From $URL: PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable CVE: CVE-2023-26437 Date: 29th of March 2023 Affects: PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3 Not affected: PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 Severity: Low Impact: Denial of service Exploit: Successful spoofing may lead to authoritative servers being marked unavailable Risk of system compromise: None Solution: Upgrade to patched version When the recursor detects and deters a spoofing attempt or receives certain malformed DNS packets, it throttles the server that was the target of the impersonation attempt so that other authoritative servers for the same zone will be more likely to be used in the future, in case the attacker controls the path to one server only. Unfortunately this mechanism can be used by an attacker with the ability to send queries to the recursor, guess the correct source port of the corresponding outgoing query and inject packets with a spoofed IP address to force the recursor to mark specific authoritative servers as not available, leading a denial of service for the zones served by those servers. CVSS 3.0 score: 3.7 (Low) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L Thanks to Xiang Li from Network and Information Security Laboratory, Tsinghua University for reporting this issue.
There is a fixed version for 4.7.x available, but I'm targeting 4.8.4 for stabilization, which has just been committed to the tree.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbeb403d5f2fcb01f273321c1fe6f0adb6432a52 commit dbeb403d5f2fcb01f273321c1fe6f0adb6432a52 Author: Sven Wegener <swegener@gentoo.org> AuthorDate: 2023-03-30 20:16:58 +0000 Commit: Sven Wegener <swegener@gentoo.org> CommitDate: 2023-03-30 21:09:03 +0000 net-dns/pdns-recursor: stabilize 4.8.4 for amd64, x86, security bug #903549 Bug: https://bugs.gentoo.org/903549 Signed-off-by: Sven Wegener <swegener@gentoo.org> net-dns/pdns-recursor/pdns-recursor-4.8.4.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc798cb5def157236a1ca88c669db26ba8f11316 commit dc798cb5def157236a1ca88c669db26ba8f11316 Author: Sven Wegener <swegener@gentoo.org> AuthorDate: 2023-04-02 19:06:36 +0000 Commit: Sven Wegener <swegener@gentoo.org> CommitDate: 2023-04-02 19:07:20 +0000 net-dns/pdns-recursor: drop 4.7.4 Bug: https://bugs.gentoo.org/903549 Signed-off-by: Sven Wegener <swegener@gentoo.org> net-dns/pdns-recursor/Manifest | 1 - .../files/pdns-recursor-4.7.4-gcc-13.patch | 18 ----- net-dns/pdns-recursor/pdns-recursor-4.7.4.ebuild | 92 ---------------------- 3 files changed, 111 deletions(-)
Thanks!