From: Erik Winkels Date: Mon, 5 Nov 2018 14:17:39 +0000 (+0100) Subject: Update changelog, secpoll and advisories. X-Git-Tag: dnsdist-1.3.3~6^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27e947924e9d918f6ea113334cd83994b74ec418;p=thirdparty%2Fpdns.git Update changelog, secpoll and advisories. Update changelog, secpoll and advisories for auth-4.0.6, auth-4.1.5, rec-4.0.9 and rec-4.1.5 releases (cherry picked from commit 8b749001f6962f2d3efcfaa74624b6df2385085f) --- diff --git a/docs/changelog/4.0.rst b/docs/changelog/4.0.rst index bcee287d65..f594b181f3 100644 --- a/docs/changelog/4.0.rst +++ b/docs/changelog/4.0.rst @@ -1,6 +1,27 @@ Changelogs for 4.0.x ==================== +PowerDNS Authoritative Server 4.0.6 +----------------------------------- + +Released 6th of November 2018 + +This release fixes PowerDNS Security Advisory +:doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>`: Crafted zone record can cause a denial of service (CVE-2018-10851) + +Bug fixes +~~~~~~~~~ + +- `#XXXX `__: Crafted zone record can cause a denial of service (CVE-2018-10851) +- `#6013 `__: Skip v6-dependent test when pdns_test_no_ipv6 is set in environment +- `#7135 `__: Fix el6 builds + +Improvements +~~~~~~~~~~~~ + +- `#6315 `__: Prevent cname + other data with dnsupdate +- `#7119 `__: Switch to devtoolset 7 for el6 + PowerDNS Authoritative Server 4.0.5 ----------------------------------- diff --git a/docs/changelog/4.1.rst b/docs/changelog/4.1.rst index 1839862147..8229d89ff0 100644 --- a/docs/changelog/4.1.rst +++ b/docs/changelog/4.1.rst @@ -1,6 +1,61 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.5 + :released: November 6th 2018 + + This release fixes the following security advisories: + + - PowerDNS Security Advisory :doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>` (CVE-2018-10851) + - PowerDNS Security Advisory :doc:`2018-05 <../security-advisories/powerdns-advisory-2018-05>` (CVE-2018-14626) + + .. change:: + :tags: Bug Fixes + :pullreq: XXXX + + Crafted zone record can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-03 <../security-advisories/powerdns-advisory-2018-03>`) + + .. change:: + :tags: Bug Fixes + :pullreq: XXXX + + Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-05 <../security-advisories/powerdns-advisory-2018-05>`) + + Additionally there are some other minor fixes and improvements listed below. + + .. change:: + :tags: Improvements, Internals + :pullreq: 6976 + + Apply alias scopemask after chasing + + .. change:: + :tags: Improvements, Internals + :pullreq: 6917 + + Release memory in case of error in the openssl ecdsa constructor + + .. change:: + :tags: Bug Fixes, Internals + :pullreq: 6948 + :tickets: 6943 + + Fix compilation with libressl 2.7.0+ + + .. change:: + :tags: Bug Fixes, Internals + :pullreq: 6913 + + Actually truncate truncated responses + + .. change:: + :tags: Improvements, Internals + :pullreq: 7118 + :tickets: 7040 + + Switch to devtoolset 7 for el6 + .. changelog:: :version: 4.1.4 :released: August 29th 2018 diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 4166a52b06..684206d99d 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018083101 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018110601 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. ; Auth @@ -30,15 +30,17 @@ auth-4.0.2.security-status 60 IN TXT "3 Upgrade now auth-4.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html" auth-4.0.4-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html" auth-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html" -auth-4.0.5.security-status 60 IN TXT "1 OK" +auth-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html" +auth-4.0.6.security-status 60 IN TXT "1 OK" auth-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" -auth-4.1.0.security-status 60 IN TXT "1 OK" -auth-4.1.1.security-status 60 IN TXT "1 OK" -auth-4.1.2.security-status 60 IN TXT "1 OK" -auth-4.1.3.security-status 60 IN TXT "1 OK" -auth-4.1.4.security-status 60 IN TXT "1 OK" +auth-4.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" +auth-4.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" +auth-4.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" +auth-4.