[Pdns-users] PowerDNS Security Advisory 2024-04

Otto Moerbeek otto.moerbeek at powerdns.com
Thu Oct 3 11:54:53 UTC 2024


   Hello,

   Today we have released PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2.

   These releases fix PowerDNS Security Advisory 2024-04: Crafted
   responses can lead to a denial of service due to cache inefficiencies
   in the Recursor.
     __________________________________________________________________

   PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of
   service due to cache inefficiencies in the Recursor

   CVE: CVE-2024-25590
   Date: 3rd of October 2024.
   Affects: PowerDNS Recursor up to and including 4.9.8, 5.0.8 and 5.1.1
   Not affected: PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2
   Severity: High
   Impact: Denial of service
   Exploit: This problem can be triggered by an attacker publishing a crafted zone
   Risk of system compromise: None
   Solution: Upgrade to patched version


   An attacker can publish a zone containing specific Resource Record
   Sets. Repeatedly processing and caching results for these sets can lead
   to a denial of service.

   CVSS Score: 7.5, see CVSS Calculator[1]

   The remedy is: upgrade to a patched version.

   We would like to thank Toshifumi Sakaguchi for bringing this issue to
   our attention and assisting in validating the patches.
     __________________________________________________________________

   Please refer to the changelogs (4.9.9[2], 5.0.9[3], 5.1.2[4]) and
   upgrade guide[5] for additional details.

   Please send us all feedback and issues you might have via the mailing
   list[6], or in case of a bug, via GitHub[7].

   The tarballs (4.9.9[8], 5.0.9[9], 5.1.2[10]) (with signature files
   4.9.9[11], 5.0.9[12], 5.1.2[13]) are available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
   2. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.9
   3. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.9
   4. https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1.2
   5. https://docs.powerdns.com/recursor/upgrade.html
   6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   7. https://github.com/PowerDNS/pdns/issues/new/choose
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.9.9.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-5.0.9.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-5.1.2.tar.bz2
  11. https://downloads.powerdns.com/releases/pdns-recursor-4.9.9.tar.bz2.sig
  12. https://downloads.powerdns.com/releases/pdns-recursor-5.0.9.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/pdns-recursor-5.1.2.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/


--

kind regards,
Otto Moerbeek
Senior Developer PowerDNS


Phone: +49 2761 75252 00 Fax: +49 2761 75252 30
Email: otto.moerbeek at open-xchange.com


-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Dr. Paul-Josef Patt

PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt
-------------------------------------------------------------------------------------
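
The following is an added example, not part of the original advisory or of PowerDNS's own tooling: a triage helper that applies the "Affects" / "Not affected" version ranges above to an inventory of Recursor version strings. The host names and package strings are constructed, and the handling of branches the advisory does not list is an assumption marked in the comments.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(4, 9): (4, 9, 9), (5, 0): (5, 0, 9), (5, 1): (5, 1, 2)}
NEWEST_BRANCH = max(FIXED)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z triple found in a version or package string."""
    # Epochs and suffixes ("1:4.9.8-1", "-rc1") are ignored; review pre-releases by hand.
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version_text):
    """Return (affected, upgrade_target) for one Recursor version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        return (True, fixed) if version < fixed else (False, None)
    if branch > NEWEST_BRANCH:
        # Assumption: branches newer than 5.1 already carry the fix.
        return (False, None)
    # Branch without a patched release of its own (for example 4.8).
    # Assumption: move to the lowest patched release above it.
    return (True, min(f for f in FIXED.values() if f > version))


def hosts_to_upgrade(inventory):
    """Map each affected host to the patched version it should move to."""
    results = {host: triage(text) for host, text in inventory.items()}
    return {host: ".".join(map(str, target))
            for host, (affected, target) in results.items() if affected}


# Constructed inventory (host names and package strings are made up).
SAMPLE_INVENTORY = {
    "resolver-a": "5.1.1",
    "resolver-b": "5.0.9-1pdns.bookworm",
    "resolver-c": "4.8.4",
    "resolver-d": "1:4.9.8-1",
    "resolver-e": "5.1.2",
}
```

Calling hosts_to_upgrade(SAMPLE_INVENTORY) returns only the hosts that still need the upgrade, each with its target version.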