Gentoo Logo

PowerDNS: Multiple vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200812-19 / pdns
Release Date December 19, 2008
Latest Revision December 19, 2008: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-dns/pdns < 2.9.21.2 >= 2.9.21.2 All supported architectures

Related bugreports: #234032, #247079

Synopsis

Two vulnerabilities have been discovered in PowerDNS, possibly leading to a Denial of Service and easing cache poisoning attacks.

2.  Impact Information

Background

The PowerDNS Nameserver is an authoritative-only nameserver which uses a flexible backend architecture.

Description

Daniel Drown reported an error when receiving a HINFO CH query (CVE-2008-5277). Brian J. Dowling of Simplicity Communications discovered a previously unknown security implication of the PowerDNS behavior to not respond to certain queries it considers malformed (CVE-2008-3337).

Impact

A remote attacker could send specially crafted queries to cause a Denial of Service. The second vulnerability in itself does not pose a security risk to PowerDNS Nameserver. However, not answering a query for an invalid DNS record within a valid domain allows for a larger spoofing window on third-party nameservers for domains being hosted by PowerDNS Nameserver itself.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All PowerDNS users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/pdns-2.9.21.2"

4.  References

Print

Page updated December 19, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.