Bug 1018326 (CVE-2016-7068)

Summary: VUL-0: CVE-2016-7068: pdns,pdns-recursor: Crafted queries can cause abnormal CPU usage (2016-02)
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: amajer, wolfgang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 42.2   
Whiteboard: CVSSv3:RedHat:CVE-2016-7068:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 7 Andreas Stieger 2017-01-05 13:08:31 UTC
pdns,pdns-recursor not in SLE, does not affect SLE.

Comment 8 Swamp Workflow Management 2017-01-05 23:00:15 UTC
bugbot adjusting priority
Comment 9 Bernhard Wiedemann 2017-01-12 13:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/449842 13.2+42.1+42.2 / pdns
https://build.opensuse.org/request/show/449844 42.1+42.2 / pdns-recursor
Comment 13 Swamp Workflow Management 2017-01-17 18:46:41 UTC
openSUSE-SU-2017:0183-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1018326,1018327,1018328,1018329
CVE References: CVE-2016-2120,CVE-2016-7068,CVE-2016-7072,CVE-2016-7073,CVE-2016-7074
Sources used:
openSUSE Leap 42.2 (src):    pdns-3.4.9-3.1
openSUSE Leap 42.1 (src):    pdns-3.4.6-12.1
openSUSE 13.2 (src):    pdns-3.3.1-2.12.1
Comment 14 Andreas Stieger 2017-01-19 20:02:33 UTC
Comment 15 Swamp Workflow Management 2017-01-19 23:09:18 UTC
openSUSE-SU-2017:0221-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1018326
CVE References: CVE-2016-7068
Sources used:
openSUSE Leap 42.2 (src):    pdns-recursor-3.7.3-7.1
openSUSE Leap 42.1 (src):    pdns-recursor-3.7.3-6.1
Comment 16 Bernhard Wiedemann 2017-02-02 13:03:11 UTC
This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/454144 Factory / pdns-recursor
Comment 17 Bernhard Wiedemann 2017-02-19 19:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/459081 42.3 / pdns
https://build.opensuse.org/request/show/459082 42.3 / pdns-recursor
Comment 18 Wolfgang Rosenauer 2017-02-21 12:04:39 UTC
Just for completeness.
At least pdns-recursor complains during startup:

Feb 21 12:57:39 Hygiea pdns_recursor[31991]: PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/

This is quite misleading. Wondering if this needs to be patched out somehow as it seems to be based on version checking.