[Pdns-users] [Pdns-announce] PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16 released fixing multiple vulnerabilities

Kevin P. Fleming kevin at km6g.us
Wed May 20 10:35:56 UTC 2020


The new packages aren't available for Raspbian yet; would someone
check the build systems for Raspbian? Thanks.

On Tue, May 19, 2020 at 4:58 AM Otto Moerbeek via Pdns-announce
<pdns-announce at mailman.powerdns.com> wrote:
>
> Hello!
>
> Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16,
> containing security fixes for three CVEs:
>
> - CVE-2020-10995[1]
> - CVE-2020-12244[2]
> - CVE-2020-10030[3]
>
> The issues are:
>
> CVE-2020-10995: An issue in the DNS protocol has been found that allows
> malicious parties to use recursive DNS services to attack third-party
> authoritative name servers. Severity is medium. We would like to thank
> Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and
> subsequently reporting this issue!
>
> CVE-2020-12244: Records in the answer section of an NXDOMAIN response
> lacking an SOA were not properly validated. Severity is medium. We would
> like to thank Matt Nordhoff for finding and subsequently reporting this
> issue!
>
> CVE-2020-10030: An attacker with enough privileges to change the
> hostname might be able to disclose uninitialized memory. This issue also
> affects the Authoritative Server and dnsdist; since the attack requires
> very high privileges and the issue does not affect Linux, we will not be
> releasing new versions for those just for this issue. Severity is low.
>
> As usual, there were also other smaller enhancements and bugfixes.
> Please refer to the 4.3.1 changelog[4], 4.2.2 changelog[5] and 4.1.16
> changelog[6] for details.
>
> The 4.3.1 tarball[7] (signature[8]), 4.2.2 tarball[9] (signature[10])
> and 4.1.16 tarball[11] (signature[12]) are available at our download
> site[13] and packages for CentOS 6, 7 and 8, Debian Stretch and Buster,
> Ubuntu Xenial and Bionic are available from our repository[14].
>
> Note that the 4.1 packages will be published later today.
>
> 4.0 and older releases are EOL, refer to the documentation[15] for
> details about our release cycles.
>
> Please send us all feedback and issues you might have via the mailing
> list[16], or in case of a bug, via GitHub[17].
>
>
> [1] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
> [2] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
> [3] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html
> [4] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1
> [5] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.2
> [6] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16
> [7] https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2
> [8] https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2.sig
> [9] https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2
> [10] https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2.sig
> [11] https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2
> [12] https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2.sig
> [13] https://downloads.powerdns.com/releases
> [14] https://repo.powerdns.com/
> [15] https://docs.powerdns.com/recursor/appendices/EOL.html
> [16] https://mailman.powerdns.com/mailman/listinfo/pdns-users
> [17] https://github.com/PowerDNS/pdns/issues/new/choose
>
> --
> kind regards,
> Otto Moerbeek
> Senior PowerDNS Developer
>
> Email: otto.moerbeek at open-xchange.com
>
> _______________________________________________
> Pdns-announce mailing list
> Pdns-announce at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-announce

