Changelogs for 4.0.x
====================
+PowerDNS Authoritative Server 4.0.6
+-----------------------------------
+
+Released 6th of November 2018
+
+This release fixes PowerDNS Security Advisory
+:doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>`: Crafted zone record can cause a denial of service (CVE-2018-10851)
+
+Bug fixes
+~~~~~~~~~
+
+- `#XXXX <https://github.com/PowerDNS/pdns/pull/XXXX>`__: Crafted zone record can cause a denial of service (CVE-2018-10851)
+- `#6013 <https://github.com/PowerDNS/pdns/pull/6013>`__: Skip v6-dependent test when pdns_test_no_ipv6 is set in environment
+- `#7135 <https://github.com/PowerDNS/pdns/pull/7135>`__: Fix el6 builds
+
+Improvements
+~~~~~~~~~~~~
+
+- `#6315 <https://github.com/PowerDNS/pdns/pull/6315>`__: Prevent cname + other data with dnsupdate
+- `#7119 <https://github.com/PowerDNS/pdns/pull/7119>`__: Switch to devtoolset 7 for el6
+
PowerDNS Authoritative Server 4.0.5
-----------------------------------
Changelogs for 4.1.x
====================
+.. changelog::
+ :version: 4.1.5
+ :released: November 6th 2018
+
+ This release fixes the following security advisories:
+
+ - PowerDNS Security Advisory :doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>` (CVE-2018-10851)
+ - PowerDNS Security Advisory :doc:`2018-05 <../security-advisories/powerdns-advisory-2018-05>` (CVE-2018-14626)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: XXXX
+
+ Crafted zone record can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>`)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: XXXX
+
+ Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-05 <../security-advisories/powerdns-advisory-2018-05>`)
+
+ Additionally there are some other minor fixes and improvements listed below.
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 6976
+
+ Apply alias scopemask after chasing
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 6917
+
+ Release memory in case of error in the openssl ecdsa constructor
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 6948
+ :tickets: 6943
+
+ Fix compilation with libressl 2.7.0+
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 6913
+
+ Actually truncate truncated responses
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7118
+ :tickets: 7040
+
+ Switch to devtoolset 7 for el6
+
.. changelog::
:version: 4.1.4
:released: August 29th 2018
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018083101 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018110601 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
auth-4.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
auth-4.0.4-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
auth-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
-auth-4.0.5.security-status 60 IN TXT "1 OK"
+auth-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html"
+auth-4.0.6.security-status 60 IN TXT "1 OK"
auth-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
auth-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
auth-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
-auth-4.1.0.security-status 60 IN TXT "1 OK"
-auth-4.1.1.security-status 60 IN TXT "1 OK"
-auth-4.1.2.security-status 60 IN TXT "1 OK"
-auth-4.1.3.security-status 60 IN TXT "1 OK"
-auth-4.1.4.security-status 60 IN TXT "1 OK"
+auth-4.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
+auth-4.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
+auth-4.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
+auth-4.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
+auth-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
+auth-4.1.5.security-status 60 IN TXT "1 OK"
; Auth Debian
auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
recursor-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html"
recursor-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html"
recursor-4.0.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html"
-recursor-4.0.8.security-status 60 IN TXT "1 OK"
+recursor-4.0.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"
+recursor-4.0.9.security-status 60 IN TXT "1 OK"
recursor-4.1.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
recursor-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
recursor-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
recursor-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
recursor-4.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html"
-recursor-4.1.1.security-status 60 IN TXT "1 OK"
-recursor-4.1.2.security-status 60 IN TXT "1 OK"
-recursor-4.1.3.security-status 60 IN TXT "1 OK"
-recursor-4.1.4.security-status 60 IN TXT "1 OK"
+recursor-4.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"
+recursor-4.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"
+recursor-4.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"
+recursor-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"
+recursor-4.1.5.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
--- /dev/null
+PowerDNS Security Advisory 2018-03: Crafted zone record can cause a denial of service
+=====================================================================================
+
+- CVE: CVE-2018-10851
+- Date: November 6th 2018
+- Affects: PowerDNS Authoritative from 3.3.0 up to and including 4.1.4
+- Not affected: 4.1.5, 4.0.6
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered via crafted records
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: run the process inside the guardian or inside a
+ supervisor
+
+An issue has been found in PowerDNS Authoritative Server allowing an
+authorized user to cause a memory leak by inserting a specially crafted
+record in a zone under their control, then sending a DNS query for that
+record.
