yep

-----Original Message-----
From: Salvatore Bonaccorso [mailto:car...@debian.org]
Sent: Saturday, September 10, 2016 2:47 AM
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 3664-1] pdns security update
Importance: High

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3664-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 10, 2016                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns
CVE ID         : CVE-2016-5426 CVE-2016-5427 CVE-2016-6172
Debian Bug     : 830808

Multiple vulnerabilities have been discovered in pdns, an authoritative
DNS server. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2016-5426 / CVE-2016-5427

    Florian Heinz and Martin Kluge reported that the PowerDNS
    Authoritative Server accepts queries with a qname's length larger
    than 255 bytes and does not properly handle dot inside labels. A
    remote, unauthenticated attacker can take advantage of these flaws
    to cause abnormal load on the PowerDNS backend by sending specially
    crafted DNS queries, potentially leading to a denial of service.

CVE-2016-6172

    It was reported that a malicious primary DNS server can crash a
    secondary PowerDNS server due to improper restriction of zone size
    limits. This update adds a feature to limit AXFR sizes in response
    to this flaw.

For the stable distribution (jessie), these problems have been fixed in
version 3.4.1-4+deb8u6.

We recommend that you upgrade your pdns packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
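
Added example, not part of the advisory or of the PowerDNS source: a strict parser for a wire-format query name that enforces the RFC 1035 limits behind CVE-2016-5426 / CVE-2016-5427 (255 octets per name, 63 per label) and escapes a dot inside a label when rendering text. The function names and sample names are constructed for illustration; rejecting compression pointers in the qname is a simplifying assumption.

```python
# Added example (not PowerDNS code): strict parsing of a wire-format qname.
MAX_NAME_OCTETS = 255    # RFC 1035: whole encoded name, root octet included
MAX_LABEL_OCTETS = 63    # RFC 1035: one label


class QnameError(ValueError):
    """The encoded query name breaks an RFC 1035 limit."""


def encode(labels):
    """Build wire format from raw labels (used for the constructed samples)."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def parse_qname(wire, offset=0):
    """Return (labels, offset just past the name) or raise QnameError."""
    labels, pos = [], offset
    while True:
        if pos >= len(wire):
            raise QnameError("name runs past end of packet")
        length = wire[pos]
        pos += 1
        if length == 0:                    # root label ends the name
            return labels, pos
        if length > MAX_LABEL_OCTETS:      # reserved values and compression pointers
            raise QnameError("label length octet %d not accepted" % length)
        if pos + length > len(wire):
            raise QnameError("label runs past end of packet")
        labels.append(wire[pos:pos + length])
        pos += length
        if pos - offset + 1 > MAX_NAME_OCTETS:   # +1: root octet still to come
            raise QnameError("encoded name longer than 255 octets")


def to_presentation(labels):
    """Render labels as text; a dot or backslash inside a label is escaped."""
    def esc(b):
        if b in b".\\":
            return "\\" + chr(b)
        return chr(b) if 0x21 <= b <= 0x7E else "\\%03d" % b
    return ".".join("".join(esc(b) for b in label) for label in labels) + "."


if __name__ == "__main__":
    # Constructed sample: the first label contains a literal dot.
    labels, _ = parse_qname(encode([b"a.b", b"example", b"com"]))
    print(to_presentation(labels))           # a\.b.example.com.
    print(b".".join(labels).decode() + ".")  # naive join: a.b.example.com.
```

The naive join makes the three-label name indistinguishable from a four-label one, which is why the text form passed to a backend has to keep label boundaries intact.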