[SECURITY] [DLA 788-1] pdns-recursor security update

2017-01-1622:28:19

lists.debian.org

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.5%

JSON

Package : pdns-recursor
Version : 3.3-3+deb7u2
CVE ID : CVE-2016-9139

Florian Heinz and Martin Kluge reported that pdns-recursor, a recursive
DNS server, parses all records present in a query regardless of whether
they are needed or even legitimate, allowing a remote, unauthenticated
attacker to cause an abnormal CPU usage load on the pdns server,
resulting in a partial denial of service if the system becomes
overloaded.

For Debian 7 "Wheezy", these problems have been fixed in version
3.3-3+deb7u2.

We recommend that you upgrade your pdns-recursor packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Jonas Meurer

OSVersionArchitecturePackageVersionFilename
Debian7allpdns-recursor< 3.3-3+deb7u2pdns-recursor_3.3-3+deb7u2_all.deb
Debian7allotrs< 3.1.7+dfsg1-8+deb7u6otrs_3.1.7+dfsg1-8+deb7u6_all.deb
Debian7i386pdns-recursor-dbg< 3.3-3+deb7u2pdns-recursor-dbg_3.3-3+deb7u2_i386.deb
Debian7amd64pdns-recursor< 3.3-3+deb7u2pdns-recursor_3.3-3+deb7u2_amd64.deb
Debian7amd64pdns-recursor-dbg< 3.3-3+deb7u2pdns-recursor-dbg_3.3-3+deb7u2_amd64.deb
Debian7allotrs2< 3.1.7+dfsg1-8+deb7u6otrs2_3.1.7+dfsg1-8+deb7u6_all.deb
Debian8allotrs< 3.3.18-1+deb8u1otrs_3.3.18-1+deb8u1_all.deb
Debian7i386pdns-recursor< 3.3-3+deb7u2pdns-recursor_3.3-3+deb7u2_i386.deb
Debian8allotrs2< 3.3.18-1+deb8u1otrs2_3.3.18-1+deb8u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	all	pdns-recursor	< 3.3-3+deb7u2	pdns-recursor_3.3-3+deb7u2_all.deb
Debian	7	all	otrs	< 3.1.7+dfsg1-8+deb7u6	otrs_3.1.7+dfsg1-8+deb7u6_all.deb
Debian	7	i386	pdns-recursor-dbg	< 3.3-3+deb7u2	pdns-recursor-dbg_3.3-3+deb7u2_i386.deb
Debian	7	amd64	pdns-recursor	< 3.3-3+deb7u2	pdns-recursor_3.3-3+deb7u2_amd64.deb
Debian	7	amd64	pdns-recursor-dbg	< 3.3-3+deb7u2	pdns-recursor-dbg_3.3-3+deb7u2_amd64.deb
Debian	7	all	otrs2	< 3.1.7+dfsg1-8+deb7u6	otrs2_3.1.7+dfsg1-8+deb7u6_all.deb
Debian	8	all	otrs	< 3.3.18-1+deb8u1	otrs_3.3.18-1+deb8u1_all.deb
Debian	7	i386	pdns-recursor	< 3.3-3+deb7u2	pdns-recursor_3.3-3+deb7u2_i386.deb
Debian	8	all	otrs2	< 3.3.18-1+deb8u1	otrs2_3.3.18-1+deb8u1_all.deb