+The issue is due to the fact that some memory is allocated before the
+parsing and is not always properly released if the record is malformed.
+
+This issue has been assigned CVE-2018-10851.
+
+When the PowerDNS Authoritative Server is run inside the guardian
+(``--guardian``), or inside a supervisor like supervisord or systemd,
+an out-of-memory crash will lead to an automatic restart, limiting the
+impact to a somewhat degraded service.
+
+PowerDNS Authoritative from 3.3.0 up to and including 4.1.4 is affected.
+Please note that at the time of writing, PowerDNS Authoritative 3.4 and
+below are no longer supported, as described in :doc:`../appendices/EOL`.
--- /dev/null
+PowerDNS Security Advisory 2018-05: Packet cache pollution via crafted query
+============================================================================
+
+- CVE: CVE-2018-14626
+- Date: November 6th 2018
+- Affects: PowerDNS Authoritative from 4.1.0 up to and including 4.1.4
+- Not affected: 4.1.5, 4.0.x
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered via crafted queries
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in PowerDNS Authoritative Server allowing a
+remote user to craft a DNS query that will cause an answer without DNSSEC
+records to be inserted into the packet cache and be returned to clients
+asking for DNSSEC records, thus hiding the presence of DNSSEC signatures
+for a specific qname and qtype.
+For a DNSSEC-signed domain, this means that DNSSEC validating clients
+will consider the answer to be bogus until it expires from the packet
+cache, leading to a denial of service.
+
+This issue has been assigned CVE-2018-14626.
+
+PowerDNS Authoritative from 4.1.0 up to and including 4.1.4 is affected.
+
+We would like to thank Kees Monshouwer for finding and subsequently reporting
+this issue.
This page has all the changelogs for the PowerDNS Recursor 4.0 release train.
+PowerDNS Recursor 4.0.9
+-----------------------
+
+Released 6th of November 2018
+
+This release fixes the following security advisories:
+
+- PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`: Crafted answer can cause a denial of service (CVE-2018-10851)
+- PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`: Packet cache pollution via crafted query (CVE-2018-14626)
+- PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`: Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
+
+Bug fixes
+^^^^^^^^^
+
+- `#XXXX <https://github.com/PowerDNS/pdns/pull/XXXX>`__: Crafted answer can cause a denial of service (CVE-2018-10851)
+- `#XXXX <https://github.com/PowerDNS/pdns/pull/XXXX>`__: Packet cache pollution via crafted query (CVE-2018-14626)
+- `#XXXX <https://github.com/PowerDNS/pdns/pull/XXXX>`__: Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
+
PowerDNS Recursor 4.0.8
-----------------------
Changelogs for 4.1.x
====================
+.. changelog::
+ :version: 4.1.5
+ :released: 6th of November 2018
+
+ This release fixes the following security advisories:
+
+ - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851)
+ - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626)
+ - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: XXXX
+
+ Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: XXXX
+
+ Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: XXXX
+
+ Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`)
+
+ Additionally there are some other minor fixes and improvements listed below.
