diff --git a/net/powerdns/Makefile b/net/powerdns/Makefile
index c124bac449d2..8ce2a0d05ba4 100644
--- a/net/powerdns/Makefile
+++ b/net/powerdns/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.3 2008/01/30 22:36:14 heinz Exp $
+# $NetBSD: Makefile,v 1.4 2008/08/11 13:59:48 ghen Exp $
 
 PKG_DESTDIR_SUPPORT=	user-destdir
 
 .include "Makefile.common"
 
 PKGNAME=		${DISTNAME:S/pdns/powerdns/}
-PKGREVISION=		1
+PKGREVISION=		2
 COMMENT=		Modern, advanced and high performance nameserver
 
 CONFIGURE_ARGS+=	--with-modules="geo"
diff --git a/net/powerdns/distinfo b/net/powerdns/distinfo
index f4defbbf8122..7cc2a726777d 100644
--- a/net/powerdns/distinfo
+++ b/net/powerdns/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.2 2007/05/09 08:05:24 ghen Exp $
+$NetBSD: distinfo,v 1.3 2008/08/11 13:59:48 ghen Exp $
 
 SHA1 (pdns-2.9.21.tar.gz) = 2b86e4b44ef43db308c62e32b10ed0d5221a45c9
 RMD160 (pdns-2.9.21.tar.gz) = ed53de20a4e660ab2537b3c888b0a85225764a51
 Size (pdns-2.9.21.tar.gz) = 991071 bytes
 SHA1 (patch-aa) = 034845af3a9b66f57e482e3b43e43b61c17f51ab
 SHA1 (patch-ab) = d47887faff80330122ccf1cfd047c11e114c1153
+SHA1 (patch-ac) = aa7387cd9c283810d41d6097ecfbe6e688621432
diff --git a/net/powerdns/patches/patch-ac b/net/powerdns/patches/patch-ac
new file mode 100644
index 000000000000..6e553ad8017e
--- /dev/null
+++ b/net/powerdns/patches/patch-ac
@@ -0,0 +1,22 @@
+$NetBSD: patch-ac,v 1.1 2008/08/11 13:59:48 ghen Exp $
+
+Fix for CVE-2008-3337 taken from PowerDNS 2.9.21.1: return SERVFAIL to
+mailformed queries instead of just dropping them (as this facilitates
+DNS spoofing attacks).
+
+--- pdns/packethandler.cc.orig	2007-04-21 15:56:36.000000000 +0200
++++ pdns/packethandler.cc
+@@ -576,9 +576,11 @@ DNSPacket *PacketHandler::questionOrRecu
+ 
+     if(!validDNSName(p->qdomain)) {
+       if(arg().mustDo("log-dns-details"))
+-        L<<Logger::Error<<"Received a malformed qdomain from "<<p->getRemote()<<", '"<<p->qdomain<<"': dropping"<<endl;
++        L<<Logger::Error<<"Received a malformed qdomain from "<<p->getRemote()<<", '"<<p->qdomain<<"': sending servfail"<<endl;
+       S.inc("corrupt-packets");
+-      return 0;
++      r=p->replyPacket(); 
++      r->setRcode(RCode::ServFail);
++      return r;
+     }
+     if(p->d.opcode) { // non-zero opcode (again thanks RA!)
+       if(p->d.opcode==Opcode::Update) {