[Pdns-dev] PowerDNS Recursor 4.1.8 Released

Erik Winkels erik.winkels at open-xchange.com
Mon Nov 26 16:03:50 UTC 2018

We’ve released PowerDNS Recursor 4.1.8.
This release fixes Security Advisory 2018-09 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html) that we recently discovered, affecting PowerDNS Recursor from 4.1.0 up to and including 4.1.7.  PowerDNS Recursor 4.0.x and below are not affected.
The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
A minimal patch is available at: https://downloads.powerdns.com/patches/2018-09/
The changelog[1]:
    - #7221: Crafted query can cause a denial of service (CVE-2018-16855)
The tarball[2] (signature[3]) is available at https://downloads.powerdns.com/releases/ and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from https://repo.powerdns.com/ .
Please send us all feedback and issues you might have via the mailing list[4], or in case of a bug, via GitHub[5].
[1] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.8
[2] https://downloads.powerdns.com/releases/pdns-recursor-4.1.8.tar.bz2
[3] https://downloads.powerdns.com/releases/pdns-recursor-4.1.8.tar.bz2.sig
[4] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[5] https://github.com/PowerDNS/pdns/issues/new
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20181126/d8148125/attachment.sig>

More information about the Pdns-dev mailing list