We’ve released PowerDNS Recursor 4.1.8.
This release fixes Security Advisory 2018-09 that we recently discovered, affecting PowerDNS Recursor from 4.1.0 up to and including 4.1.7. PowerDNS Recursor 4.0.x and below are not affected.
The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
A minimal patch is available at https://downloads.powerdns.com/patches/2018-09/.
- #7221: Crafted query can cause a denial of service (CVE-2018-16855)
The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from repo.powerdns.com.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.