thel
thelog
ther
+Thessalonikefs
Thfrt
THg
Thiago
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018121401 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019012101 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
recursor-4.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html"
recursor-4.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html"
recursor-4.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html"
-recursor-4.1.8.security-status 60 IN TXT "1 OK"
+recursor-4.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html"
+recursor-4.1.9.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
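Review bot: The unchanged entries for recursor-4.1.5 through recursor-4.1.7 still reference only powerdns-advisory-2018-09, although the advisories added in this commit list those versions as affected (2019-01 from 4.1.4, 2019-02 from 4.1.0). They already return status 3, so the upgrade signal itself is unchanged, but appending the 2019-01 and 2019-02 URLs, as done for recursor-4.1.8, would give operators on those versions the complete list of advisories that apply to them.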
Changelogs for 4.1.x
====================
+.. changelog::
+ :version: 4.1.9
+ :released: 21st of January 2019
+
+ This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor:
+ - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8 ;
+ - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8.
+
+ The issues are:
+ - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua ;
+ - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7397
+
+ Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2019-01>`). Validates records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`).
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7377
+ :tickets: 7383
+
+ Try another worker before failing if the first pipe was full
+
.. changelog::
:version: 4.1.8
:released: 26th of November 2018
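Review bot: In the :pullreq: 7397 entry the first advisory link is labelled 2018-01 while its target is powerdns-advisory-2019-01; the label should read 2019-01 to match CVE-2019-3806. In addition, the bullet lists after "This release fixes ..." and "The issues are:" follow their introductory lines with no blank line in between, which reStructuredText treats as a continuation of the paragraph rather than a list; a blank line before each list would make them render as bullets.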
--- /dev/null
+PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations
+=======================================================================================
+
+- CVE: CVE-2019-3806
+- Date: 21st of January 2019
+- Affects: PowerDNS Recursor from 4.1.4 up to and including 4.1.8
+- Not affected: 4.0.x, 4.1.0 up to and including 4.1.3, 4.1.9
+- Severity: Low
+- Impact: Access restriction bypass
+- Exploit: This problem can be triggered via TCP queries
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: Switch to pdns-distributes-queries=no
+
+An issue has been found in PowerDNS Recursor where Lua hooks are not properly
+applied to queries received over TCP in some specific combination of settings,
+possibly bypassing security policies enforced using Lua.
+
+When the recursor is configured to run with more than one thread (threads=X)
+and to do the distribution of incoming queries to the worker threads itself
+(pdns-distributes-queries=yes), the Lua script is not properly loaded in
+the thread handling incoming TCP queries, causing the Lua hooks to not be
+properly applied.
+
+This issue has been assigned CVE-2019-3806 by Red Hat.
+
+PowerDNS Recursor from 4.1.4 up to and including 4.1.8 is affected.
--- /dev/null
+PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
+================================================================================
+
+- CVE: CVE-2019-3807
+- Date: 21st of January 2019
+- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.1.8
+- Not affected: 4.0.x, 4.1.9
+- Severity: Medium
+- Impact: Insufficient validation
+- Exploit: This problem can be triggered via crafted responses
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in PowerDNS Recursor where records in the answer
+section of responses received from authoritative servers with the AA flag
+not set were not properly validated, allowing an attacker to bypass DNSSEC
+validation.
+
+This issue has been assigned CVE-2019-3807 by Red Hat.
+
+PowerDNS Recursor from 4.1.0 up to and including 4.1.8 is affected.
+
+We would like to thank Ralph Dolmans and George Thessalonikefs of NLNetLabs
+for finding and subsequently reporting this issue!
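Review bot: The field list at the top of this advisory has no Workaround line, whereas the 2019-01 advisory added in the same commit has one; state explicitly whether a workaround exists (for example "Workaround: None") so readers do not have to infer it from the omission. In the credit paragraph, "NLNetLabs" should be written "NLnet Labs".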