]> granicus.if.org Git - pdns/commitdiff
projects / pdns / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1403836)
Update secpoll and documentation for 2016-01
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 9 Sep 2016 08:57:21 +0000 (10:57 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 9 Sep 2016 08:57:21 +0000 (10:57 +0200)
docs/markdown/security/index.md patch | blob | history
docs/markdown/security/powerdns-advisory-2016-01.md [new file with mode: 0644] patch | blob
docs/mkdocs.yml patch | blob | history
docs/secpoll.zone patch | blob | history

diff --git a/docs/markdown/security/index.md b/docs/markdown/security/index.md
index 0af341bb13ddc42239fb95d1541d5d129860ffcc..740fd53f7a138cf09cf71b5c16ceb79bd5a03478 100644 (file)
--- a/docs/markdown/security/index.md
+++ b/docs/markdown/security/index.md
@@ -4,7 +4,9 @@ If you have a security problem to report, please email us at both <a href="mailt
 
 We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
 
-As of the 2nd of September 2015, no actual security problems with PowerDNS Authoritative Server 3.4.6, Recursor 3.6.3, Recursor 3.7.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+As of the 9th of September 2016, no actual security problems with PowerDNS Authoritative Server 3.4.10, Recursor 3.6.3, Recursor 3.7.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+
+Version 3.4.9 and earlier of the PowerDNS Authoritative Server can be made to cause unexpected backend load, see [PowerDNS Security Advisory 2016-01](powerdns-advisory-2016-01.md) for more information.
 
 PowerDNS Authoritative Server 3.4.0 through 3.4.5 can have their threads crashed with a malformed packet, see [PowerDNS Security Advisory 2015-02](powerdns-advisory-2015-02.md) for more information.
 
diff --git a/docs/markdown/security/powerdns-advisory-2016-01.md b/docs/markdown/security/powerdns-advisory-2016-01.md
new file mode 100644 (file)
index 0000000..15039c3
--- /dev/null
+++ b/docs/markdown/security/powerdns-advisory-2016-01.md
@@ -0,0 +1,24 @@
+## PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected backend load
+
+* CVE: CVE-2016-5426, CVE-2016-5427
+* Date: 9th of September 2016
+* Credit: Florian Heinz and Martin Kluge
+* Affects: PowerDNS Authoritative Server up to and including 3.4.9
+* Not affected: PowerDNS Authoritative Server 3.4.10, 4.x
+* Severity: Medium
+* Impact: Degraded service or Denial of service
+* Exploit: This problem can be triggered by sending specially crafted query packets
+* Risk of system compromise: No
+* Solution: Upgrade to a non-affected version
+* Workaround: Run dnsdist with the rules provided below in front of potentially affected servers, or dimension the backend capacity so that it can handle the increased load.
+
+Two issues have been found in PowerDNS Authoritative Server allowing a remote, unauthenticated attacker to cause an abnormal load on the PowerDNS backend by sending crafted DNS queries, which might result in a partial denial of service if the backend becomes overloaded. SQL backends for example are particularly vulnerable to this kind of unexpected load if they have not been dimensioned for it.
+The first issue is based on the fact that PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes. This issue has been assigned CVE-2016-5426.
+The second issue is based on the fact that PowerDNS Authoritative Server does not properly handle dot inside labels. This issue has been assigned CVE-2016-5427.
+Both issues have been addressed by this [commit](https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3).
+
+PowerDNS Authoritative Server up to and including 3.4.9 is affected. No other versions are affected. The PowerDNS Recursor is not affected.
+
+dnsdist can be used to block crafted queries, using QNameWireLengthRule() to block queries with a qname larger than 255 bytes and QNameLabelsCountRule() to block queries with a very large amount of labels. Please note that restricting the number of labels in a query might lead to unexpected issues, especially with DNSSEC-enabled domains.
+
+We'd like to thank Florian Heinz and Martin Kluge for finding and subsequently reporting this issue.
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 0bd37f0644894890b9e9f48a4f9c8faa790c895b..2f41647d8353981c1718fa525e84e00e207e2308 100644 (file)
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -72,6 +72,7 @@ pages:
     - List of Settings: recursor/settings.md
   - Security:
     - Security Policy: security/index.md
+    - Advisory 2016-01: security/powerdns-advisory-2016-01.md
     - Advisory 2015-03: security/powerdns-advisory-2015-03.md
     - Advisory 2015-02: security/powerdns-advisory-2015-02.md
     - Advisory 2015-01: security/powerdns-advisory-2015-01.md
diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index 3571f770330d779323ef8cafa77abea58139992d..687e8c8e4c0b82d17be828fc61293b0b632c02eb 100644 (file)
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2016090502 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2016090907 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 ; Auth
@@ -12,9 +12,9 @@ auth-3.4.3.security-status                              60 IN TXT "3 Upgrade now
 auth-3.4.4.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.5.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.6.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
-auth-3.4.7.security-status                              60 IN TXT "1 OK"
-auth-3.4.8.security-status                              60 IN TXT "1 OK"
-auth-3.4.9.security-status                              60 IN TXT "1 OK"
+auth-3.4.7.security-status                              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
+auth-3.4.8.security-status                              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
+auth-3.4.9.security-status                              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
 auth-3.4.10.security-status                             60 IN TXT "1 OK"
 
