Your message dated Fri, 08 Jan 2010 18:05:25 +0000
with message-id <e1ntjdb-0000ia...@ries.debian.org>
and subject line Bug#564145: fixed in pdns-recursor 3.1.7.2-1
has caused the Debian Bug report #564145,
regarding CVE-2009-4009 CVE-2009-4010 PowerDNS Recursor: code execution and
domain spoofing flaws
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
564145: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564145
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pdns-recursor
Version: 3.1.7-1~bpo40+1
Severity: critical
Debian Release: 4.0
APT : etch-backports
Two major vulnerabilities have recently been discovered in the PowerDNS
Recursor (all versions up to and including 3.1.7.1). Over the past two weeks,
these vulnerabilities have been addressed, resulting in PowerDNS Recursor
3.1.7.2.
Given the nature and magnitude of these vulnerabilities, ALL PowerDNS RECURSOR
USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No versions of the
PowerDNS Authoritative Server are affected.
PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in
production for a week at some major sites already. No problems have been
reported. 3.1.7.2 does not include anything other than security updates.
The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well as
cache poisoning, connecting your users to possibly malicious IP addresses.
These vulnerabilities were discovered by a third party that for now prefers not
to be named. PowerDNS is however very grateful for their help. More details are
available on:
http://old.nabble.com/Critical-PowerDNS-Recursor-Security-Vulnerabilities%3A-please-upgrade-ASAP-to-3.1.7.2-td27045266.html
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html
Additional security information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4010
Red Hat's bug report
https://bugzilla.redhat.com/show_bug.cgi?id=552285
I haven't found mention of a bug report or a version update within
http://packages.debian.org/etch-backports/pdns-recursor
http://packages.debian.org/etch-backports/pdns-server
I suggest that the new packages be created incorporating the recommended
version 3.1.7.2
http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2
http://www.powerdns.com/en/downloads.aspx
--
James Pohl
Senior Systems Administrator Summit with Tenzing
Direct: +1 877 767 5577 x204
Mobile: +1 250 640 4464
Fax: +1 416 981 3007
Web: www.tenzing.com
--- End Message ---
--- Begin Message ---
Source: pdns-recursor
Source-Version: 3.1.7.2-1
We believe that the bug you reported is fixed in the latest version of
pdns-recursor, which is due to be installed in the Debian FTP archive:
pdns-recursor_3.1.7.2-1.diff.gz
to main/p/pdns-recursor/pdns-recursor_3.1.7.2-1.diff.gz
pdns-recursor_3.1.7.2-1.dsc
to main/p/pdns-recursor/pdns-recursor_3.1.7.2-1.dsc
pdns-recursor_3.1.7.2-1_amd64.deb
to main/p/pdns-recursor/pdns-recursor_3.1.7.2-1_amd64.deb
pdns-recursor_3.1.7.2.orig.tar.gz
to main/p/pdns-recursor/pdns-recursor_3.1.7.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 564...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthijs Mohlmann <matth...@cacholong.nl> (supplier of updated pdns-recursor
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 08 Jan 2010 18:14:44 +0100
Source: pdns-recursor
Binary: pdns-recursor
Architecture: source amd64
Version: 3.1.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian PowerDNS Maintainers <powerdns-deb...@workaround.org>
Changed-By: Matthijs Mohlmann <matth...@cacholong.nl>
Description:
pdns-recursor - PowerDNS recursor
Closes: 551153 564145
Changes:
pdns-recursor (3.1.7.2-1) unstable; urgency=high
.
* New upstream version. (CVE-2009-4009 and CVE-2009-4010) (Closes: #564145)
* Make lintian happy.
* Now really add sh4 to the architecture list. (Closes: #551153)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktHbjcACgkQ2n1ROIkXqbDO1wCgiTcXxhXoXp2jWYWAO+vqCGrN
hcEAn0UlyDW6oplKqfbr4AlUoqFvwa8e
=Bjt2
-----END PGP SIGNATURE-----
--- End Message ---