Today we have released PowerDNS Authoritative Server versions 4.3.1, 4.2.3 and 4.1.14, containing a fix for PowerDNS Security Advisory 2020-05.
Additionally, we are publishing PowerDNS Security Advisory 2020-06 today (‘Various issues have been found in our GSS-TSIG support, where an unauthorized attacker could cause crashes, possibly leak uninitialised memory, and possibly execute arbitrary code.’). Our GSS-TSIG support was never shipped in any packages by us or, to our knowledge, any other distributions. The GSS-TSIG code will be gone in version 4.4.0. We’ve chosen to leave the code intact for older versions, so that users that do rely on it today can keep doing so, keeping in mind the risks detailed in Advisory 2020-06.
Regarding 2020-05: an issue has been found in PowerDNS Authoritative Server where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR. This issue is resolved in the versions mentioned above. (4.1.14 changelog, 4.2.3 changelog)
Version 4.3.1 also contains various other bug fixes and improvements, please see the changelog for all details.
The 4.3.1 tarball (signature), 4.2.3 tarball (signature) and 4.1.14 tarball (signature) are available at downloads.powerdns.com and packages for various Linux distributions are available from our repository.
4.0 and older releases are EOL, refer to the documentation for details about our release cycles.