[Pdns-announce] Security update: PowerDNS Authoritative Server 2.9.21.1 released

bert hubert bert.hubert at netherlabs.nl
Wed Aug 6 18:00:06 UTC 2008


Released on the 6th of August 2008.

* http://downloads.powerdns.com/releases/pdns-2.9.21.1.tar.gz
* http://downloads.powerdns.com/releases/deb/stable/pdns-static_2.9.21.1-1_i386.deb
* http://downloads.powerdns.com/releases/rpm/pdns-static-2.9.21.1-1.i386.rpm
* All UNIX/Linux distributions shipping PowerDNS have been notified and are
  working on updating their packages

This release consists of a single patch to PowerDNS Authoritative Server
version 2.9.21. Brian J. Dowling of Simplicity Communications discovered
a security implication of PowerDNS's previous behaviour of dropping
queries it considers malformed, without sending any answer. We are
grateful that Brian notified us quickly about this problem.

This issue has been assigned CVE-2008-3337. The single patch is in
changeset 1239, http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/1239.
More detail can be found in http://doc.powerdns.com/powerdns-advisory-2008-02.html

The implication is that while the PowerDNS Authoritative Server itself
does not face a security risk because of dropping these malformed queries,
other resolving nameservers run a higher risk of accepting spoofed answers
for domains hosted by PowerDNS Authoritative Servers before 2.9.21.1.
When the authoritative server stays silent, a forged answer does not have
to beat a genuine one: the resolver keeps the query outstanding for its
full timeout, so the attacker only needs to match the transaction ID and
source port, with no race against the real server.

While the dropping of queries does not aid sophisticated spoofing
attempts, it does make simpler attacks easier.

It may be good to know that several large sites already run with this
patch applied, as it has been in the public codebase for some weeks
already.
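The check a zone operator would want after reading this is whether a given authoritative server answers or stays silent for an oddly-shaped query. The following probe is an added example, not PowerDNS code and not part of this announcement: it builds a raw DNS query, sends it over UDP, and reports "silent" (no reply within the timeout) or "answered" with the reply's RCODE. The announcement does not say which query shapes 2.9.21 considered malformed, nor what 2.9.21.1 answers instead, so the second query shape here (class CH instead of IN) is only an assumed example of an "unusual" query; the `server`/`zone` arguments and the 2-second timeout are also assumptions.

```python
"""Probe whether an authoritative nameserver answers or stays silent for a given query shape.

Added example; not part of the PowerDNS code base or the original announcement.
"""
import socket
import struct
import sys

QTYPE_A = 1
CLASS_IN = 1
CLASS_CH = 3  # Chaosnet class; used here only as an assumed example of an unusual query shape


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = QTYPE_A, qclass: int = CLASS_IN, rd: bool = False) -> bytes:
    """Build a single-question DNS query (RFC 1035 section 4.1 header + question section)."""
    flags = 0x0100 if rd else 0x0000  # RD bit; authoritative queries are normally sent with RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_header(packet: bytes) -> dict:
    """Return txid, QR bit, RCODE and section counts from a DNS header; raise on truncation."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def classify(query: bytes, response) -> str:
    """'silent' if nothing came back, 'answered:rcode=N' for a matching reply, 'mismatch' otherwise.

    A resolver matches replies on transaction ID (and source port); a silent server leaves that
    query outstanding with nothing genuine to compete against a forged reply.
    """
    if response is None:
        return "silent"
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return "mismatch"
    return f"answered:rcode={r['rcode']}"


def probe(server: str, query: bytes, timeout: float = 2.0, port: int = 53):
    """Send one UDP query and return the raw response, or None on timeout (does network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    # Usage: python probe.py <authoritative server IP> <zone name>   (arguments are assumptions)
    server, zone = sys.argv[1], sys.argv[2]
    shapes = [
        ("normal A/IN query", build_query(0x1234, zone)),
        ("A/CH query (assumed unusual shape)", build_query(0x1235, zone, qclass=CLASS_CH)),
    ]
    for label, q in shapes:
        print(f"{label}: {classify(q, probe(server, q))}")
```

Any answer at all, even REFUSED or FORMERR, closes the resolver's outstanding query; "silent" for a query the server should at least acknowledge is the condition this advisory is about.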


-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

