From a813c49b498eada581a90028679e04648ce1c263 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Fri, 1 Dec 2017 12:00:45 +0100 Subject: [PATCH] Add advisory 2017-08 --- .../powerdns-advisory-2017-08.rst | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-08.rst diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-08.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-08.rst new file mode 100644 index 0000000000..34ea7e4694 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2017-08.rst 
@@ -0,0 +1,32 @@ +PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service +====================================================================================== + +- CVE: CVE-2017-15120 +- Date: December 18th 2017 +- Credit: Toshifumi Sakaguchi +- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.7 +- Not affected: PowerDNS Recursor 3.7.4, 4.0.8, 4.1.0 +- Severity: High +- Impact: Denial of service +- Exploit: This problem can be triggered by an authoritative server + sending a crafted CNAME answer with a class other than IN to the Recursor. +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: run the process inside a supervisor like supervisord or systemd + +An issue has been found in the parsing of authoritative answers in PowerDNS +Recursor, leading to a NULL pointer dereference when parsing a specially crafted +answer containing a CNAME of a different class than IN. +This issue has been assigned CVE-2017-15120. + +When the PowerDNS Recursor is run inside a supervisor like supervisord or +systemd, it will be automatically restarted, limiting the impact to somewhat +degraded service. + +PowerDNS Recursor from 4.0.0 up to and including 4.0.7 are affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank Toshifumi Sakaguchi for finding and subsequently +reporting this issue. -- 2.47.2
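Review bot: The anonymous hyperlink in the "minimal patch" sentence near the end of the new file, "`available `__", has no target as shown here, so the rendered advisory would give users who cannot upgrade nothing to follow. Put the patch URL in angle brackets inside the backticks after the link text, and end the sentence with a period. Two smaller points in the same hunk. The "Workaround" bullet lists running under supervisord or systemd, but the body text says this only limits the impact to "somewhat degraded service", and the NULL pointer dereference still occurs. Consider wording the bullet as a mitigation (for example "None; running the process inside a supervisor limits the impact") so it matches the paragraph below it. Also, "PowerDNS Recursor from 4.0.0 up to and including 4.0.7 are affected" would read better as "PowerDNS Recursor versions from 4.0.0 up to and including 4.0.7 are affected".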