PowerDNS Recursor 4.1.8 Released

Nov 26, 2018

We’ve released PowerDNS Recursor 4.1.8.

This release fixes the issue described in Security Advisory 2018-09, which we recently discovered and which affects PowerDNS Recursor from 4.1.0 up to and including 4.1.7. PowerDNS Recursor 4.0.x and below are not affected.

The issue is that a remote attacker can send a crafted query that triggers an out-of-bounds memory read while the Recursor computes the hash of the query for a packet cache lookup, possibly leading to a crash.

When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

A minimal patch is available at https://downloads.powerdns.com/patches/2018-09/.

The changelog:

  • #7221: Crafted query can cause a denial of service (CVE-2018-16855)

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

About the author

Erik Winkels

Developer at PowerDNS
