Bugzilla – Bug 906583
VUL-0: CVE-2014-8601: pdns: Degraded service through queries to specific domains
Last modified: 2014-12-22 20:13:20 UTC
Via distros. Kind of public since the version is already released. I'm sure solar won't be overjoyed.

From: Peter van Dijk <peter.van.dijk@netherlabs.nl>

RESTRICTED / EMBARGO UNTIL 8th OF DECEMBER 2014 16:00 UTC

Dear valued PowerDNS user,

Short version: we recommend that Recursor users upgrade to PowerDNS Recursor 3.6.2 at their earliest convenience. Older versions can be made to provide very bad service using queries to specific domains. PowerDNS Recursor 3.6.2 was released on the 30th of October and is in wide production without problems being reported.

Affected: PowerDNS Recursor 3.6.1 and earlier
Not affected: PowerDNS Recursor 3.6.2, PowerDNS Authoritative Server
Impact: Degraded service
Can be triggered remotely: Yes
Workaround: None
Fix: Upgrade to PowerDNS Recursor 3.6.2, released on the 30th of October 2014
CVE: CVE-2014-8601

Full story:

Recently we released PowerDNS Recursor 3.6.2 with a new feature that strictly limits the amount of work we'll perform to resolve a single query. This feature was inspired by performance degradations noted when resolving domains hosted by 'ezdns.it', which can require thousands of queries to resolve.

During the 3.6.2 release process, we were contacted by a government security agency with news that they had found that all major caching nameservers, including PowerDNS, could be negatively impacted by specially configured, hard to resolve domain names. With their permission, we continued the 3.6.2 release process with the fix for the issue already in there.

On the 8th of December at 4PM UTC, there will be coordinated security releases by all major DNS vendors, except PowerDNS. For PowerDNS, no new release is necessary, but it will become public knowledge at that date that all versions of the recursor BEFORE 3.6.2 are vulnerable.

If you need any help upgrading to 3.6.2, please contact us. No problems are expected however since 3.6.2 is in wide production use already.

PowerDNS Recursor 3.6.2 can be downloaded via https://www.powerdns.com/downloads.html
To contact PowerDNS, please visit https://www.powerdns.com/contact.html
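The per-query work limit the advisory describes, as an added example that is not PowerDNS code: a toy recursive resolver that counts the outgoing queries one client question costs and gives up once a budget is exhausted, run against a constructed glueless delegation tree. The zone contents, addresses, budget values and all function names are assumptions made up here.

```python
from typing import Dict, Optional, Tuple

class WorkBudgetExceeded(Exception):
    """One client question needed more outgoing queries than the resolver allows."""

class ToyRecursor:
    """Toy recursive resolver (constructed model): each lookup costs one outgoing
    query, and one client question may spend at most max_queries in total."""

    def __init__(self, zones: Dict[str, dict], max_queries: int) -> None:
        self.zones = zones            # constructed stand-in for the global DNS
        self.max_queries = max_queries
        self.sent = 0                 # outgoing queries spent on the current question

    def _query(self, name: str) -> dict:
        self.sent += 1
        if self.sent > self.max_queries:
            raise WorkBudgetExceeded(f"{name}: exceeded {self.max_queries} queries")
        return self.zones[name]

    def resolve(self, name: str) -> str:
        rec = self._query(name)
        # Glueless delegation: each listed nameserver's own name must be resolved
        # before it can be contacted, and each of those may be delegated again.
        for ns in rec.get("ns", []):
            self.resolve(ns)
        return rec["a"]

def build_delegation_tree(apex: str, depth: int, fanout: int) -> Dict[str, dict]:
    """Constructed hard-to-resolve zone: each nameserver at level i is served by `fanout`
    distinct nameservers at level i+1, so `apex` costs 1 + fanout + ... + fanout**depth queries."""
    zones: Dict[str, dict] = {}
    def add(name: str, level: int) -> None:
        if level == depth:
            zones[name] = {"a": "192.0.2.1"}               # leaf: glue address only
            return
        children = [f"ns{j}.{name}" for j in range(fanout)]
        zones[name] = {"ns": children, "a": "192.0.2.1"}   # answer served once reachable
        for child in children:
            add(child, level + 1)
    add(apex, 0)
    return zones

def resolve_with_budget(zones: Dict[str, dict], name: str, budget: int) -> Tuple[Optional[str], int]:
    """Return (answer or None, queries spent); None is a SERVFAIL-style refusal."""
    recursor = ToyRecursor(zones, budget)
    try:
        return recursor.resolve(name), recursor.sent
    except WorkBudgetExceeded:
        return None, recursor.sent
```

Because every name in the tree is distinct, a cache would not reduce the cost; only the budget bounds how much work one question can consume, which is the effect the advisory attributes to the 3.6.2 limit.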
bugbot adjusting priority
public
submitted, sr #264511, #264512, #264514
(In reply to Vladimir Nadvornik from comment #6)
> submitted, sr #264511, #264512, #264514

You want to redo that. I just fixed the typo in the changes entry and added the bug number in server:dns/pdns-recursor.
ok, submitted again as #264523, #264524, #264525
openSUSE-SU-2014:1685-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 906583
CVE References: CVE-2014-8601
Sources used:
openSUSE 13.1 (src): pdns-recursor-3.6.2-8.4.1
openSUSE 12.3 (src): pdns-recursor-3.6.2-6.4.1
released