[Pdns-users] Attack scope clarification, Ubuntu PowerDNS Recursor Updates + need to restart

Jean Baptiste powerdns at jbfavre.org
Sat Jan 9 12:38:20 UTC 2010


Hello,
Indeed there are updates for Debian:
http://www.uk.debian.org/security/2010/dsa-1968

Not visible from main website, but available through RSS feeds and 
twitter account.
For the moment only available for Lenny, but as Etch provides the 3.1.4, 
I think they're waiting for the patch as well as Ubuntu.

Regards,
JB

On 09/01/2010 13:11, allied internet ag- Stefan Priebe wrote:
> What about Debian - there don't seem to be any updates at all... :-(
>
> Stefan
>
> bert hubert wrote:
>> Dear PowerDNS Users,
>>
>> Three important updates:
>>
>> 1) To clarify, *ALL* PowerDNS Recursor installations are vulnerable to
>> attack, even if you only provide service to trusted users! There is an
>> attack vector through malicious authoritative servers.
>>
>> 2) A reminder, some PowerDNS Packages do not automatically restart the
>> PowerDNS Recursor when an upgrade is installed. To be on the safe side,
>> restart your recursor manually.
>>
>> 3) I'm happy to report that, contrary to initial indications, Ubuntu has in
>> fact updated the PowerDNS Recursor for their recent distributions, and will
>> be addressing their older versions too once we get round to shipping the
>> patch to 3.1.4.
>>
>> Many thanks to Imre Gergely, who mangled the patches for Ubuntu.
>>
>> Bert
>>
>>
>> On Wed, Jan 06, 2010 at 04:19:56PM +0100, bert hubert wrote:
>>> The correct links to the .deb packages are:
>>> http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb
>>>
>>> http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb
>>>
>>>
>>> Special 'upgrade option of last resort' (old systems)
>>> -----------------------------------------------------
>>> In addition, as a special service, we are also providing two precompiled
>>> fully static Linux binaries as an 'upgrade option of last resort':
>>>
>>> http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable
>>>
>>> http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable
>>>
>>>
>>> These two binaries are suitable if our .deb or .rpm files somehow refuse to
>>> load (which happens on RHEL version 3, for example).
>>>
>>> Download the appropriate executable, rename to pdns_recursor, set the
>>> executable bit (chmod a+x pdns_recursor), and 'mv' the executable over
>>> /usr/sbin/pdns_recursor.
>>>
>>> Bert
>>>
>>> On Wed, Jan 06, 2010 at 04:11:09PM +0100, bert hubert wrote:
>>>> Dear PowerDNS Users,
>>>>
>>>> Two major vulnerabilities have recently been discovered in the PowerDNS
>>>> Recursor (all versions up to and including 3.1.7.1). Over the past two
>>>> weeks, these vulnerabilities have been addressed, resulting in PowerDNS
>>>> Recursor 3.1.7.2.
>>>>
>>>> Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
>>>> RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
>>>> versions of the PowerDNS Authoritative Server are affected.
>>>>
>>>> PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in
>>>> production for a week at some major sites already. No problems have been
>>>> reported. 3.1.7.2 does not include anything other than security updates.
>>>>
>>>> The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well
>>>> as cache poisoning, connecting your users to possibly malicious IP
>>>> addresses.
>>>>
>>>> These vulnerabilities were discovered by a third party that for now prefers
>>>> not to be named. PowerDNS is however very grateful for their help. More
>>>> details are available on:
>>>> http://doc.powerdns.com/powerdns-advisory-2010-01.html
>>>> http://doc.powerdns.com/powerdns-advisory-2010-02.html
>>>>
>>>> Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and
>>>> will be releasing security updates shortly. Ubuntu does not provide security
>>>> updates for PowerDNS, so Ubuntu users must take immediate action and
>>>> download our packages.
>>>>
>>>> RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here:
>>>> http://www.monshouwer.eu/download/3th_party/pdns-recursor/
>>>>
>>>> Updated packages for .deb based systems are available here:
>>>> http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
>>>>
>>>> http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm
>>>>
>>>>
>>>> Updated packages for .rpm based systems are available here:
>>>> http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
>>>>
>>>> http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm
>>>>
>>>>
>>>> Source code is available here:
>>>> http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2
>>>>
>>>> If you need any help in upgrading, please do not hesitate to contact us.
>>>>
>>>> Kind regards,
>>>>
>>>>
>>>> Bert Hubert
>>> _______________________________________________
>>> Pdns-announce mailing list
>>> Pdns-announce at mailman.powerdns.com
>>> http://mailman.powerdns.com/mailman/listinfo/pdns-announce
>>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
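
Point 2 of the quoted announcement (restart the recursor after an upgrade) can be verified on Linux, where the `/proc/<pid>/exe` link gains a ` (deleted)` suffix once the binary a process was started from has been replaced on disk, as happens with a package upgrade or the 'mv' procedure quoted above. The script below is an added example, not part of the original thread or of PowerDNS; the function names `exe_is_stale` and `needs_restart` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list pdns_recursor processes that still run a replaced binary.

# exe_is_stale LINK_TARGET
# Succeeds when the /proc/<pid>/exe target shows that the on-disk file was
# replaced or removed after the process started (Linux appends " (deleted)").
exe_is_stale() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# needs_restart PROC_ROOT NAME
# Prints the PIDs under PROC_ROOT (normally /proc) whose executable is called
# NAME and is stale, separated by spaces. Prints an empty line if there are none.
needs_restart() {
    proc_root=$1
    name=$2
    stale=""
    for dir in "$proc_root"/[0-9]*; do
        [ -L "$dir/exe" ] || continue
        # Unreadable links (other users' processes, kernel threads) are skipped.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        base=${target%' (deleted)'}
        case "$base" in
            */"$name") ;;
            *) continue ;;
        esac
        if exe_is_stale "$target"; then
            stale="$stale ${dir##*/}"
        fi
    done
    echo "${stale# }"
}

# Run against the live system; reading other users' processes requires root.
stale_pids=$(needs_restart /proc pdns_recursor)
if [ -n "$stale_pids" ]; then
    echo "pdns_recursor still running the old binary, restart needed: PID $stale_pids"
else
    echo "no pdns_recursor process is running a replaced binary"
fi
```

A clean result only shows that the running process matches the file on disk; it does not show that the file on disk is the fixed release.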



