Bug 559440 (CVE-2015-5230) - <net-dns/pdns-3.4.6: Degraded service or Denial of service (CVE-2015-5230)
Status: RESOLVED FIXED
Alias: CVE-2015-5230
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal with 2 votes
Assignee: Gentoo Security
URL: http://blog.powerdns.com/2015/09/02/p...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 559876
Depends on:
Blocks:
 
Reported: 2015-09-02 18:38 UTC by Ronny Boesger
Modified: 2016-11-19 04:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Ronny Boesger 2015-09-02 18:38:39 UTC
CVE: CVE-2015-5230
Date: 2nd of September 2015
Credit: Pyry Hakulinen and Ashish Shakla at Automattic
Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
Not affected: PowerDNS Authoritative Server 3.4.6
Severity: High
Impact: Degraded service or Denial of service
Exploit: This problem can be triggered by sending specially crafted query packets
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Run the Authoritative Server inside a supervisor when `distributor-threads` is set to `1` to prevent Denial of Service. No workaround for the degraded service exists


Reproducible: Always
Comment 1 Tomáš Mózes 2015-09-10 06:20:04 UTC
*** Bug 559876 has been marked as a duplicate of this bug. ***
Comment 2 Vladimir Datsevich 2015-09-23 17:19:12 UTC
Several days have passed since then, any news on this?
Comment 3 Vladimir Datsevich 2015-10-04 20:34:52 UTC
@security: could you please simply bump this one?
Comment 4 Sven Wegener gentoo-dev 2015-10-11 19:58:37 UTC
I've committed 3.4.6 to the tree.
Comment 5 Ronny Boesger 2015-10-26 10:45:13 UTC
3.4.6 works for me on x86, thanks.
Comment 6 Sven Wegener gentoo-dev 2015-11-09 20:12:32 UTC
The new 3.4.6 is vulnerable to another security issue, see bug #559440. Stable candidate is 3.4.7 for both bugs.
Comment 7 Sven Wegener gentoo-dev 2015-11-09 20:13:04 UTC
Make that bug #565286.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 01:20:52 UTC
This was first fixed in Gentoo repository by https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/pdns?id=0a6c9076768524880ef4bbc0b741104d6dae1cdf


@ Security: Please vote!
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 04:50:08 UTC
GLSA Vote: No