CVE-2018-14644 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-14644 Interim 1 35 2025-11-05T03:26:08Z current 2021-05-30T14:15:40Z 2025-11-05T03:26:08Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-14644 An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FI4FFU4QQEWV74MZWYUFSQ5ZMXRGIH7G/#FI4FFU4QQEWV74MZWYUFSQ5ZMXRGIH7G E-Mail link for openSUSE-SU-2018:4062-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HH5MBEKH3XPGHRYURTR5RZQRX6A4SFWD/#HH5MBEKH3XPGHRYURTR5RZQRX6A4SFWD E-Mail link for openSUSE-SU-2018:4151-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DOLOBIPIZ3LAIYOJATK4335ZBTPVTRC2/#DOLOBIPIZ3LAIYOJATK4335ZBTPVTRC2 E-Mail link for openSUSE-SU-2018:4152-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M2UYXXO7I4TUSSSVHBOZEQKRR4SWMVXY/#M2UYXXO7I4TUSSSVHBOZEQKRR4SWMVXY E-Mail link for openSUSE-SU-2018:4177-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE OpenStack Cloud 8 SUSE Package Hub 12 SP1 SUSE Package Hub 15 openSUSE Leap 15.0 openSUSE Tumbleweed pdns pdns-backend-mysql pdns-recursor-4.1.2-bp150.2.3.1 pdns-recursor-4.1.2-lp150.2.3.1 pdns-recursor-4.1.8-13.1 pdns-recursor-4.5.5-1.3 pdns-recursor-4.1.8-13.1 as a component of SUSE Package Hub 12 SP1 pdns-recursor-4.1.2-bp150.2.3.1 as a component of SUSE Package Hub 15 pdns-recursor-4.1.2-lp150.2.3.1 as a component of openSUSE Leap 15.0 pdns-recursor-4.5.5-1.3 as a component of openSUSE Tumbleweed pdns as a component of HPE Helion OpenStack 8 pdns-backend-mysql as a component of HPE Helion OpenStack 8 pdns as a component of SUSE OpenStack Cloud 8 pdns-backend-mysql as a component of SUSE OpenStack Cloud 8 An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail. CVE-2018-14644 SUSE Package Hub 12 SP1:pdns-recursor-4.1.8-13.1 SUSE Package Hub 15:pdns-recursor-4.1.2-bp150.2.3.1 openSUSE Leap 15.0:pdns-recursor-4.1.2-lp150.2.3.1 openSUSE Tumbleweed:pdns-recursor-4.5.5-1.3 HPE Helion OpenStack 8:pdns HPE Helion OpenStack 8:pdns-backend-mysql SUSE OpenStack Cloud 8:pdns SUSE OpenStack Cloud 8:pdns-backend-mysql moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L