   openSUSE Security Update: Security update for pdns-recursor
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1685-1
Rating:             moderate
References:         #906583
Cross-References:   CVE-2014-8601
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This pdns-recursor version update fixes the following security issue
   and non-security issues.

   Update to upstream release 3.6.2.
   - boo#906583: Degraded service through queries to specific domains
     (CVE-2014-8601)
   - Fixed broken _localstatedir

   Update to upstream release 3.6.1.
   - gab14b4f: expedite servfail generation for ezdns-like failures (fully
     abort query resolving if we hit more than 50 outqueries)
   - g42025be: PowerDNS now polls the security status of a release at
     startup and periodically. More detail on this feature, and how to turn
     it off, can be found in Section 2, "Security polling".
   - g5027429: We did not transmit the right 'local' socket address to Lua
     for TCP/IP queries in the recursor. In addition, we would attempt to
     look up a file descriptor that wasn't there in an unlocked map, which
     could conceivably lead to crashes. Closes t1828, thanks Winfried for
     reporting
   - g752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with
     static key in custom header
   - g6fdd40d: add missing #include <pthread.h> to rec-channel.hh (this
     fixes building on OS X).
   - sync permissions/ownership of home and config dir with the pdns package
   - added systemd support for 12.3 and newer

   Update to upstream release 3.5.3.
   - This is a bugfix and performance update to 3.5.2. It brings serious
     performance improvements for dual stack users.
     For all the details see
     http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.3
   - Remove patch (pdns-recursor-3.3_config.patch)
   - Add patch (pdns-recursor-3.5.3_config.patch)

   Update to upstream release 3.5.2.
   - Responses without the QR bit set now get matched up to an outstanding
     query, so that resolution can be aborted early instead of waiting for
     a timeout.
   - The depth limiter changes in 3.5.1 broke some legal domains with lots
     of indirection.
   - Slightly improved logging to aid debugging.

   Update to upstream version 3.5.1.
   - This is a stability and bugfix update to 3.5. It contains important
     fixes that improve operation for certain domains. This is a stability,
     security and bugfix update to 3.3/3.3.1. It contains important fixes
     for slightly broken domain names, which your users expect to work
     anyhow. For all details see
     http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.5.1
   - adapted patches:
     pdns-rec-lua52.patch
     pdns-recursor-3.5.1_config.patch
   - fixed conditional for different lua versions
   - started some basic support to build packages for non suse distros

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-798

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-798

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      pdns-recursor-3.6.2-8.4.1
      pdns-recursor-debuginfo-3.6.2-8.4.1
      pdns-recursor-debugsource-3.6.2-8.4.1

   - openSUSE 12.3 (i586 x86_64):

      pdns-recursor-3.6.2-6.4.1
      pdns-recursor-debuginfo-3.6.2-6.4.1
      pdns-recursor-debugsource-3.6.2-6.4.1

References:

   http://support.novell.com/security/cve/CVE-2014-8601.html
   https://bugzilla.suse.com/show_bug.cgi?id=906583