Bug 605588 (CVE-2016-2120, CVE-2016-7072) - <net-dns/pdns-4.0.2: multiple vulnerabilities (CVE-2016-{2120,7068,7072,7073,7074})
Status: RESOLVED FIXED
Alias: CVE-2016-2120, CVE-2016-7072
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Blocks: CVE-2016-7068 CVE-2016-7073, CVE-2016-7074
Reported: 2017-01-13 15:26 UTC by Thomas Deutschmann
Modified: 2017-01-23 03:55 UTC

Package list:
=net-dns/pdns-4.0.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2017-01-13 15:26:06 UTC
We are pleased to announce the release of the PowerDNS Authoritative Server 4.0.2. This release fixes several security issues reported to us in the last few months, as well as a memory leak in the PostgreSQL backend.

The following security issues were fixed:

 * 2016-02: Crafted queries can cause abnormal CPU usage[1]
 * 2016-03: Denial of service via the web server[2]
 * 2016-04: Insufficient validation of TSIG signatures[3]
 * 2016-05: Crafted zone record can cause a denial of service[4]

For those who cannot update, minimal patches are available[5,6,7,8]

The full changelog is available online[5] and reproduced here:

 *  Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02)
 *  Don't exit if the webserver can't accept a connection (Security Advisory 2016-03)
 *  Check TSIG signature on IXFR (Security Advisory 2016-04)
 *  Correctly check unknown record content size (Security Advisory 2016-05)
 *  ODBC backend: actually prepare statements
 *  Fix incorrect length check in `DNSName` when extracting qtype or qclass
 *  Fix a possible memory leak in the webserver
 *  Fix a stack-based off-by-one write in the HTTP remote backend
 *  Better handling of invalid serial
 *  Limit size of mysql cell to 128 kilobytes
 *  Overload fix: make overload-queue-length work as intended again, add test for it.
 *  Improve root-zone performance
 *  pipe: SERVFAIL when needed
 *  Make sure mariadb (mysql on centos/rhel) is started before pdns (42wim)
 *  ComboAddress: don't allow invalid ports
 *  Plug memory leak in postgresql backend (Christian Hofstaedtler)
 *  auth: Fix a stack-based off-by-one write in the HTTP remote backend
 *  calidns: Don't crash if we don't have enough 'unknown' queries remaining
 *  disable negative getSOA caching if the negcache_ttl is 0 (Kees Monshouwer)
 *  Improve PacketCache cleaning (Kees Monshouwer)
 *  Strip trailing dot in PTR content (Kees Monshouwer)
 *  contrib: simple bash completion for pdnsutil (j0ju)
 *  Bind backend: update status message on reload, keep the existing zone on failure
 *  report DHCID type (Kees Monshouwer)
 *  Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
 *  Speedup DNSName creation
 *  fix TSIG for single thread distributor (Kees Monshouwer)
 *  change default for any-to-tcp to yes (Kees Monshouwer)
 *  Don't look up the packet cache for TSIG-enabled queries
 *  (auth) Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
 *  geoipbackend: Fix minor naming issue (Aki Tuomi)
 *  pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
 *  API: search should not return ENTs (Christian Hofstaedtler)
 *  In `Bind2Backend::lookup()`, use the `zoneId` when we have it

We highly recommend all users to update to the latest version.

The tarball is on the releases page[10], as well as signatures[11].
Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories[12].

Best regards,

The PowerDNS team.

1 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-02
2 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-03
3 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-04
4 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-05
5 - https://downloads.powerdns.com/patches/2016-02
6 - https://downloads.powerdns.com/patches/2016-03
7 - https://downloads.powerdns.com/patches/2016-04
8 - https://downloads.powerdns.com/patches/2016-05
9 - https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
10 - https://downloads.powerdns.com/releases/pdns-4.0.2.tar.bz2
11 - https://downloads.powerdns.com/releases/pdns-4.0.2.tar.bz2.sig
12 - https://repo.powerdns.com
Comment 1 Sven Wegener gentoo-dev 2017-01-14 07:25:21 UTC
I just committed pdns-recursor-4.0.4 to the tree.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-14 08:04:22 UTC
*** Bug 605590 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-01-14 14:02:00 UTC
@ Arches,

please test and mark stable: =net-dns/pdns-4.0.2
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-15 09:04:48 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-16 10:16:27 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-01-16 18:46:50 UTC
GLSA Vote: No.


@ Maintainer(s): Please cleanup and drop <net-dns/pdns-4.0.2.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-23 03:55:16 UTC
tree is clean.