Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.2119 pdns security update 12 September 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: pdns Publisher: Debian Operating System: Debian GNU/Linux 8 UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-6172 CVE-2016-5427 CVE-2016-5426 Original Bulletin: http://www.debian.org/security/2016/dsa-3664 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running pdns check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3664-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 10, 2016 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : pdns CVE ID : CVE-2016-5426 CVE-2016-5427 CVE-2016-6172 Debian Bug : 830808 Multiple vulnerabilities have been discovered in pdns, an authoritative DNS server. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-5426 / CVE-2016-5427 Florian Heinz and Martin Kluge reported that the PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes and does not properly handle dot inside labels. A remote, unauthenticated attacker can take advantage of these flaws to cause abnormal load on the PowerDNS backend by sending specially crafted DNS queries, potentially leading to a denial of service. CVE-2016-6172 It was reported that a malicious primary DNS server can crash a secondary PowerDNS server due to improper restriction of zone size limits. This update adds a feature to limit AXFR sizes in response to this flaw. For the stable distribution (jessie), these problems have been fixed in version 3.4.1-4+deb8u6. We recommend that you upgrade your pdns packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJX06v5AAoJEAVMuPMTQ89EOlMP/2a7w5qfgqWp2KIJBP6qAA67 +XRaLRwDb2s8b9X/6NMFgjmnrZj4RWfDliZK1hqp3mXgr6UjO3Q3KPKK124YlKUL WMqwPJ8c9BJ0SGzDGb2xLWBntO3r3Wm9H2Rx6WvPhZTahD6X/ucoqphGrbZhLi01 PXr46WCqwvOqWS5rDsFCQQbPg9MABjMxQ2ObDm2CMAE0spNKYteoLjZQEZYxWb9E JrC4xWi3LragzZNNvoIehhcAlotE4KnhIDTAeTimoU4HtNXVvAnFL0L4cu7d/ytR 1mdrAo60TOdGQ30afJrY2/tLh/eg9uNbWs+Ha63YKeIJvEDE+G3dp6Rw9uTUDKO7 B1sbcaVIv8b3R0DcFjGnB0LiMFRezTHNrBi70PHlDN7ZVhYq3rBdpExkQDxkRLBe ZfHcZiwo+aUxT719jneaRszQeDrwcLN8N7XtTWPpAAryET8zUxV2wKYwF1DB7KN7 onsaOuyyndALkyv1hGx8scSVBH2grReaSxCWmrjGKPx2INkLtAjRvbD9BZTYOKHV 2JLhNIdK5vclHiSYc4/VmXoIMK4b8bmugVOwJT0/DYI0hSnQBWFq9clmzRNblvzV dqqz+/vhJM7k/BJXEjD9ZkRO+eOCdsEdMIKeFg1BE2Yiz6pbhNo6AjigDH1eqfxN wI72WPtWMv6DNriR2mhp =6o+o - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV9YT74x+lLeg9Ub1AQj0Vw/+Iua66mz5CSEsZteLFAdsSFTm+2Hnsr1c j79vwCfw+YgK6ZbqY21a8X+OCBku7CQaGnYz7PAXgwX5n+3yhaPtfrnU7E9NRFkv hES8UFCmyCWtojxsK2xCaEijiZLGqWmIEY/t1zkL6oqhYGCwdUA4OEt14WvvNjlz 2eEF4aNjn0Ahgk7IQpq6z5y3ls88zkELNrlLi4wYNVqdMb6C9oTxnD1lH+z9JBmV mjpLBpyQ7INVZGF7nyvY4WLRPXpqmozrngNuiTXZXZDEjthngrfrUDeMD7ftzq8g +9W0wsbup/aD7ZeU3AjwCPA1Fst/mPHIq0DL48iL5mOji3I+hSLRECFRDA6Zo8sm mU//jtYza6fAS8rf6HSQB1HXDHoDR/QGvFJUD63lMCQjN+PV9bi4CADjZjCYCP/c 1WIDWikBQ/aBuA+vadXkB/gzn977wWpmo7VjlLosY/b20gZuSwfB71MIkdWtqj45 EVIBXzHpm6axE/+8qRCa7gIeA68eoqd5ivox7EHqKXimKolBsAUMDqCx+2De243G MXTrCn/mmcYAl/DBn+Cg/Ucl9X5/LZN6zdvEaJFCKx/UKKwbRYB4dNNQVKSQ/vQZ sYi9b9WRqPb6kSL00ngDbR0cPif0mcoZJRS0nRs1wC0209MNB9aHlyj/+YkVRsR8 y0jTdsdAomQ= =RGfU -----END PGP SIGNATURE-----