Debian DSA-3664-1 : pdns - security update

High Nessus Plugin ID 93419

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities have been discovered in pdns, an authoritative DNS server. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2016-5426 / CVE-2016-5427 Florian Heinz and Martin Kluge reported that the PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes and does not properly handle dot inside labels. A remote, unauthenticated attacker can take advantage of these flaws to cause abnormal load on the PowerDNS backend by sending specially crafted DNS queries, potentially leading to a denial of service.

- CVE-2016-6172 It was reported that a malicious primary DNS server can crash a secondary PowerDNS server due to improper restriction of zone size limits. This update adds a feature to limit AXFR sizes in response to this flaw.

Solution

Upgrade the pdns packages.

For the stable distribution (jessie), these problems have been fixed in version 3.4.1-4+deb8u6.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830808

https://security-tracker.debian.org/tracker/CVE-2016-5426

https://security-tracker.debian.org/tracker/CVE-2016-5427

https://security-tracker.debian.org/tracker/CVE-2016-6172

https://packages.debian.org/source/jessie/pdns

https://www.debian.org/security/2016/dsa-3664

Plugin Details

Severity: High

ID: 93419

File Name: debian_DSA-3664.nasl

Version: 2.7

Type: local

Agent: unix

Published: 2016/09/12

Updated: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:pdns, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/09/10

Reference Information

CVE: CVE-2016-5426, CVE-2016-5427, CVE-2016-6172

DSA: 3664