Arch Linux ASA-201609-9 Medium PowerDNS Denial Of Service Advisory

Arch Linux Security Advisory ASA-201609-9
========================================
Severity: Medium
Date    : 2016-09-13
CVE-ID  : CVE-2016-5426 CVE-2016-5427
Package : powerdns
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package powerdns before version 4.0.1-3 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 4.0.1-3.

# pacman -Syu "powerdns>=4.0.1-3"

The problems have been fixed upstream in version 4.0.0.

Workaround
=========
Running dnsdist in front of potentially affected servers prevents
CVE-2016-5426, and can prevent CVE-2016-5427 with the use of custom
rules described in the PowerDNS advisory.

Description
==========
Two issues have been found in PowerDNS Authoritative Server allowing a
remote, unauthenticated attacker to cause an abnormal load on the
PowerDNS backend by sending crafted DNS queries, which might result in a
partial denial of service if the backend becomes overloaded. SQL
backends for example are particularly vulnerable to this kind of
unexpected load if they have not been dimensioned for it.

- CVE-2016-5426

PowerDNS Authoritative Server accepts queries with a qname's length
larger than 255 bytes.

- CVE-2016-5427

PowerDNS Authoritative Server does not properly handle dot inside labels.

Impact
=====
A remote, unauthenticated attacker can cause an abnormal load on the
backend by sending crafted DNS queries, resulting in denial of service.

References
=========
https://seclists.org/oss-sec/2016/q3/464
/
https://access.redhat.com/security/cve/CVE-2016-5426
https://access.redhat.com/security/cve/CVE-2016-5427