Bug 1018326 (CVE-2016-7068)

Summary: VUL-0: CVE-2016-7068: pdns,pdns-recursor: Crafted queries can cause abnormal CPU usage (2016-02)
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: amajer, wolfgang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: openSUSE 42.2
Whiteboard: CVSSv3:RedHat:CVE-2016-7068:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 7 Andreas Stieger 2017-01-05 13:08:31 UTC
pdns,pdns-recursor not in SLE, does not affect SLE.

affected:
openSUSE:13.2:Update/pdns
openSUSE:Leap:42.1:Update/pdns
openSUSE:Leap:42.1:Update/pdns-recursor
openSUSE:Leap:42.2:Update/pdns
openSUSE:Leap:42.2:Update/pdns-recursor

Comment 8 Swamp Workflow Management 2017-01-05 23:00:15 UTC
bugbot adjusting priority

Comment 9 Bernhard Wiedemann 2017-01-12 13:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/449842 13.2+42.1+42.2 / pdns
https://build.opensuse.org/request/show/449844 42.1+42.2 / pdns-recursor

Comment 13 Swamp Workflow Management 2017-01-17 18:46:41 UTC
openSUSE-SU-2017:0183-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1018326,1018327,1018328,1018329
CVE References: CVE-2016-2120,CVE-2016-7068,CVE-2016-7072,CVE-2016-7073,CVE-2016-7074
Sources used:
openSUSE Leap 42.2 (src):    pdns-3.4.9-3.1
openSUSE Leap 42.1 (src):    pdns-3.4.6-12.1
openSUSE 13.2 (src):    pdns-3.3.1-2.12.1

Comment 14 Andreas Stieger 2017-01-19 20:02:33 UTC
release

Comment 15 Swamp Workflow Management 2017-01-19 23:09:18 UTC
openSUSE-SU-2017:0221-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1018326
CVE References: CVE-2016-7068
Sources used:
openSUSE Leap 42.2 (src):    pdns-recursor-3.7.3-7.1
openSUSE Leap 42.1 (src):    pdns-recursor-3.7.3-6.1

Comment 16 Bernhard Wiedemann 2017-02-02 13:03:11 UTC
This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/454144 Factory / pdns-recursor

Comment 17 Bernhard Wiedemann 2017-02-19 19:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/459081 42.3 / pdns
https://build.opensuse.org/request/show/459082 42.3 / pdns-recursor

Comment 18 Wolfgang Rosenauer 2017-02-21 12:04:39 UTC
Just for completeness.
At least pdns-recursor complains during startup:

Feb 21 12:57:39 Hygiea pdns_recursor[31991]: PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/

This is quite misleading. Wondering if this needs to be patched out somehow as it seems to be based on version checking.