While the autoritative server CVE is already tracked via bug #547482 the recursor is missing attention. Two new version have been released to mitigate CVE-2015-1868 for 3.7 and 3.6 branches. Reproducible: Always
There are 3 Bugs in BGO related to this, two concerning the recursor (#547706, #547550) one concerning the autoritative server, #547482, which was marked as a duplicate of #547550. Since the initial reporting from 23.04.15 there is still no bump whatsoever. According to PowerDNS, the sevirity of this CVE is high. Any news?
I've committed both 3.6.3 and 3.7.2 to the tree. 3.7 has been in the tree for some time now, I'd mark both stable so if someone wants to stay on the older 3.6 branch.
CVE-2015-1868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1868): The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Ping on stabilization - 30 days has gone by for testing are we ready to stabilize?
Yep, this is ready to go stable, see bug #554856 for a follow-up security fix, the original fix didn't solve the issue completely. So the stabilization candidates are 3.7.3 and 3.6.4.
Security Please Vote. GLSA Vote: No Maintainer(s), please drop the vulnerable version(s).
Vote: No.
Maintainer(s), Thank you for cleanup.