"ghost domain names" attack CVE-2012-1193

Bug #1391409 reported by Charles Peters II
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pdns-recursor (Ubuntu) | Fix Released | Low | Unassigned | |
| Precise | Won't Fix | Low | Unassigned | |

Bug Description

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1193.html shows "needed" for 12.04, 14.04 and 14.10. It appears the bug is fixed in 14.04 and 14.10 as it was fixed in PowerDNS Recursor version 3.5:

I'm not using 12.04 or PowerDNS Recursor, but I hope the following patches will help someone else fix the issue.

https://bugzilla.redhat.com/show_bug.cgi?id=794963 comment 4 says:
From http://doc.powerdns.com/changelog.html#changelog-recursor-3.5:
"While Recursor 3.3 was not vulnerable to the specific attack noted in 'Ghost Domain Names: Revoked Yet Still Resolvable', further investigation showed that a variant of the attack could work. This was fixed in r3085."

http://wiki.powerdns.com/trac/changeset/3085

related:
http://wiki.powerdns.com/trac/changeset/3084
http://wiki.powerdns.com/trac/changeset/3083
http://wiki.powerdns.com/trac/changeset/3082

There's also the following upstream bug:
http://wiki.powerdns.com/trac/ticket/668

Tags: precise

CVE References

Charles Peters II (cp)
information type: Private Security → Public
Mathew Hodson (mhodson)
information type: Public → Public Security
tags: added: precise
removed: cve-2012-1193
Changed in pdns-recursor (Ubuntu):
importance: Undecided → Low
Steve Beattie (sbeattie)
Changed in pdns-recursor (Ubuntu Precise):
importance: Undecided → Low
status: New → Confirmed
Changed in pdns-recursor (Ubuntu):
status: New → Fix Released
Steve Langasek (vorlon) wrote:

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in pdns-recursor (Ubuntu Precise):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.