From remi.gacogne at powerdns.com Fri Apr 5 08:34:10 2024
From: remi.gacogne at powerdns.com (Remi Gacogne)
Date: Fri, 5 Apr 2024 10:34:10 +0200
Subject: [Pdns-announce] PowerDNS DNSdist 1.9.2 released
Message-ID: <9389f874-a875-429f-8b42-00bfab388f6f@powerdns.com>

Hello!

We released PowerDNS DNSdist 1.9.2 today.

This release fixes several issues:

- HTTP/1.1 was wrongly selected over HTTP/2 when a DNS over HTTPS client advertised both HTTP versions in ALPN and listed HTTP/1.1 first, and the nghttp2 provider was used
- The first connection to the DNSdist console done over IPv6 was rejected
- A failure of the first lazy health-check was not properly handled
- A crash might have occurred if an incoming DNS over HTTPS connection timed out right before the corresponding outgoing query to a backend did, and the nghttp2 provider was used
- DNS over HTTPS connections and queries counters were not working properly with the nghttp2 provider
- Incoming TCP connections from a client were not always closed right away after an error
- Outgoing TCP connections to a backend were not always closed right away after a timeout
- The Docker image was printing the DNSdist configuration to the terminal by default, including secrets, which might not have been expected
- It was not possible to return a "no server available" result from a custom Lua FFI load-balancing policy
- Several compilation warnings have been fixed

Please see the DNSdist website [1] for the more complete changelog [2] and the current documentation. The upgrade guide is also available there [3].

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the downloads website, and packages for several distributions are available from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.2
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-1.9.2.tar.bz2
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.2.tar.bz2.sig
[7]: https://repo.powerdns.com

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

From remi.gacogne at powerdns.com Fri Apr 5 11:55:33 2024
From: remi.gacogne at powerdns.com (Remi Gacogne)
Date: Fri, 5 Apr 2024 13:55:33 +0200
Subject: [Pdns-announce] PowerDNS DNSdist 1.9.3 released
Message-ID: <08833e2d-9c0e-44ba-8794-1a812a2a402c@powerdns.com>

Hello!

Less than an hour after the release of PowerDNS DNSdist 1.9.2 today, we received reports of DNSdist crashing in some setups. This 1.9.3 release fixes the issue that was introduced in 1.9.2, for now by reverting the related change.

Please see the DNSdist website [1] for the changelog [2] and the current documentation. The upgrade guide is also available there [3].

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the downloads website, and packages for several distributions are available from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.3
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-1.9.3.tar.bz2
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.3.tar.bz2.sig
[7]: https://repo.powerdns.com

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

From peter.van.dijk at powerdns.com Wed Apr 24 10:37:12 2024
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Wed, 24 Apr 2024 12:37:12 +0200
Subject: [Pdns-announce] PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
Message-ID:

Dear user,

Please find below a security advisory, relating to PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3 only.

When using recursive forwarding, a crafted response from an upstream server can cause a Denial of Service in the Recursor.

=========================================================================

PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

CVE: CVE-2024-25583
Date: 24th of April 2024.
Affects: PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3, earlier versions are not affected
Not affected: PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4
Severity: High (only when using recursive forwarding)
Impact: Denial of service
Exploit: This problem can be triggered by an attacker publishing a crafted zone
Risk of system compromise: None
Solution: Upgrade to patched version

When using recursive forwarding, a crafted response from an upstream server can cause a Denial of Service in the Recursor.
The default configuration of the Recursor does not use recursive forwarding and is not affected.

CVSS Score: 7.5, only for configurations using recursive forwarding, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

The remedy is to update to a patched version.
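
Added example, not part of the advisory or of PowerDNS code: a triage check that combines the two conditions the advisory states, an affected version and recursive forwarding being configured. It assumes old-style `recursor.conf` syntax, where the `forward-zones-recurse` setting and a `+` prefix in a `forward-zones-file` enable recursive forwarding; YAML settings are not handled, and the sample configuration is constructed.

```python
import re

# Versions the advisory lists as affected (earlier and patched releases are not).
AFFECTED = {"4.8.7", "4.9.4", "5.0.3"}
# Assumption: old-style recursor.conf "key=value" lines, where "+=" appends.
_RECURSE = re.compile(r"^\s*forward-zones-recurse\s*\+?=\s*(\S.*)$")


def recursive_forwarding_zones(conf_text, zones_file_text=""):
    """Return zones that are forwarded with the recursion-desired bit set."""
    zones = []
    for line in conf_text.splitlines():
        m = _RECURSE.match(line.split("#", 1)[0])  # ignore comments
        if m:
            for entry in m.group(1).split(","):
                zones.append(entry.split("=", 1)[0].strip())
    # Assumption: in a forward-zones-file a leading '+' marks recursive
    # forwarding; '^' (notify) may appear before or after it.
    for line in zones_file_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        name = entry.lstrip("+^")
        if "+" in entry[: len(entry) - len(name)]:
            zones.append(name.split("=", 1)[0].strip())
    return zones


def triage(version, conf_text, zones_file_text=""):
    """Classify one Recursor instance against Security Advisory 2024-02."""
    if version not in AFFECTED:
        return "not affected (version)"
    zones = recursive_forwarding_zones(conf_text, zones_file_text)
    if not zones:
        return "affected version, recursive forwarding not configured"
    return "EXPOSED, upgrade: recursive forwarding for " + ", ".join(zones)


# Constructed sample configuration (documentation addresses, not a real setup).
SAMPLE_CONF = """\
forward-zones=internal.example=192.0.2.10
forward-zones-recurse=.=192.0.2.53;192.0.2.54  # constructed
"""
SAMPLE_ZONES_FILE = "+corp.example=192.0.2.20\nlab.example=192.0.2.30\n"

if __name__ == "__main__":
    print(triage("4.9.4", SAMPLE_CONF, SAMPLE_ZONES_FILE))
```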