Main Vulnerability Database SB2017082222

SB2017082222 - Fedora 26 update for dnsdist

Published: August 22, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017082222

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2016-7069)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client.

2) Cross-site request forgery (CVE-ID: CVE-2017-7557)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2017-487fae29b4