Debian Security Advisory
DLA-1843-1 pdns -- LTS security update
- Date Reported:
- 03 Jul 2019
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2019-10162, CVE-2019-10163.
- More information:
Two vulnerabilities have been discovered in pdns, an authoritative DNS server which may result in denial of service via malformed zone records and excessive NOTIFY packets in a master/slave setup.
An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify.
An issue has been found in PowerDNS Authoritative Server allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue.
For Debian 8
Jessie, these problems have been fixed in version 3.4.1-4+deb8u10.
We recommend that you upgrade your pdns packages.
For the detailed security status of pdns please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pdns
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS