Debian Security Advisory

DSA-1968-1 pdns-recursor -- several vulnerabilities

Date Reported:

08 Jan 2010

Affected Packages:

pdns-recursor

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2009-4009, CVE-2009-4010.

More information:

It was discovered that pdns-recursor, the PowerDNS recursive name server, contains several vulnerabilities:

CVE-2009-4009
A buffer overflow can be exploited to crash the daemon, or potentially execute arbitrary code.
CVE-2009-4010
A cache poisoning vulnerability may allow attackers to trick the server into serving incorrect DNS data.

For the oldstable distribution (etch), fixed packages will be provided soon.

For the stable distribution (lenny), these problems have been fixed in version 3.1.7-1+lenny1.

For the unstable distribution (sid), these problems have been fixed in version 3.1.7.2-1.

We recommend that you upgrade your pdns-recursor package.

Fixed in:

Source:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7.orig.tar.gz; http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1.dsc; http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1.diff.gz
Alpha:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1_amd64.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1_ia64.deb
PowerPC:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/p/pdns-recursor/pdns-recursor_3.1.7-1+lenny1_s390.deb

MD5 checksums of the listed files are available in the original advisory.