[Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor

bert hubert bert.hubert at powerdns.com
Wed Feb 17 13:38:05 UTC 2016

On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
> What about the static debian package on the website? I assume updating
> the OS libc package is not enough?

Hi Nick,

Good question. It turns out our recent static packages in fact link to the
system libc. We call these 'semi-static', but did not change the package

Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
your version runs against the system libc. If it doesn't chances are you are
running a version that needed to be updated anyhow!

Secondly, as a nameserver, we try not to resolve names using the system
library as this could create chicken/egg problems. We do use getaddrinfo()
but not to resolve names, only to convert IPv6 addresses, and that only if
inet_pton doesn't do the job. See

If you connec to a MySQL or PostgreSQL database using a *named* database
host, those libraries might try to resolve a name, but we recommend against

But chances are you are running a version of PowerDNS that does not contain
a vulnerable libc anyhow.


More information about the Pdns-users mailing list