CVE-2009-4009, CVE-2009-4010 > This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made > public, which fixes two important security issues, one of which is remotely > exploitable. > > Given the critical nature of these vulnerabilities, we are trying to keep > details confidential for a few more days. > > Summary > ------- > The short version: please contact me off-list if you distribute the PowerDNS > Recursor (any version), and if you want to gain early access to version > 3.1.7.2 and associated release notes. > > Details > ------- > The two security issues have been discovered by two parties which we cannot > yet publicly mention or thank, but they deserve full credit and gratitude > for their discoveries. > > Two CVE numbers have been requested, they will be communicated ASAP. > > One issue is remotely exploitable, and there are no configuration > countermeasures. The other allows a (skilled) attacker to spoof domain data > for domain names he does not own. > > The first issue is at least a DoS, but in all likelihood can be expanded > into a full compromise ('rooted'). > > The release that will be made public is already available for distributors. > Other good news is that it is already serving over a million ISP customers, > with no apparent problems. > > Contact me off-list for quick access to the new PowerDNS Recursor code, > patch & release notes. > > If you need any kind of assistance in doing a smooth upgrade, also do not > hesitate to contact me.
Bert, is -4009 for the first issue (DoS / code execution) and -4010 for the second (domain data spoofing)?
(In reply to comment #1) Tomas, is there a way to update the package before wednesday without the details showing up in public cvs?
This is correct. These issues are extremely urgent - how can I get the patch/new tarball to you?
I've just received the tarball from Bert via private mail.
(In reply to comment #2) > Tomas, is there a way to update the package before wednesday without the > details showing up in public cvs? No. Fedora CVS / build system is public, so once new version is committed / built, it will be available to anyone.
Bert, can this bug be made public now? I don't see any announcement in announce list archives, but upstream pages already offer updated binaries (but not sources).
Yes, you can go live Sources are available now too.
Thanks, making bug public.
pdns-recursor-3.1.7.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
pdns-recursor-3.1.7.2-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Upstream advisories: http://doc.powerdns.com/powerdns-advisory-2010-01.html http://doc.powerdns.com/powerdns-advisory-2010-02.html
pdns-recursor-3.1.7.2-1.el4.1 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
pdns-recursor-3.1.7.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.