openSUSE Security Update: Security update for pdns-recursor
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1685-1
Rating: moderate
References: #906583
Cross-References: CVE-2014-8601
Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This pdns-recursor version update fixes the following security issue and
non-security issues.
Update to upstream release 3.6.2.
- boo#906583: Degraded service through queries to specific
domains (CVE-2014-8601)
- Fixed broken _localstatedir
Update to upstream release 3.6.1.
- gab14b4f: expedite servfail generation for ezdns-like failures (fully
abort query resolving if we hit more than 50 outqueries)
- g42025be: PowerDNS now polls the security status of a release at startup
and periodically. More detail on this feature, and how to turn it off,
can be found in Section 2, "Security polling".
- g5027429: We did not transmit the right 'local' socket address to Lua
for TCP/IP queries in the recursor. In addition, we would attempt to
look up a file descriptor that wasn't there in an unlocked map, which could
conceivably lead to crashes. Closes t1828, thanks Winfried for reporting.
- g752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with
static key in custom header
- g6fdd40d: add missing #include to rec-channel.hh (this fixes
building on OS X).
- sync permissions/ownership of home and config dir with the pdns package
- added systemd support for 12.3 and newer
Update to upstream release 3.5.3.
- This is a bugfix and performance update to 3.5.2. It brings serious
performance improvements for dual stack users. For all the details see
http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.3
- Remove patch (pdns-recursor-3.3_config.patch)
- Add patch (pdns-recursor-3.5.3_config.patch)
Update to upstream release 3.5.2.
- Responses without the QR bit set now get matched up to an
outstanding query, so that resolution can be aborted early instead of
waiting for a timeout.
- The depth limiter changes in 3.5.1 broke some legal domains with lots of
indirection.
- Slightly improved logging to aid debugging.
Update to upstream version 3.5.1.
- This is a stability and bugfix update to 3.5. It contains important
fixes that improve operation for certain domains. This is a stability,
security and bugfix update to 3.3/3.3.1. It contains important fixes for
slightly broken domain names, which your users expect to work anyhow.
For all details see
http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.1
- adapted patches: pdns-rec-lua52.patch pdns-recursor-3.5.1_config.patch
- fixed conditional for different lua versions
- started some basic support to build packages for non suse distros
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.1:
zypper in -t patch openSUSE-2014-798
- openSUSE 12.3:
zypper in -t patch openSUSE-2014-798
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.1 (i586 x86_64):
pdns-recursor-3.6.2-8.4.1
pdns-recursor-debuginfo-3.6.2-8.4.1
pdns-recursor-debugsource-3.6.2-8.4.1
- openSUSE 12.3 (i586 x86_64):
pdns-recursor-3.6.2-6.4.1
pdns-recursor-debuginfo-3.6.2-6.4.1
pdns-recursor-debugsource-3.6.2-6.4.1
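
To confirm that a host actually carries the fixed build after patching, the installed version-release can be compared with the one in the package list above. This is an added example, not part of the original advisory; the function names are hypothetical, and it assumes that `sort -V` is an adequate stand-in for RPM's version comparison on these purely numeric strings.

```shell
#!/bin/sh
# Fixed pdns-recursor builds, copied from the Package List of this advisory.
fixed_for_product() {
    case "$1" in
        13.1) echo "3.6.2-8.4.1" ;;
        12.3) echo "3.6.2-6.4.1" ;;
        *)    return 1 ;;
    esac
}

# version_ge A B: succeed when version-release A is at or above B.
# Assumption: sort -V stands in for RPM's own comparison, which is adequate
# for the purely numeric version-release strings used here.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_pdns_recursor PRODUCT [INSTALLED]
# INSTALLED defaults to what rpm reports on this host.
# Returns 0 = fixed, 1 = older than the fix, 2 = product not in the
# advisory, 3 = package not installed.
check_pdns_recursor() {
    product=$1
    fixed=$(fixed_for_product "$product") || {
        echo "openSUSE $product is not covered by openSUSE-SU-2014:1685-1" >&2
        return 2
    }
    if [ -n "${2:-}" ]; then
        installed=$2
    elif ! installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' pdns-recursor 2>/dev/null); then
        echo "pdns-recursor is not installed" >&2
        return 3
    fi
    if version_ge "$installed" "$fixed"; then
        echo "ok: pdns-recursor $installed includes the CVE-2014-8601 fix"
        return 0
    fi
    echo "outdated: pdns-recursor $installed < $fixed, apply patch openSUSE-2014-798"
    return 1
}

# Run as: sh check.sh 13.1
if [ $# -gt 0 ]; then
    check_pdns_recursor "$@"
fi
```

The non-zero return codes make the check usable from configuration management or a fleet-wide audit loop.
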
References:
http://support.novell.com/security/cve/CVE-2014-8601.html
https://bugzilla.suse.com/show_bug.cgi?id=906583