Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2436 [SECURITY] [DLA 1843-1] pdns security update 4 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: pdns Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-10163 CVE-2019-10162 Reference: ESB-2019.2234 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/07/msg00002.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : pdns Version : 3.4.1-4+deb8u10 CVE ID : CVE-2019-10162 CVE-2019-10163 Two vulnerabilities have been discovered in pdns, an authoritative DNS server which may result in denial of service via malformed zone records and excessive NOTIFY packets in a master/slave setup. CVE-2019-10162 An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify. CVE-2019-10163 An issue has been found in PowerDNS Authoritative Server allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue. For Debian 8 "Jessie", these problems have been fixed in version 3.4.1-4+deb8u10. We recommend that you upgrade your pdns packages. For the detailed security status of pdns please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pdns Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - - -- Jonas Meurer - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAl0cq0AACgkQUmLn/0kQ Sf6uzRAAn57AZxX15uMo8TazTd4gFkT4MdP8BOdUKx05DPFVNCMcQCNheQsFoW83 Ewcdg9truLiG+NebnBpDnbVgXrkCmNXJbai6zrXuyqq+2m4PqUz/QkBT2GqaFE4G XPXcuh8En5xn7dTasBkJvTA9Tm5i9Omdmj+VsDHLA2JLsvjjhrHvkuYFpZiA62J1 a3Tvf5jBO2+dmnR17Kf6AF++mitTa+BqPKWt4KSoFMGdb/I+K+XRZPr/N2Dvi9ld Ankkjm7GwdcnXu2L5neU75EI0xAWEe5SGdRAAKAveAQ8qbDpGy/UtS42+t09ao69 C97PuB0P+0lH612u0NKybH20Mbtp9cY2lh+h8l3pteVO4I8SgUmr+Qgnj62e12Rw IoUCY7JBxII8rnSKlQ7SR2EJS23CHEk4brijaOl+o+ACqKLD3fmgdmTlO84zKXQv /pHJESvbpK/prZAy/GVVfpWDgx5IEq1lhUDZkHZBZ+qZjH2LXsLn59uxL7to8Gkl KD0TJxdrYFLVeu+CgvO2fNySr9VaAih9LV8EvS86y9m7fZZKTv5ivT0CVRDfv4re 6DyWMdn0nhmAYHBFxiAFL5qsO4pjte8YjR07SfKCTDwGboILMJA1QXFCszdJNCxr BXRXQ9NA5nsw2K+gq2rIn38iiq70JlO6OL0wGq190ALPkr41k4o= =0wei - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXR1RwmaOgq3Tt24GAQiueg//VH2QclOhWaJ5Z71FTBhmivMgJEx0h+S+ PODxhJX2ANlOypUXVfesBGE2RemJVUn8D3PzUpWX4R5slzetOJL1Yw9qMCGLD80+ KLwGuVCcWdW7i6JwoVWfw18SMHjuypkplFAl3ICPzwHDnqEJFUH2TdtvejFubizK IEZ8QTnfZK/NeFtwmpdRCy/P8WrGmu4B3NFcgAHwn1DaFotQJHwtrYo6OS941ggR 93bVZdcNMIjiG3NAvfn3Pczbtpp5OGGg3ENnr3YiKCm3DhrOOtlXndZJOGPUP8cY CHvDL855xwIHBGeRorV7UE0FZXawwmMNfWcYMsc3vBvSa9I09NfzjiHbr1pY4IW8 bFAmBQedrZD3W7n1MUD44AcirEOAbVeKwvZVcDHc5ysxkn5YT280cbexpvTI36NL p5rkPiRkVRPuHO/I1dEb3wcpKSW7wqG4PP7mvOLY+iW0uBRuqSFt1KxTfs6/xIvY 6fXJ1srUIY9Fa6K5Y7AIyxHndYmHvjLVkVFmzaooqE5l3Lwz3jKH0UKx6eVVOwnU HPvfODge1Y1w8mx3exSbKgOS1D9bap3e34bp4FvEBkM0Bkdo70uJiucQtw5qXxPh x1mB4boeqATK18MELSUa5m9l+RLRLEF/reXI8Ify7RLGekMo8oihxA8fnAtuNuZU 7R4ibYYHExc= =9hI1 -----END PGP SIGNATURE-----