Bug 1018326 – VUL-0: CVE-2016-7068: pdns,pdns-recursor: Crafted queries can cause abnormal CPU usage (2016-02)

Bug 1018326 - (CVE-2016-7068) VUL-0: CVE-2016-7068: pdns,pdns-recursor: Crafted queries can cause abnormal CPU usage (2016-02)

(CVE-2016-7068)
Summary:	VUL-0: CVE-2016-7068: pdns,pdns-recursor: Crafted queries can cause abnormal ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other openSUSE 42.2

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv3:RedHat:CVE-2016-7068:5.3:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-01-05 12:45 UTC by Andreas Stieger
Modified:	2018-09-10 15:58 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 7 Andreas Stieger 2017-01-05 13:08:31 UTC

pdns,pdns-recursor not in SLE, does not affect SLE.

affected:
openSUSE:13.2:Update/pdns
openSUSE:Leap:42.1:Update/pdns
openSUSE:Leap:42.1:Update/pdns-recursor
openSUSE:Leap:42.2:Update/pdns
openSUSE:Leap:42.2:Update/pdns-recursor

Comment 8 Swamp Workflow Management 2017-01-05 23:00:15 UTC

bugbot adjusting priority

Comment 9 Bernhard Wiedemann 2017-01-12 13:00:48 UTC

This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/449842 13.2+42.1+42.2 / pdns
https://build.opensuse.org/request/show/449844 42.1+42.2 / pdns-recursor

Comment 12 Andreas Stieger 2017-01-12 20:50:25 UTC

patch public at https://github.com/PowerDNS/pdns/pull/4882
https://github.com/PowerDNS/pdns/commit/fd95c884bd875e2d374dae217277fd5075acba13

Comment 13 Swamp Workflow Management 2017-01-17 18:46:41 UTC

openSUSE-SU-2017:0183-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1018326,1018327,1018328,1018329
CVE References: CVE-2016-2120,CVE-2016-7068,CVE-2016-7072,CVE-2016-7073,CVE-2016-7074
Sources used:
openSUSE Leap 42.2 (src):    pdns-3.4.9-3.1
openSUSE Leap 42.1 (src):    pdns-3.4.6-12.1
openSUSE 13.2 (src):    pdns-3.3.1-2.12.1

Comment 14 Andreas Stieger 2017-01-19 20:02:33 UTC

release

Comment 15 Swamp Workflow Management 2017-01-19 23:09:18 UTC

openSUSE-SU-2017:0221-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1018326
CVE References: CVE-2016-7068
Sources used:
openSUSE Leap 42.2 (src):    pdns-recursor-3.7.3-7.1
openSUSE Leap 42.1 (src):    pdns-recursor-3.7.3-6.1

Comment 16 Bernhard Wiedemann 2017-02-02 13:03:11 UTC

This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/454144 Factory / pdns-recursor

Comment 17 Bernhard Wiedemann 2017-02-19 19:01:14 UTC

This is an autogenerated message for OBS integration:
This bug (1018326) was mentioned in
https://build.opensuse.org/request/show/459081 42.3 / pdns
https://build.opensuse.org/request/show/459082 42.3 / pdns-recursor

Comment 18 Wolfgang Rosenauer 2017-02-21 12:04:39 UTC

Just for completeness.
At least pdns-recursor complains during startup:

Feb 21 12:57:39 Hygiea pdns_recursor[31991]: PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/

This is quite misleading. Wondering if this needs to be patched out somehow as it seems to be based on version checking.