From the CVE entry at $URL:
"The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack."
The CVE is still being reviewed and while it only lists that pdns-recursor 3.3 is affected, the original research states only that no prior versions were tested.
The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwrites cached
server names and TTL values in NS records during the processing of a
response to an A record query, which allows remote attackers to trigger
continued resolvability of revoked domain names via a "ghost domain names"
*** Bug 466008 has been marked as a duplicate of this bug. ***
Created attachment 345986 [details]
ebuild for pdns-recursor-3.5 release changed init file to better naming also
* changed pdns-recursor version to 3.5
* changed init script name from "precursor" -> "pdns-recursor"
Works as overlay on my 3 systems since the release candidate version fine, no issues so far. The ebuild is only changed for the new release and the init file, nothing more.
I hope it helps to solve this CVE quickly.
Created attachment 347262 [details]
updated ebuild for pdns-recursor version 3.5.1 released today may 3rd 2013
I've commited 3.5.1 to the tree.
could you please commit update the ebuild to 3.5.2 ?
Changes since 3.5.1:
* Responses without the QR bit set now get matched up to an outstanding
query, so that resolution can be aborted early instead of waiting for a
timeout. Code in commit ee90f02.
* The depth limiter changes in 3.5.1 broke some legal domains with lots of
indirection. Improved in commit d393c2d.
* Slightly improved logging to aid debugging. Code in commit 437824d and
Wow, this has been in the tree for a long time now. Sven, can we proceed stabilization? 3.5.1 or 3.5.3?
3.5.3 should be stabilized, the 3.6 version is in near sight (currently there is a RC1 which does have production quality, i am testing it already).
So, if no reasons are against, 3.5.3 should be stable and I will then open a request for 3.6.0 if all goes well for a keyword marked ebuild.
stabilization is currently happening in bug 514946
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.
GLSA Vote: Yes
Maintainer(s), Thank you for cleanup!
YES too, added to the existing request.
This issue was resolved and addressed in
GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml
by GLSA coordinator Sean Amoss (ackle).