[Pdns-announce] PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17 released fixing CVE-2020-14196: Access restriction, bypass

Otto Moerbeek otto.moerbeek at open-xchange.com
Wed Jul 1 12:08:24 UTC 2020


Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17,
containing a security fix for CVE-2020-14196: Access restriction

An issue has been found in PowerDNS Recursor where the ACL applied to
the internal web server via `webserver-allow-from` is not properly
enforced, allowing a remote attacker to send HTTP queries to the
internal web server, bypassing the restriction.

Note that the web server is not enabled by default. Only installations
using a non-default value for `webserver` and `webserver-address` are

Workarounds are: disable the webserver or set a password or an API
key. Additionally, restrict the binding address using the
`webserver-address` setting to local addresses only and/or use a
firewall to disallow web requests from untrusted sources reaching the
webserver listening address.

As usual, there were also other smaller enhancements and bugfixes. In
particular, the 4.3.2 release contains fixes that allow long CNAME
chains to resolve properly, where previously they could fail if qname
minimization is enabled.  Please refer to the 4.3.2 changelog[1],
4.2.3 changelog[2] and 4.1.17 changelog[3] for details.

The 4.3.2 tarball[4] (signature[5]), 4.2.3 tarball[6] (signature[7])
and 4.1.17 tarball[8] (signature[9]) are available from our download
site[10] and packages for CentOS 6, 7 and 8, Debian Stretch and
Buster, Ubuntu Xenial and Bionic are available from our

4.0 and older releases are EOL, refer to the documentation[12] for
details about our release cycles.

Please send us all feedback and issues you might have via the mailing
list[13], or in case of a bug, via GitHub[14].

[0] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
[1] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.2
[2] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.3
[3] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17
[4] https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2
[5] https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2.sig
[6] https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2
[7] https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2.sig
[8] https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2
[9] https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2.sig
[10] https://downloads.powerdns.com/releases/
[11] https://repo.powerdns.com/
[12] https://docs.powerdns.com/recursor/appendices/EOL.html
[13] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[14] https://github.com/PowerDNS/pdns/issues/new/choose


  Otto and the PowerDNS team

Otto Moerbeek
Senior PowerDNS Developer

Email: otto.moerbeek at open-xchange.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20200701/066c3150/attachment.sig>

More information about the Pdns-announce mailing list