We are pleased to announce the release of the PowerDNS Authoritative Server 4.0.2. This release fixes several security issues reported to us in the last few months, as well a memory leak in the Postgresql backend.
The following security issues were fixed:
* 2016-02: Crafted queries can cause abnormal CPU usage
* 2016-03: Denial of service via the web server
* 2016-04: Insufficient validation of TSIG signatures
* 2016-05: Crafted zone record can cause a denial of service
For those who cannot update, minimal patches are available[5,6,7,8]
The full changelog is available online and reproduced here:
* Don't parse spurious RRs in queries when we don't need them (Security Advisory 2016-02)
* Don't exit if the webserver can't accept a connection (Security Advisory 2016-03)
* Check TSIG signature on IXFR (Security Advisory 2016-04)
* Correctly check unknown record content size (Security Advisory 2016-05)
* ODBC backend: actually prepare statements
* Fix incorrect length check in `DNSName` when extracting qtype or qclass
* Fix a possible memory leak in the webserver
* Fix a stack-based off-by-one write in the HTTP remote backend
* Better handling of invalid serial
* Limit size of mysql cell to 128 kilobytes
* Overload fix: make overload-queue-length work as intended again, add test for it.
* Improve root-zone performance
* pipe: SERVFAIL when needed
* Make sure mariadb (mysql on centos/rhel) is started before pdns (42wim)
* ComboAddress: don't allow invalid ports
* Plug memory leak in postgresql backend (Christian Hofstaedtler)
* auth: Fix a stack-based off-by-one write in the HTTP remote backend
* calidns: Don't crash if we don't have enough 'unknown' queries remaining
* disable negative getSOA caching if the negcache_ttl is 0 (Kees Monshouwer)
* Improve PacketCache cleaning (Kees Monshouwer)
* Strip trailing dot in PTR content (Kees Monshouwer)
* contrib: simple bash completion for pdnsutil (j0ju)
* Bind backend: update status message on reload, keep the existing zone on failure
* report DHCID type (Kees Monshouwer)
* Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
* Speedup DNSName creation
* fix TSIG for single thread distributor (Kees Monshouwer)
* change default for any-to-tcp to yes (Kees Monshouwer)
* Don't look up the packet cache for TSIG-enabled queries
* (auth) Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
* geoipbackend: Fix minor naming issue (Aki Tuomi)
* pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
* API: search should not return ENTs (Christian Hofstaedtler)
* In `Bind2Backend::lookup()`, use the `zoneId` when we have it
We highly recommend all users to update to the latest version.
The tarball is on the releases page, as well as signatures.
Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available form our repositories.
The PowerDNS team.
1 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-02
2 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-03
3 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-04
4 - https://doc.powerdns.com/md/security/powerdns-advisory-2016-05
5 - https://downloads.powerdns.com/patches/2016-02
6 - https://downloads.powerdns.com/patches/2016-03
7 - https://downloads.powerdns.com/patches/2016-04
8 - https://downloads.powerdns.com/patches/2016-05
9 - https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402
10 - https://downloads.powerdns.com/releases/pdns-4.0.2.tar.bz2
11 - https://downloads.powerdns.com/releases/pdns-4.0.2.tar.bz2.sig
12 - https://repo.powerdns.com
I just committed pdns-recursor-4.0.4 to the tree.
*** Bug 605590 has been marked as a duplicate of this bug. ***
please test and mark stable: =net-dns/pdns-4.0.2
Maintainer(s), please cleanup.
Security, please vote.
GLSA Vote: No.
@ Maintainer(s): Please cleanup and drop <net-dns/pdns-4.0.2.
tree is clean.