Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0784 -- [Win][UNIX/Linux] New PowerDNS packages reduce DNS spoofing risk 11 August 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: PowerDNS Publisher: Debian Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Provide Misleading Information Access: Remote/Unauthenticated CVE Names: CVE-2008-3337 Original Bulletin: http://www.debian.org/security/2008/dsa-1627 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running PowerDNS check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1628-1 security@debian.org http://www.debian.org/security/ Florian Weimer August 10, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : pdns Problem type : remote Debian-specific: no CVE Id(s) : CVE-2008-3337 Brian Dowling discovered that the PowerDNS authoritative name server does not respond to DNS queries which contain certain characters, increasing the risk of successful DNS spoofing (CVE-2008-3337). This update changes PowerDNS to respond with SERVFAIL responses instead. For the stable distribution (etch), this problem has been fixed in version 2.9.20-8+etch1. For the unstable distribution (sid), this problem has been fixed in version 2.9.21.1-1. We recommend that you upgrade your pdns package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/p/pdns/pdns_2.9.20-8+etch1.dsc Size/MD5 checksum: 1137 0a41ec265f82fce6d439919cdae6001a http://security.debian.org/pool/updates/main/p/pdns/pdns_2.9.20-8+etch1.diff.gz Size/MD5 checksum: 51420 bb972467332e6122cee9d363ca55ad2e http://security.debian.org/pool/updates/main/p/pdns/pdns_2.9.20.orig.tar.gz Size/MD5 checksum: 861879 66b3d3847f91e9ac3d13bdb8ddabfc7b Architecture independent packages: http://security.debian.org/pool/updates/main/p/pdns/pdns_2.9.20-8+etch1_all.deb Size/MD5 checksum: 18402 ce1890128198b2924ec047c6fc4cd986 http://security.debian.org/pool/updates/main/p/pdns/pdns-doc_2.9.20-8+etch1_all.deb Size/MD5 checksum: 151286 ee2289703f9bc5a55ec2610309f638d8 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 128498 662065c9d72d1ce6010322203c0de483 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 101180 ed93c993121ef29ea27aec3e51ae780a http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 270198 7ea2ed079ca10c956bf85ce86cc4b91f http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 80612 66cdb0206efd5384a6c12059bed6a810 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 89786 5b5b81b0b2b5a652047c8b5843f853a5 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 85122 7b27de3ebd7f6b97b56aac71b724bf74 http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_alpha.deb Size/MD5 checksum: 809372 9de5122e1f69aafe84e9cfa5804223c5 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 105322 1f82a2e47996af30eaf4cbb3790d8595 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 72704 11d22cf7210db662e8667784f07aa5f3 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 216888 8568e7c10fa743b1b94d84a5d65be8b4 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 69118 297d560f7fc926151fb3e7e48840e279 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 65954 4ce9ab913782ad2285e1a729f73bfb77 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 81000 62ea289801afba9d82d57647a5b69a1e http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_amd64.deb Size/MD5 checksum: 700178 466d9d5a83f8f54346bcfef8594482cb arm architecture (ARM) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 72396 1cdaa3e1e9b6f9c0fc4c0d6ebd4431cc http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 113774 f9e6a066829b4ab17cacb06da5115c97 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 79256 ae1f671e2546d03ee244ca08a6cd7739 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 245716 a914afcf74e95b26e87a2982ea339318 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 76732 ed38f9dea0d74cfac026951d532eb2dc http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 88456 5e573619f814e75190dfbd5d18684cbe http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_arm.deb Size/MD5 checksum: 834670 4f9ff6e1b22d5ebe6a2cee9cfab9f333 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 89188 c7d85f3d66651f9b27b10ccc26bc56c4 http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 779220 b1ce1b8f19c577b0ee4f2a1ee08237e7 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 71462 8a979586b26e57bcb275eaa418e82984 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 74914 c8b1db6a6eb2a04ea29ec760e4ee8e9d http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 116772 5fc7175897c29277345d6f17a2163976 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 78590 c6f85e199a17cb460e0c68c89b0bd964 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_hppa.deb Size/MD5 checksum: 241084 fe36e0a467697245f7a7311da13525aa i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 708666 36483e99ba35b15425455a4a89dafe08 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 70008 10aecf8368afb6c194e1a1820655d3fd http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 66474 18efd44bd3b34fbc402f4d0226e82f3b http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 217716 0c9b86c448fe9842e93048dc4fcbbd1c http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 63686 f849a4d00ed60c49955a408ca6881fae http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 78932 3d9391be91d78616516bf7634ee97a18 