[Pdns-dev] PowerDNS Recursor 4.3.2, 4.2.3 and 4.1.17 released fixing CVE-2020-14196: Access restriction bypass
otto.moerbeek at open-xchange.com
Wed Jul 1 12:08:24 UTC 2020
Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3 and 4.1.17,
containing a security fix for CVE-2020-14196: Access restriction bypass.
An issue has been found in PowerDNS Recursor where the ACL applied to
the internal web server via `webserver-allow-from` is not properly
enforced, allowing a remote attacker to send HTTP queries to the
internal web server, bypassing the restriction.
Note that the web server is not enabled by default. Only installations
using a non-default value for `webserver` and `webserver-address` are
affected.
Workarounds are: disable the webserver or set a password or an API
key. Additionally, restrict the binding address using the
`webserver-address` setting to local addresses only and/or use a
firewall to disallow web requests from untrusted sources reaching the
webserver listening address.
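As an added illustration (not part of this announcement or of the PowerDNS code base), a small configuration audit that flags the combination the advisory describes: an unfixed version with the web server enabled, no password or API key, and a listening address reachable beyond the host. The sample `recursor.conf` text, the version table and all function names are constructed for this example.

```python
import ipaddress

FIXED_PATCH = {1: 17, 2: 3, 3: 2}  # fix versions from the advisory, per 4.x branch

SAMPLE_CONF = """
# constructed example, not a real deployment
webserver=yes
webserver-address=0.0.0.0        # reachable from outside the host
webserver-allow-from=127.0.0.1   # ACL that the unfixed versions do not enforce
"""

def parse_recursor_conf(text: str) -> dict:
    """Parse key=value lines of a recursor.conf; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_fixed_version(version: str) -> bool:
    """True if this Recursor version (x.y.z) carries the CVE-2020-14196 fix."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if major != 4:
        return major > 4          # 3.x is long EOL; 5.x postdates the fix
    if minor not in FIXED_PATCH:
        return minor > 3          # 4.0 is EOL and unfixed; 4.4+ postdate the fix
    return patch >= FIXED_PATCH[minor]

def audit(conf: dict, version: str) -> list:
    """Return findings; an empty list means the ACL bypass does not apply."""
    findings = []
    if conf.get("webserver", "no").lower() not in ("yes", "true", "on", "1"):
        return findings           # web server off (the default): not affected
    if is_fixed_version(version):
        return findings
    findings.append(f"{version} with webserver=yes: webserver-allow-from is not enforced")
    if not (conf.get("webserver-password") or conf.get("api-key")):
        findings.append("no webserver-password or api-key: requests are unauthenticated")
    bound = conf.get("webserver-address", "127.0.0.1")
    try:
        local = ipaddress.ip_address(bound).is_loopback
    except ValueError:
        local = False             # unparsable address: assume it is not loopback
    if not local:
        findings.append(f"webserver-address={bound} is reachable beyond the host")
    return findings
```

Running `audit(parse_recursor_conf(SAMPLE_CONF), "4.3.1")` yields three findings; the same configuration on 4.3.2 yields none.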
As usual, there were also other smaller enhancements and bugfixes. In
particular, the 4.3.2 release contains fixes that allow long CNAME
chains to resolve properly, where previously they could fail if qname
minimization is enabled. Please refer to the 4.3.2 changelog,
4.2.3 changelog and 4.1.17 changelog for details.
The 4.3.2 tarball (signature), 4.2.3 tarball (signature)
and 4.1.17 tarball (signature) are available from our download
site, and packages for CentOS 6, 7 and 8, Debian Stretch and
Buster, Ubuntu Xenial and Bionic are available from our repository.
4.0 and older releases are EOL, refer to the documentation for
details about our release cycles.
Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub.
Otto and the PowerDNS team
Senior PowerDNS Developer
Email: otto.moerbeek at open-xchange.com