From ${URL} :

It turns out that most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server.

Some references:

- https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html
- https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015075.html
- https://gitlab.labs.nic.cz/labs/knot/merge_requests/541
- https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790

PowerDNS is reportedly affected as well, but I did not find a public bug for this issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Proposed patches being tracked by upstream: https://github.com/PowerDNS/pdns/issues/4128
Today (2016-09-02) PowerDNS announced the release of pdns-3.4.10 which addresses the reported problem:

> Hi everybody,
>
> We’re pleased to announce version 3.4.10 of our Authoritative Server.
>
> This release fixes several bugs, decreases CPU usage and allows better interoperability with PowerDNS 4.0.X databases. It also adds a feature to limit AXFR sizes in response to CVE-2016-6172.
>
> Tar.gz and packages are available on:
>
> https://downloads.powerdns.com/releases/
> Soon: https://www.monshouwer.eu/download/3rd_party/pdns/ (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).
>
> Warning: Version 3.4.10 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.
>
> Find the downloads on our download page, https://www.powerdns.com/downloads.html
>
> Changes since 3.4.9:
>
> - commit 1f8078c: Enable mbedtls threading abstraction layer (Kees Monshouwer)
> - commit 63a6800: Update polarssl 1.3.9 to mbedtls 1.3.17 (Kees Monshouwer)
> - commit dc73734: Report DHCID type (Kees Monshouwer)
> - commit 2c6e628: Fix TSIG for single thread distributor (Kees Monshouwer)
> - commit 09bdd9f: Don’t send covering nsec records for direct nsec queries (Kees Monshouwer)
> - commit da231a4: Ignore trailing dot in signer name (Kees Monshouwer)
> - commit a014f4c: Add limits to the size of received AXFR, in megabytes
> - commit 881b5b0: Reject qnames with wirelength > 255, chopOff() handle dot inside labels
> - commit 210fb15: Gmysql get-order-after-query was slow (Kees Monshouwer)
> - commit 7bab770: Sync boost.m4 with upstream (Kees Monshouwer)
> - commit 9740371: Fix shorter best matching names in getAuth() (Kees Monshouwer)
> - commit 991528c: change default for any-to-tcp to yes (Kees Monshouwer)

Source: https://blog.powerdns.com/2016/09/02/authoritative-server-3-4-10/
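The bug description above (an unbounded zone transfer lets a primary exhaust a secondary) and the 3.4.10 changelog entry "Add limits to the size of received AXFR, in megabytes" describe the same mitigation from two sides: the secondary must stop accumulating a transfer as soon as a configured byte budget is exceeded, rather than buffering whatever the primary sends. The following Python sketch is an added illustration of that guard and is not PowerDNS code; it uses a toy DNS-over-TCP framed stream with constructed payloads (plain filler bytes standing in for record data) and a hypothetical `receive_axfr()` receiver. The two sample streams, the limit value, and the names are all assumptions chosen for the demonstration.

```python
"""Bounded AXFR reception: abort a zone transfer once a byte budget is exceeded.

Added illustration of the mitigation discussed in this bug; not PowerDNS code.
"""
import struct
from typing import Iterator, List


class ZoneTooLarge(Exception):
    """Incoming zone transfer exceeded the receiver's configured byte budget."""

    def __init__(self, received: int, limit: int, buffered_messages: int) -> None:
        super().__init__(
            f"AXFR aborted: {received} bytes received exceeds limit of {limit} bytes"
        )
        self.received = received
        self.limit = limit
        self.buffered_messages = buffered_messages


def frame_tcp_messages(payloads: List[bytes]) -> bytes:
    """Apply DNS-over-TCP framing: a 2-byte big-endian length before each message."""
    return b"".join(struct.pack("!H", len(p)) + p for p in payloads)


def iter_tcp_messages(stream: bytes) -> Iterator[bytes]:
    """Yield DNS messages from a framed TCP stream one at a time.

    Generator form matters: the receiver decides per message whether to keep
    going, instead of reading the whole transfer before checking anything.
    """
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + length > len(stream):
            raise ValueError("truncated DNS message in transfer stream")
        yield stream[offset:offset + length]
        offset += length


def receive_axfr(stream: bytes, max_received_bytes: int) -> List[bytes]:
    """Buffer an AXFR's messages, aborting once the cumulative size exceeds the budget.

    The check runs before the message is appended, so memory held by the
    receiver never grows beyond the budget plus a single message.
    """
    received = 0
    messages: List[bytes] = []
    for msg in iter_tcp_messages(stream):
        received += len(msg)
        if received > max_received_bytes:
            raise ZoneTooLarge(received, max_received_bytes, len(messages))
        messages.append(msg)
    return messages


# Constructed sample streams (not real zone data): filler bytes stand in for RR wire format.
SMALL_ZONE = frame_tcp_messages([b"\x00" * 300 for _ in range(4)])        # 1,200 bytes total
RUNAWAY_ZONE = frame_tcp_messages([b"\x00" * 60_000 for _ in range(50)])  # 3,000,000 bytes total


def demo(limit_bytes: int = 100_000) -> dict:
    """Run both constructed streams through the bounded receiver and report the outcome."""
    result = {"small_messages": len(receive_axfr(SMALL_ZONE, limit_bytes))}
    try:
        receive_axfr(RUNAWAY_ZONE, limit_bytes)
        result["runaway"] = "accepted"
    except ZoneTooLarge as exc:
        result["runaway"] = "rejected"
        result["runaway_buffered_messages"] = exc.buffered_messages
        result["runaway_bytes_at_abort"] = exc.received
    return result


if __name__ == "__main__":
    print(demo())
```

With a 100 kB budget the small zone is accepted in full, while the runaway transfer is rejected on its second message with only one 60 kB message buffered; with no effective limit the same receiver would hold all 3 MB, which is the failure mode the bug describes. In a real deployment the budget is an operator setting rather than a function argument (PowerDNS documents such a knob as `xfr-max-received-mbytes`; whether that exact name applies to 3.4.10 is not something this page establishes), and it should be sized per secondary to the largest zone it legitimately serves.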
3.4.10 is in the tree.
pdns-3.4.10 is ready for stabilization
@ Arches, please test and mark stable: =net-dns/pdns-3.4.10 Targeted stable KEYWORDS: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No