CVE-2018-14626

Name	CVE-2018-14626
Description	PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of service.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	913162, 913163

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pdns (PTS)	bullseye	4.4.1-1	fixed
	bookworm	4.7.3-2	fixed
	sid, trixie	4.9.2-1	fixed
pdns-recursor (PTS)	bullseye	4.4.2-3	fixed
	bookworm, bookworm (security)	4.8.8-1	fixed
	sid, trixie	5.1.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
pdns	source	jessie	(not affected)
pdns	source	stretch	(not affected)
pdns	source	(unstable)	4.1.5-1	913163
pdns-recursor	source	jessie	(not affected)
pdns-recursor	source	stretch	4.0.4-1+deb9u4
pdns-recursor	source	(unstable)	4.1.7-1	913162

Notes

[stretch] - pdns <not-affected> (Vulnerable code present only in >=  4.1.0)
[jessie] - pdns <not-affected> (Vulnerable code not present)
[jessie] - pdns-recursor <not-affected> (Vulnerable code not present)
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html
https://downloads.powerdns.com/patches/2018-05/
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html
https://downloads.powerdns.com/patches/2018-06/