| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Jan 2010 16:34:10 +0100 From: bert hubert <bert.hubert@...herlabs.nl> To: bugtraq@...urityfocus.com Subject: Critical PowerDNS Recursor Security Vulnerabilities: please upgrade ASAP to 3.1.7.2 Dear PowerDNS Users, Two major vulnerabilities have recently been discovered in the PowerDNS Recursor (all versions up to and including 3.1.7.1). Over the past two weeks, these vulnerabilities have been addressed, resulting in PowerDNS Recursor 3.1.7.2. Given the nature and magnitude of these vulnerabilities, ALL PowerDNS RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No versions of the PowerDNS Authoritative Server are affected. PowerDNS Recursor 3.1.7.2 as been thoroughly tested, and has in fact been in production for a week at some major sites already. No problems have been reported. 3.1.7.2 does not include anything other than security updates. The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well as cache poisoning, connecting your users to possibly malicious IP addresses. These vulnerabilities were discovered by a third party that for now prefers not to be named. PowerDNS is however very grateful for their help. More details are available on: http://doc.powerdns.com/powerdns-advisory-2010-01.html http://doc.powerdns.com/powerdns-advisory-2010-02.html Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and will be releasing security updates shortly. Ubuntu does not provide security updates for PowerDNS, so Ubuntu users must take immediate action and download our packages. RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here: http://www.monshouwer.eu/download/3th_party/pdns-recursor/ Updated packages for .deb based systems are available here: http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb Updated packages for .rpm based systems are available here: http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm Source code is available here: http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2 Special 'upgrade option of last resort' (old systems) ----------------------------------------------------- In addition, as a special service, we are also providing two precompiled fully static Linux binaries as an 'upgrade option of last resort': http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable These two binaries are suitable of our .deb or .rpm files somehow refuse to load (which happens on RHEL version 3, for example). Download the appropriate executable, rename to pdns_recursor, set the executable bit (chmod a+x pdns_recursor), and 'mv' the executable over /usr/sbin/pdns_recursor. If you need any help in upgrading, please do not hesitate to contact us. Kind regards, Bert Hubert Bert ----- End forwarded message -----
Powered by blists - more mailing lists