Today we have released PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2.
These releases fix PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor.
CVE: CVE-2024-25590
Date: 3rd of October 2024.
Affects: PowerDNS Recursor up to and including 4.9.8, 5.0.8 and 5.1.1
Not affected: PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2
Severity: High
Impact: Denial of service
Exploit: This problem can be triggered by an attacker publishing a crafted zone
Risk of system compromise: None
Solution: Upgrade to patched version
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.
CVSS Score: 7.5, see CVSS Calculator
The remedy is: upgrade to a patched version.
We would like to thank Toshifumi Sakaguchi for bringing this issue to our attention and assisting in validating the patches.
Please refer to the changelogs (4.9.9, 5.0.9, 5.1.2) and upgrade guide for additional details.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The tarballs (4.9.9, 5.0.9, 5.1.2) (with signature files 4.9.9, 5.0.9, 5.1.2) are available from our download server and packages for several distributions are available from our repository.
We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.