Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2119
pdns security update
12 September 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: pdns
Publisher: Debian
Operating System: Debian GNU/Linux 8
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-6172 CVE-2016-5427 CVE-2016-5426
Original Bulletin:
http://www.debian.org/security/2016/dsa-3664
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running pdns check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3664-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 10, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : pdns
CVE ID : CVE-2016-5426 CVE-2016-5427 CVE-2016-6172
Debian Bug : 830808
Multiple vulnerabilities have been discovered in pdns, an authoritative
DNS server. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2016-5426 / CVE-2016-5427
Florian Heinz and Martin Kluge reported that the PowerDNS
Authoritative Server accepts queries with a qname's length larger
than 255 bytes and does not properly handle dot inside labels. A
remote, unauthenticated attacker can take advantage of these flaws
to cause abnormal load on the PowerDNS backend by sending specially
crafted DNS queries, potentially leading to a denial of service.
CVE-2016-6172
It was reported that a malicious primary DNS server can crash a
secondary PowerDNS server due to improper restriction of zone size
limits. This update adds a feature to limit AXFR sizes in response
to this flaw.
For the stable distribution (jessie), these problems have been fixed in
version 3.4.1-4+deb8u6.
We recommend that you upgrade your pdns packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJX06v5AAoJEAVMuPMTQ89EOlMP/2a7w5qfgqWp2KIJBP6qAA67
+XRaLRwDb2s8b9X/6NMFgjmnrZj4RWfDliZK1hqp3mXgr6UjO3Q3KPKK124YlKUL
WMqwPJ8c9BJ0SGzDGb2xLWBntO3r3Wm9H2Rx6WvPhZTahD6X/ucoqphGrbZhLi01
PXr46WCqwvOqWS5rDsFCQQbPg9MABjMxQ2ObDm2CMAE0spNKYteoLjZQEZYxWb9E
JrC4xWi3LragzZNNvoIehhcAlotE4KnhIDTAeTimoU4HtNXVvAnFL0L4cu7d/ytR
1mdrAo60TOdGQ30afJrY2/tLh/eg9uNbWs+Ha63YKeIJvEDE+G3dp6Rw9uTUDKO7
B1sbcaVIv8b3R0DcFjGnB0LiMFRezTHNrBi70PHlDN7ZVhYq3rBdpExkQDxkRLBe
ZfHcZiwo+aUxT719jneaRszQeDrwcLN8N7XtTWPpAAryET8zUxV2wKYwF1DB7KN7
onsaOuyyndALkyv1hGx8scSVBH2grReaSxCWmrjGKPx2INkLtAjRvbD9BZTYOKHV
2JLhNIdK5vclHiSYc4/VmXoIMK4b8bmugVOwJT0/DYI0hSnQBWFq9clmzRNblvzV
dqqz+/vhJM7k/BJXEjD9ZkRO+eOCdsEdMIKeFg1BE2Yiz6pbhNo6AjigDH1eqfxN
wI72WPtWMv6DNriR2mhp
=6o+o
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV9YT74x+lLeg9Ub1AQj0Vw/+Iua66mz5CSEsZteLFAdsSFTm+2Hnsr1c
j79vwCfw+YgK6ZbqY21a8X+OCBku7CQaGnYz7PAXgwX5n+3yhaPtfrnU7E9NRFkv
hES8UFCmyCWtojxsK2xCaEijiZLGqWmIEY/t1zkL6oqhYGCwdUA4OEt14WvvNjlz
2eEF4aNjn0Ahgk7IQpq6z5y3ls88zkELNrlLi4wYNVqdMb6C9oTxnD1lH+z9JBmV
mjpLBpyQ7INVZGF7nyvY4WLRPXpqmozrngNuiTXZXZDEjthngrfrUDeMD7ftzq8g
+9W0wsbup/aD7ZeU3AjwCPA1Fst/mPHIq0DL48iL5mOji3I+hSLRECFRDA6Zo8sm
mU//jtYza6fAS8rf6HSQB1HXDHoDR/QGvFJUD63lMCQjN+PV9bi4CADjZjCYCP/c
1WIDWikBQ/aBuA+vadXkB/gzn977wWpmo7VjlLosY/b20gZuSwfB71MIkdWtqj45
EVIBXzHpm6axE/+8qRCa7gIeA68eoqd5ivox7EHqKXimKolBsAUMDqCx+2De243G
MXTrCn/mmcYAl/DBn+Cg/Ucl9X5/LZN6zdvEaJFCKx/UKKwbRYB4dNNQVKSQ/vQZ
sYi9b9WRqPb6kSL00ngDbR0cPif0mcoZJRS0nRs1wC0209MNB9aHlyj/+YkVRsR8
y0jTdsdAomQ=
=RGfU
-----END PGP SIGNATURE-----