Bug 552285 (CVE-2009-4009, CVE-2009-4010)

Summary: CVE-2009-4009 CVE-2009-4010 PowerDNS Recursor: code execution and domain spoofing flaws
Product: [Fedora] Fedora
Reporter: bert hubert <bert.hubert>
Component: pdns-recursor
Assignee: Ruben Kerkhof <ruben>
Status: CLOSED ERRATA
QA Contact: Ruben Kerkhof <ruben>
Severity: urgent
Priority: low
Version: 12
CC: bressers, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 3.1.7.2-1.el5
Doc Type: Bug Fix
Last Closed: 2010-01-07 21:43:18 UTC

Description bert hubert 2010-01-04 15:11:24 UTC
CVE-2009-4009, CVE-2009-4010
> This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made
> public, which fixes two important security issues, one of which is remotely
> exploitable.
> 
> Given the critical nature of these vulnerabilities, we are trying to keep
> details confidential for a few more days.
> 
> Summary
> -------
> The short version: please contact me off-list if you distribute the PowerDNS
> Recursor (any version), and if you want to gain early access to version
> 3.1.7.2 and associated release notes.
> 
> Details
> -------
> The two security issues have been discovered by two parties which we cannot
> yet publicly mention or thank, but they deserve full credit and gratitude  
> for their discoveries.
> 
> Two CVE numbers have been requested; they will be communicated ASAP.
> 
> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.
> 
> The first issue is at least a DoS, but in all likelihood can be expanded
> into a full compromise ('rooted').
> 
> The release that will be made public is already available for distributors.
> Other good news is that it is already serving over a million ISP customers,
> with no apparent problems.
> 
> Contact me off-list for quick access to the new PowerDNS Recursor code,
> patch & release notes.
> 
> If you need any kind of assistance in doing a smooth upgrade, also do not
> hesitate to contact me.

Comment 1 Tomas Hoger 2010-01-04 15:20:23 UTC
Bert, is -4009 for the first issue (DoS / code execution) and -4010 for the second (domain data spoofing)?

Comment 2 Ruben Kerkhof 2010-01-04 15:28:27 UTC
(In reply to comment #1)

Tomas, is there a way to update the package before Wednesday without the details showing up in public CVS?

Comment 3 bert hubert 2010-01-04 15:30:03 UTC
This is correct. These issues are extremely urgent - how can I get the patch/new tarball to you?

Comment 4 Ruben Kerkhof 2010-01-04 15:46:36 UTC
I've just received the tarball from Bert via private mail.

Comment 5 Tomas Hoger 2010-01-04 15:52:50 UTC
(In reply to comment #2)
> Tomas, is there a way to update the package before Wednesday without the
> details showing up in public CVS?

No. The Fedora CVS / build system is public, so once a new version is committed / built, it will be available to anyone.

Comment 6 Tomas Hoger 2010-01-06 14:56:43 UTC
Bert, can this bug be made public now?  I don't see any announcement in announce list archives, but upstream pages already offer updated binaries (but not sources).

Comment 7 bert hubert 2010-01-06 15:13:34 UTC
Yes, you can go live.
Sources are available now too.

Comment 8 Tomas Hoger 2010-01-06 15:19:57 UTC
Thanks, making bug public.

Comment 9 Fedora Update System 2010-01-07 00:53:55 UTC
pdns-recursor-3.1.7.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-01-07 00:56:18 UTC
pdns-recursor-3.1.7.2-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-01-07 21:42:42 UTC
pdns-recursor-3.1.7.2-1.el4.1 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-01-07 21:43:14 UTC
pdns-recursor-3.1.7.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.