*** This bug is a security vulnerability ***

Public security bug reported:

Note: We have this package running in production without any apparent issues.

  * SECURITY UPDATE:
  * References
    * CVE-2014-8601: PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it.
      - Added debian/patches/CVE-2014-8601.patch
    * CVE-2015-1868: The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.
      - Added debian/patches/CVE-2015-1868.patch
    * CVE-2015-5470: The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a long name that refers to itself. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1868.
      - Added debian/patches/CVE-2015-1868-2.patch
    * CVE-2016-7068: Florian Heinz and Martin Kluge reported that pdns-recursor parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded.
      - Added debian/patches/CVE-2016-7068.patch
  * Add debian/patches/qtypes.patch so qtypes required for CVE-2016-7068.patch are available

I have not evaluated any other Ubuntu releases (and don't intend to).

** Affects: pdns-recursor (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: pdns-recursor (Ubuntu Trusty)
     Importance: High
         Status: New

** Patch added: "Debdiff for trusty"
   https://bugs.launchpad.net/bugs/1656931/+attachment/4805135/+files/pdns-recursor.trusty.debdiff

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8601

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5470

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7068

https://bugs.launchpad.net/bugs/1656931

Title:
  Security update for pdns-recursor on trusty
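
The following C decoder is an added example, not code from PowerDNS or from the debdiff attached to this bug. It shows one way a parser can bound decompression work for self-referring names of the kind described in CVE-2015-1868 and CVE-2015-5470; the function name `dns_name_decode` and the sample buffers are constructed for this example, and offsets are relative to each buffer rather than to a full DNS message.

```c
#include <stdint.h>
#include <string.h>

#define DNS_MAX_NAME 255 /* RFC 1035: longest encoded name, in octets */

/* Constructed sample buffers; offsets are relative to each buffer. */
static const uint8_t GOOD[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',
                               3,'c','o','m',0, 0xC0,0x00}; /* ptr at 17 -> 0 */
static const uint8_t SELF[] = {0xC0,0x00};       /* pointer to itself */
static const uint8_t LOOP[] = {1,'a',0xC0,0x00}; /* label, then ptr back to it */

/* Decode the name at msg[off] into dotted text; return its length or -1.
 * A pointer must target an offset before itself (no self or forward
 * reference), and the encoded length is capped, which also stops a backward
 * pointer whose labels run forward into the same pointer again. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outsz)
{
    size_t used = 0; /* characters written to out */
    size_t wire = 1; /* encoded octets so far, counting the root label */
    for (;;) {
        if (off >= len) return -1;
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) { /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;
            off = target;
            continue;
        }
        if (c & 0xC0) return -1; /* reserved label types */
        if (c == 0) break;       /* root label ends the name */
        wire += (size_t)c + 1;
        if (wire > DNS_MAX_NAME || off + 1 + c > len) return -1;
        if (used + c + 2 > outsz) return -1; /* room for dot, label, NUL */
        if (used) out[used++] = '.';
        memcpy(out + used, msg + off + 1, c);
        used += c;
        off += (size_t)c + 1;
    }
    if (used + 1 > outsz) return -1;
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    char name[DNS_MAX_NAME];
    return dns_name_decode(GOOD, sizeof GOOD, 17, name, sizeof name) == 15 ? 0 : 1;
}
```

The `LOOP` buffer passes the backward-pointer check on every hop, so it is the length cap that ends it; either guard alone leaves one of the two self-referring cases unbounded.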