CVE-2015-1868

Name: CVE-2015-1868
Description: The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| pdns (PTS) | jessie | 3.4.1-4+deb8u8 | fixed |
| | jessie (security) | 3.4.1-4+deb8u10 | fixed |
| | stretch (security), stretch | 4.0.3-1+deb9u5 | fixed |
| | buster | 4.1.6-3 | fixed |
| | bullseye, sid | 4.2.1-1 | fixed |
| pdns-recursor (PTS) | jessie | 3.6.2-2+deb8u4 | fixed |
| | jessie (security) | 3.6.2-2+deb8u3 | fixed |
| | stretch | 4.0.4-1+deb9u4 | fixed |
| | stretch (security) | 4.0.4-1+deb9u3 | fixed |
| | buster | 4.1.11-1 | fixed |
| | bullseye, sid | 4.2.1-1 | fixed |

The information below is based on the following data on fixed versions.

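| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pdns | source | (unstable) | 3.4.4-1 | | | |
| pdns | source | jessie | 3.4.1-4+deb8u1 | | | |
| pdns | source | squeeze | (not affected) | | | |
| pdns | source | wheezy | (not affected) | | | |
| pdns-recursor | source | (unstable) | 3.7.2-1 | | | |
| pdns-recursor | source | jessie | 3.6.2-2+deb8u1 | | | |
| pdns-recursor | source | squeeze | (not affected) | | | |
| pdns-recursor | source | wheezy | (not affected) | | | |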

Notes

[wheezy] - pdns <not-affected> (3.2 and up affected)
[squeeze] - pdns <not-affected> (3.2 and up affected)
[wheezy] - pdns-recursor <not-affected> (3.5 and up affected)
[squeeze] - pdns-recursor <not-affected> (3.5 and up affected)
https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
