Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 547706 - <net-dns/pdns-recursor-{3.6.4,3.7.3}: vulnerability (CVE-2015-1868)
Summary: <net-dns/pdns-recursor-{3.6.4,3.7.3}: vulnerability (CVE-2015-1868)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://doc.powerdns.com/md/security/p...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 554856
Blocks:
  Show dependency tree
 
Reported: 2015-04-25 14:21 UTC by Alexander Stoll
Modified: 2015-12-20 19:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Stoll 2015-04-25 14:21:33 UTC
While the autoritative server CVE is already tracked via bug #547482 the recursor is missing attention.
Two new version have been released to mitigate CVE-2015-1868 for 3.7 and 3.6 branches.

Reproducible: Always
Comment 1 Vladimir Datsevich 2015-04-30 13:49:32 UTC
There are 3 Bugs in BGO related to this,

two concerning the recursor (#547706, #547550)
one concerning the autoritative server, #547482, which was marked as a duplicate of #547550.


Since the initial reporting from 23.04.15 there is still no bump whatsoever.

According to PowerDNS, the sevirity of this CVE is high.

Any news?
Comment 2 Sven Wegener gentoo-dev 2015-05-18 18:06:46 UTC
I've committed both 3.6.3 and 3.7.2 to the tree. 3.7 has been in the tree for some time now, I'd mark both stable so if someone wants to stay on the older 3.6 branch.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 21:35:45 UTC
CVE-2015-1868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1868):
  The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x
  before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x,
  3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause
  a denial of service (CPU consumption or crash) via a request with a name
  that refers to itself.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-06-14 22:54:25 UTC
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 12:13:44 UTC
Ping on stabilization - 30 days has gone by for testing are we ready to stabilize?
Comment 6 Sven Wegener gentoo-dev 2015-08-07 19:19:36 UTC
Yep, this is ready to go stable, see bug #554856 for a follow-up security fix, the original fix didn't solve the issue completely. So the stabilization candidates are 3.7.3 and 3.6.4.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 22:39:50 UTC
Security Please Vote.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:56:30 UTC
Vote: No.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-12-20 19:15:02 UTC
Maintainer(s), Thank you for cleanup.