pdns-recursor: CVE-2024-25583

Debian Bug report logs - #1069762

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 24 Apr 2024 11:45:02 UTC

Severity: grave

Tags: security

Found in versions pdns-recursor/4.9.4-1, pdns-recursor/4.8.7-1

Fixed in version pdns-recursor/4.9.5-1

Done: Chris Hofstaedtler <zeha@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>:
Bug#1069762; Package src:pdns-recursor. (Wed, 24 Apr 2024 11:45:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>. (Wed, 24 Apr 2024 11:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: pdns-recursor: CVE-2024-25583
Date: Wed, 24 Apr 2024 13:41:35 +0200
Source: pdns-recursor
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pdns-recursor.

CVE-2024-25583[0]:
PowerDNS Security Advisory 2024-02: if recursive forwarding is
configured, crafted responses can lead to a denial of service in Recursor
https://www.openwall.com/lists/oss-security/2024/04/24/1 


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25583
    https://www.cve.org/CVERecord?id=CVE-2024-25583

Please adjust the affected versions in the BTS as needed.

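A quick exposure check for this advisory, as an added example (editor's shell, not PowerDNS's or Debian's code). It combines the two facts this log establishes, that the fix ships in 4.9.5-1 for unstable and in the 4.8.8-1 stable upload discussed further down, with the advisory's precondition that recursive forwarding is configured. The recursor.conf option names it looks for (forward-zones-recurse, and '+'-prefixed entries in the file named by forward-zones-file) come from the upstream Recursor documentation, not from this page; the sample configs and the 192.0.2.53 address are constructed. It reports exposure only: a vulnerable package without recursive forwarding still needs the update.

```shell
#!/bin/sh
# Added example (editor's, not PowerDNS's or Debian's): is a Debian host
# running pdns-recursor exposed to CVE-2024-25583?
# Facts from this bug log: fixed in 4.9.5-1 (unstable) and 4.8.8-1 (stable);
# the advisory applies when recursive forwarding is configured.
# Option names follow the upstream recursor.conf docs (assumption, not from
# this page). Branches this log does not cover report "unknown".

# fixed_for_branch VERSION -> first fixed Debian version for that 4.x branch
fixed_for_branch() {
    case "$1" in
        4.8.*) echo 4.8.8-1 ;;
        4.9.*) echo 4.9.5-1 ;;
        *)     echo unknown ;;
    esac
}

# version_lt A B -> true if A is older than B
# (dpkg semantics when dpkg exists; sort -V is only an approximation)
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# recursive_forwarding_configured CONF -> true if recursor.conf enables it
recursive_forwarding_configured() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # forward-zones-recurse=zone=ip[,zone=ip...] with a non-empty value
    if grep -Eq '^[[:space:]]*forward-zones-recurse[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf"; then
        return 0
    fi
    # forward-zones-file=PATH; inside it, lines starting with '+' forward recursively
    zf=$(sed -n 's/^[[:space:]]*forward-zones-file[[:space:]]*=[[:space:]]*//p' "$conf" | head -n1)
    [ -n "$zf" ] && [ -r "$zf" ] && grep -q '^+' "$zf"
}

# is_affected VERSION CONF -> "patched", "affected", "not-exposed" or "unknown"
is_affected() {
    ver="$1"; conf="$2"
    fixed=$(fixed_for_branch "$ver")
    if [ "$fixed" = unknown ]; then
        echo unknown
    elif ! version_lt "$ver" "$fixed"; then
        echo patched
    elif recursive_forwarding_configured "$conf"; then
        echo affected
    else
        echo not-exposed
    fi
}

# Constructed sample configs (hypothetical zone and 192.0.2.53, a documentation
# address) so that the check runs without a real recursor installed.
make_samples() {
    d=$(mktemp -d)
    printf 'local-address=127.0.0.1\nforward-zones-recurse=corp.example=192.0.2.53\n' > "$d/forwarding.conf"
    printf 'local-address=127.0.0.1\n' > "$d/plain.conf"
    printf '+corp.example=192.0.2.53\n' > "$d/zones.txt"
    printf 'forward-zones-file=%s/zones.txt\n' "$d" > "$d/file.conf"
    echo "$d"
}

# Run with --demo to print the verdict for the versions named in this bug log.
if [ "${1:-}" = --demo ]; then
    d=$(make_samples)
    for v in 4.8.7-1 4.8.8-1 4.9.4-1 4.9.5-1; do
        echo "$v forwarding.conf: $(is_affected "$v" "$d/forwarding.conf")"
        echo "$v plain.conf:      $(is_affected "$v" "$d/plain.conf")"
    done
    rm -rf "$d"
fi
```

On a real host you would pass the live values, for example `is_affected "$(dpkg-query -W -f '${Version}' pdns-recursor)" /etc/powerdns/recursor.conf`. Version ordering is delegated to `dpkg --compare-versions` where it exists because `sort -V` does not implement Debian's epoch and tilde rules; the fallback is good enough for the plain versions in this log.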


Marked as found in versions pdns-recursor/4.9.4-1. Request was from Chris Hofstaedtler <zeha@debian.org> to control@bugs.debian.org. (Wed, 24 Apr 2024 12:30:07 GMT)


Marked as found in versions pdns-recursor/4.8.7-1. Request was from Chris Hofstaedtler <zeha@debian.org> to control@bugs.debian.org. (Wed, 24 Apr 2024 12:30:07 GMT)


Reply sent to Chris Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Wed, 24 Apr 2024 13:21:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 24 Apr 2024 13:21:03 GMT)


Message #14 received at 1069762-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1069762-close@bugs.debian.org
Subject: Bug#1069762: fixed in pdns-recursor 4.9.5-1
Date: Wed, 24 Apr 2024 13:19:36 +0000
Source: pdns-recursor
Source-Version: 4.9.5-1
Done: Chris Hofstaedtler <zeha@debian.org>

We believe that the bug you reported is fixed in the latest version of
pdns-recursor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069762@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <zeha@debian.org> (supplier of updated pdns-recursor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 24 Apr 2024 14:19:26 +0200
Source: pdns-recursor
Architecture: source
Version: 4.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: pdns-recursor packagers <pdns-recursor@packages.debian.org>
Changed-By: Chris Hofstaedtler <zeha@debian.org>
Closes: 1069762
Changes:
 pdns-recursor (4.9.5-1) unstable; urgency=medium
 .
   * New upstream version 4.9.5, including fix for CVE-2024-25583
     (Closes: #1069762)
Checksums-Sha1:
 1324089baae0d3ad5dcc1331d3f8c5cff8c9ecd5 2871 pdns-recursor_4.9.5-1.dsc
 da8bc013ee0fef9e4e18a2e023c26cc10648d574 1556147 pdns-recursor_4.9.5.orig.tar.bz2
 04271a59919ac5f9084a73384beae7b8e3eced0d 488 pdns-recursor_4.9.5.orig.tar.bz2.asc
 d33467707919ef469741a7aa4e47de8784277cb9 23728 pdns-recursor_4.9.5-1.debian.tar.xz
 e11dae70c571471e9b7f8034b161926a2d7d6980 9647 pdns-recursor_4.9.5-1_arm64.buildinfo
Checksums-Sha256:
 284ce1b6af758bee617a38a3e893c357d0c82e3a2a15f17d6fdad49fcaf17a70 2871 pdns-recursor_4.9.5-1.dsc
 1d062be88c70c27200821c1c6154ee68e4efec395eff588ee1e73c4e81e4f51e 1556147 pdns-recursor_4.9.5.orig.tar.bz2
 dfd0d2e16b9a304da858c6dd01abf465fb759ddd83db4e0dcad53a2a4fa13087 488 pdns-recursor_4.9.5.orig.tar.bz2.asc
 df65b867c04cc6b91736705a2cb64d6d85e58bd63c000f744963c5cad4248a86 23728 pdns-recursor_4.9.5-1.debian.tar.xz
 067255269eb32eada41904154c2fe995bd559f97747f9d00008e44086c2d27e7 9647 pdns-recursor_4.9.5-1_arm64.buildinfo
Files:
 f122f2cfe183c33ed4e3bde8aaa59472 2871 net optional pdns-recursor_4.9.5-1.dsc
 ffb6a13c94a32f21780df601d56bd970 1556147 net optional pdns-recursor_4.9.5.orig.tar.bz2
 9e4360c9a06d4744b164867ce7be67c1 488 net optional pdns-recursor_4.9.5.orig.tar.bz2.asc
 af3414311b44df3acd1b5ea494a6be07 23728 net optional pdns-recursor_4.9.5-1.debian.tar.xz
 f4b94c5a60e93003dfda463889a96523 9647 net optional pdns-recursor_4.9.5-1_arm64.buildinfo


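The Checksums-Sha256 block in the .changes above is what dget and dpkg-source check downloaded files against. The following is an added example of that check (editor's shell, not a Debian tool): it parses the block and compares size and SHA-256 for every listed file, failing on a missing file, a size mismatch or a digest mismatch. The sample .changes it builds is constructed from two throwaway files whose digests are the well-known SHA-256 values of the empty string and of "abc"; the real .changes is clearsigned, and verifying that signature with gpg --verify comes before trusting its checksums.

```shell
#!/bin/sh
# Added example (editor's, not a Debian tool): verify files against the
# Checksums-Sha256 block of a .changes file, checking size and digest.
# Verify the clearsign signature of a real .changes first (gpg --verify);
# this script trusts whatever block it is given.

# sha256_of FILE -> hex digest (coreutils sha256sum, or shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_changes CHANGES DIR -> prints "OK name" or "FAIL name (reason)" per
# entry; exit status 0 only when every listed file matches size and digest
verify_changes() {
    changes="$1"; dir="$2"; failures=0
    list=$(mktemp)
    # Continuation lines (leading space) between "Checksums-Sha256:" and the
    # next top-level field such as "Files:"
    awk '/^Checksums-Sha256:/ {f=1; next} /^[A-Za-z-]+:/ {f=0} f' "$changes" > "$list"
    while read -r want size name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "FAIL $name (missing)"; failures=$((failures+1)); continue
        fi
        have_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$have_size" != "$size" ]; then
            echo "FAIL $name (size $have_size, expected $size)"; failures=$((failures+1)); continue
        fi
        have=$(sha256_of "$path")
        if [ "$have" != "$want" ]; then
            echo "FAIL $name (sha256 mismatch)"; failures=$((failures+1)); continue
        fi
        echo "OK $name"
    done < "$list"
    rm -f "$list"
    [ "$failures" -eq 0 ]
}

# Constructed sample in the .changes layout: two throwaway files whose
# digests are the standard test values for "" and "abc" (SHA-256 and MD5).
make_sample() {
    d=$(mktemp -d)
    : > "$d/empty.tar"
    printf 'abc' > "$d/abc.dsc"
    cat > "$d/sample.changes" <<EOF
Format: 1.8
Source: sample
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 empty.tar
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 abc.dsc
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 net optional empty.tar
 900150983cd24fb0d6963f7d28e17f72 3 net optional abc.dsc
EOF
    echo "$d"
}

# Run with --demo to verify the constructed sample, then a tampered copy.
if [ "${1:-}" = --demo ]; then
    d=$(make_sample)
    verify_changes "$d/sample.changes" "$d" && echo "sample: all good"
    printf 'abd' > "$d/abc.dsc"
    verify_changes "$d/sample.changes" "$d" || echo "tampered: rejected"
    rm -rf "$d"
fi
```

Against a real upload you would run `verify_changes pdns-recursor_4.9.5-1_arm64.changes .` in the directory holding the downloaded .dsc and tarballs. The size check is kept separate from the digest check because it is cheap and gives a clearer failure message when a download was truncated.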

Information forwarded to debian-bugs-dist@lists.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>:
Bug#1069762; Package src:pdns-recursor. (Thu, 25 Apr 2024 06:39:15 GMT)


Acknowledgement sent to Chris Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to pdns-recursor packagers <pdns-recursor@packages.debian.org>. (Thu, 25 Apr 2024 06:39:15 GMT)


Message #19 received at 1069762@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: 1069762@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>
Cc: team@security.debian.org
Subject: pdns-recursor: CVE-2024-25583 - 4.8.8 for stable
Date: Thu, 25 Apr 2024 08:37:14 +0200
Hi Moritz,

could we once again use the upstream release for stable?
debdiff 4.8.7-1 -> 4.8.8-1 is attached.

Apart from the usual autoconf/pubsuffix diff noise, it matches
https://github.com/PowerDNS/pdns/commit/3365253d0634f2bd01258719b6bea1c2ffa8795a

Thanks,
Chris

[pdns-recursor_4.8.8-1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>:
Bug#1069762; Package src:pdns-recursor. (Thu, 25 Apr 2024 06:45:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to pdns-recursor packagers <pdns-recursor@packages.debian.org>. (Thu, 25 Apr 2024 06:45:02 GMT)


Message #24 received at 1069762@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Chris Hofstaedtler <zeha@debian.org>
Cc: 1069762@bugs.debian.org, team@security.debian.org
Subject: Re: pdns-recursor: CVE-2024-25583 - 4.8.8 for stable
Date: Thu, 25 Apr 2024 08:43:55 +0200
On Thu, Apr 25, 2024 at 08:37:14AM +0200, Chris Hofstaedtler wrote:
> Hi Moritz,
> 
> could we once again use the upstream release for stable?
> debdiff 4.8.7-1 -> 4.8.8-1 is attached.

Ack. Following the 4.8 releases has served us well. debdiff looks fine,
please build with -sa and upload to security-master.

Cheers,
        Moritz



Marked as found in versions pdns-recursor/4.8.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2024 07:03:04 GMT)


No longer marked as found in versions pdns-recursor/4.8.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Apr 2024 07:03:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>:
Bug#1069762; Package src:pdns-recursor. (Thu, 25 Apr 2024 07:39:03 GMT)


Acknowledgement sent to Chris Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to pdns-recursor packagers <pdns-recursor@packages.debian.org>. (Thu, 25 Apr 2024 07:39:03 GMT)


Message #33 received at 1069762@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 1069762@bugs.debian.org, team@security.debian.org
Subject: Re: pdns-recursor: CVE-2024-25583 - 4.8.8 for stable
Date: Thu, 25 Apr 2024 09:36:20 +0200
* Moritz Muehlenhoff <jmm@inutil.org> [240425 08:44]:
> On Thu, Apr 25, 2024 at 08:37:14AM +0200, Chris Hofstaedtler wrote:
> > Hi Moritz,
> > 
> > could we once again use the upstream release for stable?
> > debdiff 4.8.7-1 -> 4.8.8-1 is attached.
> 
> Ack. Following the 4.8 releases has served us well. debdiff looks fine,
> please build with -sa and upload to security-master.

Done.

Thanks,
Chris




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 25 11:54:23 2024; Machine Name: buxtehude
