CVE-2015-1868

Name	CVE-2015-1868
Description	The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pdns (PTS)	buster	4.1.6-3+deb10u1	fixed
	bullseye	4.4.1-1	fixed
	bookworm	4.7.3-2	fixed
	sid, trixie	4.8.2-2	fixed
pdns-recursor (PTS)	buster, buster (security)	4.1.11-1+deb10u1	fixed
	bullseye	4.4.2-3	fixed
	bookworm	4.8.4-1	fixed
	sid, trixie	4.9.1-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
pdns	source	squeeze	(not affected)
pdns	source	wheezy	(not affected)
pdns	source	jessie	3.4.1-4+deb8u1
pdns	source	(unstable)	3.4.4-1
pdns-recursor	source	squeeze	(not affected)
pdns-recursor	source	wheezy	(not affected)
pdns-recursor	source	jessie	3.6.2-2+deb8u1
pdns-recursor	source	(unstable)	3.7.2-1

Notes

[wheezy] - pdns <not-affected> (3.2 and up affected)
[squeeze] - pdns <not-affected> (3.2 and up affected)
[wheezy] - pdns-recursor <not-affected> (3.5 and up affected)
[squeeze] - pdns-recursor <not-affected> (3.5 and up affected)
https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/