[Pdns-announce] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0

Otto Moerbeek otto.moerbeek at open-xchange.com
Fri Jan 20 12:17:23 UTC 2023


   Hello,

   Today we have released PowerDNS Recursor 4.8.1 due to a high severity
   issue found.

   Please find the full text of the advisory below.

   The [1]changelog is available.

   The [2]tarball ([3]signature) is available from our download [4]server.
   Patches are available at [5]patches. Packages for various distributions
   are available from our [6]repository.

   Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
   Consult the [7]EOL policy for more details.
     __________________________________________________________________

PowerDNS Security Advisory 2023-01: unbounded recursion results in program
termination

     * CVE: CVE-2023-22617
     * Date: 20th of January 2023
     * Affects: PowerDNS Recursor 4.8.0
     * Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
     * Severity: High
     * Impact: Denial of service
     * Exploit: This problem can be triggered by a remote attacker with
       access to the recursor by querying names from specific
       mis-configured domains
     * Risk of system compromise: None
     * Solution: Upgrade to patched version

   CVSS 3.0 score: 8.2 (High)
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C

   Thanks to applied-privacy.net for reporting this issue and their assistance in diagnosing it.

References

   1. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1
   2. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2
   3. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2.sig
   4. https://downloads.powerdns.com/releases/
   5. https://downloads.powerdns.com/patches/2023-01/
   6. https://repo.powerdns.com/
   7. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer


