We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code. The following PowerDNS Security Advisories are fixed: * 2016-02: Crafted queries can cause abnormal CPU usage[1] * 2016-04: Insufficient validation of TSIG signatures[2] Minimal patches are available for those unable to fully upgrade[3,4] The full changelog is available online[5] and reproduced here: * Check TSIG signature on IXFR (Security Advisory 2016-04) * Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02) * Fix incorrect length check in `DNSName` when extracting qtype or qclass * Wait until after daemonizing to start the RPZ and protobuf threads * On (re-)priming, fetch the root NS records * Fix src/dest inversion in the protobuf message for TCP queries * On RPZ customPolicy, follow the resulting CNAME * Add requestorId and some comments to the protobuf definition file * Make the negcache forwarded zones aware * Cache records for zones that were delegated to from a forwarded zone * Add `getRecursorThreadId()` to Lua, identifying the current thread * Add support for boost::context >= 1.61 * DNSSEC: Implement keysearch based on zone-cuts * DNSSEC: don't go bogus on zero configured DSs * DNSSEC: NSEC3 optout and Bogus insecure forward fixes * DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones We urge all users of the Recursor to upgrade to this version. Tarballs with sources are available (with signatures)[6,7]. Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories[8]. 1 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ 2 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ 3 - https://downloads.powerdns.com/patches/2016-02 4 - https://downloads.powerdns.com/patches/2016-04 5 - https://doc.powerdns.com/md/changelog/#powerdns-recursor-404 6 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.4.tar.bz2 7 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.4.tar.bz2.sig 8 - https://repo.powerdns.com/
I just committed pdns-4.0.2 to the tree.
*** This bug has been marked as a duplicate of bug 605588 ***
My bad.
@ Arches, please test and mark stable: =net-dns/pdns-recursor-4.0.4
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No @ Maintainer(s): Please cleanup and drop <net-dns/pdns-recursor-4.0.4!
tree is clean.
