A bug was found using afl-fuzz
in our packet parsing code. This bug,
when exploited, causes an assertion error and consequent termination of
the the pdns_server
process, causing a Denial of Service.
When the PowerDNS Authoritative Server is run inside the guardian
(--guardian
), or inside a supervisor like supervisord or systemd, it
will be automatically restarted, limiting the impact to a somewhat
degraded service.
PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other versions are affected. The PowerDNS Recursor is not affected.
PowerDNS Authoritative Server 3.4.7 contains a fix to this issue. A minimal patch is available here.
This issue is unrelated to the issues in our previous two Security Announcements (2015-01 and 2015-02).
We’d like to thank Chris Hofstaedtler of Deduktiva GmbH for finding and reporting this issue.