Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2436
[SECURITY] [DLA 1843-1] pdns security update
4 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: pdns
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10163 CVE-2019-10162
Reference: ESB-2019.2234
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2019/07/msg00002.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : pdns
Version : 3.4.1-4+deb8u10
CVE ID : CVE-2019-10162 CVE-2019-10163
Two vulnerabilities have been discovered in pdns, an authoritative DNS
server which may result in denial of service via malformed zone records
and excessive NOTIFY packets in a master/slave setup.
CVE-2019-10162
An issue has been found in PowerDNS Authoritative Server allowing
an authorized user to cause the server to exit by inserting a
crafted record in a MASTER type zone under their control. The issue
is due to the fact that the Authoritative Server will exit when it
runs into a parsing error while looking up the NS/A/AAAA records it
is about to use for an outgoing notify.
CVE-2019-10163
An issue has been found in PowerDNS Authoritative Server allowing
a remote, authorized master server to cause a high CPU load or even
prevent any further updates to any slave zone by sending a large
number of NOTIFY messages. Note that only servers configured as
slaves are affected by this issue.
For Debian 8 "Jessie", these problems have been fixed in version
3.4.1-4+deb8u10.
We recommend that you upgrade your pdns packages.
For the detailed security status of pdns please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- - --
Jonas Meurer
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAl0cq0AACgkQUmLn/0kQ
Sf6uzRAAn57AZxX15uMo8TazTd4gFkT4MdP8BOdUKx05DPFVNCMcQCNheQsFoW83
Ewcdg9truLiG+NebnBpDnbVgXrkCmNXJbai6zrXuyqq+2m4PqUz/QkBT2GqaFE4G
XPXcuh8En5xn7dTasBkJvTA9Tm5i9Omdmj+VsDHLA2JLsvjjhrHvkuYFpZiA62J1
a3Tvf5jBO2+dmnR17Kf6AF++mitTa+BqPKWt4KSoFMGdb/I+K+XRZPr/N2Dvi9ld
Ankkjm7GwdcnXu2L5neU75EI0xAWEe5SGdRAAKAveAQ8qbDpGy/UtS42+t09ao69
C97PuB0P+0lH612u0NKybH20Mbtp9cY2lh+h8l3pteVO4I8SgUmr+Qgnj62e12Rw
IoUCY7JBxII8rnSKlQ7SR2EJS23CHEk4brijaOl+o+ACqKLD3fmgdmTlO84zKXQv
/pHJESvbpK/prZAy/GVVfpWDgx5IEq1lhUDZkHZBZ+qZjH2LXsLn59uxL7to8Gkl
KD0TJxdrYFLVeu+CgvO2fNySr9VaAih9LV8EvS86y9m7fZZKTv5ivT0CVRDfv4re
6DyWMdn0nhmAYHBFxiAFL5qsO4pjte8YjR07SfKCTDwGboILMJA1QXFCszdJNCxr
BXRXQ9NA5nsw2K+gq2rIn38iiq70JlO6OL0wGq190ALPkr41k4o=
=0wei
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXR1RwmaOgq3Tt24GAQiueg//VH2QclOhWaJ5Z71FTBhmivMgJEx0h+S+
PODxhJX2ANlOypUXVfesBGE2RemJVUn8D3PzUpWX4R5slzetOJL1Yw9qMCGLD80+
KLwGuVCcWdW7i6JwoVWfw18SMHjuypkplFAl3ICPzwHDnqEJFUH2TdtvejFubizK
IEZ8QTnfZK/NeFtwmpdRCy/P8WrGmu4B3NFcgAHwn1DaFotQJHwtrYo6OS941ggR
93bVZdcNMIjiG3NAvfn3Pczbtpp5OGGg3ENnr3YiKCm3DhrOOtlXndZJOGPUP8cY
CHvDL855xwIHBGeRorV7UE0FZXawwmMNfWcYMsc3vBvSa9I09NfzjiHbr1pY4IW8
bFAmBQedrZD3W7n1MUD44AcirEOAbVeKwvZVcDHc5ysxkn5YT280cbexpvTI36NL
p5rkPiRkVRPuHO/I1dEb3wcpKSW7wqG4PP7mvOLY+iW0uBRuqSFt1KxTfs6/xIvY
6fXJ1srUIY9Fa6K5Y7AIyxHndYmHvjLVkVFmzaooqE5l3Lwz3jKH0UKx6eVVOwnU
HPvfODge1Y1w8mx3exSbKgOS1D9bap3e34bp4FvEBkM0Bkdo70uJiucQtw5qXxPh
x1mB4boeqATK18MELSUa5m9l+RLRLEF/reXI8Ify7RLGekMo8oihxA8fnAtuNuZU
7R4ibYYHExc=
=9hI1
-----END PGP SIGNATURE-----