On Wed, Sep 14, 2016 at 07:10:43AM +1000, zlin...@virginbroadband.com.au wrote:
> I am using pdnsd 

FYI, I saw this DSA come in a few days ago:

https://www.debian.org/security/2016/dsa-3664

Debian Security Advisory
DSA-3664-1 pdns -- security update

Date Reported: 10 Sep 2016
Affected Packages: pdns 
Vulnerable: Yes

Security database references:
    In the Debian bugtracking system: Bug 830808.
    In Mitre's CVE dictionary: CVE-2016-5426, CVE-2016-5427, CVE-2016-6172.

More information:

    Multiple vulnerabilities have been discovered in pdns, an
    authoritative DNS server. The Common Vulnerabilities and Exposures
    project identifies the following problems:

        CVE-2016-5426 / CVE-2016-5427

        Florian Heinz and Martin Kluge reported that the PowerDNS
        Authoritative Server accepts queries with a qname's length
        larger than 255 bytes and does not properly handle dot inside
        labels. A remote, unauthenticated attacker can take advantage of
        these flaws to cause abnormal load on the PowerDNS backend by
        sending specially crafted DNS queries, potentially leading to a
        denial of service.  

        CVE-2016-6172

        It was reported that a malicious primary DNS server can crash a
        secondary PowerDNS server due to improper restriction of zone
        size limits. This update adds a feature to limit AXFR sizes in
        response to this flaw.

    For the stable distribution (jessie), these problems have been fixed
    in version 3.4.1-4+deb8u6.

    We recommend that you upgrade your pdns packages.


craig

--
craig sanders <c...@taz.net.au>
_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main

Reply via email to