Bugzilla – Bug 1072170
VUL-0: CVE-2017-15120: pdns: Parsing error while handling authoritative answers leading to a recursor crash via a NULL-pointer dereference
Last modified: 2017-12-19 02:08:12 UTC
CVE-2017-15120 (CVE-2017-15120) affecting PowerDNS Recursor from 4.0.0 up to and including 4.0.7. PowerDNS Recursor 3.7.4 and 4.1.0 are not affected. The full security advisory can be found below and at https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-08.html The issue is a parsing error while handling authoritative answers containing a CNAME of a different class than IN, leading to a recursor crash via a NULL-pointer dereference. We don't believe this crash to be exploitable, but it results in an unauthenticated remote denial of service which can be mitigated by running the recursor inside a supervisor like supervisord or systemd so it can be automatically restarted. We also provide a minimal patch for the 4.0.7 release at https://downloads.powerdns.com/patches/2017-08/ References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15120 http://seclists.org/oss-sec/2017/q4/382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15120 https://downloads.powerdns.com/patches/2017-08/ https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-08.html
This is an autogenerated message for OBS integration: This bug (1072170) was mentioned in https://build.opensuse.org/request/show/556013 42.3 / pdns-recursor
releasing, done
openSUSE-SU-2017:3363-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1072170 CVE References: CVE-2017-15120 Sources used: openSUSE Leap 42.3 (src): pdns-recursor-4.0.5-6.1