Please unblock pdns 2.9.21.1-1



Hi,

please allow pdns 2.9.21.1-1 into Lenny. It's fixing a security-related 
problem registered as CVE-2008-3337 (see the upstream's notification 
attached). The security team has been informed and we are currently 
preparing a security update for Etch's 2.9.20-8 version, too.

Cheers
 Christoph
-- 
When you do things right people won't be sure you've done anything at all.
--- Begin Message ---
----- Forwarded message from bert hubert <bert.hubert@netherlabs.nl> -----

Date: Tue, 5 Aug 2008 21:55:32 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Sven Wegener <swegener@gentoo.org>, security@gentoo.org,
	mind@monshouwer.eu, ruben@rubenkerkhof.com, tremere@cainites.net,
	vendor-sec@lst.de
Subject: URGENT: PowerDNS security update 2.9.21.1 CVE-2008-3337

Dear PowerDNS Distributors,

[PowerDNS security release tomorrow around 20:00 CET, small patch that
applies cleanly referenced below] 

Brian Dowling of Simplicity Communications and Florian Weimer have brought
some bad PowerDNS behaviour to my attention.

In short, PowerDNS does not respond to certain queries it considers
malformed. This in itself is not a problem, and was even thought of as a
security measure.

Brian and Florian, independently I think, have discovered that not answering
a query for an invalid DNS record within a valid domain allows for a larger
spoofing window of the valid domain. Because of the Kaminsky-discovery, this
has become bad.

For a sophisticated attacker, this provides no benefit. However, such a long
window allows unsophisticated hackers to achieve better results.

The relevant patch is in:
http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/1239
(it can also be downloaded in raw format)

It applies to 2.9.21 with some innocent fuzz. The patch is in production at
several large sites already, and has not caused problems.

I've also already made available PowerDNS 2.9.21.1 on
http://downloads.powerdns.com/releases/pdns-2.9.21.1.tar.gz
This consists of nothing but 2.9.21 plus this patch and a rerun of autoconf.

I will release this update tomorrow August 6th at 20:00 hours CET.
This issue has been assigned CVE-2008-3337.

I understand this is a very short notification. I would normally not have
made a security-only release over this, but given the current DNS climate,
people will get upset if we aren't very vigilant.

Please contact me if you have questions. 

Kind regards,

Bert Hubert
PowerDNS

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

----- End forwarded message -----

--- End Message ---
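A way for an operator to verify the behaviour the advisory describes on their own authoritative server, i.e. that unusual queries get some answer (even an error RCODE) rather than silence. This is an added example, not PowerDNS or Debian code; the server address, zone and the private-use query type used as a probe are assumptions.

```python
"""Probe an authoritative DNS server and report whether it answers or stays silent.
Added example, not PowerDNS code; server, zone and probe query types are assumptions."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header, one question, no EDNS, RD clear."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_reply(packet: bytes, expected_txid: int) -> str:
    """Return the RCODE name of a reply to our query; raise if it is not one."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    if txid != expected_txid or not flags & 0x8000:  # QR bit must be set
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def probe(server: str, qname: str, qtype: int, timeout: float = 2.0) -> str:
    """Send one UDP query and classify the outcome: an RCODE name, or 'SILENT' on timeout."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "SILENT"  # the condition the advisory warns about
    return parse_reply(data, txid)


if __name__ == "__main__":
    # Assumed values: your own authoritative server and zone. Type 1 is A;
    # 65280 is in the private-use QTYPE range, used here as an "unusual" probe.
    for qtype in (1, 65280):
        print(qtype, probe("192.0.2.53", "example.com", qtype))
```

A result of SILENT for a zone the server is authoritative for is what to look for; an error RCODE is the expected post-update behaviour.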
