[Pdns-dev] PowerDNS Recursor 4.3.5, 4.2.5. and 4.1.18 released fixing a cache pollution issue (CVE-2020-25829)

Otto Moerbeek otto.moerbeek at open-xchange.com
Tue Oct 13 11:11:46 UTC 2020


Today we are releasing PowerDNS Recursor 4.3.5, 4.2.5. and 4.1.18,
containing a security fix for CVE-2020-25829[1]:

An issue has been found in PowerDNS Recursor where a remote attacker
can cause the cached records for a given name to be updated to the
Bogus DNSSEC validation state, instead of their actual DNSSEC Secure
state, via a DNS ANY query. This results in a denial of service for
installations that always validate (dnssec=validate) and for clients
requesting validation when on-demand validation is enabled
(dnssec=process). The severity is high for these cases.

As usual, there were also other smaller enhancements and
bugfixes. Please refer to the 4.3.5 changelog[2], 4.2.5 changelog[3]
and 4.1.18 changelog[4] for details.

The 4.3.5 tarball[5] (signature[6]), 4.2.5 tarball[7] (signature[8])
and 4.1.18 tarball[9] (signature[10]) are available at our download
site[11] and packages for CentOS 6, 7 and 8, Debian Stretch and
Buster, Ubuntu Xenial and Bionic are available from our

4.0 and older releases are EOL, refer to the documentation[13] for details
about our release cycles.

Please send us all feedback and issues you might have via the mailing
list[14], or in case of a bug, via GitHub[15].


 -Otto and the PowerDNS Team
[1] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
[2] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.5
[3] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.5
[4] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.18
[5] https://downloads.powerdns.com/releases/pdns-recursor-4.3.5.tar.bz2
[6] https://downloads.powerdns.com/releases/pdns-recursor-4.3.5.tar.bz2.sig
[7] https://downloads.powerdns.com/releases/pdns-recursor-4.2.5.tar.bz2
[8] https://downloads.powerdns.com/releases/pdns-recursor-4.2.5.tar.bz2.sig
[9] https://downloads.powerdns.com/releases/pdns-recursor-4.1.18.tar.bz2
[10] https://downloads.powerdns.com/releases/pdns-recursor-4.1.18.tar.bz2.sig
[11] https://downloads.powerdns.com/releases/
[12] https://repo.powerdns.com/
[13] https://docs.powerdns.com/recursor/appendices/EOL.html
[14] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[15] https://github.com/PowerDNS/pdns/issues/new/choose

kind regards,
Otto Moerbeek
Senior PowerDNS Developer

Email: otto.moerbeek at open-xchange.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20201013/e1e13f55/attachment.sig>

More information about the Pdns-dev mailing list