 auth-4.0.0-alpha1.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities). Please upgrade to final, see https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/"
@@ -34,26 +34,26 @@ auth-3.4.4-1.debian.security-status                     60 IN TXT "3 Upgrade now
 auth-3.4.4-2.debian.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.5-1.debian.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.6-1.debian.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
-auth-3.4.7-1.debian.security-status                     60 IN TXT "1 OK"
+auth-3.4.7-1.debian.security-status                     60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
 
 auth-3.4.1-3_bpo70_1.debian.security-status             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/"
 auth-3.4.1-4_bpo70_1.debian.security-status             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/"
 auth-3.4.4-2_bpo7_1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.5-1_bpo7_1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.6-1_bpo7_1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
-auth-3.4.7-1_bpo7_1.debian.security-status              60 IN TXT "1 OK"
+auth-3.4.7-1_bpo7_1.debian.security-status              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
 
 auth-3.4.1-4_deb8u1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/"
 auth-3.4.1-4_deb8u2.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/"
-auth-3.4.1-4_deb8u3.debian.security-status              60 IN TXT "1 OK"
-auth-3.4.1-4_deb8u4.debian.security-status              60 IN TXT "1 OK"
-auth-3.4.1-4_deb8u5.debian.security-status              60 IN TXT "1 OK"
+auth-3.4.1-4_deb8u3.debian.security-status              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
+auth-3.4.1-4_deb8u4.debian.security-status              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
+auth-3.4.1-4_deb8u5.debian.security-status              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
 auth-3.4.1-4_deb8u6.debian.security-status              60 IN TXT "1 OK"
 
 auth-3.4.4-2_bpo8_1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.5-1_bpo8_1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
 auth-3.4.6-1_bpo8_1.debian.security-status              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
-auth-3.4.7-1_bpo8_1.debian.security-status              60 IN TXT "1 OK"
+auth-3.4.7-1_bpo8_1.debian.security-status              60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
 
 auth-4.0.0_alpha1-1.debian.security-status              60 IN TXT "2 Unsupported pre-release (no known vulnerabilities). Please upgrade to final, see https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/"
 auth-4.0.0_alpha1-2.debian.security-status              60 IN TXT "2 Unsupported pre-release (no known vulnerabilities). Please upgrade to final, see https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/"
@@ -70,7 +70,7 @@ auth-3.4.1-3.ubuntu.security-status                     60 IN TXT "3 Upgrade now
 auth-3.4.1-4.ubuntu.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/"
 auth-3.4.5-1.ubuntu.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2015-03"
 auth-3.4.6-1.ubuntu.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/"
-auth-3.4.7-1.ubuntu.security-status                     60 IN TXT "1 OK"
+auth-3.4.7-1.ubuntu.security-status                     60 IN TXT "2 Upgrade recommended, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/"
 
 auth-4.0.0_alpha1-1.ubuntu.security-status              60 IN TXT "2 Unsupported pre-release (no known vulnerabilities). Please upgrade to final, see https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/"
 auth-4.0.0_alpha2-1.ubuntu.security-status              60 IN TXT "2 Unsupported pre-release (no known vulnerabilities). Please upgrade to final, see https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/"
Unnamed repository; edit this file 'description' to name the repository.