funsec mailing list archives
Denial of Service Vulnerability in PowerDNS
From: "Fergie" <fergdawg () netzero net>
Date: Tue, 14 Nov 2006 18:56:09 GMT
Via heise Security News. [snip] PowerDNS, a DNS server used in settings such as the Wikipedia project, has been found to contain two bugs that attackers could use to provoke a denial of service attack, or even potentially plant malicious code. PowerDNS is a powerful DNS server that can address various backends and data sources like BIND or MySQL server for name resolution and which can temporarily store the results in memory for quicker delivery during repeated enquiries. An invalid calculation of the length of DNS queries via TCP can lead PowerDNS to attempt to read up to 4 gigabytes of storage into a 64 kb buffer. Attackers can also potentially compromise a system. The DNS server can also be brought into an infinite loop through a CNAME loop, presuming no second CNAME entry exists. The bug affects PowerDNS 3.1.3 and prior versions. The PowerDNS developers are now making the source code for version 3.1.4 available; affected administrators should install the update. [snip] Link: http://www.heise-security.co.uk/news/80993/ - ferg -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Denial of Service Vulnerability in PowerDNS Fergie (Nov 14)