From: Otto Moerbeek Date: Fri, 25 Mar 2022 08:04:19 +0000 (+0100) Subject: Prep for 2022-01 X-Git-Tag: rec-4.7.0-beta1~38^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11452%2Fhead;p=thirdparty%2Fpdns.git Prep for 2022-01 --- diff --git a/docs/changelog/4.4.rst b/docs/changelog/4.4.rst index eab80f0e2b..7cae4f799e 100644 --- a/docs/changelog/4.4.rst +++ b/docs/changelog/4.4.rst @@ -1,5 +1,17 @@ Changelogs for 4.4.x ==================== +.. changelog:: + :version: 4.4.3 + :released: 25th of March 2022 + + This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. + Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. + + .. change:: + :tags: Bug Fixes + :pullreq: XXXXX + + Fix validation of incremental zone transfers (IXFRs). .. changelog:: :version: 4.4.2 diff --git a/docs/changelog/4.5.rst b/docs/changelog/4.5.rst index f25926a02a..ec8bdf5352 100644 --- a/docs/changelog/4.5.rst +++ b/docs/changelog/4.5.rst @@ -1,6 +1,19 @@ Changelogs for 4.5.x ==================== +.. changelog:: + :version: 4.5.4 + :released: 25th of March 2022 + + This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. + Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. + + .. change:: + :tags: Bug Fixes + :pullreq: XXXXX + + Fix validation of incremental zone transfers (IXFRs). + .. changelog:: :version: 4.5.3 :released: 21th of January 2022 diff --git a/docs/changelog/4.6.rst b/docs/changelog/4.6.rst index cdb7bffd06..f55fc4193e 100644 --- a/docs/changelog/4.6.rst +++ b/docs/changelog/4.6.rst 
@@ -1,6 +1,19 @@ Changelogs for 4.6.x ==================== +.. changelog:: + :version: 4.6.1 + :released: 25th of March 2022 + + This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. + Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. + + .. change:: + :tags: Bug Fixes + :pullreq: XXXXX + + Fix validation of incremental zone transfers (IXFRs). + .. changelog:: :version: 4.6.0 :released: 25th of January 2022 diff --git a/docs/secpoll.zone b/docs/secpoll.zone index f4306335ba..b1fe747104 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022022801 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022032507 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -74,36 +74,39 @@ auth-4.2.0-rc3.security-status 60 IN TXT "3 Unsupported auth-4.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" auth-4.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" auth-4.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" -auth-4.2.3.security-status 60 IN TXT "1 OK" +auth-4.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" auth-4.3.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.3.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.3.0-beta2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.3.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.3.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" -auth-4.3.1.security-status 60 IN TXT "1 OK" -auth-4.3.2.security-status 60 IN TXT "1 OK" -auth-4.4.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.4.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.4.0-alpha3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.4.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.4.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.4.0.security-status 60 IN TXT "1 OK" -auth-4.4.1.security-status 60 IN 
TXT "1 OK" -auth-4.4.2.security-status 60 IN TXT "1 OK" +auth-4.3.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.4.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.4.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.4.0-alpha3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.4.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.4.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.4.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.4.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.4.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.4.3.security-status 60 IN TXT "1 OK" auth-4.5.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.5.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.5.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.5.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.5.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html" -auth-4.5.1.security-status 60 IN TXT "1 OK" -auth-4.5.2.security-status 60 IN TXT "1 OK" -auth-4.5.3.security-status 60 IN TXT "1 OK" 
-auth-4.6.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release, superseded by 4.6.0" -auth-4.6.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release, superseded by 4.6.0" -auth-4.6.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release, superseded by 4.6.0" -auth-4.6.0.security-status 60 IN TXT "1 OK" -auth-4.7.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release" +auth-4.5.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.5.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.5.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.5.4.security-status 60 IN TXT "1 OK" +auth-4.6.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.6.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.6.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +auth-4.6.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"" +auth-4.6.1.security-status 60 IN TXT "1 OK" +auth-4.7.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" ; Auth Debian auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/" 
@@ -266,43 +269,46 @@ recursor-4.3.1.security-status 60 IN TXT "3 Upgrade now recursor-4.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" recursor-4.3.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" recursor-4.3.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" -recursor-4.3.5.security-status 60 IN TXT "1 OK" -recursor-4.3.6.security-status 60 IN TXT "1 OK" -recursor-4.3.7.security-status 60 IN TXT "1 OK" +recursor-4.3.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.3.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.3.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" recursor-4.4.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" -recursor-4.4.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.4.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.4.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.4.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.4.0.security-status 60 IN TXT "1 OK" -recursor-4.4.1.security-status 60 IN TXT "1 OK" -recursor-4.4.2.security-status 60 IN TXT "1 OK" -recursor-4.4.3.security-status 60 IN TXT "1 OK" -recursor-4.4.4.security-status 60 IN TXT "1 OK" -recursor-4.4.5.security-status 60 IN TXT "1 OK" -recursor-4.4.6.security-status 60 IN TXT "1 OK" -recursor-4.4.7.security-status 60 IN TXT "1 OK" -recursor-4.5.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release" 
-recursor-4.5.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.5.0-alpha3.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.5.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.5.0-beta2.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.5.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release" -recursor-4.5.0.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.5.1.security-status 60 IN TXT "1 OK" -recursor-4.5.2.security-status 60 IN TXT "1 OK" -recursor-4.5.3.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.5.4.security-status 60 IN TXT "1 OK" -recursor-4.5.5.security-status 60 IN TXT "1 OK" -recursor-4.5.6.security-status 60 IN TXT "1 OK" -recursor-4.5.7.security-status 60 IN TXT "1 OK" -recursor-4.6.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.6.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.6.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.6.0-beta2.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.6.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release" -recursor-4.6.0.security-status 60 IN TXT "1 OK" -recursor-4.7.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release" +recursor-4.4.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.4.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.4.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.4.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.4.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.1.security-status 60 IN TXT "3 Upgrade now, see 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.4.8.security-status 60 IN TXT "1 OK" +recursor-4.5.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.0-alpha3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.0-beta2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.0.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.5.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.5.2.security-status 60 IN TXT "3 Upgrade now, see 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.5.3.security-status 60 IN TXT "3 Unsupported pre-release" (known vulnerabilities) +recursor-4.5.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.5.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.5.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.5.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.5.8.security-status 60 IN TXT "1 OK" +recursor-4.6.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.6.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.6.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.6.0-beta2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.6.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +recursor-4.6.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html" +recursor-4.6.1.security-status 60 IN TXT "1 OK" +recursor-4.7.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release (known vulnerabilities)" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" 
diff --git a/docs/security-advisories/powerdns-advisory-2022-01.rst b/docs/security-advisories/powerdns-advisory-2022-01.rst new file mode 100644 index 0000000000..2a3cda2d47 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2022-01.rst 
@@ -0,0 +1,22 @@ +PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor +======================================================================================================================== + +- CVE: CVE-2022-27227 +- Date: 25th of March 2022. +- Affects: PowerDNS Authoritative version 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7 and 4.6.0 +- Not affected: PowerDNS Authoritative Server 4.4.3, 4.5.4, 4.6.1 and PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1 +- Severity: Low +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker controlling the network path for IXFR transfers +- Risk of system compromise: None +- Solution: Upgrade to patched version, do not use IXFR in Authoritative Server + +- In the Authoritative server this issue only applies to secondary zones for which IXFR transfers have been enabled and the network path to the primary server is not trusted. Note that IXFR transfers are not enabled by default. +- In the Recursor it applies to setups retrieving one or more RPZ zones from a remote server if the network path to the server is not trusted. + +IXFR usually exchanges only the modifications between two versions of a zone, but sometimes needs to fall back to a full transfer of the current version. +When IXFR falls back to a full zone transfer, an attacker in position of man-in-the-middle can cause the transfer to be prematurely interrupted. This interrupted transfer is mistakenly interpreted as a complete transfer, causing an incomplete zone to be processed. +For the Authoritative Server, IXFR transfers are not enabled by default. +The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ transfer results in missing policy entries, potentially causing some DNS names and IP addresses to not be properly intercepted. 
+ +We would like to thank Nicolas Dehaine and Dmitry Shabanov from ThreatSTOP for reporting and initial analysis of this issue. diff --git a/pdns/recursordist/docs/changelog/4.4.rst b/pdns/recursordist/docs/changelog/4.4.rst index 2b729a3e75..f19928ac32 100644 --- a/pdns/recursordist/docs/changelog/4.4.rst +++ b/pdns/recursordist/docs/changelog/4.4.rst @@ -1,6 +1,19 @@ Changelogs for 4.4.x ==================== +.. changelog:: + :version: 4.4.8 + :released: 25th of March 2022 + + This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. + Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. + + .. change:: + :tags: Bug Fixes + :pullreq: XXXXX + + Fix validation of incremental zone transfers (IXFRs). + .. changelog:: :version: 4.4.7 :released: 5th of November 2021 diff --git a/pdns/recursordist/docs/changelog/4.5.rst b/pdns/recursordist/docs/changelog/4.5.rst index 371f9c5bdb..9d1646fd6b 100644 --- a/pdns/recursordist/docs/changelog/4.5.rst +++ b/pdns/recursordist/docs/changelog/4.5.rst @@ -1,5 +1,19 @@ Changelogs for 4.5.X ==================== + +.. changelog:: + :version: 4.5.8 + :released: 25th of March 2022 + + This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. + Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. + + .. change:: + :tags: Bug Fixes + :pullreq: XXXXX + + Fix validation of incremental zone transfers (IXFRs). + .. changelog:: :version: 4.5.7 :released: 5th of November 2021 diff --git a/pdns/recursordist/docs/changelog/4.6.rst b/pdns/recursordist/docs/changelog/4.6.rst index b8caa6c7fa..9740d8b7d3 100644 --- a/pdns/recursordist/docs/changelog/4.6.rst 
+++ b/pdns/recursordist/docs/changelog/4.6.rst @@ -1,6 +1,19 @@ Changelogs for 4.6.X ==================== +.. changelog:: + :version: 4.6.1 + :released: 25th of March 2022 + + This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`. + Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives. + + .. change:: + :tags: Bug Fixes + :pullreq: XXXXX + + Fix validation of incremental zone transfers (IXFRs). + .. changelog:: :version: 4.6.0 :released: 17th of December 2021 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-01.rst new file mode 100644 index 0000000000..2a3cda2d47 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-01.rst 
@@ -0,0 +1,22 @@ +PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor +======================================================================================================================== + +- CVE: CVE-2022-27227 +- Date: 25th of March 2022. +- Affects: PowerDNS Authoritative version 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7 and 4.6.0 +- Not affected: PowerDNS Authoritative Server 4.4.3, 4.5.4, 4.6.1 and PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1 +- Severity: Low +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker controlling the network path for IXFR transfers +- Risk of system compromise: None +- Solution: Upgrade to patched version, do not use IXFR in Authoritative Server + +- In the Authoritative server this issue only applies to secondary zones for which IXFR transfers have been enabled and the network path to the primary server is not trusted. Note that IXFR transfers are not enabled by default. +- In the Recursor it applies to setups retrieving one or more RPZ zones from a remote server if the network path to the server is not trusted. + +IXFR usually exchanges only the modifications between two versions of a zone, but sometimes needs to fall back to a full transfer of the current version. +When IXFR falls back to a full zone transfer, an attacker in position of man-in-the-middle can cause the transfer to be prematurely interrupted. This interrupted transfer is mistakenly interpreted as a complete transfer, causing an incomplete zone to be processed. +For the Authoritative Server, IXFR transfers are not enabled by default. +The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ transfer results in missing policy entries, potentially causing some DNS names and IP addresses to not be properly intercepted. 
+ +We would like to thank Nicolas Dehaine and Dmitry Shabanov from ThreatSTOP for reporting and initial analysis of this issue.
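Review bot: the `:pullreq: XXXXX` placeholder in the new `.. change::` block of docs/changelog/4.4.rst still needs the real pull request number before this is merged; the same placeholder appears in the 4.5.rst and 4.6.rst hunks and in all three pdns/recursordist/docs/changelog hunks, so each of the six `:pullreq:` fields should be filled with the actual number of this PR.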
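Review bot: every new "Upgrade now" line in the docs/secpoll.zone hunk at `@@ -74,36 +74,39 @@` ends with a doubled closing quote, for example `+auth-4.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""`. The stray trailing `"` starts a second, unterminated string in the TXT RDATA and will either fail to load or produce records with an extra empty string; the recursor lines in the next hunk have the correct single quote, so drop one `"` from each of the affected `auth-4.2.3`, `auth-4.3.1`, `auth-4.3.2`, `auth-4.4.0`, `auth-4.4.1`, `auth-4.4.2`, `auth-4.5.1`, `auth-4.5.2`, `auth-4.5.3` and `auth-4.6.0` lines. Loading the zone with a checker before publishing would catch this class of error.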
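Review bot: in the docs/secpoll.zone hunk at `@@ -266,43 +269,46 @@` the parenthetical on `+recursor-4.5.3.security-status 60 IN TXT "3 Unsupported pre-release" (known vulnerabilities)` sits outside the quoted string, which is not valid TXT RDATA; move it inside the quotes to match the other lines, `"3 Unsupported pre-release (known vulnerabilities)"`. In the same hunk `+recursor-4.7.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release (known vulnerabilities)"` keeps status code 1 while the corresponding `+auth-4.7.0-alpha1.security-status` line in this commit is raised to 3 with the same text; since 1 is the code used for "OK" throughout the zone, either the code or the text here is wrong and the two should be made consistent.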
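Review bot: the `- Affects:` bullet of the new docs/security-advisories/powerdns-advisory-2022-01.rst lists only Authoritative 4.4.2, 4.5.3, 4.6.0 and Recursor 4.4.7, 4.5.7, 4.6.0, while the secpoll.zone hunks in this same commit mark earlier releases (Authoritative 4.2.3 through 4.4.1, 4.5.1, 4.5.2; Recursor 4.3.5 through 4.4.6, 4.5.1 through 4.5.6) as "Upgrade now" for this advisory. Add "and earlier" or list the affected ranges so the advisory and the security-status records agree. Smaller points in the same file: `- Date: 25th of March 2022.` carries a trailing period the other bullets lack, `PowerDNS Authoritative version` should read `PowerDNS Authoritative Server` as in the "Not affected" bullet, and `- Solution: Upgrade to patched version, do not use IXFR in Authoritative Server` reads more clearly as "Upgrade to a patched version; alternatively, do not use IXFR in the Authoritative Server". The identical copy under pdns/recursordist/docs/security-advisories/ (same blob 2a3cda2d47) needs the same changes.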
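Review bot: the pdns/recursordist/docs/changelog/4.5.rst hunk at `@@ -1,5 +1,19 @@` inserts an extra blank `+` line between the `====================` underline and `.. changelog::`, whereas the other five changelog hunks start the new block directly after the underline and place the blank line after it. Cosmetic only, but worth aligning so the generated pages look the same across branches.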