Red Hat Bugzilla – Bug 772570
Denial of Service vulnerability in PowerDNS 2.9.22
Last modified: 2013-02-04 04:07:39 EST
Tomorrow (Tuesday the 10th of January) at 9AM eastern time, 15:00 Central
European Time, we will be releasing an important PowerDNS Security Advisory.
This Advisory contains details of a Denial of Service issue within all
currently used versions of the PowerDNS Authoritative Server.
We will be releasing:
* A configuration based workaround, which might have a performance
* An iptables based workaround
* Versions 220.127.116.11 and 3.0.1 of the Authoritative Server
    * As source code
    * Packages (static 32 bit and 64 bit for Debian and RPM based
* A one-line patch that solves the issue for source based users
* Complete details of the problem
The denial of service attack is temporary in nature, but can be performed
using limited resources. There is no risk of a system compromise because of
This pre-announcement is made to allow operators to schedule a maintenance
window to possibly upgrade or modify their systems.
If you anticipate requiring help upgrading your affected systems, please
contact powerdns.support at netherlabs.nl.
Some more details:
Date: 10th of January 2012
Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the
exception of 18.104.22.168)
Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are
Impact: Temporary denial of service
Exploit: Proof of concept
Risk of system compromise: No
Solution: Upgrade to PowerDNS Recursor 22.214.171.124 or 3.0.1
I think it would be good to upgrade the EPEL package to 126.96.36.199 once it is released tomorrow to protect users of the package from this vulnerability.
*** Bug 772581 has been marked as a duplicate of this bug. ***
We don't ship PowerDNS, nor does Fedora.
Forgot that Fedora calls it pdns, not powerdns.
That's why Nils opened a bug in the Fedora EPEL component, not Red Hat.
Thanks for the help, but I'd rather handle my own bugs myself. I opened #772581 to keep track of this in Fedora, not EPEL.
pdns-2.9.22-4.el5 has been submitted as an update for Fedora EPEL 5.
pdns-188.8.131.52-1.el6 has been submitted as an update for Fedora EPEL 6.
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing pdns-184.108.40.206-1.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
According to http://mailman.powerdns.com/pipermail/pdns-users/2012-January/008492.html 220.127.116.11 introduces a crashing bug when using PowerDNS as an AXFR slave. 18.104.22.168 will be released this week to address this issue.
Thanks Nils, I didn't see that one since I'm only subscribed to pdns-devel.
I have 22.214.171.124 running in production for a week now, on 1 master and 2 AXFR slaves, and haven't seen any crashes. Just to be safe, I'll refrain from pushing 126.96.36.199 and wait for the 188.8.131.52 update.
Maybe you could just apply the one-line patch to fix the denial of service vulnerability and release that?
PowerDNS 184.108.40.206 has been released:
The improvements to the master/slave engine in 220.127.116.11 contained one serious bug that can cause crashes on busy setups. 18.104.22.168 fixes this crash.
pdns-22.214.171.124-1.el6 has been submitted as an update for Fedora EPEL 6.
pdns-2.9.22-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pdns-126.96.36.199-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.