[Pdns-users] [EXT] Re: [Pdns-announce] PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16 released fixing multiple vulnerabilities

Otto Moerbeek otto.moerbeek at open-xchange.com
Wed May 20 10:52:11 UTC 2020



On 2020-05-20 12:35, Kevin P. Fleming wrote:
> The new packages aren't available for Raspbian yet; would someone
> check the build systems for Raspbian? Thanks.

The builds are slow; the packages should become available soon.

	-Otto

> 
> On Tue, May 19, 2020 at 4:58 AM Otto Moerbeek via Pdns-announce
> <pdns-announce at mailman.powerdns.com> wrote:
>>
>> Hello!
>>
>> Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16,
>> containing security fixes for three CVEs:
>>
>> - CVE-2020-10995[1]
>> - CVE-2020-12244[2]
>> - CVE-2020-10030[3]
>>
>> The issues are:
>>
>> CVE-2020-10995: An issue in the DNS protocol has been found that allows
>> malicious parties to use recursive DNS services to attack third party
>> authoritative name servers. Severity is medium. We would like to thank
>> Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and
>> subsequently reporting this issue!
>>
>> CVE-2020-12244: Records in the answer section of a NXDOMAIN response
>> lacking an SOA were not properly validated. Severity is medium. We would
>> like to thank Matt Nordhoff for finding and subsequently reporting this
>> issue!
>>
>> CVE-2020-10030: An attacker with enough privileges to change the
>> hostname might be able to disclose uninitialized memory. This issue also
>> affects the Authoritative Server and dnsdist; since the attack requires
>> very high privileges and the issue does not affect Linux, we will not be
>> releasing new versions for those just for this issue. Severity is low.
>>
>> As usual, there were also other smaller enhancements and bugfixes.
>> Please refer to the 4.3.1 changelog[4], 4.2.2 changelog[5] and 4.1.16
>> changelog[6] for details.
>>
>> The 4.3.1 tarball[7] (signature[8]), 4.2.2 tarball[9] (signature[10])
>> and 4.1.16 tarball[11] (signature[12]) are available at our download
>> site[13] and packages for CentOS 6, 7 and 8, Debian Stretch and Buster,
>> Ubuntu Xenial and Bionic are available from our repository[14].
>>
>> Note that the 4.1 packages will be published later today.
>>
>> 4.0 and older releases are EOL, refer to the documentation[15] for
>> details about our release cycles.
>>
>> Please send us all feedback and issues you might have via the mailing
>> list[16], or in case of a bug, via GitHub[17].
>>
>>
>> [1] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
>> [2] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
>> [3] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html
>> [4] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1
>> [5] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.2
>> [6] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16
>> [7] https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2
>> [8] https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2.sig
>> [9] https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2
>> [10] https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2.sig
>> [11] https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2
>> [12] https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2.sig
>> [13] https://downloads.powerdns.com/releases
>> [14] https://repo.powerdns.com/
>> [15] https://docs.powerdns.com/recursor/appendices/EOL.html
>> [16] https://mailman.powerdns.com/mailman/listinfo/pdns-users
>> [17] https://github.com/PowerDNS/pdns/issues/new/choose
>>
>> --
>> kind regards,
>> Otto Moerbeek
>> Senior PowerDNS Developer
>>
>> Email: otto.moerbeek at open-xchange.com
>>
>> _______________________________________________
>> Pdns-announce mailing list
>> Pdns-announce at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-announce

-- 
kind regards,
Otto Moerbeek
Senior PowerDNS Developer

Email: otto.moerbeek at open-xchange.com
