[Pdns-users] Attack scope clarification, Ubuntu PowerDNS Recursor Updates + need to restart

bert hubert bert.hubert at netherlabs.nl
Sat Jan 9 11:22:15 UTC 2010


Dear PowerDNS Users,

Three important updates:

1) To clarify, *ALL* PowerDNS Recursor installations are vulnerable to
attack, even if you only provide service to trusted users! There is an
attack vector through malicious authoritative servers.

2) A reminder, some PowerDNS Packages do not automatically restart the
PowerDNS Recursor when an upgrade is installed. To be on the safe side,
restart your recursor manually.

3) I'm happy to report that, contrary to initial indications, Ubuntu has in
fact updated the PowerDNS Recursor for their recent distributions, and will
be addressing their older versions too once we get round to shipping the
patch to 3.1.4.

Many thanks to Imre Gergely, who mangled the patches for Ubuntu.

	Bert


On Wed, Jan 06, 2010 at 04:19:56PM +0100, bert hubert wrote:
> The correct links to the .deb packages are:
> http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb
> http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb
> 
> Special 'upgrade option of last resort' (old systems)
> -----------------------------------------------------
> In addition, as a special service, we are also providing two precompiled
> fully static Linux binaries as an 'upgrade option of last resort':
> 
> http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable
> http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable
> 
> These two binaries are suitable if our .deb or .rpm files somehow refuse to
> load (which happens on RHEL version 3, for example).
> 
> Download the appropriate executable, rename to pdns_recursor, set the
> executable bit (chmod a+x pdns_recursor), and 'mv' the executable over
> /usr/sbin/pdns_recursor.
> 
> 	Bert
> 
> On Wed, Jan 06, 2010 at 04:11:09PM +0100, bert hubert wrote:
> > Dear PowerDNS Users,
> > 
> > Two major vulnerabilities have recently been discovered in the PowerDNS
> > Recursor (all versions up to and including 3.1.7.1). Over the past two
> > weeks, these vulnerabilities have been addressed, resulting in PowerDNS
> > Recursor 3.1.7.2.
> > 
> > Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
> > RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
> > versions of the PowerDNS Authoritative Server are affected.
> > 
> > PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in
> > production for a week at some major sites already.  No problems have been
> > reported. 3.1.7.2 does not include anything other than security updates.
> > 
> > The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well
> > as cache poisoning, connecting your users to possibly malicious IP addresses.
> > 
> > These vulnerabilities were discovered by a third party that for now prefers
> > not to be named. PowerDNS is however very grateful for their help. More
> > details are available on:
> > http://doc.powerdns.com/powerdns-advisory-2010-01.html
> > http://doc.powerdns.com/powerdns-advisory-2010-02.html
> > 
> > Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and
> > will be releasing security updates shortly. Ubuntu does not provide security
> > updates for PowerDNS, so Ubuntu users must take immediate action and
> > download our packages.
> > 
> > RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here:
> > http://www.monshouwer.eu/download/3th_party/pdns-recursor/
> > 
> > Updated packages for .deb based systems are available here:
> > http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
> > http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm
> > 
> > Updated packages for .rpm based systems are available here:
> > http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
> > http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm
> > 
> > Source code is available here:
> > http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2
> > 
> > If you need any help in upgrading, please do not hesitate to contact us.
> > 
> > Kind regards,
> > 
> > 
> > Bert Hubert
> _______________________________________________
> Pdns-announce mailing list
> Pdns-announce at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-announce
> 
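A small added check script, not part of the announcement or of the PowerDNS project, that follows up on points 1 and 2 of the message above: it reports whether a host still runs a recursor older than 3.1.7.2 and, once the package has been upgraded, whether the running process still predates the new binary on disk (the manual restart is still outstanding). It assumes a Linux host with GNU coreutils and procps, that the recursor is installed at /usr/sbin/pdns_recursor, that `pdns_recursor --version` prints the version as a dotted number, and that the init script is /etc/init.d/pdns-recursor; none of these are stated in the thread and all are assumptions.

```shell
#!/bin/sh
# Added example (not from the PowerDNS announcement): decide whether a host
# still needs the 3.1.7.2 upgrade, or only the manual restart that some
# packages do not perform. Assumes Linux with GNU coreutils/procps; the
# binary path, --version output format and init script name are assumptions.

FIXED_VERSION="3.1.7.2"                                  # from the advisory
BINARY="${PDNS_RECURSOR_BIN:-/usr/sbin/pdns_recursor}"  # assumed path

# version_lt A B: succeed (return 0) when dotted version A is older than B.
# Missing components count as 0, so 3.1.7 compares equal to 3.1.7.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# extract_version: print the first dotted numeric token found on stdin,
# e.g. "3.1.7.1" from whatever `pdns_recursor --version` prints.
extract_version() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit } }'
}

# decide INSTALLED_VERSION BINARY_MTIME PROC_START
# Timestamps are epoch seconds; PROC_START is empty when no recursor runs.
# Prints exactly one of: upgrade, stopped, restart, ok.
decide() {
    installed="$1"; bin_mtime="$2"; proc_start="$3"
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo upgrade; return
    fi
    if [ -z "$proc_start" ]; then
        echo stopped; return
    fi
    # Binary on disk newer than the running process: the package was
    # upgraded but the old, vulnerable code is still serving queries.
    if [ "$bin_mtime" -gt "$proc_start" ]; then
        echo restart; return
    fi
    echo ok
}

# main: gather the live facts from this host and print the verdict.
main() {
    installed=$("$BINARY" --version 2>&1 | extract_version)
    bin_mtime=$(stat -c %Y "$BINARY")                   # GNU stat
    pid=$(pidof pdns_recursor 2>/dev/null | cut -d' ' -f1)
    if [ -n "$pid" ]; then
        # etimes = seconds since the process started (procps ps)
        proc_start=$(( $(date +%s) - $(ps -o etimes= -p "$pid") ))
    else
        proc_start=""
    fi
    action=$(decide "${installed:-0}" "$bin_mtime" "$proc_start")
    echo "pdns_recursor ${installed:-unknown} ($BINARY): $action"
    case "$action" in
        upgrade) echo "install 3.1.7.2 from your distribution or downloads.powerdns.com" ;;
        restart) echo "run: /etc/init.d/pdns-recursor restart   # assumed init script" ;;
    esac
}

# The live check only runs when asked for, so the functions can be sourced
# and exercised with constructed inputs.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh pdns_check.sh --check`; without the argument the script only defines the functions, which keeps `decide` testable with constructed timestamps and version strings.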