Date: Wed, 2 Sep 2015 15:24:48 +0200 From: Pieter Lexis <pieter.lexis@...erdns.com> To: pdns-users Users <pdns-users@...lman.powerdns.com>, pdns-dev@...lman.powerdns.com, pdns-announce@...lman.powerdns.com, oss-security@...ts.openwall.com Subject: PowerDNS Security Advisory 2015-02 Hi all, We'd like to make you aware of Security Advisory 2015-02 for PowerDNS. A bug was recently found in our DNS packet parsing/generation code, which, when exploited, can cause individual threads (disabling service) or whole processes (allowing a supervisor to restart them) to crash with just one or a few query packets. * CVE: CVE-2015-5230 * Date: 2nd of September 2015 * Credit: Pyry Hakulinen and Ashish Shakla at Automattic * Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5 * Not affected: PowerDNS Authoritative Server 3.4.6 * Severity: High * Impact: Degraded service or Denial of service * Exploit: This problem can be triggered by sending specially crafted query packets * Risk of system compromise: No * Solution: Upgrade to a non-affected version * Workaround: Run the Authoritative Server inside a supervisor when `distributor-threads` is set to `1` to prevent Denial of Service. No workaround for the degraded service exists PowerDNS Authoritative Server 3.4.0-3.4.5 are affected. No other versions are affected. The PowerDNS Recursor is not affected. PowerDNS Authoritative Server 3.4.6 contains a fix to this issue. A minimal patch is available . This issue is entirely unrelated to Security Advisory 2015-01/CVE-2015-1868. We'd like to thank Pyry Hakulinen and Ashish Shakla at Automattic for finding and subsequently reporting this bug. 1 - https://downloads.powerdns.com/patches/2015-02/ -- Pieter Lexis PowerDNS.COM BV - https://www.powerdns.com [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