Date: Tue, 19 May 2020 11:00:44 +0200 From: Otto Moerbeek <otto.moerbeek@...n-xchange.com> To: oss-security@...ts.openwall.com Subject: PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16 released fixing multiple vulnerabilities Hello!, Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16, containing security fixes for three CVEs: - CVE-2020-10995 - CVE-2020-12244 - CVE-2020-10030 The issues are: CVE-2020-10995: An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. Severity is medium. We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and subsequently reporting this issue! CVE-2020-12244: Records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated. Severity is medium. We would like to thank Matt Nordhoff for finding and subsequently reporting this issue! CVE-2020-10030: An attacker with enough privileges to change the hostname might be able to disclose uninitialized memory. This issue also affects the Authoritative Server and dnsdist; since the attack requires very high privileges and the issue does not affect Linux, we will not be releasing new versions for those just for this issue. Severity is low. As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.3.1 changelog, 4.2.2 changelog and 4.1.16 changelog for details. The 4.3.1 tarball (signature), 4.2.2 tarball (signature) and 4.1.16 tarball (signature) are available at our download site and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from our repository Note that the 4.1 packages will be published later today. 4.0 and older releases are EOL, refer to the documentation for details about our release cycles. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.  https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html  https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html  https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html  https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1  https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.2  https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16  https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2  https://downloads.powerdns.com/releases/pdns-recursor-4.3.1.tar.bz2.sig  https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2  https://downloads.powerdns.com/releases/pdns-recursor-4.2.2.tar.bz2.sig  https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2  https://downloads.powerdns.com/releases/pdns-recursor-4.1.16.tar.bz2.sig  https://downloads.powerdns.com/releases  https://repo.powerdns.com/  https://docs.powerdns.com/recursor/appendices/EOL.html  https://mailman.powerdns.com/mailman/listinfo/pdns-users  https://github.com/PowerDNS/pdns/issues/new/choose -- kind regards, Otto Moerbeek Senior PowerDNS Developer Email: otto.moerbeek@...n-xchange.com Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.