Denial of Service Vulnerability in PowerDNS

["Fergie" <fergdawg () netzero net>]

Via heise Security News.

[snip]

PowerDNS, a DNS server used in settings such as the Wikipedia project,
has been found to contain two bugs that attackers could use to provoke
a denial of service attack, or even potentially plant malicious code.
PowerDNS is a powerful DNS server that can address various backends and
data sources like BIND or MySQL server for name resolution and which
can temporarily store the results in memory for quicker delivery during
repeated enquiries.

An invalid calculation of the length of DNS queries via TCP can lead
PowerDNS to attempt to read up to 4 gigabytes of storage into a 64 kb
buffer. Attackers can also potentially compromise a system. The DNS
server can also be brought into an infinite loop through a CNAME loop,
presuming no second CNAME entry exists.

The bug affects PowerDNS 3.1.3 and prior versions. The PowerDNS
developers are now making the source code for version 3.1.4 available;
affected administrators should install the update.

[snip]

Link:
http://www.heise-security.co.uk/news/80993/

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.