Package: pdns-recursor
Version: 3.1.7-1~bpo40+1
Severity: critical
Debian Release: 4.0
APT: etch-backports
Two major vulnerabilities have recently been discovered in the PowerDNS Recursor (all versions up to and including 3.1.7.1). Over the past two weeks, these vulnerabilities have been addressed, resulting in PowerDNS Recursor 3.1.7.2. Given the nature and magnitude of these vulnerabilities, ALL PowerDNS RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No versions of the PowerDNS Authoritative Server are affected.

PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in production for a week at some major sites already. No problems have been reported. 3.1.7.2 does not include anything other than security updates.

The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well as cache poisoning, connecting your users to possibly malicious IP addresses.

These vulnerabilities were discovered by a third party that for now prefers not to be named. PowerDNS is however very grateful for their help.

More details are available on:
http://old.nabble.com/Critical-PowerDNS-Recursor-Security-Vulnerabilities%3A-please-upgrade-ASAP-to-3.1.7.2-td27045266.html
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html

Additional security information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4010

Red Hat's bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=552285

I haven't found mention of a bug report or a version update within
http://packages.debian.org/etch-backports/pdns-recursor
http://packages.debian.org/etch-backports/pdns-server

I suggest that new packages be created incorporating the recommended version 3.1.7.2:
http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2
http://www.powerdns.com/en/downloads.aspx

-- 
James Pohl
Senior Systems Administrator
Summit with Tenzing
Direct: +1 877 767 5577 x204
Mobile: +1 250 640 4464
Fax: +1 416 981 3007
Web: www.tenzing.com
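Added example, not part of the bug report above and not PowerDNS or Debian code: a small POSIX sh check that takes a Debian package version string such as the one in this report (3.1.7-1~bpo40+1), strips the epoch and Debian revision to get the upstream version, and decides whether it falls below the fixed upstream release 3.1.7.2 named in the advisory. The function names (upstream_of, vercmp, is_vulnerable), the assumption that the upstream version is purely dotted-numeric, and the sample version strings are all mine. It deliberately treats a missing trailing component as 0, so 3.1.7 compares as older than 3.1.7.2, which is the exact boundary the advisory draws; it is not a substitute for dpkg's full version-ordering rules.

```shell
#!/bin/sh
# Added example (not from the bug report, PowerDNS or Debian): flag a Debian
# pdns-recursor package version as affected when its upstream part is older
# than the fixed release the advisory names. All sample inputs are constructed.

FIXED_UPSTREAM="3.1.7.2"   # first fixed upstream release per the advisory

# upstream_of VERSION: drop a Debian epoch ("1:") and revision ("-1~bpo40+1").
# e.g. "3.1.7-1~bpo40+1" -> "3.1.7", "1:3.1.7.2-1" -> "3.1.7.2"
upstream_of() {
    v="$1"
    v="${v#*:}"                 # strip epoch, if any
    printf '%s\n' "${v%%-*}"    # strip everything from the first '-' on
}

# vercmp A B: print -1, 0 or 1 for dotted numeric versions. A missing component
# counts as 0, so "3.1.7" < "3.1.7.2"; a component like "7rc1" compares as 7.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        if [ "$a" = "$ac" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bc" ]; then b=""; else b="${b#*.}"; fi
        ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"   # keep leading digits only
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# is_vulnerable DEBIAN_VERSION: success (0) when the upstream part predates
# FIXED_UPSTREAM, i.e. the package is in the advisory's affected range.
is_vulnerable() {
    up="$(upstream_of "$1")"
    [ "$(vercmp "$up" "$FIXED_UPSTREAM")" -lt 0 ]
}

# Constructed sample: the etch-backports version from this report, and a
# hypothetical package of the fixed release.
for v in "3.1.7-1~bpo40+1" "3.1.7.2-1"; do
    if is_vulnerable "$v"; then
        printf '%s: affected, upgrade to %s\n' "$v" "$FIXED_UPSTREAM"
    else
        printf '%s: not in the affected range\n' "$v"
    fi
done
```

To check a live host you would feed it the installed version, for example `is_vulnerable "$(dpkg-query -W -f='${Version}' pdns-recursor)"`; the comparison only looks at the upstream version, so a distribution that backports the fix into a 3.1.7-based package without bumping the upstream version would still be reported as affected, and the changelog should be consulted in that case.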