[3.8] pdns: Multiple vulnerabilities (CVE-2018-10851, CVE-2018-14626)
CVE-2018-10851: Crafted zone record can cause a denial of service¶
An issue has been found in PowerDNS Authoritative Server allowing an
authorized user to cause a memory leak by inserting a specially crafted
record in a zone under their control,
then sending a DNS query for that record. The issue is due to the fact
that some memory is allocated before the parsing and is not always
properly released if the record is malformed.
Affects: PowerDNS Authoritative from 3.3.0 up to and including 4.1.4
Not affected: 4.1.5, 4.0.6
References:
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html
https://www.openwall.com/lists/oss-security/2018/11/06/8
CVE-2018-14626: Packet cache pollution via crafted query¶
An issue has been found in PowerDNS Authoritative Server allowing a remote user to craft a DNS query that will cause an answer without DNSSEC records to be inserted into the packet cache and be returned to clients asking for DNSSEC records, thus hiding the presence of DNSSEC signatures for a specific qname and qtype. For a DNSSEC-signed domain, this means that DNSSEC validating clients will consider the answer to be bogus until it expires from the packet cache, leading to a denial of service.
Affects: PowerDNS Authoritative from 4.1.0 up to and including 4.1.4
Not affected: 4.1.5, 4.0.x
References:
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html
https://www.openwall.com/lists/oss-security/2018/11/06/8
(from redmine: issue id 9719, created on 2018-11-29, closed on 2018-12-04)
- Changesets:
- Revision 43dd52bd by Natanael Copa on 2018-11-29T16:08:44Z:
community/pdns: security upgrade to 4.0.6 (CVE-2018-10851)
fixes #9719