Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605590 - <net-dns/pdns-recursor-4.0.4: multiple vulnerabilities (CVE-2016-{7068,70737074})
Summary: <net-dns/pdns-recursor-4.0.4: multiple vulnerabilities (CVE-2016-{7068,707370...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2016-7068 CVE-2016-7073, CVE-2016-7074
  Show dependency tree
Reported: 2017-01-13 15:31 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-23 03:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-13 15:31:09 UTC
We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code.

The following PowerDNS Security Advisories are fixed:

 * 2016-02: Crafted queries can cause abnormal CPU usage[1]
 * 2016-04: Insufficient validation of TSIG signatures[2]

Minimal patches are available for those unable to fully upgrade[3,4]

The full changelog is available online[5] and reproduced here:

 * Check TSIG signature on IXFR (Security Advisory 2016-04)
 * Don't parse spurious RRs in queries when we don't need them
   (Security Advisory 2016-02)
 * Fix incorrect length check in `DNSName` when extracting qtype or qclass
 * Wait until after daemonizing to start the RPZ and protobuf threads
 * On (re-)priming, fetch the root NS records
 * Fix src/dest inversion in the protobuf message for TCP queries
 * On RPZ customPolicy, follow the resulting CNAME
 * Add requestorId and some comments to the protobuf definition file
 * Make the negcache forwarded zones aware
 * Cache records for zones that were delegated to from a forwarded zone
 * Add `getRecursorThreadId()` to Lua, identifying the current thread
 * Add support for boost::context >= 1.61
 * DNSSEC: Implement keysearch based on zone-cuts
 * DNSSEC: don't go bogus on zero configured DSs
 * DNSSEC: NSEC3 optout and Bogus insecure forward fixes
 * DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones

We urge all users of the Recursor to upgrade to this version.
Tarballs with sources are available (with signatures)[6,7].
Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories[8].

1 -
2 -
3 -
4 -
5 -
6 -
7 -
8 -
Comment 1 Sven Wegener gentoo-dev 2017-01-14 07:25:23 UTC
I just committed pdns-4.0.2 to the tree.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-14 08:04:22 UTC

*** This bug has been marked as a duplicate of bug 605588 ***
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-01-14 12:24:24 UTC
My bad.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-14 14:03:30 UTC
@ Arches,

please test and mark stable: =net-dns/pdns-recursor-4.0.4
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-15 09:23:33 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-16 10:16:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-16 18:50:51 UTC
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop <net-dns/pdns-recursor-4.0.4!
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 03:55:41 UTC
tree is clean.