Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 2 Sep 2015 15:24:48 +0200
From: Pieter Lexis <pieter.lexis@...erdns.com>
To: pdns-users Users <pdns-users@...lman.powerdns.com>,
 pdns-dev@...lman.powerdns.com, pdns-announce@...lman.powerdns.com,
 oss-security@...ts.openwall.com
Subject: PowerDNS Security Advisory 2015-02

Hi all,

We'd like to make you aware of Security Advisory 2015-02 for PowerDNS.

A bug was recently found in our DNS packet parsing/generation code,
which, when exploited, can cause individual threads (disabling service)
or whole processes (allowing a supervisor to restart them) to crash with
just one or a few query packets.

* CVE: CVE-2015-5230
* Date: 2nd of September 2015
* Credit: Pyry Hakulinen and Ashish Shakla at Automattic
* Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
* Not affected: PowerDNS Authoritative Server 3.4.6
* Severity: High
* Impact: Degraded service or Denial of service
* Exploit: This problem can be triggered by sending specially crafted
  query packets
* Risk of system compromise: No
* Solution: Upgrade to a non-affected version
* Workaround: Run the Authoritative Server inside a supervisor when
  `distributor-threads`  is set to `1` to prevent Denial of Service.
  No workaround for the degraded service exists

PowerDNS Authoritative Server 3.4.0-3.4.5 are affected. No other
versions are affected. The PowerDNS Recursor is not affected.

PowerDNS Authoritative Server 3.4.6 contains a fix to this issue. A
minimal patch is available [1].

This issue is entirely unrelated to Security Advisory 2015-01/CVE-2015-1868.

We'd like to thank Pyry Hakulinen and Ashish Shakla at Automattic for
finding and subsequently reporting this bug.

1 - https://downloads.powerdns.com/patches/2015-02/

-- 
Pieter Lexis
PowerDNS.COM BV - https://www.powerdns.com


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