From: Peter van Dijk Date: Fri, 23 Jul 2021 10:35:25 +0000 (+0200) Subject: auth-4.5.1: advisory, changelog, secpoll X-Git-Tag: dnsdist-1.7.0-alpha1~86^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10612%2Fhead;p=thirdparty%2Fpdns.git auth-4.5.1: advisory, changelog, secpoll --- diff --git a/docs/changelog/4.5.rst b/docs/changelog/4.5.rst index 52be9a80c9..4bb960a091 100644 --- a/docs/changelog/4.5.rst +++ b/docs/changelog/4.5.rst @@ -1,6 +1,19 @@ Changelogs for 4.5.x ==================== +.. changelog:: + :version: 4.5.1 + :released: 26th of July 2021 + + This is release 4.5.1 of the Authoritative Server. + It is strictly a security fix release for :doc:`Advisory 2021-01 <../security-advisories/powerdns-advisory-2021-01>`. + + .. change:: + :tags: Bug Fixes + :pullreq: X + + auth: correct upper bounds on d_qtypecounters + .. changelog:: :version: 4.5.0 :released: 13th of July 2021 diff --git a/docs/secpoll.zone b/docs/secpoll.zone index c5f253d159..4f77db771b 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021071300 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2021072600 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. @@ -78,11 +78,12 @@ auth-4.4.0-beta1.security-status 60 IN TXT "2 Unsupported auth-4.4.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.4.0.security-status 60 IN TXT "1 OK" auth-4.4.1.security-status 60 IN TXT "1 OK" -auth-4.5.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.5.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.5.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.5.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.5.0.security-status 60 IN TXT "1 OK" +auth-4.5.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.5.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.5.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.5.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.5.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html" +auth-4.5.1.security-status 60 IN TXT "1 OK" ; Auth Debian auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/" diff --git a/docs/security-advisories/powerdns-advisory-2021-01.rst b/docs/security-advisories/powerdns-advisory-2021-01.rst new file mode 100644 index 0000000000..a70265e194 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2021-01.rst @@ -0,0 +1,20 @@ +PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server +=============================================================================== + +- CVE: CVE-2021-36754 +- Date: July 26th, 2021 +- Affects: PowerDNS Authoritative version 4.5.0 +- Not affected: 4.4.x and below, 4.5.1 +- Severity: High +- Impact: Denial of service +- Exploit: This problem can be triggered via a specific query packet +- Risk of system compromise: None +- Solution: Upgrade to 4.5.1, or filter queries in ``dnsdist`` + +PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2 prereleases that came before it) will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected. + +Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like ``addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED))``. + +When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service. + +We would like to thank Reinier Schoof and Robin Geuze of TransIP for noticing crashes in production, immediately letting us know, and helping us figure out what was happening.