From: Peter van Dijk Date: Thu, 20 Jun 2019 10:39:16 +0000 (+0200) Subject: docs+secpoll for 21st June CVE release X-Git-Tag: dnsdist-1.4.0-rc1~109^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe2b40dad676faf7afd0c3a6679948df873e957d;p=thirdparty%2Fpdns.git docs+secpoll for 21st June CVE release --- diff --git a/docs/changelog/4.0.rst b/docs/changelog/4.0.rst index 5878314570..851e66e3a4 100644 --- a/docs/changelog/4.0.rst +++ b/docs/changelog/4.0.rst @@ -1,6 +1,15 @@ Changelogs for 4.0.x ==================== +PowerDNS Authoritative Server 4.0.8 +----------------------------------- + +Released 21st of June 2019 + +This release fixes PowerDNS Security Advisories +:doc:`2019-04 <../security-advisories/powerdns-advisory-2019-04>` and +:doc:`2019-05 <../security-advisories/powerdns-advisory-2019-05>`. + PowerDNS Authoritative Server 4.0.7 ----------------------------------- diff --git a/docs/changelog/4.1.rst b/docs/changelog/4.1.rst index 937f821b72..23ffe94a64 100644 --- a/docs/changelog/4.1.rst +++ b/docs/changelog/4.1.rst @@ -1,12 +1,40 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.10 + :released: June 21st 2019 + + This release and 4.1.9 together fix the following security advisories: + + - PowerDNS Security Advisory :doc:`2019-04 <../security-advisories/powerdns-advisory-2019-04>` (CVE-2019-10162) + - PowerDNS Security Advisory :doc:`2019-05 <../security-advisories/powerdns-advisory-2019-05>` (CVE-2019-10163) + + .. change:: + :tags: Bug Fixes + :pullreq: 7964 + + Do not exit on exception parsing names of name servers to notify. + + .. changelog:: :version: 4.1.9 :released: June 19th 2019 .. change:: - :tags: Performance + :tags: Bug Fixes + :pullreq: 7663 + + Do not exit on exception resolving addresses to notify. + + .. change:: + :tags: Bug Fixes + :pullreq: 7829 + + Avoid very busy looping on lots of notifies. + + .. change:: + :tags: New Features :pullreq: 7922 Add an option to disable superslaving. 
diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 7d9d0c2bdf..c5021f691b 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019061801 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019062101 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. ; Auth @@ -32,7 +32,8 @@ auth-4.0.4-rc1.security-status 60 IN TXT "3 Upgrade now auth-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html" auth-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html" auth-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" -auth-4.0.7.security-status 60 IN TXT "1 OK" +auth-4.0.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" +auth-4.0.8.security-status 60 IN TXT "1 OK" auth-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" 
@@ -43,9 +44,10 @@ auth-4.1.3.security-status 60 IN TXT "3 Upgrade now auth-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" auth-4.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" auth-4.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" -auth-4.1.7.security-status 60 IN TXT "1 OK" -auth-4.1.8.security-status 60 IN TXT "1 OK" -auth-4.1.9.security-status 60 IN TXT "1 OK" +auth-4.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html" +auth-4.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html" +auth-4.1.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html" +auth-4.1.10.security-status 60 IN TXT "1 OK" auth-4.2.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" auth-4.2.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" auth-4.2.0-rc1.security-status 60 IN TXT "1 OK" 
diff --git a/docs/security-advisories/powerdns-advisory-2019-04.rst b/docs/security-advisories/powerdns-advisory-2019-04.rst new file mode 100644 index 0000000000..c25a3be42e --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2019-04.rst @@ -0,0 +1,30 @@ +PowerDNS Security Advisory 2019-04: Denial of service via crafted zone records +============================================================================== + +- CVE: CVE-2019-10162 +- Date: June 21st 2019 +- Affects: PowerDNS Authoritative up to and including 4.1.9 +- Not affected: 4.1.10, 4.0.8 +- Severity: Medium +- Impact: Denial of Service +- Exploit: This problem can be triggered via crafted records +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: run the process inside the guardian or inside a supervisor + +An issue has been found in PowerDNS Authoritative Server allowing an +authorized user to cause the server to exit by inserting a crafted +record in a MASTER type zone under their control. The issue is due +to the fact that the Authoritative Server will exit when it runs into a +parsing error while looking up the NS/A/AAAA records it is about to +use for an outgoing notify. + +This issue has been assigned CVE-2019-10162. + +PowerDNS Authoritative up to and including 4.1.9 is affected. +Please note that at the time of writing, PowerDNS Authoritative 3.4 and +below are no longer supported, as described in +https://doc.powerdns.com/authoritative/appendices/EOL.html. + +We would like to thank Gert van Dijk for finding and subsequently +reporting this issue! diff --git a/docs/security-advisories/powerdns-advisory-2019-05.rst b/docs/security-advisories/powerdns-advisory-2019-05.rst new file mode 100644 index 0000000000..476cf5988b --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2019-05.rst 
@@ -0,0 +1,29 @@ +PowerDNS Security Advisory 2019-05: Denial of service via NOTIFY packets +======================================================================== + +- CVE: CVE-2019-10163 +- Date: June 21st 2019 +- Affects: PowerDNS Authoritative up to and including 4.1.8 +- Not affected: 4.1.9, 4.0.8 +- Severity: Medium +- Impact: Denial of Service +- Exploit: This problem can be triggered via the sending of NOTIFY + packets from an authorized master +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in PowerDNS Authoritative Server allowing a +remote, authorized master server to cause a high CPU load or +even prevent any further updates to any slave zone by sending a +large number of NOTIFY messages. +Note that only servers configured as slaves are affected by this issue. + +This issue has been assigned CVE-2019-10163. + +PowerDNS Authoritative up to and including 4.1.8 is affected. +Please note that at the time of writing, PowerDNS Authoritative 3.4 and +below are no longer supported, as described in +https://doc.powerdns.com/authoritative/appendices/EOL.html. + +We would like to thank George Asenov for finding and subsequently +reporting this issue!
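
Review bot: the 4.0.8 entry added to docs/changelog/4.0.rst links advisories 2019-04 and 2019-05 without their CVE ids, while the 4.1.10 entry in docs/changelog/4.1.rst gives them as "(CVE-2019-10162)" and "(CVE-2019-10163)". Adding the ids here as well keeps both changelogs searchable by CVE number.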
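
Review bot: in docs/changelog/4.1.rst, none of the change entries added under 4.1.9 (pullreq 7663 and 7829) names an advisory or CVE, although the new 4.1.10 text says "This release and 4.1.9 together fix the following security advisories". Someone reading only the 4.1.9 section cannot tell that it carries a security fix. Advisory 2019-05 in this same patch lists 4.1.9 as not affected, so consider adding the advisory reference to the 4.1.9 section too, on the change that fixes it.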
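
Review bot: in the first docs/secpoll.zone hunk, the new auth-4.0.7.security-status record points at powerdns-advisory-2018-03.html and powerdns-advisory-2018-05.html, but the 4.0.8 changelog entry in this patch says 4.0.8 fixes advisories 2019-04 and 2019-05. The text matches the existing auth-4.1.4 record, so this looks like a copy of the wrong line. The URLs should probably be the 2019-04 and 2019-05 ones used for auth-4.1.7 through auth-4.1.9, otherwise operators on 4.0.7 are sent to advisories that do not explain why they must upgrade.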
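
Review bot: in the second docs/secpoll.zone hunk, auth-4.1.9.security-status lists powerdns-advisory-2019-05.html, yet the 2019-05 advisory added in this patch says "Not affected: 4.1.9, 4.0.8". Either drop the 2019-05 URL from the 4.1.9 record so it only cites 2019-04, or, if the shared message is intentional, add a comment in the zone file saying so. The 4.1.7 and 4.1.8 records are consistent with both advisories.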
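
Review bot: the "Affects" and "Not affected" lines of powerdns-advisory-2019-04.rst do not say where the 4.2.0 pre-releases stand. "Affects: PowerDNS Authoritative up to and including 4.1.9" can be read either way, while docs/secpoll.zone keeps auth-4.2.0-rc1 at "1 OK" and leaves auth-4.2.0-alpha1 and auth-4.2.0-beta1 pointing only at advisory 2019-03. Please state the 4.2.0 status explicitly in the advisory and, if alpha1 or beta1 are affected, update their secpoll records to match.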
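
Review bot: powerdns-advisory-2019-05.rst has no "Workaround" field, unlike powerdns-advisory-2019-04.rst, so readers cannot tell whether none exists or it was left out. If there is none, say so explicitly (for example "Workaround: None"). Also, "Not affected: 4.1.9, 4.0.8" omits 4.1.10, which this patch releases and marks "1 OK" in secpoll.zone. Listing it, or wording the field as a "4.1.9 and later" style range, avoids the question.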