two security vulnerabilities have recently been discovered: http://doc.powerdns.com/powerdns-advisory-2010-01.html http://doc.powerdns.com/powerdns-advisory-2010-02.html Users should be urged to upgrade to current version. maybe 3.1.7.2 should be stabilized ASAP. Reproducible: Always
rename ebuild and a little patch did the job... --- pdns-recursor-3.1.7.1.ebuild 2010-01-06 21:13:53.328864268 +0100 +++ pdns-recursor-3.1.7.2.ebuild 2010-01-06 21:14:19.496362725 +0100 @@ -27,7 +27,7 @@ unpack ${A} cd "${S}" - epatch "${FILESDIR}"/${P}-error-message.patch + epatch "${FILESDIR}"/${PN}-3.1.7.1-error-message.patch sed -i -e s:/var/run/:/var/lib/powerdns: "${S}"/config.h || die }
Marcel, thanks for your report. Sven, please commit a bumped ebuild ASAP.
I just commited 3.1.7.2 to the tree.
There is a possible regression in that version. Holding stabilization until the situation is clarified.
CVE-2009-4009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4009): Buffer overflow in PowerDNS Recursor before 3.1.7.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted packets. CVE-2009-4010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4010): Unspecified vulnerability in PowerDNS Recursor before 3.1.7.2 allows remote attackers to spoof DNS data via crafted zones.
(In reply to comment #4) > There is a possible regression in that version. Which regression do you mean?
Alex just told me the regression is bogus. Arches, please test and mark stable: =net-dns/pdns-recursor-3.1.7.2 Target keywords : "amd64 x86"
x86 stable
amd64 stable, all arches done.
Everythings fine. We should close this bug ;)
No, unfortunately we should not. Please read http://www.gentoo.org/security/en/vulnerability-policy.xml and/or let the security team handle the closing of security bugs. GLSA request filed.
This issue was resolved and addressed in GLSA 201412-33 at http://security.gentoo.org/glsa/glsa-201412-33.xml by GLSA coordinator Sean Amoss (ackle).