Comment 1 for bug 502987

bert hubert (bert-hubert) wrote :

> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.

For issue 1, CVE-2009-4009, for issue 2, CVE-2009-4010.

To further clarify, the information & update will be made public on
Wednesday January 6th, at 16:00 CET (10AM EST).

I've not yet heard from FreeBSD, Ubuntu (Bug #502987), Fedora and Gentoo.
Can you please contact me ASAP?

> Hi everybody,
>
> This Wednesday the release of the PowerDNS Recursor 3.1.7.2 will be made
> public, which fixes two important security issues, one of which is remotely
> exploitable.
>
> Given the critical nature of these vulnerabilities, we are trying to keep
> details confidential for a few more days.
>
> Summary
> -------
> The short version: please contact me off-list if you distribute the PowerDNS
> Recursor (any version), and if you want to gain early access to version
> 3.1.7.2 and associated release notes.
>
> Details
> -------
> The two security issues have been discovered by two parties which we cannot
> yet publicly mention or thank, but they deserve full credit and gratitude
> for their discoveries.
>
> Two CVE numbers have been requested, they will be communicated ASAP.
>
> One issue is remotely exploitable, and there are no configuration
> countermeasures. The other allows a (skilled) attacker to spoof domain data
> for domain names he does not own.
>
> The first issue is at least a DoS, but in all likelihood can be expanded
> into a full compromise ('rooted').
>
> The release that will be made public is already available for distributors.
> Other good news is that it is already serving over a million ISP customers,
> with no apparent problems.
>
> Contact me off-list for quick access to the new PowerDNS Recursor code,
> patch & release notes.