MGASA-2017-0033
Vulnerability Summary
Timeline
Description
Updated pdns packages fix security vulnerabilities Mathieu Lafon discovered that pdns does not properly validate records in zones. An authorized user can take advantage of this flaw to crash server by inserting a specially crafted record in a zone under their control and then sending a DNS query for that record (CVE-2016-2120). Florian Heinz and Martin Kluge reported that pdns parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded (CVE-2016-7068). Mongo discovered that the webserver in pdns is susceptible to a denial-of-service vulnerability. A remote, unauthenticated attacker to cause a denial of service by opening a large number of f TCP connections to the web server (CVE-2016-7072). Mongo discovered that pdns does not sufficiently validate TSIG signatures, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR (CVE-2016-7073, CVE-2016-7074).
Affected Systems
- mageia•pdns
< 3.3.3-1.3.mga5
References (7)
- https://advisories.mageia.org/MGASA-2017-0033.html
- https://bugs.mageia.org/show_bug.cgi?id=20126
- https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
- https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/
- https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/
- https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/
- https://www.debian.org/security/2017/dsa-3764