From: Otto Moerbeek Date: Tue, 23 Aug 2022 11:36:02 +0000 (+0200) Subject: PSA 2022-02 tweaks and add PR#'s X-Git-Tag: rec-4.8.0-alpha1~48^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11878%2Fhead;p=thirdparty%2Fpdns.git PSA 2022-02 tweaks and add PR#'s --- diff --git a/pdns/recursordist/docs/changelog/4.5.rst b/pdns/recursordist/docs/changelog/4.5.rst index 424bb3e31e..6beac348cf 100644 --- a/pdns/recursordist/docs/changelog/4.5.rst +++ b/pdns/recursordist/docs/changelog/4.5.rst @@ -7,7 +7,7 @@ Changelogs for 4.5.X .. change:: :tags: Bug Fixes - :pullreq: TBD + :pullreq: 11875,11874 PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation. diff --git a/pdns/recursordist/docs/changelog/4.6.rst b/pdns/recursordist/docs/changelog/4.6.rst index 36a04a19e4..aab18814ad 100644 --- a/pdns/recursordist/docs/changelog/4.6.rst +++ b/pdns/recursordist/docs/changelog/4.6.rst @@ -7,7 +7,7 @@ Changelogs for 4.6.X .. change:: :tags: Bug Fixes - :pullreq: TBD + :pullreq: 11876,11874 PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation. diff --git a/pdns/recursordist/docs/changelog/4.7.rst b/pdns/recursordist/docs/changelog/4.7.rst index 7b0f19b674..f7553d78dd 100644 --- a/pdns/recursordist/docs/changelog/4.7.rst +++ b/pdns/recursordist/docs/changelog/4.7.rst @@ -6,7 +6,7 @@ Changelogs for 4.7.X .. change:: :tags: Bug Fixes - :pullreq: TBD + :pullreq: 11877,11874 PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst index 55f03aa46d..0564d1dfe7 100644 --- a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst @@ -13,10 +13,9 @@ PowerDNS Security Advisory 2022-02: incomplete exception handling related to pro This issue only affects recursors which have protobuf logging enabled using the - protobufServer function with logResponses=true or - - outgoingProtobufServer function with logResponses=true +- ``protobufServer`` function with ``logResponses=true`` or +- ``outgoingProtobufServer`` function with ``logResponses=true`` -If either of these functions is used without specifying logResponses, its value is true. +If either of these functions is used without specifying ``logResponses``, its value is ``true``. An attacker needs to have access to the recursor, i.e. the remote IP must be in the access control list. If an attacker queries a name that leads to an answer with specific properties, a protobuf message might be generated that causes an exception. The code does not handle this exception correctly, causing a denial of service.