Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#44708 - [powerdns][powerdns-recursor][CVE-2015-1868] Label decompression bug can cause crashes

Attached to Project: Community Packages
Opened by Christian Rebischke (Shibumi) - Thursday, 23 April 2015, 20:05 GMT
Last edited by Alexander F. Rødseth (xyproto) - Friday, 24 April 2015, 08:59 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No



A bug was discovered in our label decompression code, making it possible for names to refer to themselves, thus causing a loop during decompression. This loop is capped at a 1000 iterations by a failsafe, making the issue harmless on most platforms. As for workarounds, only clients in allow-from are able to trigger the degraded service, so this should be limited to your userbase; further, we recommend running your critical services under supervision such as systemd, supervisord, daemontools, etc.[0]

patch for powerdns [1]
patch for powerdns-recursor [2]

This task depends upon

Closed by  Alexander F. Rødseth (xyproto)
Friday, 24 April 2015, 08:59 GMT
Reason for closing:  Fixed
Comment by Alexander F. Rødseth (xyproto) - Friday, 24 April 2015, 08:59 GMT
Thanks for reporting. The powerdns package has been updated to 3.4.4 (this release includes the upstream patches) and should appear in [community] shortly.