[arch-security] [ASA-201609-9] powerdns: denial of service
Arch Linux Security Advisory ASA-201609-9
=========================================

Severity: Medium
Date    : 2016-09-13
CVE-ID  : CVE-2016-5426 CVE-2016-5427
Package : powerdns
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package powerdns before version 4.0.1-3 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 4.0.1-3.

# pacman -Syu "powerdns>=4.0.1-3"

The problems have been fixed upstream in version 4.0.0.

Workaround
==========

Running dnsdist in front of potentially affected servers prevents
CVE-2016-5426, and can prevent CVE-2016-5427 with the use of custom rules
described in the PowerDNS advisory.

Description
===========

Two issues have been found in PowerDNS Authoritative Server allowing a
remote, unauthenticated attacker to cause an abnormal load on the PowerDNS
backend by sending crafted DNS queries, which might result in a partial
denial of service if the backend becomes overloaded. SQL backends, for
example, are particularly vulnerable to this kind of unexpected load if
they have not been dimensioned for it.

- CVE-2016-5426

PowerDNS Authoritative Server accepts queries with a qname longer than 255
bytes.

- CVE-2016-5427

PowerDNS Authoritative Server does not properly handle a dot inside labels.

Impact
======

A remote, unauthenticated attacker can cause an abnormal load on the
backend by sending crafted DNS queries, resulting in denial of service.

References
==========

http://seclists.org/oss-sec/2016/q3/464
https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/
https://access.redhat.com/security/cve/CVE-2016-5426
https://access.redhat.com/security/cve/CVE-2016-5427
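The two malformed query shapes named above can be rejected at the wire-format level before a name ever reaches a backend. The following is an added example written for this page, not PowerDNS's or dnsdist's own code: it walks the question name of a DNS message and refuses a qname longer than 255 octets (the CVE-2016-5426 shape) or a label carrying a literal '.' octet (the CVE-2016-5427 shape); the sample queries are constructed inline.

```python
import struct

MAX_NAME_OCTETS = 255    # RFC 1035 limit on a full wire-format domain name
MAX_LABEL_OCTETS = 63    # RFC 1035 limit on a single label


def parse_qname(msg: bytes, offset: int = 12):
    """Parse the qname starting at `offset` (12 = right after the DNS header).

    Returns (labels, end_offset); raises ValueError on any defect. Compression
    pointers are refused because a question name is never compressed."""
    labels, total, pos = [], 0, offset
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        length = msg[pos]
        pos += 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL_OCTETS:
            raise ValueError("label longer than 63 octets")
        total += 1 + length              # length octet plus label content
        if total > MAX_NAME_OCTETS:      # also catches a name that only exceeds
            raise ValueError("qname longer than 255 octets")  # 255 with its root
        if length == 0:                  # root label terminates the name
            break
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        if b"." in label:                # legal on the wire, but breaks text form
            raise ValueError("literal dot inside label")
        labels.append(label)
        pos += length
    return labels, pos


def build_query(labels, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Constructed input: a one-question DNS message from raw wire labels."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)   # QTYPE, QCLASS IN


def qname_is_acceptable(msg: bytes) -> bool:
    """True when the question name passes every check in parse_qname."""
    try:
        parse_qname(msg)
        return True
    except ValueError:
        return False
```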
participants (1)
-
Remi Gacogne