Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559440 (CVE-2015-5230) - <net-dns/pdns-3.4.6: Degraded service or Denial of service (CVE-2015-5230)
Summary: <net-dns/pdns-3.4.6: Degraded service or Denial of service (CVE-2015-5230)
Alias: CVE-2015-5230
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 2 votes (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
: 559876 (view as bug list)
Depends on:
Reported: 2015-09-02 18:38 UTC by Ronny Boesger
Modified: 2016-11-19 04:50 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ronny Boesger 2015-09-02 18:38:39 UTC
CVE: CVE-2015-5230
Date: 2nd of September 2015
Credit: Pyry Hakulinen and Ashish Shakla at Automattic
Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
Not affected: PowerDNS Authoritative Server 3.4.6
Severity: High
Impact: Degraded service or Denial of service
Exploit: This problem can be triggered by sending specially crafted query 
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Run the Authoritative Server inside a supervisor when `distributor-
            threads` is set to `1` to prevent Denial of Service. No workaround 
            for the degraded service exists

Reproducible: Always
Comment 1 Tomáš Mózes 2015-09-10 06:20:04 UTC
*** Bug 559876 has been marked as a duplicate of this bug. ***
Comment 2 Vladimir Datsevich 2015-09-23 17:19:12 UTC
Several days have passed since then, any news on this?
Comment 3 Vladimir Datsevich 2015-10-04 20:34:52 UTC
@security: could you please simply bump this one?
Comment 4 Sven Wegener gentoo-dev 2015-10-11 19:58:37 UTC
I've committed 3.4.6 to the tree.
Comment 5 Ronny Boesger 2015-10-26 10:45:13 UTC
3.4.6 works for me on x86, thanks.
Comment 6 Sven Wegener gentoo-dev 2015-11-09 20:12:32 UTC
The new 3.4.6 is vulnerable to another security issue, see bug #559440. Stable candidate is 3.4.7 for both bugs.
Comment 7 Sven Wegener gentoo-dev 2015-11-09 20:13:04 UTC
Make that bug #565286.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 01:20:52 UTC
This was first fixed in Gentoo repository by

@ Security: Please vote!
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 04:50:08 UTC
GLSA Vote: No