All versions prior to 3.6.2 are affected by CVE-2014-8601.
Please do a trivial version bump.
I'm unable to build 3.6.2, see bug #532260.
Maybe it's advisable to provide a patched 3.6.1, since the patch is trivial and the behaviour of the program changes less.
for upstream patches
Applied them here and the program seems to work.
I've committed 3.6.1-r1 with the upstream patch for this issue. The build on 3.6.2 seems to be triggered by new gcc versions.
(In reply to Sven Wegener from comment #2)
> I've committed 3.6.1-r1 with the upstream patch for this issue. The build on
> 3.6.2 seems to be triggered by new gcc versions.
Thanks, Sven. May we proceed with stabilization of =net-dns/pdns-recursor-3.6.1-r1?
Yes, please stabilize 3.6.1-r1.
Arches, please stabilize:
Stable targets: amd64 x86
PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which
allows remote attackers to cause a denial of service ("performance
degradations") via a large or infinite number of referrals, as demonstrated
by resolving domains hosted by ezdns.it.
@Maintainers, please cleanup!
@Security, please vote!
GLSA vote: no.
(In reply to Mikle Kolyada from comment #8)
> x86 stable
> @Maintainers, please cleanup!
> @Security, please vote!
> GLSA vote: no.
We already have a GLSA draft for pdns-recursor with this bug on it, ready for peer review.
This issue was resolved and addressed in
GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml
by GLSA coordinator Sean Amoss (ackle).
Re-opening until vulnerable versions are dropped.
Vulnerable versions removed.