Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 903549 (CVE-2023-26437) - <net-pdns/pdns-recursor-4.8.4: Denial of service
Summary: <net-pdns/pdns-recursor-4.8.4: Denial of service
Alias: CVE-2023-26437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on:
Reported: 2023-03-29 18:18 UTC by Sven Wegener
Modified: 2023-04-20 04:01 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sven Wegener gentoo-dev 2023-03-29 18:18:18 UTC
From $URL:

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
CVE: CVE-2023-26437
Date: 29th of March 2023
Affects: PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3
Not affected: PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4
Severity: Low
Impact: Denial of service
Exploit: Successful spoofing may lead to authoritative servers being marked unavailable
Risk of system compromise: None
Solution: Upgrade to patched version
When the recursor detects and deters a spoofing attempt or receives certain malformed DNS packets,
it throttles the server that was the target of the impersonation attempt so that other authoritative
servers for the same zone will be more likely to be used in the future, in case the attacker
controls the path to one server only. Unfortunately this mechanism can be used by an attacker with
the ability to send queries to the recursor, guess the correct source port of the corresponding
outgoing query and inject packets with a spoofed IP address to force the recursor to mark specific
authoritative servers as not available, leading a denial of service for the zones served by those

CVSS 3.0 score: 3.7 (Low)

Thanks to Xiang Li from Network and Information Security Laboratory, Tsinghua University for reporting this issue.
Comment 1 Sven Wegener gentoo-dev 2023-03-29 18:21:00 UTC
There is a fixed version for 4.7.x available, but I'm targeting 4.8.4 for stabilization, which has just been committed to the tree.
Comment 2 Larry the Git Cow gentoo-dev 2023-03-30 21:09:30 UTC
The bug has been referenced in the following commit(s):

commit dbeb403d5f2fcb01f273321c1fe6f0adb6432a52
Author:     Sven Wegener <>
AuthorDate: 2023-03-30 20:16:58 +0000
Commit:     Sven Wegener <>
CommitDate: 2023-03-30 21:09:03 +0000

    net-dns/pdns-recursor: stabilize 4.8.4 for amd64, x86, security bug #903549
    Signed-off-by: Sven Wegener <>

 net-dns/pdns-recursor/pdns-recursor-4.8.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Larry the Git Cow gentoo-dev 2023-04-02 19:07:35 UTC
The bug has been referenced in the following commit(s):

commit dc798cb5def157236a1ca88c669db26ba8f11316
Author:     Sven Wegener <>
AuthorDate: 2023-04-02 19:06:36 +0000
Commit:     Sven Wegener <>
CommitDate: 2023-04-02 19:07:20 +0000

    net-dns/pdns-recursor: drop 4.7.4
    Signed-off-by: Sven Wegener <>

 net-dns/pdns-recursor/Manifest                     |  1 -
 .../files/pdns-recursor-4.7.4-gcc-13.patch         | 18 -----
 net-dns/pdns-recursor/pdns-recursor-4.7.4.ebuild   | 92 ----------------------
 3 files changed, 111 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-20 04:01:26 UTC