Debian 10230 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-139-1 bash security update

Debian GNU/Linux 8 LTS:
DLA 1843-1: pdns security update



ELA-139-1 bash security update

Package: bash
Version: 4.2+dfsg-0.1+deb7u6
Related CVE: CVE-2012-6711

A heap-based buffer overflow was discovered in bash caused by a wrong handling of unsupported characters in the function u32cconv(). When LC_CTYPE locale cannot correctly convert a wide character to a multibyte sequence, through the wctomb() function, u32cconv() returns a negative value that is used to update a pointer to a buffer in ansicstr(), resulting in a write out of the buffer’s bounds. A local attacker, who can provide data to print through the echo builtin function, may use this flaw to crash a script or execute code with the privileges of the bash process (e.g. escape a restricted bash or elevate privileges if a setuid script is vulnerable).

For Debian 7 Wheezy, these problems have been fixed in version 4.2+dfsg-0.1+deb7u6.

We recommend that you upgrade your bash packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1843-1: pdns security update




Package : pdns
Version : 3.4.1-4+deb8u10
CVE ID : CVE-2019-10162 CVE-2019-10163


Two vulnerabilities have been discovered in pdns, an authoritative DNS
server which may result in denial of service via malformed zone records
and excessive NOTIFY packets in a master/slave setup.

CVE-2019-10162

An issue has been found in PowerDNS Authoritative Server allowing
an authorized user to cause the server to exit by inserting a
crafted record in a MASTER type zone under their control. The issue
is due to the fact that the Authoritative Server will exit when it
runs into a parsing error while looking up the NS/A/AAAA records it
is about to use for an outgoing notify.

CVE-2019-10163

An issue has been found in PowerDNS Authoritative Server allowing
a remote, authorized master server to cause a high CPU load or even
prevent any further updates to any slave zone by sending a large
number of NOTIFY messages. Note that only servers configured as
slaves are affected by this issue.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.1-4+deb8u10.

We recommend that you upgrade your pdns packages.

For the detailed security status of pdns please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS