PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Released
Today we announce the release of both the PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 which contain a lot of backports from the 4.1.x branch.
These releases also drop support for Botan 1.10 in favor of Botan 2.x.
More importantly there are fixes for the following security advisories.
- PowerDNS Security Advisory 2017-04: Missing check on API operations (CVE-2017-15091)
- PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures (CVE-2017-15090)
- PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface (CVE-2017-15092)
- PowerDNS Security Advisory 2017-06: Configuration file injection in the API (CVE-2017-15093)
- PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing (CVE-2017-15094)
(We thank Nixu for their discoveries of CVE-2017-15092, CVE-2017-15093 and CVE-2017-15094.)
Changelog: PowerDNS Authoritative Server 4.0.5
Changelog: PowerDNS Recursor 4.0.7
The full changelog looks like this:
- #4561: Update rec_control manpage (Winfried Angele)
- #4824: Check in the detected OpenSSL/libcrypto for ECDSA
- #5406: Make more specific Netmasks < to less specific ones
- #5525: Fix validation at the exact RRSIG inception or expiration time
- #5740: Lowercase all outgoing qnames when lowercase-outgoing is set
- #5599: Fix libatomic detection on ppc64
- #5961: Edit configname definition to include the ‘config-name’ argument (Jake Reynolds)
- #4646: Extract nested exception from Luawrapper
- #4960: Use explicit yes for default-enabled settings (Christian Hofstaedtler)
- #5078: Throw an error when lua-conf-file can’t be loaded
- #5261: get-remote-ring’s “other” report should only have two items. (Patrick Cloke)
- #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
- #5488: Only increase no-packet-error on the first read
- #5498: Add support for Botan 2.x
- #5511: Add more information to recursor cache dumps
- #5523: Fix typo in two log messages (Ruben Kerkhof)
- #5598: Add help text on autodetecting systemd support
- #5726: Be more resilient with broken auths
- #5739: Remove pdns.PASS and pdns.TRUNCATE
- #5755: Improve dnsbulktest experience in travis for more robustness
- #5762: Create socket-dir from init-script
- #5843: b.root renumbering, effective 2017-10-24
- #5921: Don’t retry security polling too often when it fails
The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.
Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.