Date: Fri, 13 Jun 2014 15:42:52 +0200
From: Vasyl Kaigorodov <vkaigoro@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: PowerDNS in default configuration is vulnerable to DoS attack

It was found that in the default configuration PowerDNS is allowed to consume more file descriptors than are available for a default installation of many Linux distributions. The default configuration is: 2 threads / 2048 max-mthreads, which leads to a theoretical FD consumption of 4096. The default FD limit on many distributions is 1024. This can potentially lead to a DoS attack.

Workaround (from ):

- Reduce max-mthreads to 512 (or threads to 1 and max-mthreads to 1024) (max-mthreads was introduced in Recursor 3.2; but if you are running a version that old, please upgrade it!)
- Run 'ulimit -n 32768' before starting (perhaps put this in the /etc/init.d/ script). There's little reason to skip on this number.
- Investigate defaults in /etc/security/limits.conf

Patch is available at  :

: http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
: https://github.com/Habbie/pdns/commit/e24b124a4c7b49f38ff8bcf6926cd69077d16ad8

References:
https://bugs.mageia.org/show_bug.cgi?id=13521
https://bugzilla.redhat.com/show_bug.cgi?id=1109231

Can a CVE please be assigned if one has not been already?

Thanks.

--
Vasyl Kaigorodov | Red Hat Product Security Team
PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Content of type "application/pgp-signature" skipped
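The arithmetic in the post (worst-case FDs = threads x max-mthreads, compared against the process FD limit) is easy to check on a running host before deciding between the two workarounds. The script below is an added example, not code from the post or from the PowerDNS project: it reads "threads" and "max-mthreads" from a recursor.conf-style file (falling back to the defaults the post names), computes the theoretical FD demand, compares it with a given limit (or the current `ulimit -n`), and reports the largest max-mthreads that fits under that limit. The sample config is constructed inline; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the PowerDNS project).
# Worst-case FD demand per the post: threads * max-mthreads.
# Defaults per the post: threads=2, max-mthreads=2048, FD limit 1024.

# Read one numeric "key=value" setting from a recursor.conf-style file.
# Commented-out lines are ignored; the last active occurrence wins;
# the supplied default is used when the key is absent.
pdns_setting() {   # $1 = config file, $2 = key, $3 = default
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    [ -n "$val" ] && echo "$val" || echo "$3"
}

# Theoretical FD consumption for the configuration in $1.
pdns_fd_required() {   # $1 = config file
    t=$(pdns_setting "$1" threads 2)
    m=$(pdns_setting "$1" max-mthreads 2048)
    echo $((t * m))
}

# Largest max-mthreads keeping threads * max-mthreads within the FD limit.
pdns_max_mthreads_for_limit() {   # $1 = threads, $2 = fd limit
    echo $(( $2 / $1 ))
}

# Verdict for config $1 under FD limit $2 (default: current ulimit -n).
# Prints "ok" or "too-low"; returns 1 when too low. "unlimited" is ok.
pdns_fd_check() {   # $1 = config file, $2 = fd limit
    limit=${2:-$(ulimit -n)}
    case $limit in
        unlimited) echo "ok"; return 0 ;;
    esac
    need=$(pdns_fd_required "$1")
    if [ "$need" -gt "$limit" ]; then
        echo "too-low"
        return 1
    fi
    echo "ok"
}

# Constructed sample recursor.conf using the upstream defaults from the post.
cfg=$(mktemp)
trap 'rm -f "$cfg"' EXIT
cat > "$cfg" <<'EOF'
# constructed sample, not a real deployment
threads=2
max-mthreads=2048   # upstream default
local-address=127.0.0.1
EOF

# Demo: the distribution default (1024) versus the post's suggested ulimit.
for limit in 1024 32768; do
    printf 'limit=%s need=%s verdict=%s max-mthreads-that-fit=%s\n' \
        "$limit" "$(pdns_fd_required "$cfg")" \
        "$(pdns_fd_check "$cfg" "$limit" || true)" \
        "$(pdns_max_mthreads_for_limit "$(pdns_setting "$cfg" threads 2)" "$limit")"
done
```

With the sample config the 1024 limit yields need=4096 and "too-low", and 1024 / 2 threads gives the 512 max-mthreads the post recommends; with the post's `ulimit -n 32768` the same config is "ok". Run it with the real config path and no explicit limit to test against the limit the shell actually starts the recursor with, which is the number that matters if the ulimit is set in an init script rather than in limits.conf.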