We are pleased to announce the release of the PowerDNS Authoritative Server 4.0.2. This release fixes several security issues reported to us in the last few months, as well a memory leak in the Postgresql backend. The following security issues were fixed: * 2016-02: Crafted queries can cause abnormal CPU usage[1] * 2016-03: Denial of service via the web server[2] * 2016-04: Insufficient validation of TSIG signatures[3] * 2016-05: Crafted zone record can cause a denial of service[4] For those who cannot update, minimal patches are available[5,6,7,8] The full changelog is available online[5] and reproduced here: * Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02) * Don't exit if the webserver can't accept a connection (Security Advisory 2016-03) * Check TSIG signature on IXFR (Security Advisory 2016-04) * Correctly check unknown record content size (Security Advisory 2016-05) * ODBC backend: actually prepare statements * Fix incorrect length check in `DNSName` when extracting qtype or qclass * Fix a possible memory leak in the webserver * Fix a stack-based off-by-one write in the HTTP remote backend * Better handling of invalid serial * Limit size of mysql cell to 128 kilobytes * Overload fix: make overload-queue-length work as intended again, add test for it. * Improve root-zone performance * pipe: SERVFAIL when needed * Make sure mariadb (mysql on centos/rhel) is started before pdns (42wim) * ComboAddress: don't allow invalid ports * Plug memory leak in postgresql backend (Christian Hofstaedtler) * auth: Fix a stack-based off-by-one write in the HTTP remote backend * calidns: Don't crash if we don't have enough 'unknown' queries remaining * disable negative getSOA caching if the negcache_ttl is 0 (Kees Monshouwer) * Improve PacketCache cleaning (Kees Monshouwer) * Strip trailing dot in PTR content (Kees Monshouwer) * contrib: simple bash completion for pdnsutil (j0ju) * Bind backend: update status message on reload, keep the existing zone on failure * report DHCID type (Kees Monshouwer) * Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant * Speedup DNSName creation * fix TSIG for single thread distributor (Kees Monshouwer) * change default for any-to-tcp to yes (Kees Monshouwer) * Don't look up the packet cache for TSIG-enabled queries * (auth) Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler) * geoipbackend: Fix minor naming issue (Aki Tuomi) * pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo) * API: search should not return ENTs (Christian Hofstaedtler) * In `Bind2Backend::lookup()`, use the `zoneId` when we have it We highly recommend all users to update to the latest version. The tarball is on the releases page[10], as well as signatures[11]. Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available form our repositories[12]. Best regards, The PowerDNS team. 1 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-02 2 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-03 3 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-04 4 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-05 5 - https://downloads.powerdns.com/patches/2016-02 6 - https://downloads.powerdns.com/patches/2016-03 7 - https://downloads.powerdns.com/patches/2016-04 8 - https://downloads.powerdns.com/patches/2016-05 9 - https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402 10 - https://downloads.powerdns.com/releases/pdns-4.0.2.tar.bz2 11 - https://downloads.powerdns.com/releases/pdns-4.0.2.tar.bz2.sig 12 - https://repo.powerdns.com
I just committed pdns-recursor-4.0.4 to the tree.
*** Bug 605590 has been marked as a duplicate of this bug. ***
@ Arches, please test and mark stable: =net-dns/pdns-4.0.2
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No. @ Maintainer(s): Please cleanup and drop <net-dns/pdns-4.0.2.
tree is clean.
