Debian Bug report logs -
#1033941
pdns-recursor: CVE-2023-26437: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>
:
Bug#1033941
; Package src:pdns-recursor
.
(Tue, 04 Apr 2023 11:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Chris Hofstaedtler <zeha@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, pdns-recursor packagers <pdns-recursor@packages.debian.org>
.
(Tue, 04 Apr 2023 11:30:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: pdns-recursor
Version: 4.8.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
The following vulnerability was published for pdns-recursor.
CVE-2023-26437:
| Deterred spoofing attempts can lead to authoritative servers being
| marked unavailable.
| When the recursor detects and deters a spoofing attempt or receives
| certain malformed DNS packets, it throttles the server that was the
| target of the impersonation attempt so that other authoritative servers
| for the same zone will be more likely to be used in the future, in case
| the attacker controls the path to one server only. Unfortunately this
| mechanism can be used by an attacker with the ability to send queries to
| the recursor, guess the correct source port of the corresponding
| outgoing query and inject packets with a spoofed IP address to force the
| recursor to mark specific authoritative servers as not available,
| leading a denial of service for the zones served by those servers.
Additional information:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html
Chris
PS: unclear to me if 4.4.x in stable is also affected.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Apr 4 13:10:47 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.