[Pdns-dev] PowerDNS Security Announcement 2015-03

Pieter Lexis pieter.lexis at powerdns.com
Mon Nov 9 15:47:35 CET 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello everyboby,

We'd like to make you aware of PowerDNS Security Advisory 2015-3[1].

* CVE: CVE-2015-5311
* Date: November 9th 2015
* Credit: Christian Hofstaedtler
* Affects: PowerDNS Authoritative Server 3.4.4 through 3.4.6
* Not affected: PowerDNS Authoritative Server 3.3.x and 3.4.7 and up
* Severity: High
* Impact: Degraded service or Denial of service
* Exploit: This problem can be triggered by sending specially crafted
  query packets
* Risk of system compromise: No
* Solution: Upgrade to a non-affected version
* Workaround: run the process inside the guardian or inside a supervisor

A bug was found using `afl-fuzz` in our packet parsing code. This bug,
when exploited, causes an assertion error and consequent termination
of the the `pdns_server` process, causing a Denial of Service.

When the PowerDNS Authoritative Server is run inside the guardian
(`--guardian`), or inside a supervisor like supervisord or systemd, it
will be automatically restarted, limiting the impact to a somewhat
degraded service.

PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other
versions are affected. The PowerDNS Recursor is not affected.

PowerDNS Authoritative Server 3.4.7 contains a fix to this issue. A
minimal patch is available [2].

This issue is unrelated to the issues in our previous two Security
Announcements 2015-01 and 2015-02.

We'd like to thank Christian Hofstaedtler of Deduktiva GmbH for
finding and reporting this issue.

1 - https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/
2 - https://downloads.powerdns.com/patches/2015-03/
- -- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWQLHwAAoJEF5QcVvy/+GnDhAP/0BnWPSx/KUM8MxYRxHytuXX
JTEwGT1V3JS0eZw8QjIe+3p4+Ek0SIMUf/d4xx/4aGh+c4mksU4HlWk7R68pu7vr
g7mtkjqmOmsbmqidmGUajbDd2Rx+10c7y3Ow2tA8bu52Xx5x7pinHrjfRd4VzoBN
mBdT1G/V4K9y9YX8bguJNl8m2GvTnSHEjZ/gCanvmDiEVMuZN2tNaGs3BLf4MOTq
RViXcyjs9p8DA4l2dH6srYE3FTA3r6lZSpC+vB+5rLHEpgIsjlPuHddJODmCTZP6
LXBmWz636GqI1K0uf2zETyIT+5FvAxlcb4b2j11PL7lrpAx9iiBYnwCmCrZoUFKd
/AwMuaz4NI9GSkd9aV8GjEI8TskTQJxufQQu7K4CSp/hcJBumW3rtjlKAUcyLeI0
jQ/odq34hR5vGS0+qJ4wwBtP3mpLQp6qbidnpWnmdBV5W2nn0FDpon2M/m9W+jdd
oPbLUWnwBY221qY8Jg7QZ+sanFeqlAt3vdE9KFQSUWoMXh0uHRYZt8fCwly9VCPJ
7M8ae/I4ak4IdTuvSdQbtzBhPlt6zacLKHrL4dUYxoU88/ukruDlsiuL2LHuyej5
roiQEBJVhduZ0xSFU/TI0X/hY7qRoj3ubEYVoYf3DOruHfPjdABX1wYStcz/LvHo
zj40IUG9DD0sYtPEtjBQ
=OUeD
-----END PGP SIGNATURE-----

More information about the Pdns-dev mailing list