Debian Security Advisory
DSA-3664-1 pdns -- security update
- Date Reported:
- 10 Sep 2016
- Affected Packages:
- pdns
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 830808.
In Mitre's CVE dictionary: CVE-2016-5426, CVE-2016-5427, CVE-2016-6172. - More information:
-
Multiple vulnerabilities have been discovered in pdns, an authoritative DNS server. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2016-5426 / CVE-2016-5427
Florian Heinz and Martin Kluge reported that the PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes and does not properly handle dot inside labels. A remote, unauthenticated attacker can take advantage of these flaws to cause abnormal load on the PowerDNS backend by sending specially crafted DNS queries, potentially leading to a denial of service.
- CVE-2016-6172
It was reported that a malicious primary DNS server can crash a secondary PowerDNS server due to improper restriction of zone size limits. This update adds a feature to limit AXFR sizes in response to this flaw.
For the stable distribution (jessie), these problems have been fixed in version 3.4.1-4+deb8u6.
We recommend that you upgrade your pdns packages.
- CVE-2016-5426 / CVE-2016-5427