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" +auth-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" +auth-4.1.5.security-status 60 IN TXT "1 OK" ; Auth Debian auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/" @@ -149,16 +151,18 @@ recursor-4.0.5-rc2.security-status 60 IN TXT "3 Upgrade now recursor-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html" recursor-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html" recursor-4.0.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html" -recursor-4.0.8.security-status 60 IN TXT "1 OK" +recursor-4.0.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html" +recursor-4.0.9.security-status 60 IN TXT "1 OK" recursor-4.1.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" recursor-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" recursor-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" recursor-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" recursor-4.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html" -recursor-4.1.1.security-status 60 IN TXT "1 OK" -recursor-4.1.2.security-status 60 IN TXT "1 OK" -recursor-4.1.3.security-status 60 IN TXT "1 OK" -recursor-4.1.4.security-status 60 IN TXT "1 OK" +recursor-4.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html" +recursor-4.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html" +recursor-4.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html" +recursor-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html" +recursor-4.1.5.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/docs/security-advisories/powerdns-advisory-2018-03.rst b/docs/security-advisories/powerdns-advisory-2018-03.rst new file mode 100644 index 0000000000..44204739aa --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2018-03.rst @@ -0,0 +1,32 @@ +PowerDNS Security Advisory 2018-03: Crafted zone record can cause a denial of service +===================================================================================== + +- CVE: CVE-2018-10851 +- Date: November 6th 2018 +- Affects: PowerDNS Authoritative from 3.3.0 up to and including 4.1.4 +- Not affected: 4.1.5, 4.0.6 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered via crafted records +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: run the process inside the guardian or inside a + supervisor + +An issue has been found in PowerDNS Authoritative Server allowing an +authorized user to cause a memory leak by inserting a specially crafted +record in a zone under their control, then sending a DNS query for that +record. +The issue is due to the fact that some memory is allocated before the +parsing and is not always properly released if the record is malformed. + +This issue has been assigned CVE-2018-10851. + +When the PowerDNS Authoritative Server is run inside the guardian +(``--guardian``), or inside a supervisor like supervisord or systemd, +an out-of-memory crash will lead to an automatic restart, limiting the +impact to a somewhat degraded service. + +PowerDNS Authoritative from 3.3.0 up to and including 4.1.4 is affected. +Please note that at the time of writing, PowerDNS Authoritative 3.4 and +below are no longer supported, as described in :doc:`../appendices/EOL`. diff --git a/docs/security-advisories/powerdns-advisory-2018-05.rst b/docs/security-advisories/powerdns-advisory-2018-05.rst new file mode 100644 index 0000000000..d932681989 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2018-05.rst @@ -0,0 +1,28 @@ +PowerDNS Security Advisory 2018-05: Packet cache pollution via crafted query +============================================================================ + +- CVE: CVE-2018-14626 +- Date: November 6th 2018 +- Affects: PowerDNS Authoritative from 4.1.0 up to and including 4.1.4 +- Not affected: 4.1.5, 4.0.x +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered via crafted queries +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in PowerDNS Authoritative Server allowing a +remote user to craft a DNS query that will cause an answer without DNSSEC +records to be inserted into the packet cache and be returned to clients +asking for DNSSEC records, thus hiding the presence of DNSSEC signatures +for a specific qname and qtype. +For a DNSSEC-signed domain, this means that DNSSEC validating clients +will consider the answer to be bogus until it expires from the packet +cache, leading to a denial of service. + +This issue has been assigned CVE-2018-14626. + +PowerDNS Authoritative from 4.1.0 up to and including 4.1.4 is affected. + +We would like to thank Kees