From: Pieter Lexis Date: Fri, 28 Aug 2015 14:02:26 +0000 (+0200) Subject: Add the security advisory for Auth 3.4.6 X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~68^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a846ba0d8bc96902f165d288214f14225f66e24;p=thirdparty%2Fpdns.git Add the security advisory for Auth 3.4.6 --- diff --git a/docs/markdown/changelog.md.raw b/docs/markdown/changelog.md.raw index 1b2082ffd7..8804d8a4a5 100644 --- a/docs/markdown/changelog.md.raw +++ b/docs/markdown/changelog.md.raw @@ -3,6 +3,9 @@ # PowerDNS Authoritative Server 3.4.6 Released 28th of August 2015 +This is a security release fixing [Security Advisory +2015-02](security/powerdns-advisory-2015-02.md) + Bug fixes: - commits [c849701](https://github.com/PowerDNS/pdns/commit/c849701) and diff --git a/docs/markdown/security/powerdns-advisory-2015-02.md b/docs/markdown/security/powerdns-advisory-2015-02.md new file mode 100644 index 0000000000..e3c38249f0 --- /dev/null +++ b/docs/markdown/security/powerdns-advisory-2015-02.md @@ -0,0 +1,30 @@ +## PowerDNS Security Advisory 2015-02: Packet parsing bug can cause thread or process abortion + +* CVE: CVE-2015-5230 +* Date: 2nd of September 2015 +* Credit: Pyry Hakulinen and Ashish Shakla at Automattic +* Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5 +* Not affected: PowerDNS Authoritative Server 3.4.6 +* Severity: High +* Impact: Degraded service or Denial of service +* Exploit: This problem can be triggered by sending specially crafted query packets +* Risk of system compromise: No +* Solution: Upgrade to a non-affected version +* Workaround: Run the Authoritative Server inside a supervisor when + `distributor-threads` is set to `1` to prevent Denial of Service. + No workaround for the degraded service exists + +A bug was found in our DNS packet parsing/generation code, which, when exploited, +can cause individual threads (disabling service) or whole processes (allowing a +supervisor to restart them) to crash with just one or a few query packets. + +PowerDNS Authoritative Server 3.4.0-3.4.5 are affected. No other versions are +affected. The PowerDNS Recursor is not affected. + +[PowerDNS Authoritative Server 3.4.6](../changelog.md#powerdns-authoritative-server-346) +contains a fix to this issue. A minimal patch is [available here](https://downloads.powerdns.com/patches/2015-02/). + +This issue is entirely unrelated to [Security Advisory 2015-01](powerdns-advisory-2015-01.md)/CVE-2015-1868. + +We'd like to thank Pyry Hakulinen and Ashish Shakla at Automattic for finding and +subsequently reporting this bug. diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index d00fbe87fb..8655ff774c 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -66,6 +66,7 @@ pages: - List of Settings: recursor/settings.md - Security: - Security Policy: security/index.md + - Advisory 2015-02: security/powerdns-advisory-2015-02.md - Advisory 2015-01: security/powerdns-advisory-2015-01.md - Advisory 2014-02: security/powerdns-advisory-2014-02.md - Advisory 2014-01: security/powerdns-advisory-2014-01.md