vulnerability causing temporary denial of service (see URL)
Steps to Reproduce:
1. emerge pdns-2.9.22-r1
2. see URL for further details
Created attachment 298511 [details, diff]
patch for 2.9.22
Created attachment 298513 [details, diff]
patch for current ebuild
fixed in: 184.108.40.206 or 3.0.1
ebuild and patches using 220.127.116.11:
@swegener, I see the bump in tree, can we go to stabilize?
Yes, the only difference between 3.0 and 3.0.1 is the security fix and 3.0 has been in the tree long enough.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Please note that net-dns/pdns-3.0 was not previously marked stable, and neither should 3.0.1 be imho. While the software runs ok the developers have indicated that it might not yet be suitable for full scale production use and have announced an updated 3.1 version addressing some important issues, see http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000150.html
It might be a better idea to apply the previously supplied patch and create a new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for now.
(In reply to comment #8)
> It might be a better idea to apply the previously supplied patch and create a
> new stable version in the 2.9 branch (2.9.22-r2?), keeping 3.0.1 as it is for
Maybe using 18.104.22.168-tarball (which includes the patch already) can be an suitable solution. IMHO there should be a solution to quick-fix the security issue without upgrading to new version - as long as upstream supports also old version with security fixes...
Feel free to open a new bug with bump of 2.9 and request also a slot if is possible
(In reply to comment #11)
> Feel free to open a new bug with bump of 2.9 and request also a slot if is
I personally am happy not going through this exercise and apply the (very small) patch for 2.9.22 locally or install 22.214.171.124 from source, but stabilising PowerDNS 3.x at this point is imho ill-advised. PowerDNS 3.0 is very different internally from the 2.9 branch, dropping some things such as the LDAP backend from being officially supported.
I do not think Gentoo should force administrators to do a major upgrade of PowerDNS to apply a fix that consists of three lines of source code.
For those that want to stay at 2.9.22, I've just also commited 126.96.36.199.
Since is not a regression I remove bug 398685 from "Depends on"
(In reply to comment #13)
> For those that want to stay at 2.9.22, I've just also commited 188.8.131.52.
could you easily bump version to 184.108.40.206 while 220.127.116.11 includes a bug which can cause crashes on busy setup, see http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6
or should i better open a new bug?
@security: please vote.
Thanks, folks. GLSA Vote: yes.
YES, too. New request filed.
common_startup.cc in PowerDNS (aka pdns) Authoritative Server before
18.104.22.168 and 3.x before 3.0.1 allows remote attackers to cause a denial of
service (packet loop) via a crafted UDP DNS response.
This issue was resolved and addressed in
GLSA 201202-04 at http://security.gentoo.org/glsa/glsa-201202-04.xml
by GLSA coordinator Sean Amoss (ackle).