> For those that want to stay at 2.9.22, I've just also commited 184.108.40.206.
could you easily bump version to 220.127.116.11 while 18.104.22.168 includes a bug which can cause crashes on busy setup, see http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6
or should i better open a new bug?
@security: please vote.
Thanks, folks. GLSA Vote: yes.
YES, too. New request filed.
common_startup.cc in PowerDNS (aka pdns) Authoritative Server before
22.214.171.124 and 3.x before 3.0.1 allows remote attackers to cause a denial of
service (packet loop) via a crafted UDP DNS response.
This issue was resolved and addressed in
GLSA 201202-04 at http://security.gentoo.org/glsa/glsa-201202-04.xml
by GLSA coordinator Sean Amoss (ackle).