Monshouwer for finding and subsequently reporting +this issue. diff --git a/pdns/recursordist/docs/changelog/4.0.rst b/pdns/recursordist/docs/changelog/4.0.rst index fd4b32e5ed..e059a6001f 100644 --- a/pdns/recursordist/docs/changelog/4.0.rst +++ b/pdns/recursordist/docs/changelog/4.0.rst @@ -3,6 +3,24 @@ Changelogs for 4.0.x This page has all the changelogs for the PowerDNS Recursor 4.0 release train. +PowerDNS Recursor 4.0.9 +----------------------- + +Released 6th of November 2018 + +This release fixes the following security advisories: + +- PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`: Crafted answer can cause a denial of service (CVE-2018-10851) +- PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`: Packet cache pollution via crafted query (CVE-2018-14626) +- PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`: Crafted query for meta-types can cause a denial of service (CVE-2018-14644) + +Bug fixes +^^^^^^^^^ + +- `#XXXX `__: Crafted answer can cause a denial of service (CVE-2018-10851) +- `#XXXX `__: Packet cache pollution via crafted query (CVE-2018-14626) +- `#XXXX `__: Crafted query for meta-types can cause a denial of service (CVE-2018-14644) + PowerDNS Recursor 4.0.8 ----------------------- diff --git a/pdns/recursordist/docs/changelog/4.1.rst b/pdns/recursordist/docs/changelog/4.1.rst index 474041a1cc..db0ec5d186 100644 --- a/pdns/recursordist/docs/changelog/4.1.rst +++ b/pdns/recursordist/docs/changelog/4.1.rst @@ -1,6 +1,138 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.5 + :released: 6th of November 2018 + + This release fixes the following security advisories: + + - PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>` (CVE-2018-10851) + - PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>` (CVE-2018-14626) + - PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>` (CVE-2018-14644) + + .. change:: + :tags: Bug Fixes + :pullreq: XXXX + + Crafted answer can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory :doc:`2018-04 <../security-advisories/powerdns-advisory-2018-04>`) + + .. change:: + :tags: Bug Fixes + :pullreq: XXXX + + Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory :doc:`2018-06 <../security-advisories/powerdns-advisory-2018-06>`) + + .. change:: + :tags: Bug Fixes + :pullreq: XXXX + + Crafted query for meta-types can cause a denial of service (CVE-2018-14644, PowerDNS Security Advisory :doc:`2018-07 <../security-advisories/powerdns-advisory-2018-07>`) + + Additionally there are some other minor fixes and improvements listed below. + + .. change:: + :tags: Improvements, Lua + :pullreq: 6919 + :tickets: 6848 + + Add pdnslog to lua configuration scripts (Chris Hofstaedtler) + + .. change:: + :tags: Bug Fixes + :pullreq: 6961 + :tickets: 6960 + + Cleanup the netmask trees used for the ecs index on removals + + .. change:: + :tags: Bug Fixes + :pullreq: 6963 + :tickets: 6605 + + Make sure that the ECS scope from the auth is < to the source + + .. change:: + :tags: Bug Fixes, RPZ, Internals + :pullreq: 6984 + :tickets: 6792 + + Delay the creation of rpz threads until we have dropped privileges + + .. change:: + :tags: Bug Fixes + :pullreq: 6980 + :tickets: 6979 + + Authority records in aa=1 cname answer are authoritative + + .. change:: + :tags: Bug Fixes, Internals + :pullreq: 7073 + + Avoid a memory leak in catch-all exception handler + + .. change:: + :tags: Bug Fixes + :pullreq: 6741 + :tickets: 6340 + + Don't require authoritative answers for forward-recurse zones + + .. change:: + :tags: Improvements + :pullreq: 6948 + :tickets: 6943 + + Fix compilation with libressl 2.7.0+ + + .. change:: + :tags: Bug Fixes, Internals + :pullreq: 6917 + + Release memory in case of error in the openssl ecdsa constructor + + .. change:: + :tags: Bug Fixes + :pullreq: 6925 + :tickets: 6924 + + Convert a few uses to toLogString to print DNSName's that may be empty in a safer manner + + .. change:: + :tags: Bug Fixes, Internals + :pullreq: 6945 + + Avoid a crash on DEC Alpha systems + + .. change:: + :tags: Bug Fixes, Internals + :pullreq: 6951 + :tickets: 6949 + + Clear all caches on (N)TA changes + + .. change:: + :tags: Improvements + :pullreq: 7004 + :tickets: 6989, 6991 + + Export outgoing ECS value and server ID in protobuf (if any) + + .. change:: + :tags: Improvements, Internals + :pullreq: 7122 + :tickets: 7040 + + Switch to devtoolset 7 for el6 + + .. change:: + :tags: Improvements + :pullreq: 7125 + :tickets: 7081 + + Allow the signature inception to be off by a number of seconds. (Kees Monshouwer) + .. changelog:: :version: 4.1.4 :released: 31st of August 2018 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-04.