http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000151.html says:

----
Tomorrow (Tuesday the 10th of January) at 9AM eastern time, 15:00 Central European Time, we will be releasing an important PowerDNS Security Advisory. This Advisory contains details of a Denial of Service issue within all currently used versions of the PowerDNS Authoritative Server.

We will be releasing:

* A configuration based workaround, which might have a performance penalty
* An iptables based workaround
* Versions 2.9.22.5 and 3.0.1 of the Authoritative Server as source code packages (static 32 bit and 64 bit for Debian and RPM based Linux distributions)
* A one-line patch that solves the issue for source based users
* Complete details of the problem

The denial of service attack is temporary in nature, but can be performed using limited resources. There is no risk of a system compromise because of this attack.

This pre-announcement is made to allow operators to schedule a maintenance window to possibly upgrade or modify their systems. If you anticipate requiring help upgrading your affected systems, please contact powerdns.support at netherlabs.nl.

Some more details:

CVE: CVE-2012-0206
Date: 10th of January 2012
Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the exception of 2.9.22.5)
Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are affected.
Severity: High
Impact: Temporary denial of service
Exploit: Proof of concept
Risk of system compromise: No
Solution: Upgrade to PowerDNS Recursor 2.9.22.5 or 3.0.1
Workaround: Several
----

I think it would be good to upgrade the EPEL package to 2.9.22.5 once it is released tomorrow to protect users of the package from this vulnerability.
*** Bug 772581 has been marked as a duplicate of this bug. ***
We don't ship PowerDNS, nor does Fedora.
Forgot that Fedora calls it pdns, not powerdns.
That's why Nils opened a bug in the Fedora EPEL component, not Red Hat. Thanks for the help, but I'd rather handle my own bugs myself. I opened #772581 to keep track of this in Fedora, not EPEL.
pdns-2.9.22-4.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/pdns-2.9.22-4.el5
pdns-2.9.22.5-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/pdns-2.9.22.5-1.el6
Package pdns-2.9.22.5-1.el6:

* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=epel-testing pdns-2.9.22.5-1.el6'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0061/pdns-2.9.22.5-1.el6 then log in and leave karma (feedback).
According to http://mailman.powerdns.com/pipermail/pdns-users/2012-January/008492.html 2.9.22.5 introduces a crashing bug when using PowerDNS as an AXFR slave. 2.9.22.6 will be released this week to address this issue.
Thanks Nils, I didn't see that one since I'm only subscribed to pdns-devel. I have 2.9.22.5 running in production for a week now, on 1 master and 2 AXFR slaves, and haven't seen any crashes. Just to be safe, I'll refrain from pushing 2.9.22.5 and wait for the 2.9.22.6 update.
Maybe you could just apply the one-line patch to fix the denial of service vulnerability and release that?
PowerDNS 2.9.22.6 has been released:

----
The improvements to the master/slave engine in 2.9.22.5 contained one serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this crash.
----

http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6
pdns-2.9.22.6-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/pdns-2.9.22.6-1.el6
pdns-2.9.22-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pdns-2.9.22.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.