Comment 18 for bug 1471161

Kiall Mac Innes (kiall) wrote :

No CVE number yet, went ahead and notified downstreams. Disclosure date set for 2015-07-28, 1500UTC.

Copy of email below:

This is an advance warning of a vulnerability discovered in OpenStack
Designate, to give you, as downstream stakeholders, a chance to coordinate
the release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Designate mDNS DoS through incorrect handling of large RecordSets
Reporter: Florian Weimer (Red Hat)
Products: Designate
Affects: 2015.1.0 through

Florian Weimer from Red Hat reported a vulnerability in Designate.
By creating a single RecordSet that exceeds the configured max allowed DNS
packet size, an authenticated user may cause the Designate mDNS service
to enter an infinite loop, triggering a DoS.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo and master on the public disclosure date.

Launchpad Bug #: 1471161
Red Hat Bug #: 1236014

Proposed public disclosure date/time: 2015-07-28, 1500UTC

Please do not make the issue public (or release public patches) before
this coordinated embargo date.


Kiall Mac Innes
OpenStack Designate PTL
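
The failure class described in the notice above, as an added example that is not part of the original comment and is not Designate's code or the attached patches: a loop that packs whole record sets into size-capped messages and fails closed when a single record set can never fit, rather than flushing and retrying. The function and exception names, the 12-byte header budget and the choice to treat a record set as an atomic unit are assumptions made for illustration.

```python
"""Added illustration only; names, sizes and packing strategy are assumptions."""

HEADER_SIZE = 12  # fixed DNS message header length in bytes


class RecordSetTooLarge(Exception):
    """Raised when one record set cannot fit even in an empty message."""


def pack_messages(recordsets, max_packet_size):
    """Group (name, wire_bytes) record sets into messages under the size cap.

    Each iteration either places a record set or raises, so the loop
    terminates for any input, including a record set larger than the cap.
    """
    budget = max_packet_size - HEADER_SIZE
    if budget <= 0:
        raise ValueError("max_packet_size must exceed the header size")

    messages, current, used = [], [], 0
    for name, wire in recordsets:
        size = len(wire)
        if size > budget:
            # Starting a fresh message cannot make this fit. A loop that
            # flushes and retries the same record set would never advance.
            raise RecordSetTooLarge(
                f"{name}: {size} bytes exceeds {budget} byte budget")
        if used + size > budget:
            messages.append(current)  # flush the full message
            current, used = [], 0
        current.append(name)
        used += size
    if current:
        messages.append(current)
    return messages


if __name__ == "__main__":
    # Constructed sample data: three record sets that fit, one that cannot.
    small = [(f"rs{i}.example.org.", b"\x00" * 200) for i in range(3)]
    print(pack_messages(small, 512))
    try:
        pack_messages(small + [("big.example.org.", b"\x00" * 600)], 512)
    except RecordSetTooLarge as exc:
        print("rejected:", exc)
```

The same size check can be applied when a record set is created, so an oversized one is refused before it reaches the transfer path.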