[Pdns-users] security advisory 2021-01 for PowerDNS Authoritative Server 4.5.0

Steven Garner stevenjgarner at gmail.com
Sat Sep 18 21:17:23 UTC 2021


For Debian systems, will apt be updated so that an upgrade from 4.4.1 to
4.5.1 can be picked up by apt upgrade?  Or is there a different upgrade
path?  I don't see any reference in
https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-5-0-or-master.
Thanks in advance.

Steve Garner
+1 302 364 0325
stevenjgarner at gmail.com


On Mon, Jul 26, 2021 at 7:42 AM Peter van Dijk via Pdns-users <
pdns-users at mailman.powerdns.com> wrote:

> Hello,
>
> today we have released PowerDNS Authoritative Server 4.5.1, fixing a
> remotely triggered crash present in version 4.5.0. No other versions
> are affected.
>
> Tarballs and signatures are available at
> https://downloads.powerdns.com/releases/, and a single patch is
> available at https://downloads.powerdns.com/patches/2021-01/. However,
> 4.5.1 contains no other changes.
>
> Please find the full text of the advisory below.
>
> PowerDNS Security Advisory 2021-01: Specific query crashes
> Authoritative Server
>
> -  CVE: CVE-2021-36754
> -  Date: July 26th, 2021
> -  Affects: PowerDNS Authoritative version 4.5.0
> -  Not affected: 4.4.x and below, 4.5.1
> -  Severity: High
> -  Impact: Denial of service
> -  Exploit: This problem can be triggered via a specific query packet
> -  Risk of system compromise: None
> -  Solution: Upgrade to 4.5.1, or filter queries in ``dnsdist``
>
> PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2
> prereleases that came before it) will crash with an uncaught out of
> bounds exception if it receives a query with QTYPE 65535. The offending
> code was not present in earlier versions, and they are not affected.
>
> Users that cannot upgrade immediately, but do have dnsdist in place,
> can use dnsdist to filter such queries before they do harm, with
> something like ``addAction(QTypeRule(65535),
> RCodeAction(DNSRCode.REFUSED))``.
>
> When the PowerDNS Authoritative Server is run inside a supervisor like
> supervisord or systemd, an uncaught exception crash will lead to an
> automatic restart, limiting the impact to a somewhat degraded service.
>
> We would like to thank Reinier Schoof and Robin Geuze of TransIP for
> noticing crashes in production, immediately letting us know, and
> helping us figure out what was happening.
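The advisory's workaround is a one-line dnsdist rule: `addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED))`. The following added example (mine, not code from PowerDNS or dnsdist) shows in plain Python what that rule does on the wire, so the behaviour can be checked offline: parse the question section of a DNS query, match on the QTYPE the advisory names, and build the REFUSED reply (RCODE 5, QR set, transaction ID and question echoed) that dnsdist would return instead of forwarding the query to the authoritative server. `build_query` only exists to construct sample input; all packet values are constructed and the function names are mine.

```python
import struct

# QTYPE named in PowerDNS Security Advisory 2021-01 (CVE-2021-36754).
QTYPE_CRASH = 65535
RCODE_REFUSED = 5


def build_query(name: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal RFC 1035 query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def _parse(packet: bytes):
    """Return (qname, qtype, qclass, end_offset) of the first question entry."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass, pos + 4


def parse_question(packet: bytes):
    """Public view: (qname, qtype, qclass) of the first question."""
    qname, qtype, qclass, _ = _parse(packet)
    return qname, qtype, qclass


def filter_query(packet: bytes, blocked_qtypes=(QTYPE_CRASH,)) -> str:
    """Decision equivalent to QTypeRule(65535) -> RCodeAction(REFUSED).

    Returns "REFUSED" for a blocked QTYPE, "PASS" to forward, and "DROP"
    for a packet that cannot even be parsed as a query.
    """
    try:
        _, qtype, _, _ = _parse(packet)
    except ValueError:
        return "DROP"
    return "REFUSED" if qtype in blocked_qtypes else "PASS"


def refused_response(packet: bytes) -> bytes:
    """Build the REFUSED reply: same ID, QR=1, RD copied, RCODE=5, question echoed."""
    txid, flags = struct.unpack("!HH", packet[:4])
    _, _, _, end = _parse(packet)
    resp_flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + packet[12:end]


if __name__ == "__main__":
    # Constructed sample queries: one matching the rule, one ordinary A query.
    for pkt in (build_query("example.com", QTYPE_CRASH), build_query("example.com", 1)):
        print(parse_question(pkt), "->", filter_query(pkt))
```

The REFUSED reply carries no answer section, so a legitimate client sees an immediate error rather than a timeout, while the authoritative server never receives the query. The same parsing can be pointed at captured traffic or query logs to count how many QTYPE 65535 queries actually reach a deployment before deciding whether the interim filter is enough until 4.5.1 is rolled out.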