
[SECURITY] [DLA 1843-1] pdns security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : pdns
Version        : 3.4.1-4+deb8u10
CVE ID         : CVE-2019-10162 CVE-2019-10163


Two vulnerabilities have been discovered in pdns, an authoritative DNS
server, which may result in denial of service via malformed zone records
and excessive NOTIFY packets in a master/slave setup.

CVE-2019-10162

    An issue has been found in PowerDNS Authoritative Server allowing
    an authorized user to cause the server to exit by inserting a
    crafted record in a MASTER type zone under their control. The issue
    is due to the fact that the Authoritative Server will exit when it
    runs into a parsing error while looking up the NS/A/AAAA records it
    is about to use for an outgoing notify.

CVE-2019-10163

    An issue has been found in PowerDNS Authoritative Server allowing
    a remote, authorized master server to cause a high CPU load or even
    prevent any further updates to any slave zone by sending a large
    number of NOTIFY messages. Note that only servers configured as
    slaves are affected by this issue.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.1-4+deb8u10.

We recommend that you upgrade your pdns packages.

For the detailed security status of pdns please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -- 
Jonas Meurer


