We regret that we have to announce a PowerDNS Recursor security release:

Issue: A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely
CVE: CVE-2014-3614
Affected: All deployments of PowerDNS Recursor 3.6.0
Not Affected: PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0
Workaround: 1) Only users from netmasks specified in 'allow-from' can cause the crash 2) add automated restarting
Remediation: Upgrade to 3.6.1, or apply our minimal patch and recompile

Distributions shipping 3.6.0 have been notified and will be providing updates very soon.

Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin. Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.
(In reply to Ronny Boesger from comment #0)
> We regret that we have to announce a PowerDNS Recursor security release:

Thank you for the report. @maintainer(s): after the bump please advise or initiate stabilization as needed.
Changing rating from B to ~ as the 3.6 branch has never been stabilized. That also removes any need for stabilization for this bug. After the bump, please clean up the vulnerable version.
*** Bug 524450 has been marked as a duplicate of this bug. ***
3.6.1 is in the tree and 3.6.0 is gone.
(In reply to Sven Wegener from comment #4)
> 3.6.1 is in the tree and 3.6.0 is gone.

So... where is the stabilisation request?
3.6.2 has been out since Oct 30, 2014, and fixes some issues in 3.6.1. URL: http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.6.2
closing as noglsa.