[Pdns-announce] PowerDNS Security Advisory 2014-02

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Dec 8 16:00:09 UTC 2014


Hi everybody,

Please be aware of PowerDNS Security Advisory 2014-02
(http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/), which you
can also find below.  The good news is that the currently released version of the
PowerDNS Recursor is safe.  The bad news is that users of older versions
will have to upgrade.

PowerDNS Recursor 3.6.2, released late October, is in wide production use
and has been working well for our users.  If however you have reasons not to
upgrade, the advisory below contains a link to a patch which applies to
older versions.

Finally, if you have problems upgrading, please either contact us on our
mailing lists, or privately via powerdns.support at powerdns.com (should you
wish to make use of our SLA-backed support program).

We want to thank Florian Maury of French government information security
agency ANSSI for bringing this issue to our attention and coordinating the
security release with us and other nameserver vendors.

## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service

* CVE: CVE-2014-8601
* Date: 8th of December 2014
* Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/))
* Affects: PowerDNS Recursor versions 3.6.1 and earlier
* Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
* Severity: High
* Impact: Degraded service
* Exploit: This problem can be triggered by sending queries for specifically configured domains
* Risk of system compromise: No
* Solution: Upgrade to PowerDNS Recursor 3.6.2
* Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.

Recently we released PowerDNS Recursor 3.6.2 with a new feature that
strictly limits the amount of work we'll perform to resolve a single query.
This feature was inspired by performance degradations noted when resolving
domains hosted by 'ezdns.it', which can require thousands of queries to
resolve.

During the 3.6.2 release process, we were contacted by a government security
agency with news that they had found that all major caching nameservers,
including PowerDNS, could be negatively impacted by specially configured,
hard to resolve domain names. With their permission, we continued the 3.6.2
release process with the fix for the issue already in there.

We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively,
if you want to apply a minimal fix to your own tree, it can be found
[here](https://downloads.powerdns.com/patches/2014-02/), including patches for older versions.

As for workarounds, only clients in allow-from are able to trigger the
degraded service, so this should be limited to your userbase.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20141208/dec71bd5/attachment-0002.sig>


More information about the Pdns-announce mailing list