PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Released

Today we announce the release of both the PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7, which contain a lot of backports from the 4.1.x branch.
These releases also drop support for Botan 1.10 in favor of Botan 2.x.
More importantly, there are fixes for the following security advisories.

Authoritative Server

Recursor

(We thank Nixu for their discoveries of CVE-2017-15092, CVE-2017-15093 and CVE-2017-15094.)

Changelog: PowerDNS Authoritative Server 4.0.5

The full changelog looks like this:

Bug fixes

  • #4650: Bindbackend: do not corrupt data supplied by other backends in getAllDomains (Christian Hofstaedtler)
  • #4751: API: prevent sending nameservers list and zone-level NS in rrsets (Christian Hofstaedtler)
  • #4929: gpgsql: make statement names actually unique (Christian Hofstaedtler)
  • #4997: Fix remotebackend params (Aki Tuomi)
  • #5051: Fix godbc query logging
  • #5125: For create-slave-zone, actually add all slaves, and not only first n times
  • #5161: Fix a regression in axfr-rectify + test (Arthur Gautier)
  • #5408: When making a netmask from a comboaddress, we neglected to zero the port
  • #5599: Fix libatomic detection on ppc64
  • #5641: Catch DNSName exception in the Zoneparser
  • #5722: Publish inactive KSK/CSK as CDNSKEY/CDS
  • #5730: Handle AFSDB record separately due to record structure. Fixes #4703 (Johan Jatko)
  • #5678: Treat requestor’s payload size lower than 512 as equal to 512
  • #5766: Correctly purge entries from the caches after a transfer
  • #5777: Handle a signing pipe worker dying with work still pending
  • #5815: Ignore SOA-EDIT for PRESIGNED zones. Fixes #5814
  • #5933: Check return value for all getTSIGKey calls. Fixes #5931

Improvements

  • #4922: Fix ldap-strict autoptr feature, including a test
  • #5043: mydnsbackend: Add getAllDomains (Aki Tuomi)
  • #5112: Stubresolver: Use only recursor setting if given
  • #5147: LuaWrapper: Allow embedded NULs in strings received from Lua
  • #5277: sdig: Clarify that the ednssubnet option takes “subnet/mask”
  • #5309: Tests: Ensure all required tools are available (Arthur Gautier)
  • #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
  • #5349: LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
  • #5498: Add support for Botan 2.x
  • #5509: Ship ldapbackend schema files in tarball (Christian Hofstaedtler)
  • #5518: Collection of schema changes (Kees Monshouwer)
  • #5523: Fix typo in two log messages (Ruben Kerkhof)
  • #5598: Add help text on autodetecting systemd support
  • #5723: Use a unique pointer for bind backend’s d_of
  • #5826: Fix some of the issues found by @jpmens

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Changelog: PowerDNS Recursor 4.0.7

The full changelog looks like this:

Bug fixes

  • #4561: Update rec_control manpage (Winfried Angele)
  • #4824: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5406: Make more specific Netmasks < to less specific ones
  • #5525: Fix validation at the exact RRSIG inception or expiration time
  • #5740: Lowercase all outgoing qnames when lowercase-outgoing is set
  • #5599: Fix libatomic detection on ppc64
  • #5961: Edit configname definition to include the ‘config-name’ argument (Jake Reynolds)

Improvements

  • #4646: Extract nested exception from Luawrapper
  • #4960: Use explicit yes for default-enabled settings (Christian Hofstaedtler)
  • #5078: Throw an error when lua-conf-file can’t be loaded
  • #5261: get-remote-ring’s “other” report should only have two items. (Patrick Cloke)
  • #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
  • #5488: Only increase no-packet-error on the first read
  • #5498: Add support for Botan 2.x
  • #5511: Add more information to recursor cache dumps
  • #5523: Fix typo in two log messages (Ruben Kerkhof)
  • #5598: Add help text on autodetecting systemd support
  • #5726: Be more resilient with broken auths
  • #5739: Remove pdns.PASS and pdns.TRUNCATE
  • #5755: Improve dnsbulktest experience in travis for more robustness
  • #5762: Create socket-dir from init-script
  • #5843: b.root renumbering, effective 2017-10-24
  • #5921: Don’t retry security polling too often when it fails

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.
