Bug 772570 (CVE-2012-0206) - Denial of Service vulnerability in PowerDNS 2.9.22
Summary: Denial of Service vulnerability in PowerDNS 2.9.22
Alias: CVE-2012-0206
Product: Fedora EPEL
Classification: Fedora
Component: pdns
Version: el5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ruben Kerkhof
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2012-01-09 09:39 UTC by Nils Breunese
Modified: 2013-02-04 09:07 UTC (History)
3 users (show)

Fixed In Version: pdns-
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-02-04 01:07:45 UTC
Type: ---

Attachments (Terms of Use)

Description Nils Breunese 2012-01-09 09:39:58 UTC
http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000151.html says:

Tomorrow (Tuesday the 10th of January) at 9AM eastern time, 15:00 Central
European Time, we will be releasing an important PowerDNS Security Advisory.

This Advisory contains details of a Denial of Service issue within all
currently used versions of the PowerDNS Authoritative Server.

We will be releasing:
	* A configuration based workaround, which might have a performance

	* An iptables based workaround

	* Versions and 3.0.1 of the Authoritative Server
		As source code
		Packages (static 32 bit and 64 bit for Debian and RPM based
		Linux distributions)

	* A one-line patch that solves the issue for source based users

	* Complete details of the problem

The denial of service attack is temporary in nature, but can be performed
using limited resources. There is no risk of a system compromise because of
this attack.

This pre-announcement is made to allow operators to schedule a maintenance
window to possibly upgrade or modify their systems.

If you anticipate requiring help upgrading your affected systems, please
contact powerdns.support at netherlabs.nl.

Some more details:
CVE: CVE-2012-0206
Date: 10th of January 2012

Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the 
exception of

Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are

Severity: High
Impact: Temporary denial of service
Exploit: Proof of concept
Risk of system compromise: No
Solution: Upgrade to PowerDNS Recursor or 3.0.1
Workaround: Several

I think it would be good to upgrade the EPEL package to once it is released tomorrow to protect users of the package from this vulnerability.

Comment 1 Kurt Seifried 2012-01-10 01:49:11 UTC
*** Bug 772581 has been marked as a duplicate of this bug. ***

Comment 2 Kurt Seifried 2012-01-10 01:53:38 UTC
We don't ship PowerDNS, nor does Fedora.

Comment 3 Kurt Seifried 2012-01-10 01:58:25 UTC
Forgot that Fedora calls it pdns, not powerdns.

Comment 4 Ruben Kerkhof 2012-01-10 11:29:34 UTC
That's why Nils opened a bug in the Fedora EPEL component, not Red Hat.

Thanks for the help, but I rather handle my own bugs myself. I opened #772581 to keep track of this in Fedora, not EPEL.

Comment 5 Fedora Update System 2012-01-10 13:24:29 UTC
pdns-2.9.22-4.el5 has been submitted as an update for Fedora EPEL 5.

Comment 6 Fedora Update System 2012-01-10 13:25:31 UTC
pdns- has been submitted as an update for Fedora EPEL 6.

Comment 7 Fedora Update System 2012-01-11 07:59:36 UTC
Package pdns-
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing pdns-'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 8 Nils Breunese 2012-01-17 23:52:46 UTC
According to http://mailman.powerdns.com/pipermail/pdns-users/2012-January/008492.html introduces a crashing bug when using PowerDNS as an AXFR slave. will be released this week to address this issue.

Comment 9 Ruben Kerkhof 2012-01-18 11:05:32 UTC
Thanks Nils, I didn't see that one since I'm only subscribed to pdns-devel.

I have running in production for a week now, on 1 master and 2 AXFR slaves, and haven't seen any crashes. Just to be save, I'll refrain from pushing and wait for the update.

Comment 10 Nils Breunese 2012-01-18 11:57:12 UTC
Maybe you could just apply the one-line patch to fix the denial of service vulnerability and release that?

Comment 11 Nils Breunese 2012-01-26 09:48:27 UTC
PowerDNS has been released:

The improvements to the master/slave engine in contained one serious bug that can cause crashes on busy setups. fixes this crash.


Comment 12 Fedora Update System 2012-02-02 09:48:17 UTC
pdns- has been submitted as an update for Fedora EPEL 6.

Comment 13 Fedora Update System 2012-02-04 01:07:45 UTC
pdns-2.9.22-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-02-18 21:43:25 UTC
pdns- has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.