Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-627-1 pdns

Debian Security Advisory

DLA-627-1 pdns -- LTS security update

Date Reported:

18 Sep 2016

Affected Packages:

pdns

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 830808.
In Mitre's CVE dictionary: CVE-2016-5426, CVE-2016-5427, CVE-2016-6172.

More information:

Multiple vulnerabilities have been discovered in pdns, an authoritative DNS server. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2016-5426 / CVE-2016-5427

  Florian Heinz and Martin Kluge reported that the PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes and does not properly handle dot inside labels. A remote, unauthenticated attacker can take advantage of these flaws to cause abnormal load on the PowerDNS backend by sending specially crafted DNS queries, potentially leading to a denial of service.

• CVE-2016-6172

  It was reported that a malicious primary DNS server can crash a secondary PowerDNS server due to improper restriction of zone size limits. This update adds a feature to limit AXFR sizes in response to this flaw.

For Debian 7 Wheezy, these problems have been fixed in version 3.1-4.1+deb7u2.

We recommend that you upgrade your pdns packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS