Since yesterday we have been following and studying CVE-2015-7547. More about which here.
In short, this is a vulnerability not in PowerDNS products but in the Linux C library. This vulnerability could be exploited if it would be possible to relay specifically crafted records to Linux clients.
It appears the PowerDNS Recursor out of the box makes it hard to transport such specifically crafted records.
However, at this point there is still uncertainty over how CVE-2015-7547 could be exploited exactly. It may be that there are still ways to get the PowerDNS Recursor to relay content that could exploit vulnerable clients.
(we have tweeted earlier that we thought this was not possible. It now appears not enough is known about CVE-2015-7547 to be sure).
To be on the safe side, we have published a Lua script that puts in place further restrictions in the recursor that should help block CVE-2015-7547, as far as we currently understand it.
We urge everyone to patch their Linux C libraries of course. But as long as this is in progress or not yet possible, this script may help you protect vulnerable systems:
NOTE: We will keep updating the version of the script on GitHub and on our blog. Please check back for updates.
Please let us know if you have further questions!