Bug 1138582 - (CVE-2019-10162) VUL-0: CVE-2019-10162,CVE-2019-10163: pdns: multiple issues
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/235355/
CVSSv3:SUSE:CVE-2019-10162:3.5:(AV:N/...
Reported: 2019-06-18 14:40 UTC by Robert Frohl
Modified: 2022-03-29 09:40 UTC
Comment 3 Robert Frohl 2019-06-18 14:48:35 UTC
PowerDNS Security Advisory 2019-05: Denial of service via NOTIFY packets
========================================================================

-  CVE: CVE-2019-10163
-  Date: June 21st 2019
-  Affects: PowerDNS Authoritative up to and including 4.1.8
-  Not affected: 4.1.9, 4.0.8
-  Severity: Medium
-  Impact: Denial of Service
-  Exploit: This problem can be triggered via the sending of NOTIFY
   packets from an authorized master
-  Risk of system compromise: No
-  Solution: Upgrade to a non-affected version

An issue has been found in PowerDNS Authoritative Server allowing a
remote, authorized master server to cause a high CPU load or 
even prevent any further updates to any slave zone by sending a
large number of NOTIFY messages.
Note that only servers configured as slaves are affected by this issue.

This issue has been assigned CVE-2019-10163.

PowerDNS Authoritative up to and including 4.1.8 is affected.
Please note that at the time of writing, PowerDNS Authoritative 3.4 and
below are no longer supported, as described in 
https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank George Asenov for finding and subsequently
reporting this issue!
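A defender-side check for the NOTIFY-flood condition the advisory describes, added here as an example; it is not part of the advisory or of PowerDNS. It parses constructed syslog lines (the "Received NOTIFY for <zone> from <ip>:<port>" line shape is an assumption) and reports any master whose NOTIFY count toward this slave exceeds a threshold inside a sliding window, so a misbehaving or compromised master can be spotted before CPU load or stalled zone updates are noticed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line shape ("Received NOTIFY for <zone> from <ip>:<port>")
# is an assumption about the authoritative server's syslog output; adapt NOTIFY_RE to
# what your own pdns_server actually logs.
def _line(sec, src, zone="example.org"):
    return (f"Jun 18 14:40:{sec:02d} ns2 pdns_server[1234]: Received NOTIFY for "
            f"{zone} from {src}:5300 - queueing check")

SAMPLE_LOG = [_line(s, "192.0.2.10") for s in range(25)]          # 25 NOTIFYs in 25 s
SAMPLE_LOG += [_line(0, "192.0.2.20"), _line(30, "192.0.2.20", "example.net")]

NOTIFY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pdns_server\[\d+\]: "
    r"Received NOTIFY for (?P<zone>\S+) from (?P<src>\S+):\d+")

def parse_notifies(lines, year=2019):
    """Yield (timestamp, source, zone) for every NOTIFY line; other lines are skipped.
    Syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = NOTIFY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["zone"]

def notify_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {source: peak} for masters that sent more than `threshold` NOTIFYs
    within any `window`-long sliding interval (the DoS pattern of CVE-2019-10163)."""
    per_src = defaultdict(list)
    for ts, src, _zone in events:
        per_src[src].append(ts)
    peaks = {}
    for src, stamps in per_src.items():
        recent, peak = deque(), 0
        for ts in sorted(stamps):
            recent.append(ts)
            while ts - recent[0] > window:     # drop timestamps older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            peaks[src] = peak
    return peaks

if __name__ == "__main__":
    for src, peak in notify_bursts(parse_notifies(SAMPLE_LOG)).items():
        print(f"{src}: {peak} NOTIFYs in 60 s, above threshold")
```

Tune `window` and `threshold` to the normal NOTIFY cadence of your masters; a legitimate master re-sending a few NOTIFYs after a SOA change should stay well below the threshold.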
Comment 7 Robert Frohl 2019-06-18 14:52:42 UTC
PowerDNS Security Advisory 2019-04: Denial of service via crafted zone records
==============================================================================

-  CVE: CVE-2019-10162
-  Date: June 21st 2019
-  Affects: PowerDNS Authoritative up to and including 4.1.9
-  Not affected: 4.1.10, 4.0.8
-  Severity: Medium
-  Impact: Denial of Service
-  Exploit: This problem can be triggered via crafted records 
-  Risk of system compromise: No
-  Solution: Upgrade to a non-affected version
-  Workaround: run the process inside the guardian or inside a supervisor

An issue has been found in PowerDNS Authoritative Server allowing an
authorized user to cause the server to exit by inserting a crafted
record in a MASTER type zone under their control. The issue is due
to the fact that the Authoritative Server will exit when it runs into a
parsing error while looking up the NS/A/AAAA records it is about to
use for an outgoing notify.

This issue has been assigned CVE-2019-10162.

PowerDNS Authoritative up to and including 4.1.9 is affected.
Please note that at the time of writing, PowerDNS Authoritative 3.4 and
below are no longer supported, as described in 
https://doc.powerdns.com/authoritative/appendices/EOL.html.

We would like to thank Gert van Dijk for finding and subsequently
reporting this issue!
Comment 14 Swamp Workflow Management 2019-08-01 14:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1138582) was mentioned in
https://build.opensuse.org/request/show/720228 Factory / pdns
https://build.opensuse.org/request/show/720229 15.0+15.1+Backports:SLE-12-SP1+Backports:SLE-15 / pdns
Comment 17 Swamp Workflow Management 2019-08-15 13:14:09 UTC
openSUSE-SU-2019:1904-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1138582,1142810
CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203
Sources used:
openSUSE Leap 15.1 (src):    pdns-4.1.8-lp151.2.3.1
openSUSE Leap 15.0 (src):    pdns-4.1.2-lp150.3.13.1
openSUSE Backports SLE-15 (src):    pdns-4.1.2-bp150.2.9.1
Comment 18 Swamp Workflow Management 2019-08-15 13:21:09 UTC
openSUSE-SU-2019:1904-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1138582,1142810
CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203
Sources used:
openSUSE Leap 15.1 (src):    pdns-4.1.8-lp151.2.3.1
openSUSE Leap 15.0 (src):    pdns-4.1.2-lp150.3.13.1
openSUSE Backports SLE-15 (src):    pdns-4.1.2-bp150.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-4.1.11-20.1
Comment 19 Swamp Workflow Management 2019-08-15 19:10:57 UTC
openSUSE-SU-2019:1921-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1138582,1142810
CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203
Sources used:
openSUSE Backports SLE-15-SP1 (src):    pdns-4.1.8-bp151.3.3.1
Comment 21 Alexandros Toptsoglou 2019-08-23 15:43:10 UTC
Closing: SUSE products are not affected by these CVEs.
Comment 22 OBSbugzilla Bot 2022-03-29 09:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1138582) was mentioned in
https://build.opensuse.org/request/show/965583 Backports:SLE-12-SP4 / pdns