Incoming details.
I received the information and will be doing the bump on Tuesday.
Information is public at
- https://blog.powerdns.com/2020/10/13/powerdns-recursor-4-3-5-4-2-5-and-4-1-18-released/
- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
PowerDNS Security Advisory 2020-07: Cache pollution
===================================================

CVE: CVE-2020-25829
Date: 13th of October 2020
Affects: PowerDNS Recursor up to and including 4.3.4, 4.2.4 and 4.1.17
Not affected: 4.3.5, 4.2.5, 4.1.18
Severity: High
Impact: Denial of service
Exploit: This problem can be triggered by sending DNS queries
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Filter ANY queries to prevent them from reaching the recursor.

An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).
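An added example, not part of the original thread or of PowerDNS: a small check that combines the advisory's version ranges with the `dnssec` setting to tell whether a given recursor is exposed. The function names, result labels and sample config are constructed, and the handling of branches outside 4.1 to 4.3 and of repeated `dnssec=` lines is an assumption.

```python
import re

# Fixed patch level per release branch, taken from the advisory quoted above.
FIXED_PATCH = {(4, 3): 5, (4, 2): 5, (4, 1): 18}
# dnssec settings for which the advisory describes the denial of service.
IMPACTED_MODES = {"validate", "process"}

# Constructed sample recursor.conf, not taken from any real system.
SAMPLE_CONF = """\
# constructed example
local-address=127.0.0.1
dnssec=process-no-validate
dnssec=validate   # assumption in this sketch: the last assignment wins
"""

def version_affected(version):
    """True if a version such as '4.3.4' or '4.3.4-r1' predates the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # Assumption: branches older than 4.1 get no fix, newer ones ship with it.
    return (major, minor) < (4, 1)

def dnssec_mode(conf_text):
    """Return the last 'dnssec=' value in key=value config text, or None."""
    mode = None
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "dnssec":
            mode = value.strip().lower()
    return mode

def assess(version, conf_text):
    """Classify a host as 'fixed', 'exposed', or needing a manual look."""
    if not version_affected(version):
        return "fixed"
    mode = dnssec_mode(conf_text)
    if mode in IMPACTED_MODES:
        return "exposed"
    if mode is None:
        return "affected-version-dnssec-unset"
    return "affected-version-mode-not-listed"

if __name__ == "__main__":
    for v in ("4.3.4", "4.3.5", "4.1.17"):
        print(v, assess(v, SAMPLE_CONF))
```

A result other than "fixed" still calls for the upgrade the advisory gives as the solution; the setting only decides whether the described denial of service applies in the meantime.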
I've committed 4.3.5 to the tree, but the automated bug reference from the commit message didn't make it here due to the access restriction.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec8f51b4afaad9612dad0340c81968344a61964b
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edf1122e56fa58755f0da35606bbac283bf1bd30

commit edf1122e56fa58755f0da35606bbac283bf1bd30
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-10-17 09:23:09 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-10-17 09:23:29 +0000

    net-dns/pdns-recursor: Cleanup

    Bug: https://bugs.gentoo.org/746923
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest                     |  2 -
 .../files/pdns-recursor-4.3.1-boost-1.73.0.patch   | 89 ----------------------
 net-dns/pdns-recursor/pdns-recursor-4.3.3.ebuild   | 85 ---------------------
 net-dns/pdns-recursor/pdns-recursor-4.3.4.ebuild   | 85 ---------------------
 4 files changed, 261 deletions(-)
Thanks!
GLSA Vote: Yes

New GLSA request filed.
This issue was resolved and addressed in GLSA 202012-19 at https://security.gentoo.org/glsa/202012-19 by GLSA coordinator Thomas Deutschmann (whissi).