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-04.rst new file mode 100644 index 0000000000..b0520cebe1 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-04.rst @@ -0,0 +1,29 @@ +PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service +================================================================================ + +- CVE: CVE-2018-10851 +- Date: November 6th 2018 +- Affects: PowerDNS Recursor from 3.2 up to and including 4.1.4 +- Not affected: 4.1.5, 4.0.9 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an authoritative server +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: run the process inside a supervisor + +An issue has been found in PowerDNS Recursor allowing a malicious +authoritative server to cause a memory leak by sending specially crafted +records. +The issue is due to the fact that some memory is allocated before the +parsing and is not always properly released if the record is malformed. + +This issue has been assigned CVE-2018-10851. + +When the PowerDNS Recursor is run inside a supervisor like supervisord +or systemd, an out-of-memory crash will lead to an automatic restart, limiting +the impact to a somewhat degraded service. + +PowerDNS Recursor from 3.2 up to and including 4.1.4 is affected. Please +note that at the time of writing, PowerDNS Recursor 3.7 and below are no +longer supported, as described in :doc:`../appendices/EOL`. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-06.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-06.rst new file mode 100644 index 0000000000..4f4cf26c18 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-06.rst @@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query +============================================================================ + +- CVE: CVE-2018-14626 +- Date: November 6th 2018 +- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.1.4 +- Not affected: 4.1.5, 4.0.9 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered via crafted queries +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in PowerDNS Recursor allowing a remote user to craft +a DNS query that will cause an answer without DNSSEC records to be inserted +into the packet cache and be returned to clients asking for DNSSEC records, +thus hiding the presence of DNSSEC signatures for a specific qname and qtype. +For a DNSSEC-signed domain, this means that clients performing DNSSEC validation +by themselves might consider the answer to be bogus until it expires from the packet +cache, leading to a denial of service. + +This issue has been assigned CVE-2018-14626. + +PowerDNS Recursor from 4.0.0 up to and including 4.1.4 is affected. + +We would like to thank Kees Monshouwer for finding and subsequently reporting +this issue. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-07.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-07.rst new file mode 100644 index 0000000000..325a018027 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-07.rst @@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service +============================================================================================== + +- CVE: CVE-2018-14644 +- Date: November 6th 2018 +- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.1.4 +- Not affected: 4.0.9, 4.1.5 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered via crafted queries for some domains +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in PowerDNS Recursor where a remote attacker sending +a DNS query for a meta-type like OPT can lead to a zone being wrongly cached +as failing DNSSEC validation. It only arises if the parent zone is signed, +and all the authoritative servers for that parent zone answer with FORMERR to +a query for at least one of the meta-types. +As a result, subsequent queries from clients requesting DNSSEC validation +will be answered with a ServFail. + +This issue has been assigned CVE-2018-14644 by Red Hat. + +PowerDNS Recursor from 4.0.0 up to and including 4.1.4 is affected. + +We would like to thank Toshifumi Sakaguchi for finding and subsequently +reporting this issue.