SecurityReason.com - Our Reason is Security

Topic :

Critical PowerDNS Recursor Security Vulnerabilities, upgrade ASAP to 3.1.7.2

SecurityAlert : 6935
CVE : CVE-2009-4009
CVE : CVE-2009-4010
CWE : CWE-119
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : No
Credit : Bert Hubert
Published : 12.01.2010

Affected Software (all releases up to and including 3.1.7.1; 3.1.7.2 is the fixed release) :
powerdns:recursor:2.0_rc1
powerdns:recursor:2.8
powerdns:recursor:2.9.15
powerdns:recursor:2.9.16
powerdns:recursor:2.9.17
powerdns:recursor:2.9.18
powerdns:recursor:3.0
powerdns:recursor:3.0.1
powerdns:recursor:3.1
powerdns:recursor:3.1.1
powerdns:recursor:3.1.2
powerdns:recursor:3.1.3
powerdns:recursor:3.1.4
powerdns:recursor:3.1.5
powerdns:recursor:3.1.6
powerdns:recursor:3.1.7
powerdns:recursor:3.1.7.1 and previous versions



Advisory Content :

Dear PowerDNS Users,

Two major vulnerabilities have recently been discovered in the PowerDNS
Recursor (all versions up to and including 3.1.7.1). Over the past two
weeks, these vulnerabilities have been addressed, resulting in PowerDNS
Recursor 3.1.7.2.

Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
versions of the PowerDNS Authoritative Server are affected.

PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in
production for a week at some major sites already. No problems have been
reported. 3.1.7.2 does not include anything other than security updates.

The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well
as cache poisoning, connecting your users to possibly malicious IP
addresses.

These vulnerabilities were discovered by a third party that for now prefers
not to be named. PowerDNS is however very grateful for their help. More
details are available on:
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html

Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and
will be releasing security updates shortly. Ubuntu does not provide security
updates for PowerDNS, so Ubuntu users must take immediate action and
download our packages.

RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here:
http://www.monshouwer.eu/download/3th_party/pdns-recursor/

Updated packages for .deb based systems are available here:
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb

Updated packages for .rpm based systems are available here:
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm

Source code is available here:
http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2

Special 'upgrade option of last resort' (old systems)
-----------------------------------------------------
In addition, as a special service, we are also providing two precompiled
fully static Linux binaries as an 'upgrade option of last resort':

http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.amd64.static.executable
http://downloads.powerdns.com/releases/pdns_recursor-3.1.7.2.i386.static.executable

These two binaries are suitable if our .deb or .rpm files somehow refuse to
load (which happens on RHEL version 3, for example).

Download the appropriate executable, rename to pdns_recursor, set the
executable bit (chmod a+x pdns_recursor), and 'mv' the executable over
/usr/sbin/pdns_recursor.

If you need any help in upgrading, please do not hesitate to contact us.

Kind regards,

Bert Hubert

----- End forwarded message -----
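The advisory gives the affected range (everything up to and including 3.1.7.1) and a three-step manual procedure for the static binary, but no way to check a fleet for exposure. The script below is an added example, not code from Bert Hubert's advisory or from the PowerDNS project: it compares a Recursor version string against the fixed release, pulls the version out of a 'pdns_recursor --version' banner, and wraps the 'last resort' steps (rename, chmod a+x, mv over /usr/sbin/pdns_recursor) in a function that refuses to install a binary that does not report the fixed version. The banner format, the backup file name, and the use of --version on the static binary are assumptions of this example; the sample banner strings are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not code from the PowerDNS advisory or project: decide whether
# an installed Recursor falls in the affected range (everything up to and
# including 3.1.7.1) and wrap the advisory's static-binary "upgrade option of
# last resort" in a function with sanity checks.

FIXED_VERSION=3.1.7.2   # first release carrying both fixes, per the advisory

# Compare two dotted version strings field by field and print lt, eq or gt.
# A "_tag" suffix such as 2.0_rc1 is treated as a pre-release of its base
# version, i.e. 2.0_rc1 sorts before 2.0. Missing trailing fields count as 0,
# so 3.1.7 sorts before 3.1.7.2.
version_cmp() {
    a=$1; b=$2; apre=0; bpre=0
    case $a in *_*) apre=1; a=${a%%_*};; esac
    case $b in *_*) bpre=1; b=${b%%_*};; esac
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -n "$ax" ] || ax=0
        [ -n "$bx" ] || bx=0
        if [ "$ax" -lt "$bx" ]; then printf 'lt\n'; return 0; fi
        if [ "$ax" -gt "$bx" ]; then printf 'gt\n'; return 0; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    if [ "$apre" -gt "$bpre" ]; then printf 'lt\n'
    elif [ "$apre" -lt "$bpre" ]; then printf 'gt\n'
    else printf 'eq\n'; fi
}

# True (exit 0) when the given version still needs the 3.1.7.2 upgrade.
recursor_needs_upgrade() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = lt ]
}

# Pull the version out of a 'pdns_recursor --version' banner. The banner wording
# differs between releases, so this takes the first token that looks like a
# version number (an assumption about the output, not something the advisory
# states). An unrecognised banner yields an empty string, which version_cmp
# treats as older than anything, i.e. "needs upgrade".
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9._A-Za-z]*[0-9]\).*/\1/p' | head -n 1
}

# The advisory's last-resort upgrade: $1 is the downloaded static executable,
# $2 the install path (default /usr/sbin/pdns_recursor). Beyond the advisory's
# three steps (rename, chmod a+x, mv over the target) this keeps a backup of the
# old binary and refuses to install anything that does not report the fixed
# version; running the static binary with --version is an assumption. The
# running daemon still has to be restarted afterwards; the init script name
# varies per distribution, so that is left to the caller.
install_static_recursor() {
    src=$1
    target=${2:-/usr/sbin/pdns_recursor}
    [ -f "$src" ] || { printf 'no such file: %s\n' "$src" >&2; return 1; }
    chmod a+x "$src"
    newver=$(extract_version "$("$src" --version 2>&1)")
    if [ "$(version_cmp "$newver" "$FIXED_VERSION")" = lt ]; then
        printf 'refusing to install %s: it reports version "%s"\n' "$src" "$newver" >&2
        return 1
    fi
    [ -f "$target" ] && cp -p "$target" "$target.pre-$FIXED_VERSION"
    mv "$src" "$target"
}

# Demonstration on constructed banner strings (not captured from real hosts).
for banner in 'PowerDNS recursor 3.1.7.1 (C) 2001-2009 PowerDNS.COM BV' \
              'PowerDNS recursor 3.1.7.2 (C) 2001-2009 PowerDNS.COM BV'; do
    v=$(extract_version "$banner")
    if recursor_needs_upgrade "$v"; then
        printf '%s: affected, upgrade to %s\n' "$v" "$FIXED_VERSION"
    else
        printf '%s: not affected\n' "$v"
    fi
done
```

Running the demonstration prints one affected and one not-affected line; on a real host, feed the output of the installed binary's --version into extract_version, and only call install_static_recursor on a file downloaded from the advisory's URLs.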



References :

http://www.vupen.com/english/advisories/2010/0054
https://www.redhat.com/archives/fedora-package-announce/2010-January/msg00228.html
https://www.redhat.com/archives/fedora-package-announce/2010-January/msg00217.html
https://bugzilla.redhat.com/show_bug.cgi?id=552285
http://xforce.iss.net/xforce/xfdb/55439
http://www.securityfocus.com/bid/37653
http://www.securityfocus.com/archive/1/archive/1/508743/100/0/threaded
http://securitytracker.com/id?1023404
http://secunia.com/advisories/38068
http://secunia.com/advisories/38004
http://doc.powerdns.com/powerdns-advisory-2010-02.html


Copyright © SecurityReason.com. All Rights Reserved.