Bug 588656 (CVE-2016-6172) - <net-dns/pdns-3.4.10: Malicious primary DNS servers can crash secondaries
Summary: <net-dns/pdns-3.4.10: Malicious primary DNS servers can crash secondaries
Alias: CVE-2016-6172
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2016-5426, CVE-2016-5427
Reported: 2016-07-12 08:39 UTC by Agostino Sarubbo
Modified: 2016-11-11 12:45 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-07-12 08:39:01 UTC
From ${URL} :

It turns out that most DNS server implementations do not implement 
reasonable restrictions for zone sizes.  This allows an explicitly 
configured primary DNS server for a zone to crash a secondary DNS 
server, affecting service of other zones hosted on the same secondary 

Some references:

PowerDNS is reportedly affected as well, but I did not find a public bug 
for this issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-07-16 09:01:01 UTC
Proposed patches being tracked by upstream:
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-02 12:03:11 UTC
Today (2016-09-02) PowerDNS announced the release of pdns-3.4.10 which addresses the reported problem:

> Hi everybody,
> We’re pleased to announce version 3.4.10 of our Authoritative Server.
> This release fixes several bugs, decreases CPU usage and allows better
> interoperability with PowerDNS 4.0.X databases. It also adds a feature to
> limit AXFR sizes in response to CVE-2016-6172.
> Tar.gz and packages are available on:
>     Soon: (RHEL/
>     CentOS, with the usual huge thanks to Kees Monshouwer).
> Warning: Version 3.4.10 of the PowerDNS Authoritative Server is a major
> upgrade if you are coming from 2.9.x. Additionally, if you are coming
> from any 3.x version (including 3.3.1), there is a mandatory SQL schema
> upgrade. Please refer to the Upgrade documentation for important
> information on correct and stable operation, as well as notes on
> performance and memory use.
> Find the downloads on our download page,
> Changes since 3.4.9:
>  - commit 1f8078c: Enable mbedtls threading abstraction layer (Kees Monshouwer)
>  - commit 63a6800: Update polarssl 1.3.9 to mbedtls 1.3.17 (Kees Monshouwer)
>  - commit dc73734: Report DHCID type (Kees Monshouwer)
>  - commit 2c6e628: Fix TSIG for single thread distributor (Kees Monshouwer)
>  - commit 09bdd9f: Don’t send covering nsec records for direct nsec queries (Kees Monshouwer)
>  - commit da231a4: Ignore trailing dot in signer name (Kees Monshouwer)
>  - commit a014f4c: Add limits to the size of received AXFR, in megabytes
>  - commit 881b5b0: Reject qnames with wirelength > 255, chopOff() handle dot inside labels
>  - commit 210fb15: Gmysql get-order-after-query was slow (Kees Monshouwer)
>  - commit 7bab770: Sync boost.m4 with upstream (Kees Monshouwer)
>  - commit 9740371: Fix shorter best matching names in getAuth() (Kees Monshouwer)
>  - commit 991528c: change default for any-to-tcp to yes (Kees Monshouwer)
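
An added illustration (not from the bug report and not PowerDNS code) of the kind of receive-side cap described by "Add limits to the size of received AXFR, in megabytes": the secondary counts the bytes of an incoming transfer and aborts once the limit is passed. The names `receive_transfer`, `max_received_mbytes`, `TransferTooLarge` and `build_stream` are hypothetical, and the input stream is constructed.

```python
import io
import struct

MEGABYTE = 1024 * 1024


class TransferTooLarge(Exception):
    """Incoming zone transfer exceeded the configured cap."""


def read_exact(stream, n):
    """Read exactly n bytes; raise EOFError if the stream ends early."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("stream ended mid-frame")
        buf += chunk
    return buf


def receive_transfer(stream, max_received_mbytes):
    """Collect TCP-framed DNS messages (2-byte length prefix, RFC 1035
    section 4.2.2) until EOF, buffering at most max_received_mbytes in
    total; 0 disables the cap. A real AXFR ends at the closing SOA."""
    limit = max_received_mbytes * MEGABYTE
    received = 0
    messages = []
    while True:
        prefix = stream.read(2)
        if not prefix:
            return messages, received
        if len(prefix) < 2:
            prefix += read_exact(stream, 1)
        (length,) = struct.unpack("!H", prefix)
        # Account for the announced length before reading the body, so an
        # over-limit message is rejected without being buffered.
        received += 2 + length
        if limit and received > limit:
            raise TransferTooLarge(
                f"limit of {max_received_mbytes} MB exceeded after "
                f"{len(messages)} messages")
        messages.append(read_exact(stream, length))


def build_stream(n_messages, payload_len):
    """Constructed sample input: n framed dummy messages of payload_len bytes."""
    frame = struct.pack("!H", payload_len) + b"\x00" * payload_len
    return io.BytesIO(frame * n_messages)
```

Because the check runs per message against a running total, memory use on the secondary is bounded by the cap no matter how many records the primary sends.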

Comment 3 Sven Wegener gentoo-dev 2016-09-04 08:45:19 UTC
3.4.10 is in the tree.
Comment 4 Sven Wegener gentoo-dev 2016-09-12 21:03:46 UTC
pdns-3.4.10 is ready for stabilization
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 23:16:03 UTC
@ Arches,

please test and mark stable: =net-dns/pdns-3.4.10 
Targeted stable KEYWORDS: amd64 x86
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-13 11:37:30 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 08:42:05 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 12:45:47 UTC
GLSA Vote: No