FreeBSD Bugzilla – Attachment 199361 Details for Bug 233139: dns/powerdns: Update to 4.1.5 (Fixes security vulnerabilities)
[patch] VuXML for powerdns < 4.1.5 issues
vuxml-powerdns.diff (text/plain), 2.37 KB, created by Ralf van der Enden on 2018-11-19 21:39:02 UTC
>Index: vuln.xml >=================================================================== >--- vuln.xml (revision 485327) >+++ vuln.xml (working copy) 
>@@ -58,6 +58,47 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="0aee2f13-ec1d-11e8-8c92-6805ca2fa271"> >+ <topic>powerdns -- Multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>powerdns</name> >+ <range><lt>4.1.5</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>PowerDNS Team reports:</p> >+ <blockquote cite="https://doc.powerdns.com/authoritative/changelog/4.1.html"> >+ <p>CVE-2018-10851: An issue has been found in PowerDNS Authoritative Server allowing >+ an authorized user to cause a memory leak by inserting a specially crafted record >+ in a zone under their control, then sending a DNS query for that record. The issue >+ is due to the fact that some memory is allocated before the parsing and is not >+ always properly released if the record is malformed. When the PowerDNS >+ Authoritative Server is run inside the guardian (--guardian), or inside a >+ supervisor like supervisord or systemd, an out-of-memory crash will lead to an >+ automatic restart, limiting the impact to a somewhat degraded service.</p> >+ <p>CVE-2018-14626: An issue has been found in PowerDNS Authoritative Server allowing >+ a remote user to craft a DNS query that will cause an answer without DNSSEC >+ records to be inserted into the packet cache and be returned to clients asking for >+ DNSSEC records, thus hiding the presence of DNSSEC signatures for a specific qname >+ and qtype. 
For a DNSSEC-signed domain, this means that DNSSEC validating clients >+ will consider the answer to be bogus until it expires from the packet cache, >+ leading to a denial of service.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://doc.powerdns.com/authoritative/changelog/4.1.html</url> >+ <cvename>CVE-2018-10851</cvename> >+ <cvename>CVE-2018-14626</cvename> >+ </references> >+ <dates> >+ <discovery>2018-11-06</discovery> >+ <entry>2018-11-19</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="e9aa0e4c-ea8b-11e8-a5b7-00e04c1ea73d"> > <topic>powerdns-recursor -- Multiple vulnerabilities</topic> > <affects>
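Review bot: the `<range><lt>4.1.5</lt></range>` in the new `powerdns` entry has no lower bound, so every earlier version of the package is flagged for both CVE-2018-10851 and CVE-2018-14626. If upstream names a first affected release for either issue, add a matching `<ge>` bound; if not, the open range is a safe over-approximation. The comment in the context lines asks not to forget port variants, so confirm that `powerdns` is the only package name that installs the Authoritative Server. Both the `cite` attribute and the `<url>` reference point at the general 4.1 changelog page; if per-CVE upstream advisories exist, adding them as `<url>` references would let readers check the quoted text directly.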
Attachments on bug 233139: 199138 | 199361