+
+ .. change::
+ :tags: Improvements, Lua
+ :pullreq: 6919
+ :tickets: 6848
+
+ Add pdnslog to lua configuration scripts (Chris Hofstaedtler)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 6961
+ :tickets: 6960
+
+ Cleanup the netmask trees used for the ecs index on removals
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 6963
+ :tickets: 6605
+
+ Make sure that the ECS scope from the auth is < to the source
+
+ .. change::
+ :tags: Bug Fixes, RPZ, Internals
+ :pullreq: 6984
+ :tickets: 6792
+
+ Delay the creation of rpz threads until we have dropped privileges
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 6980
+ :tickets: 6979
+
+ Authority records in aa=1 cname answer are authoritative
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 7073
+
+ Avoid a memory leak in catch-all exception handler
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 6741
+ :tickets: 6340
+
+ Don't require authoritative answers for forward-recurse zones
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 6948
+ :tickets: 6943
+
+ Fix compilation with libressl 2.7.0+
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 6917
+
+ Release memory in case of error in the openssl ecdsa constructor
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 6925
+ :tickets: 6924
+
+ Convert a few uses to toLogString to print DNSName's that may be empty in a safer manner
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 6945
+
+ Avoid a crash on DEC Alpha systems
+
+ .. change::
+ :tags: Bug Fixes, Internals
+ :pullreq: 6951
+ :tickets: 6949
+
+ Clear all caches on (N)TA changes
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7004
+ :tickets: 6989, 6991
+
+ Export outgoing ECS value and server ID in protobuf (if any)
+
+ .. change::
+ :tags: Improvements, Internals
+ :pullreq: 7122
+ :tickets: 7040
+
+ Switch to devtoolset 7 for el6
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7125
+ :tickets: 7081
+
+ Allow the signature inception to be off by a number of seconds. (Kees Monshouwer)
+
.. changelog::
:version: 4.1.4
:released: 31st of August 2018
--- /dev/null
+PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service
+================================================================================
+
+- CVE: CVE-2018-10851
+- Date: November 6th 2018
+- Affects: PowerDNS Recursor from 3.2 up to and including 4.1.4
+- Not affected: 4.1.5, 4.0.9
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an authoritative server
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: run the process inside a supervisor
+
+An issue has been found in PowerDNS Recursor allowing a malicious
+authoritative server to cause a memory leak by sending specially crafted
+records.
+The issue is due to the fact that some memory is allocated before the
+parsing and is not always properly released if the record is malformed.
+
+This issue has been assigned CVE-2018-10851.
+
+When the PowerDNS Recursor is run inside a supervisor like supervisord
+or systemd, an out-of-memory crash will lead to an automatic restart, limiting
+the impact to a somewhat degraded service.
+
+PowerDNS Recursor from 3.2 up to and including 4.1.4 is affected. Please
+note that at the time of writing, PowerDNS Recursor 3.7 and below are no
+longer supported, as described in :doc:`../appendices/EOL`.
--- /dev/null
+PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query
+============================================================================
+
+- CVE: CVE-2018-14626
+- Date: November 6th 2018
+- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.1.4
+- Not affected: 4.1.5, 4.0.9
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered via crafted queries
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in PowerDNS Recursor allowing a remote user to craft
+a DNS query that will cause an answer without DNSSEC records to be inserted
+into the packet cache and be returned to clients asking for DNSSEC records,
+thus hiding the presence of DNSSEC signatures for a specific qname and qtype.
+For a DNSSEC-signed domain, this means that clients performing DNSSEC validation
+by themselves might consider the answer to be bogus until it expires from the packet
+cache, leading to a denial of service.
+
+This issue has been assigned CVE-2018-14626.
+
+PowerDNS Recursor from 4.0.0 up to and including 4.1.4 is affected.
+
+We would like to thank Kees Monshouwer for finding and subsequently reporting
+this issue.
--- /dev/null
+PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service
+==============================================================================================
+
+- CVE: CVE-2018-14644
+- Date: November 6th 2018
+- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.1.4
+- Not affected: 4.0.9, 4.1.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered via crafted queries for some domains
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in PowerDNS Recursor where a remote attacker sending
+a DNS query for a meta-type like OPT can lead to a zone being wrongly cached
+as failing DNSSEC validation. It only arises if the parent zone is signed,
+and all the authoritative servers for that parent zone answer with FORMERR to
+a query for at least one of the meta-types.
+As a result, subsequent queries from clients requesting DNSSEC validation
+will be answered with a ServFail.
+
+This issue has been assigned CVE-2018-14644 by Red Hat.
+
+PowerDNS Recursor from 4.0.0 up to and including 4.1.4 is affected.
+
+We would like to thank Toshifumi Sakaguchi for finding and subsequently
+reporting this issue.
projects / thirdparty / pdns.git / commitdiff
