Your message dated Wed, 05 Apr 2023 08:50:15 +0000
with message-id <[email protected]>
and subject line Bug#1033941: fixed in pdns-recursor 4.8.4-1
has caused the Debian Bug report #1033941,
regarding pdns-recursor: CVE-2023-26437: Deterred spoofing attempts can lead to 
authoritative servers being marked unavailable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1033941: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033941
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pdns-recursor
Version: 4.8.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

The following vulnerability was published for pdns-recursor.

CVE-2023-26437:
| Deterred spoofing attempts can lead to authoritative servers being
| marked unavailable.
| When the recursor detects and deters a spoofing attempt or receives
| certain malformed DNS packets, it throttles the server that was the
| target of the impersonation attempt so that other authoritative servers
| for the same zone will be more likely to be used in the future, in case
| the attacker controls the path to one server only. Unfortunately this
| mechanism can be used by an attacker with the ability to send queries to
| the recursor, guess the correct source port of the corresponding
| outgoing query and inject packets with a spoofed IP address to force the
| recursor to mark specific authoritative servers as not available,
| leading to a denial of service for the zones served by those servers.

Additional information:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html

Chris

PS: unclear to me if 4.4.x in stable is also affected.

--- End Message ---
--- Begin Message ---
Source: pdns-recursor
Source-Version: 4.8.4-1
Done: Chris Hofstaedtler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pdns-recursor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <[email protected]> (supplier of updated pdns-recursor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Apr 2023 11:10:26 +0000
Source: pdns-recursor
Architecture: source
Version: 4.8.4-1
Distribution: unstable
Urgency: medium
Maintainer: pdns-recursor packagers <[email protected]>
Changed-By: Chris Hofstaedtler <[email protected]>
Closes: 1033941
Changes:
 pdns-recursor (4.8.4-1) unstable; urgency=medium
 .
   * New upstream version 4.8.4
     * Fixes CVE-2023-26437, see
       https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html
       (Closes: #1033941)
     * Fixes high CPU usage caused by serve-stale logic.
     * Fixes DNSSEC validation issues for some domains served by popular
       DNS software by F5.
     * Downgrades severity for a few log messages.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
