Bug 552285 - (CVE-2009-4009, CVE-2009-4010) CVE-2009-4009 CVE-2009-4010 PowerDNS Recursor: code execution and domain spoofing flaws
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pdns-recursor
Version: 12
Hardware: All Linux
Priority: low
Severity: urgent
Assigned To: Ruben Kerkhof
Keywords: Security
Reported: 2010-01-04 10:11 EST by bert hubert
Modified: 2010-01-07 16:43 EST
Fixed In Version: 3.1.7.2-1.el5
Doc Type: Bug Fix
Last Closed: 2010-01-07 16:43:18 EST
Description bert hubert 2010-01-04 10:11:24 EST
CVE-2009-4009, CVE-2009-4010
> This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made
> public, which fixes two important security issues, one of which is remotely
> exploitable.
> 
> Given the critical nature of these vulnerabilities, we are trying to keep
> details confidential for a few more days.
> 
> Summary
> -------
> The short version: please contact me off-list if you distribute the PowerDNS
> Recursor (any version), and if you want to gain early access to version
> 3.1.7.2 and associated release notes.
> 
> Details
> -------
> The two security issues have been discovered by two parties which we cannot
> yet publicly mention or thank, but they deserve full credit and gratitude  
> for their discoveries.
> 
> Two CVE numbers have been requested, they will be communicated ASAP.
> 
> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.
> 
> The first issue is at least a DoS, but in all likelihood can be expanded
> into a full compromise ('rooted').
> 
> The release that will be made public is already available for distributors.
> Other good news is that it is already serving over a million ISP customers,
> with no apparent problems.
> 
> Contact me off-list for quick access to the new PowerDNS Recursor code,
> patch & release notes.
> 
> If you need any kind of assistance in doing a smooth upgrade, also do not
> hesitate to contact me.
Comment 1 Tomas Hoger 2010-01-04 10:20:23 EST
Bert, is -4009 for the first issue (DoS / code execution) and -4010 for the second (domain data spoofing)?
Comment 2 Ruben Kerkhof 2010-01-04 10:28:27 EST
(In reply to comment #1)

Tomas, is there a way to update the package before Wednesday without the details showing up in public CVS?
Comment 3 bert hubert 2010-01-04 10:30:03 EST
This is correct. These issues are extremely urgent - how can I get the patch/new tarball to you?
Comment 4 Ruben Kerkhof 2010-01-04 10:46:36 EST
I've just received the tarball from Bert via private mail.
Comment 5 Tomas Hoger 2010-01-04 10:52:50 EST
(In reply to comment #2)
> Tomas, is there a way to update the package before Wednesday without the
> details showing up in public CVS?

No.  Fedora CVS / build system is public, so once new version is committed / built, it will be available to anyone.
Comment 6 Tomas Hoger 2010-01-06 09:56:43 EST
Bert, can this bug be made public now?  I don't see any announcement in announce list archives, but upstream pages already offer updated binaries (but not sources).
Comment 7 bert hubert 2010-01-06 10:13:34 EST
Yes, you can go live.
Sources are available now too.
Comment 8 Tomas Hoger 2010-01-06 10:19:57 EST
Thanks, making bug public.
Comment 9 Fedora Update System 2010-01-06 19:53:55 EST
pdns-recursor-3.1.7.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2010-01-06 19:56:18 EST
pdns-recursor-3.1.7.2-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-01-07 16:42:42 EST
pdns-recursor-3.1.7.2-1.el4.1 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2010-01-07 16:43:14 EST
pdns-recursor-3.1.7.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.