Changelogs for 4.5.x
====================
+.. changelog::
+ :version: 4.5.1
+ :released: 26th of July 2021
+
+ This is release 4.5.1 of the Authoritative Server.
+ It is strictly a security fix release for :doc:`Advisory 2021-01 <../security-advisories/powerdns-advisory-2021-01>`.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: X
+
+ auth: correct upper bounds on d_qtypecounters
+
.. changelog::
:version: 4.5.0
:released: 13th of July 2021
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021071300 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021072600 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
auth-4.4.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
auth-4.4.0.security-status 60 IN TXT "1 OK"
auth-4.4.1.security-status 60 IN TXT "1 OK"
-auth-4.5.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.5.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.5.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.5.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.5.0.security-status 60 IN TXT "1 OK"
+auth-4.5.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.5.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.5.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.5.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.5.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html"
+auth-4.5.1.security-status 60 IN TXT "1 OK"
; Auth Debian
auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
--- /dev/null
+PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server
+===============================================================================
+
+- CVE: CVE-2021-36754
+- Date: July 26th, 2021
+- Affects: PowerDNS Authoritative version 4.5.0
+- Not affected: 4.4.x and below, 4.5.1
+- Severity: High
+- Impact: Denial of service
+- Exploit: This problem can be triggered via a specific query packet
+- Risk of system compromise: None
+- Solution: Upgrade to 4.5.1, or filter queries in ``dnsdist``
+
+PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2 prereleases that came before it) will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.
+
+Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like ``addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED))``.
+
+When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
+
+We would like to thank Reinier Schoof and Robin Geuze of TransIP for noticing crashes in production, immediately letting us know, and helping us figure out what was happening.
projects / thirdparty / pdns.git / commitdiff
