Important Update for Security Advisory 2015-01

Last week, we released Security Advisory 2015-01, with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: all platforms are impacted. The advisory has been updated to that effect.

Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes DNSSEC improvements and, of course, a patch for the security issue. Release notes, a tarball, debs and RPMs are available.

Security Advisory 2015-01

UPDATE: please also read the update posted on May 1st.

Hi everybody,

Please be aware of PowerDNS Security Advisory 2015-01
(http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/).

The good news is that as far as we have seen, only
specific builds for RHEL5 are affected, but just to be sure we are doing
full releases of all recent versions of our products.

Packages and distribution tarballs of Recursor 3.6.3, Recursor 3.7.2 and Auth
3.4.4 are available in the usual places, and release announcements have just gone out.

If you prefer a minimal patch, please go to
https://downloads.powerdns.com/patches/2015-01/ and see README.txt there.

If you have problems upgrading, please either contact us on our mailing lists,
or privately via powerdns.support@powerdns.com (should you wish to make use of
our SLA-backed support program).

We want to thank Aki Tuomi for finding this issue, and really digging into it.
We also want to thank Kees Monshouwer for assisting in debugging and fixing
the offending code. Finally we want to thank Kai Storbeck for putting an
earlier, broken version of the patch into production and being understanding
about the names that broke because of it.

Recursor 3.7.2

Hi everybody,

We’re pleased to announce version 3.7.2 of our Recursor.

The most important part of this update is a fix for CVE-2015-1868.
Please see http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
for more information.

Tar.gz and packages are available on:

* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/
(RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

The changelog with clickable links can also be found on
https://doc.powerdns.com/md/changelog/#powerdns-recursor-372

PowerDNS Recursor 3.7.2

Released 23rd of April, 2015

Among other bug fixes and improvements (as listed below), this release
incorporates a fix for CVE-2015-1868, as detailed in PowerDNS
Security Advisory 2015-01.

Bug fixes:
* Fix handling of forward references in label compressed packets; fixes CVE-2015-1868
* Make sure we never call sendmsg with msg_control!=NULL && msg_controllen>0. Fixes #2227
* Improve robustness of root-nx-trust.

Improvements:
* Silence warnings that always occur on FreeBSD (Ruben Kerkhof)
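
The first bug fix above concerns forward references in label-compressed names; the decoder below illustrates the general defence of only following compression pointers that go strictly backwards, which also guarantees that decoding terminates. This is an added example, not PowerDNS code and not the CVE-2015-1868 patch; decode_name, sample_packet and the packet bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Decode the (possibly compressed) name at `pos`. Returns false on malformed
// input; `name` is then incomplete and must not be used.
bool decode_name(const std::vector<uint8_t>& pkt, size_t pos, std::string& name) {
    name.clear();
    size_t limit = pos;     // a pointer must land strictly before this offset
    size_t wire_len = 1;    // encoded length, counting the terminating root byte
    for (;;) {
        if (pos >= pkt.size()) return false;            // ran off the packet
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {                     // compression pointer
            if (pos + 1 >= pkt.size()) return false;
            size_t target = ((len & 0x3Fu) << 8) | pkt[pos + 1];
            if (target >= limit) return false;          // forward or self reference
            limit = pos = target;                       // later pointers go further back
            continue;
        }
        if (len & 0xC0) return false;                   // reserved label types
        if (len == 0) break;                            // root label ends the name
        if (pos + 1 + len > pkt.size()) return false;   // label overruns the packet
        wire_len += 1 + len;
        if (wire_len > 255) return false;               // RFC 1035 name length limit
        name.append(reinterpret_cast<const char*>(&pkt[pos + 1]), len);
        name.push_back('.');
        pos += 1 + len;
    }
    if (name.empty()) name = ".";
    return true;
}

// Constructed sample: 12-byte zero header, "www.example.com" at offset 12,
// "mail" + pointer to offset 16 at offset 29, forward pointer (36 -> 38) at 36.
std::vector<uint8_t> sample_packet() {
    std::vector<uint8_t> p(12, 0);
    const uint8_t body[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0,
                            4,'m','a','i','l',0xC0,16,  0xC0,38,  1,'x',0};
    p.insert(p.end(), body, body + sizeof body);
    return p;
}

int main() {
    std::vector<uint8_t> p = sample_packet();
    std::string n;
    std::cout << decode_name(p, 29, n) << " " << n << "\n";   // backward pointer
    std::cout << decode_name(p, 36, n) << "\n";               // forward pointer
}
```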

Recursor 3.6.3

Hi everybody,

We’re pleased to announce version 3.6.3 of our Recursor.

The most important part of this update is a fix for CVE-2015-1868.
Please see http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
for more information.

Tar.gz and packages are available on:

* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/
(RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

Note that Recursor 3.7.2 is also available, with many improvements beyond
the fix for this CVE.

PowerDNS Recursor 3.6.3

Released 23rd of April, 2015

The only difference between Recursor 3.6.2 and 3.6.3 is a fix for
CVE-2015-1868, as detailed in PowerDNS Security Advisory 2015-01.

Authoritative Server 3.4.4

Hi everybody,

We’re pleased to announce version 3.4.4 of our Authoritative Server.

The most important part of this update is a fix for CVE-2015-1868.
Please see http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
for more information.

Tar.gz and packages are available on:

* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns/
(RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

Warning: Version 3.4.4 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Find the downloads on our download page, https://www.powerdns.com/downloads.html

This is a performance and bugfix update to 3.4.3 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.4 may show tremendous performance increases.

Please see the full clickable changelog at
https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-344

PowerDNS and Open-Xchange agree to merge

(Peter van Dijk, Bert Hubert, Rafael Laguna, Mikko Linnamäki, Markku Kenttä, Timo Sirainen)

Hi everybody,

We’re currently at World Hosting Days in Rust, Germany, where we just announced that PowerDNS will be joining the Open-Xchange family of companies. Last week it was also announced that the famous Dovecot IMAP server project is now a part of OX too.

Update: The Register and The WHIR covered the news!

We’ve been working with Timo and his team at Dovecot and with the OX Team on Email Security projects, and are already sharing personnel and infrastructure with each other. The cooperation works really well for all of us.

From the Open-Xchange website: “With over a decade of developing open-source software, Open-Xchange believes that only by engineering ruthlessly open products and services can the next generation of innovation emerge on the web. “Stay Open” contains many aspects of how we develop, engineer and deploy our products together with and for client-partners.”

We fully believe in that mission, and are glad that PowerDNS will become part of the Open-Xchange family. It will be great to have Timo and friends from Dovecot as cousins!

We’ll share more details of what the merger will and will not mean, but rest assured PowerDNS will stay as open and as community friendly as it has ever been.

Meanwhile, if you are at WHD, please come meet us at the Open-Xchange booth!

Bert, Peter and Pieter

World Hosting Days & Private Graphs as a Service!

Hi everybody,

Two announcements in one: First, like 7000 others, we’ll be visiting World Hosting Days in Rust, Germany next week. Peter, Pieter and I will be there, as will be two of our wonderful Certified Consultants (Kees Monshouwer and Christian Hofstaedtler).

If you want to meet up, please email any of us (or powerdns.ideas@powerdns.com) and we can coordinate. The PowerDNS team will in any case be available for drinks! We always like to hear from users since you have more experience running PowerDNS than we do, and can help us guide new features.

Secondly, last year we made our ‘public graphing as a service’ available, as described on
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/

Today, we’re happy to announce that we now also have a private variant for supported customers and selected users. This means you can benefit from a one-line setup in PowerDNS (simply set the ‘carbon-server’ variable and you are done), and view all your PowerDNS instances from one single interface, and in private.

If you’d like to use our private graphing service, please contact us for details.

The public graphing instance is now receiving over 1 gigabyte of graphs every week, so we think we are fulfilling a need!

Cheers,

Bert