[Pdns-dev] PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16 released fixing multiple vulnerabilities

Otto Moerbeek otto.moerbeek at open-xchange.com
Tue May 19 08:58:02 UTC 2020


Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16,
containing security fixes for three CVEs:

- CVE-2020-10995[1]
- CVE-2020-12244[2]
- CVE-2020-10030[3]

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows
malicious parties to use recursive DNS services to attack third party
authoritative name servers. Severity is medium. We would like to thank
Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and
subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response
lacking an SOA were not properly validated. Severity is medium. We would
like to thank Matt Nordhoff for finding and subsequently reporting this

CVE-2020-10030: An attacker with enough privileges to change the
hostname might be able to disclose uninitialized memory. This issue also
affects the Authoritative Server and dnsdist; since the attack requires
very high privileges and the issue does not affect Linux, we will not be
releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes.
Please refer to the 4.3.1 changelog[4], 4.2.2 changelog[5] and 4.1.16
changelog[6] for details.

The 4.3.1 tarball[7] (signature[8]), 4.2.2 tarball[9] (signature[10])
and 4.1.16 tarball[11] (signature[12]) are available at our download
site[13] and packages for CentOS 6, 7 and 8, Debian Stretch and Buster,
Ubuntu Xenial and Bionic are available from our repository[14]

Note that the 4.1 packages will be published later today.

4.0 and older releases are EOL, refer to the documentation[15] for
details about our release cycles.

Please send us all feedback and issues you might have via the mailing
list[16], or in case of a bug, via GitHub[17].

[4] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1
[5] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.2
[6] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16
[7] https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2
[8] https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2.sig
[9] https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2
[10] https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2.sig
[11] https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2
[13] https://downloads.powerdns.com/releases
[14] https://repo.powerdns.com/
[15] https://docs.powerdns.com/recursor/appendices/EOL.html
[16] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[17] https://github.com/PowerDNS/pdns/issues/new/choose

kind regards,
Otto Moerbeek
Senior PowerDNS Developer

Email: otto.moerbeek at open-xchange.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20200519/ff06d4fb/attachment.sig>

More information about the Pdns-dev mailing list