Hello everyone,

We’ve released PowerDNS Authoritative Server 4.0.6 & 4.1.5 and Recursor 4.0.9 & 
4.1.5.
 
These are security releases with additional minor improvements and bug fixes.

Minimal patches for the releases are available at 
https://downloads.powerdns.com/patches/.

The changelogs look as follows (and can also be read at 
https://blog.powerdns.com/):

# Authoritative Server 4.1.5

This release fixes the following security advisories:

- PowerDNS Security Advisory 2018-03 (https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html) (CVE-2018-10851)
- PowerDNS Security Advisory 2018-05 (https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html) (CVE-2018-14626)

## Improvements

- Apply alias scopemask after chasing
- Release memory in case of error in the openssl ecdsa constructor
- Switch to devtoolset 7 for el6

## Bug Fixes

- Crafted zone record can cause a denial of service (CVE-2018-10851)
- Packet cache pollution via crafted query (CVE-2018-14626)
- Fix compilation with libressl 2.7.0+
- Actually truncate truncated responses

# Authoritative Server 4.0.6

This release fixes PowerDNS Security Advisory 2018-03 (https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html) (CVE-2018-10851).

## Bug fixes

- Crafted zone record can cause a denial of service (CVE-2018-10851)
- Skip v6-dependent test when pdns_test_no_ipv6 is set in environment
- Fix el6 builds

## Improvements

- Prevent cname + other data with dnsupdate
- Switch to devtoolset 7 for el6

# Recursor 4.1.5

This release fixes the following security advisories:

- PowerDNS Security Advisory 2018-04 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html) (CVE-2018-10851)
- PowerDNS Security Advisory 2018-06 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html) (CVE-2018-14626)
- PowerDNS Security Advisory 2018-07 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html) (CVE-2018-14644)

## Improvements

- Add pdnslog to lua configuration scripts (Chris Hofstaedtler)
- Fix compilation with libressl 2.7.0+
- Export outgoing ECS value and server ID in protobuf (if any)
- Switch to devtoolset 7 for el6
- Allow the signature inception to be off by a number of seconds (Kees 
Monshouwer)

## Bug Fixes

- Crafted answer can cause a denial of service (CVE-2018-10851)
- Packet cache pollution via crafted query (CVE-2018-14626)
- Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
- Delay the creation of rpz threads until we have dropped privileges
- Cleanup the netmask trees used for the ecs index on removals
- Make sure that the ecs scope from the auth is < to the source
- Authority records in aa=1 cname answer are authoritative
- Avoid a memory leak in catch-all exception handler
- Don’t require authoritative answers for forward-recurse zones
- Release memory in case of error in the openssl ecdsa constructor
- Convert a few uses to toLogString to print DNSName’s that may be empty in a 
safer manner
- Avoid a crash on DEC Alpha systems
- Clear all caches on (N)TA changes

# Recursor 4.0.9

This release fixes the following security advisories:

- PowerDNS Security Advisory 2018-04 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html) (CVE-2018-10851)
- PowerDNS Security Advisory 2018-06 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html) (CVE-2018-14626)
- PowerDNS Security Advisory 2018-07 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html) (CVE-2018-14644)

## Bug fixes

- Crafted answer can cause a denial of service (CVE-2018-10851)
- Packet cache pollution via crafted query (CVE-2018-14626)
- Crafted query for meta-types can cause a denial of service (CVE-2018-14644)

# Additional Information

The tarballs and signatures are available at 
https://downloads.powerdns.com/releases/ and packages for CentOS 6 and 7, 
Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from 
https://repo.powerdns.com/. Raspberry Pi packages will follow tomorrow.
 
Please send us all feedback and issues you might have via 
https://mailman.powerdns.com/mailman/listinfo/pdns-users, or in case of a bug, 
via https://github.com/PowerDNS/pdns/issues/new.

-- 
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com
