We are very happy to announce the 4.1.9 release of the PowerDNS Recursor. This release is fixing two security issues, and addressing a shortcoming in the way incoming queries are distributed to threads under heavy load.This release fixes the following security issues:
- PowerDNS Security Advisory 2019-01 (CVE-2019-3806): Lua hooks are not called over TCP
- PowerDNS Security Advisory 2019-02 (CVE-2019-3807): DNSSEC validation is not performed for AA=0 responses
These issues respectively affect PowerDNS Recursor from 4.1.4 and 4.1.0, up to and including 4.1.8. PowerDNS Recursor 4.0.x and below are not affected.
- #7397: Load the Lua script in the distributor thread, check signature for AA=0 answers (CVE-2019-3806, CVE-2019-3807)
- #7377: Try another worker before failing if the first pipe was full