PowerDNS Authoritative Server 4.0.6 & 4.1.5 and Recursor 4.0.9 & 4.1.5 Released

Nov 6, 2018

We’ve released PowerDNS Authoritative Server 4.0.6 & 4.1.5 and Recursor 4.0.9 & 4.1.5.

These are security releases with additional minor improvements and bug fixes.

Minimal patches for the releases are available at https://downloads.powerdns.com/patches/.

The changelogs look as follows:

Authoritative Server 4.1.5

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-05 (CVE-2018-14626)

Improvements

  • Apply alias scopemask after chasing (#6976)
  • Release memory in case of error in the openssl ecdsa constructor (#6917)
  • Switch to devtoolset 7 for el6 (#7118, #7040)

Bug Fixes

  • Crafted zone record can cause a denial of service (CVE-2018-10851, #7149)
  • Packet cache pollution via crafted query (CVE-2018-14626, #7149)
  • Fix compilation with libressl 2.7.0+ (#6948, #6943)
  • Actually truncate truncated responses (#6913)

Authoritative Server 4.0.6

This release fixes PowerDNS Security Advisory 2018-03 (CVE-2018-10851).

Bug fixes

  • Crafted zone record can cause a denial of service (CVE-2018-10851, #7150)
  • Skip v6-dependent test when pdns_test_no_ipv6 is set in environment (#6013)
  • Fix el6 builds (#7135)

Improvements

  • Prevent cname + other data with dnsupdate (#6315)
  • Switch to devtoolset 7 for el6 (#7119)

Recursor 4.1.5

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
  • PowerDNS Security Advisory 2018-07 (CVE-2018-14644)

Improvements

  • Add pdnslog to lua configuration scripts (Chris Hofstaedtler) (#6919, #6848)
  • Fix compilation with libressl 2.7.0+ (#6948, #6943)
  • Export outgoing ECS value and server ID in protobuf (if any) (#7004, #6991, #6989)
  • Switch to devtoolset 7 for el6 (#7122, #7040)
  • Allow the signature inception to be off by a number of seconds (Kees Monshouwer) (#7125, #7081)

Bug Fixes

  • Crafted answer can cause a denial of service (CVE-2018-10851, #7151)
  • Packet cache pollution via crafted query (CVE-2018-14626, #7151)
  • Crafted query for meta-types can cause a denial of service (CVE-2018-14644, #7151)
  • Delay the creation of rpz threads until we have dropped privileges (#6984 #6792)
  • Cleanup the netmask trees used for the ecs index on removals (#6961 #6960)
  • Make sure that the ecs scope from the auth is < to the source (#6963, #6605)
  • Authority records in aa=1 cname answer are authoritative (#6980, #6979)
  • Avoid a memory leak in catch-all exception handler (#7073)
  • Don’t require authoritative answers for forward-recurse zones (#6741, #6340)
  • Release memory in case of error in the openssl ecdsa constructor (#6917)
  • Convert a few uses to toLogString to print DNSName’s that may be empty in a safer manner (#6925, #6924)
  • Avoid a crash on DEC Alpha systems (#6945)
  • Clear all caches on (N)TA changes (#6951, #6949)

Recursor 4.0.9

This release fixes the following security advisories:

  • PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
  • PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
  • PowerDNS Security Advisory 2018-07 (CVE-2018-14644)

Bug fixes

  • Crafted answer can cause a denial of service (CVE-2018-10851, #7152)
  • Packet cache pollution via crafted query (CVE-2018-14626, #7152)
  • Crafted query for meta-types can cause a denial of service (CVE-2018-14644, #7152)

The tarballs and signatures are available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from repo.powerdns.com.  Raspberry PI packages will follow tomorrow.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

About the author

Erik Winkels

Developer at PowerDNS

Related Articles

PowerDNS Recursor 4.0.8 Released

Today we announce the release of the PowerDNS Recursor 4.0.8 which contains a fix for the following security advisory:...

Erik Winkels 12/2/17

PowerDNS Authoritative Server 4.0.8 and 4.1.10 Released

These are security releases. The 4.0.8 and 4.1.10 (together with 4.1.9) releases fix the following security advisories:...

Erik Winkels 06/6/19

PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Released

Today we announce the release of both the PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 which contain a lot of...

Peter van Dijk 11/2/17

PowerDNS Recursor 4.3.5, 4.2.5 and 4.1.18 Released

Hello!, Today we are releasing PowerDNS Recursor 4.3.5, 4.2.5. and 4.1.18, containing a security fix for CVE-2020-25829: An...

Otto Moerbeek 10/3/20