I received the information and will be doing the bump on Tuesday.
Information is public at
PowerDNS Security Advisory 2020-07: Cache pollution
Date: 13th of October 2020
Affects: PowerDNS Recursor up to and including 4.3.4, 4.2.4 and 4.1.17
Not affected: 4.3.5, 4.2.5, 4.1.18
Impact: Denial of service
Exploit: This problem can be triggered by sending DNS queries
Risk of system compromise: No
Solution: Upgrade to a non-affected version
Workaround: Filter ANY queries to prevent them from reaching the recursor.
An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).
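The workaround in the advisory above (filtering ANY queries before they reach the recursor) comes down to reading the QTYPE of the question in each incoming query. The following is an added example, not part of this bug thread or of PowerDNS: a Python check that parses a query's question section and flags QTYPE 255 (ANY). The function names, the sample packets and the choice to drop malformed packets are assumptions made for this example.

```python
import struct

QTYPE_ANY = 255  # RFC 1035 QTYPE "*", commonly called ANY


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal one-question DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = [label for label in name.split(".") if label]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def question_qtype(packet: bytes) -> int:
    """Return the QTYPE of the first question, or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while True:  # walk the length-prefixed labels of QNAME
        if pos >= len(packet):
            raise ValueError("QNAME runs past end of packet")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer or invalid label length")
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qtype


def should_drop(packet: bytes) -> bool:
    """True for ANY queries; malformed input is dropped too (assumed fail-closed policy)."""
    try:
        return question_qtype(packet) == QTYPE_ANY
    except ValueError:
        return True
```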
I've committed 4.3.5 to the tree, but the automated bug reference from the commit message didn't make it here due to the access restriction.
Maintainer(s), please clean up.
Security, please vote.
The bug has been referenced in the following commit(s):
Author: Sven Wegener <firstname.lastname@example.org>
AuthorDate: 2020-10-17 09:23:09 +0000
Commit: Sven Wegener <email@example.com>
CommitDate: 2020-10-17 09:23:29 +0000
Package-Manager: Portage-3.0.8, Repoman-3.0.1
Signed-off-by: Sven Wegener <firstname.lastname@example.org>
net-dns/pdns-recursor/Manifest | 2 -
.../files/pdns-recursor-4.3.1-boost-1.73.0.patch | 89 ----------------------
net-dns/pdns-recursor/pdns-recursor-4.3.3.ebuild | 85 ---------------------
net-dns/pdns-recursor/pdns-recursor-4.3.4.ebuild | 85 ---------------------
4 files changed, 261 deletions(-)
GLSA Vote: Yes
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202012-19 at https://security.gentoo.org/glsa/202012-19
by GLSA coordinator Thomas Deutschmann (whissi).