Date: Wed, 1 Jul 2020 14:10:33 +0200 From: Otto Moerbeek <otto.moerbeek@...n-xchange.com> To: oss-security@...ts.openwall.com Subject: PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17 released fixing CVE-2020-14196: Access restriction,bypass Hello!, Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17, containing a security fix for CVE-2020-14196: Access restriction bypass. An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected. Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address. As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled. Please refer to the 4.3.2 changelog, 4.2.3 changelog and 4.1.17 changelog for details. The 4.3.2 tarball (signature), 4.2.3 tarball (signature) and 4.1.17 tarball (signature) are available from our download site and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from our repository. 4.0 and older releases are EOL, refer to the documentation for details about our release cycles. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.  https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html  https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.2  https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.3  https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17  https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2  https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2.sig  https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2  https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2.sig  https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2  https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2.sig  https://downloads.powerdns.com/releases/  https://repo.powerdns.com/  https://docs.powerdns.com/recursor/appendices/EOL.html  https://mailman.powerdns.com/mailman/listinfo/pdns-users  https://github.com/PowerDNS/pdns/issues/new/choose Regards, Otto and the PowerDNS team -- Otto Moerbeek Senior PowerDNS Developer Email: otto.moerbeek@...n-xchange.com Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.