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_i386.deb Size/MD5 checksum: 105212 1ae9f44fef55b966568e29c057f6f87f ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 77244 4d91e45c77bb38a41982e93e2479757d http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 282342 57d8d9dcd767e37894d0f9f894e386e6 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 130856 f13b6a20419dbafda9cd00905149170c http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 80256 eca0173e0776cfa51be3fe35275e336d http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 97948 58ad77f6e4a87bc86d84851836f91fca http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 941082 99eeed221822d5882679c7775049b16d http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_ia64.deb Size/MD5 checksum: 84298 66a4d00b34bd8cfe0b1226a626c7e03c mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 63060 39a187d32f4b7211d250d3620a01cc24 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 70350 dee7156441aa0be6eaef652585ed5a1b http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 105298 a26d7f802d8c1fd4482558d0a6e6aa3e http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 81156 e8c0118b7d0863f9e83ba4ec83b30019 http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 670300 c65ec14b44e58d5d423b1c3fb974b4ce http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 214280 20b6cc51c4f38ccaf8daf5c93b7e8886 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_mips.deb Size/MD5 checksum: 67088 ce286fc954825fea3d3765d492eea148 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 63340 bd900083144b99155d9720a289fdd33f http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 213322 ea511d369d33b503b65af378eb267521 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 104804 6220725bf558c49f92503e5c676b736a http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 70124 9f3ac750de78a447d510c2ac213f8f20 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 81728 fd31e9f80040f6b1803d16f6e9ad78cf http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 669432 cb6421c4f2c14c0ed2bb8a5998d60fa8 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_mipsel.deb Size/MD5 checksum: 67048 a1f9256339678471b87cb01657e1b70b powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 716276 4df7f6ea44a8d5fab0fb2bdc20752a5b http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 70326 06c5c32d97c0eac47107aa00dd9008f5 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 73730 6c98ac116ea64aa66e8a617a256781cd http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 66526 ada8622d9a53d4dfd89972e99da8c1a0 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 82142 255449adb0cf54fa443ee90b266102e3 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 222544 2cba08f9232e4c68801b7440a74b2932 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_powerpc.deb Size/MD5 checksum: 109028 c1fe83f0c527d1a9c8998d6d63ba71d0 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 61466 6f8bf4d3a4888c2c805c2d1649e5f8e1 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 64120 747dcdd246cb9216c38d0f60d9d83970 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 78374 a7d74b952126768d8ee6b6a4af3ff176 http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 647764 b324252630cb5e9331a8da4d13029ab7 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 66934 af0d5492cd4ec5b0313ac93093fad6da http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 104342 2294cc657d9d41e07a2bd50ad679a931 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_s390.deb Size/MD5 checksum: 206680 752595cd21b17313ac4e89260afa2125 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-mysql_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 66600 2c9b1c9106d7d4e20c9c070938180b15 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-geo_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 102604 497b5950616a7ae22c27a41de5afce2d http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-ldap_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 213970 db7bfb0af8508c12a313932b56089245 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pipe_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 78018 4f564a99232539283d1c22defd36d572 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-pgsql_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 69886 8294d5780a4e1fe0584354b05307ce0b http://security.debian.org/pool/updates/main/p/pdns/pdns-server_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 718572 b1edc3a9ff76c2aade1c4b3ac4312317 http://security.debian.org/pool/updates/main/p/pdns/pdns-backend-sqlite_2.9.20-8+etch1_sparc.deb Size/MD5 checksum: 63458 b5f2890c751479e3b6aa62f5782e92a1 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJIn1CqAAoJEL97/wQC1SS+5kIH/2y6oD7sD4cWALAzHJQLlz+B ytzW2l66FQ2i5yFTeS1n9J5nmF25BPQll0L96M1W7L7hPPYa/Os4dwWTnrgI38co Z1YbeL52elkfXVRjA2/lmJrMcKDRB8y0I9NVfdn7YtVoqfvuvWjMDkRQL59CQn0y DPn4Rf52lQcT7IoxaUJ1Kyxc3QADW7GGJ3zlKLb7ddwZoUyEMsHdal0+w+UEWzM6 iZ5aWrMeboh2KAoTQ+AAh7b2Z75S7bqL2U5AjL3lTGezuAuTai1iQ1H2WlYabR1P Dw2nnPS81bTQ2sV2gAmECMFtF7wVVQnBCRsjVBkcxV/4sVZ73vTulM+ZtJqURz4= =XSxZ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSJ9+XSh9+71yA2DNAQKB3QP+KFeWdLHIbKrMHhNuc8Ta+Vm+HGats1VA FEy1QkwCzJoVMeryWjv3+1u8CQkxDPPL1eXgj//8O8GhNX+f2LgbyS5BXBPbNSXh E/b0P5wyK6CIGHpDSBPuhBxBgzxM6bbMbdSpQQAHxpV3wXc1sLEIeAHpLkp5PRdJ EboW7F7A570= =XJy9 -----END PGP SIGNATURE-----