Hi,

please allow pdns 2.9.21.1-1 into Lenny. It's fixing a security-related problem registered as CVE-2008-3337 (see the upstream's notification attached). The security team has been informed and we are currently preparing a security update for Etch's 2.9.20-8 version, too.

Cheers
Christoph

--
When you do things right people won't be sure you've done anything at all.

--- Begin Message ---
- To: powerdns-debian@workaround.org
- Subject: [bert.hubert@netherlabs.nl: URGENT: PowerDNS security update 2.9.21.1 CVE-2008-3337]
- From: bert hubert <bert.hubert@netherlabs.nl>
- Date: Wed, 6 Aug 2008 10:48:02 +0200
- Message-id: <20080806084802.GA13461@outpost.ds9a.nl>
- Mail-followup-to: bert hubert <bert.hubert@netherlabs.nl>, powerdns-debian@workaround.org

----- Forwarded message from bert hubert <bert.hubert@netherlabs.nl> -----

Date: Tue, 5 Aug 2008 21:55:32 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Sven Wegener <swegener@gentoo.org>, security@gentoo.org, mind@monshouwer.eu, ruben@rubenkerkhof.com, tremere@cainites.net, vendor-sec@lst.de
Subject: URGENT: PowerDNS security update 2.9.21.1 CVE-2008-3337

Dear PowerDNS Distributors,

[PowerDNS security release tomorrow around 20:00 CET, small patch that applies cleanly referenced below]

Brian Dowling of Simplicity Communications and Florian Weimer have brought some bad PowerDNS behaviour to my attention.

In short, PowerDNS does not respond to certain queries it considers malformed. This in itself is not a problem, and was even thought of as a security measure.

Brian and Florian, independently I think, have discovered that not answering a query for an invalid DNS record within a valid domain allows for a larger spoofing window of the valid domain.

Because of the Kaminsky-discovery, this has become bad. For a sophisticated attacker, this provides no benefit. However, such a long window allows unsophisticated hackers to achieve better results.

The relevant patch is in:
http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/1239
(it can also be downloaded in raw format)

It applies to 2.9.21 with some innocent fuzz. The patch is in production at several large sites already, and has not caused problems.

I've also already made available PowerDNS 2.9.21.1 on
http://downloads.powerdns.com/releases/pdns-2.9.21.1.tar.gz

This consists of nothing but 2.9.21 plus this patch and a rerun of autoconf.

I will release this update tomorrow August 6th at 20:00 hours CET.

This issue has been assigned CVE-2008-3337.

I understand this is a very short notification. I would normally not have made a security-only release over this, but given the current DNS climate, people will get upset if we aren't very vigilant.

Please contact me if you have questions.

Kind regards,

Bert Hubert
PowerDNS

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services

----- End forwarded message -----

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services

--- End Message ---