SB2019081542 - OpenSUSE Linux update for pdns
Published: August 15, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2019-10162)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify.
2) Resource exhaustion (CVE-ID: CVE-2019-10163)
The vulnerability allows a remote authenticated user to perform service disruption.
A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue.
3) Resource exhaustion (CVE-ID: CVE-2019-10203)
The vulnerability allows a remote authenticated user to perform service disruption.
PowerDNS Authoritative daemon , pdns versions 4.0.x before 4.0.9, 4.1.x before 4.1.11, exiting when encountering a serial between 2^31 and 2^32-1 while trying to notify a slave leads to DoS.
Remediation
Install update from vendor's website.