Date: 2nd of September 2015
Credit: Pyry Hakulinen and Ashish Shakla at Automattic
Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
Not affected: PowerDNS Authoritative Server 3.4.6
Impact: Degraded service or Denial of service
Exploit: This problem can be triggered by sending specially crafted query
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Run the Authoritative Server inside a supervisor when
`distributor-threads` is set to `1` to prevent Denial of Service. No workaround
for the degraded service exists
*** Bug 559876 has been marked as a duplicate of this bug. ***
Several days have passed since then, any news on this?
@security: could you please simply bump this one?
I've committed 3.4.6 to the tree.
3.4.6 works for me on x86, thanks.
The new 3.4.6 is vulnerable to another security issue, see bug #559440. Stable candidate is 3.4.7 for both bugs.
Make that bug #565286.
This was first fixed in Gentoo repository by https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/pdns?id=0a6c9076768524880ef4bbc0b741104d6dae1cdf
@ Security: Please vote!
GLSA Vote: No