lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100106153410.GB25606@xs.powerdns.com>
Date: Wed, 6 Jan 2010 16:34:10 +0100
From: bert hubert <bert.hubert@...herlabs.nl>
To: bugtraq@...urityfocus.com
Subject: Critical PowerDNS Recursor Security Vulnerabilities: please
 upgrade ASAP to 3.1.7.2

Dear PowerDNS Users,

Two major vulnerabilities have recently been discovered in the PowerDNS
Recursor (all versions up to and including 3.1.7.1). Over the past two
weeks, these vulnerabilities have been addressed, resulting in PowerDNS
Recursor 3.1.7.2.

Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
versions of the PowerDNS Authoritative Server are affected.

PowerDNS Recursor 3.1.7.2 as been thoroughly tested, and has in fact been in
production for a week at some major sites already.  No problems have been
reported. 3.1.7.2 does not include anything other than security updates.

The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well
as cache poisoning, connecting your users to possibly malicious IP addresses.

These vulnerabilities were discovered by a third party that for now prefers
not to be named. PowerDNS is however very grateful for their help. More
details are available on:
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html

Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and
will be releasing security updates shortly. Ubuntu does not provide security
updates for PowerDNS, so Ubuntu users must take immediate action and
download our packages.

RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here:
http://www.monshouwer.eu/download/3th_party/pdns-recursor/

Updated packages for .deb based systems are available here:
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb

Updated packages for .rpm based systems are available here:
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm

Source code is available here:
http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2

Special 'upgrade option of last resort' (old systems)
-----------------------------------------------------
In addition, as a special service, we are also providing two precompiled
fully static Linux binaries as an 'upgrade option of last resort':

http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable
http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable

These two binaries are suitable of our .deb or .rpm files somehow refuse to
load (which happens on RHEL version 3, for example).

Download the appropriate executable, rename to pdns_recursor, set the
executable bit (chmod a+x pdns_recursor), and 'mv' the executable over
/usr/sbin/pdns_recursor.

If you need any help in upgrading, please do not hesitate to contact us.

Kind regards,


Bert Hubert

	Bert


----- End forwarded message -----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