Bugzilla – Bug 1138582
VUL-0: CVE-2019-10162,CVE-2019-10163: pdns: multiple issues
Last modified: 2022-03-29 09:40:09 UTC
PowerDNS Security Advisory 2019-05: Denial of service via NOTIFY packets
========================================================================

- CVE: CVE-2019-10163
- Date: June 21st 2019
- Affects: PowerDNS Authoritative up to and including 4.1.8
- Not affected: 4.1.9, 4.0.8
- Severity: Medium
- Impact: Denial of Service
- Exploit: This problem can be triggered via the sending of NOTIFY packets from an authorized master
- Risk of system compromise: No
- Solution: Upgrade to a non-affected version

An issue has been found in PowerDNS Authoritative Server allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue. This issue has been assigned CVE-2019-10163.

PowerDNS Authoritative up to and including 4.1.8 is affected. Please note that at the time of writing, PowerDNS Authoritative 3.4 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank George Asenov for finding and subsequently reporting this issue!

PowerDNS Security Advisory 2019-04: Denial of service via crafted zone records
==============================================================================

- CVE: CVE-2019-10162
- Date: June 21st 2019
- Affects: PowerDNS Authoritative up to and including 4.1.9
- Not affected: 4.1.10, 4.0.8
- Severity: Medium
- Impact: Denial of Service
- Exploit: This problem can be triggered via crafted records
- Risk of system compromise: No
- Solution: Upgrade to a non-affected version
- Workaround: run the process inside the guardian or inside a supervisor

An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify. This issue has been assigned CVE-2019-10162.

PowerDNS Authoritative up to and including 4.1.9 is affected. Please note that at the time of writing, PowerDNS Authoritative 3.4 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Gert van Dijk for finding and subsequently reporting this issue!

This is an autogenerated message for OBS integration:
This bug (1138582) was mentioned in
https://build.opensuse.org/request/show/720228 Factory / pdns
https://build.opensuse.org/request/show/720229 15.0+15.1+Backports:SLE-12-SP1+Backports:SLE-15 / pdns

openSUSE-SU-2019:1904-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1138582,1142810
CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203
Sources used:
openSUSE Leap 15.1 (src): pdns-4.1.8-lp151.2.3.1
openSUSE Leap 15.0 (src): pdns-4.1.2-lp150.3.13.1
openSUSE Backports SLE-15 (src): pdns-4.1.2-bp150.2.9.1

openSUSE-SU-2019:1904-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1138582,1142810
CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203
Sources used:
openSUSE Leap 15.1 (src): pdns-4.1.8-lp151.2.3.1
openSUSE Leap 15.0 (src): pdns-4.1.2-lp150.3.13.1
openSUSE Backports SLE-15 (src): pdns-4.1.2-bp150.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src): pdns-4.1.11-20.1

openSUSE-SU-2019:1921-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1138582,1142810
CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203
Sources used:
openSUSE Backports SLE-15-SP1 (src): pdns-4.1.8-bp151.3.3.1

Closing. SUSE products are not affected by these CVEs.

This is an autogenerated message for OBS integration:
This bug (1138582) was mentioned in
https://build.opensuse.org/request/show/965583 Backports:SLE-12-SP4 / pdns
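
Added example, not part of the bug report or of the PowerDNS advisories: a Python triage helper that maps a pdns version string to the two CVEs using the "Not affected" releases the advisories list, and flags distribution packages such as pdns-4.1.8-lp151.2.3.1, whose upstream version alone looks affected even though the update notice lists it as the fixed source. It assumes that later releases on a fixed branch stay fixed and that branches newer than 4.1 are not affected; the names `FIXED`, `parse` and `triage` are illustrative.

```python
import re

# First fixed upstream release per branch, from the "Not affected" lines
# of advisories 2019-05 (CVE-2019-10163) and 2019-04 (CVE-2019-10162).
FIXED = {
    "CVE-2019-10163": {(4, 0): (4, 0, 8), (4, 1): (4, 1, 9)},
    "CVE-2019-10162": {(4, 0): (4, 0, 8), (4, 1): (4, 1, 10)},
}
# Assumption (not stated in the advisories): branches after 4.1 carry the fixes.
NEWEST_AFFECTED_BRANCH = (4, 1)


def parse(pkg):
    """Split '4.1.8' or 'pdns-4.1.8-lp151.2.3.1' into (version tuple, has_release)."""
    m = re.fullmatch(r"(?:pdns-)?(\d+)\.(\d+)\.(\d+)(-\S+)?", pkg.strip())
    if not m:
        raise ValueError(f"unrecognised pdns version string: {pkg!r}")
    version = tuple(int(part) for part in m.group(1, 2, 3))
    return version, m.group(4) is not None


def triage(pkg):
    """Return {cve: status} for one upstream version or distro package string."""
    version, has_release = parse(pkg)
    branch = version[:2]
    result = {}
    for cve, fixed in FIXED.items():
        if branch > NEWEST_AFFECTED_BRANCH:
            status = "not affected"
        elif branch in fixed and version >= fixed[branch]:
            # Integer tuple comparison, so 4.1.10 sorts after 4.1.9.
            status = "not affected"
        elif has_release:
            # A distro release suffix can carry a backported patch; the
            # upstream number cannot decide it, so defer to the vendor notice.
            status = "check distro advisory"
        else:
            status = "affected"
        result[cve] = status
    return result


if __name__ == "__main__":
    # Sample inputs: upstream releases plus package names from the notices above.
    for sample in ("4.1.8", "4.1.9", "4.1.10", "4.0.8",
                   "pdns-4.1.8-lp151.2.3.1", "pdns-4.1.11-20.1"):
        print(sample, triage(sample))
```
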