Hello, We’ve released PowerDNS Recursor 4.1.8. This release fixes Security Advisory 2018-09 (https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html) that we recently discovered, affecting PowerDNS Recursor from 4.1.0 up to and including 4.1.7. PowerDNS Recursor 4.0.x and below are not affected. The issue is that a remote attacker can trigger an out-of-bounds memory read via a crafted query, while computing the hash of the query for a packet cache lookup, possibly leading to a crash. When the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service. A minimal patch is available at: https://downloads.powerdns.com/patches/2018-09/ The changelog[1]: - #7221: Crafted query can cause a denial of service (CVE-2018-16855) The tarball[2] (signature[3]) is available at https://downloads.powerdns.com/releases/ and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from https://repo.powerdns.com/ . Please send us all feedback and issues you might have via the mailing list[4], or in case of a bug, via GitHub[5]. [1] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.8 [2] https://downloads.powerdns.com/releases/pdns-recursor-4.1.8.tar.bz2 [3] https://downloads.powerdns.com/releases/pdns-recursor-4.1.8.tar.bz2.sig [4] https://mailman.powerdns.com/mailman/listinfo/pdns-users [5] https://github.com/PowerDNS/pdns/issues/new -- Erik Winkels PowerDNS.COM BV -- https://www.powerdns.com
signature.asc
Description: PGP signature
_______________________________________________ Pdns-dev mailing list Pdns-dev@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-dev
