From: Peter van Dijk Date: Thu, 3 Sep 2020 13:46:51 +0000 (+0200) Subject: auth 22 sept 2020: advisories, changelogs, docs X-Git-Tag: auth-4.4.0-alpha1~20^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F9511%2Fhead;p=thirdparty%2Fpdns.git auth 22 sept 2020: advisories, changelogs, docs --- diff --git a/docs/changelog/4.1.rst b/docs/changelog/4.1.rst index 262486268e..fa23a403d9 100644 --- a/docs/changelog/4.1.rst +++ b/docs/changelog/4.1.rst @@ -1,6 +1,18 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.14 + :released: September 2nd 2020 + + This release contains the fix for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>` (CVE-2020-17482) + + .. change:: + :tags: Bug Fixes + :pullreq: 9500 + + Raise an exception on invalid hex content in unknown records. + .. changelog:: :version: 4.1.13 :released: August 9th 2019 diff --git a/docs/changelog/4.2.rst b/docs/changelog/4.2.rst index 7212a97ee7..731c8adf2c 100644 --- a/docs/changelog/4.2.rst +++ b/docs/changelog/4.2.rst @@ -1,11 +1,29 @@ Changelogs for 4.2.x ==================== +.. changelog:: + :version: 4.2.3 + :released: September 2nd 2020 + + This release contains the fix for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>` (CVE-2020-17482) + + .. change:: + :tags: Bug Fixes + :pullreq: 9499 + + Raise an exception on invalid hex content in unknown records. + + .. change:: + :tags: Bug Fixes + :pullreq: 9191 + :tickets: 9181 + + mydns: add SOA to list() output + .. changelog:: :version: 4.2.2 :released: 9th of April 2020 - .. change:: :tags: Bug Fixes :pullreq: 9010 diff --git a/docs/changelog/4.3.rst b/docs/changelog/4.3.rst index 7e2f586ff6..6d0ce6f534 100644 --- a/docs/changelog/4.3.rst +++ b/docs/changelog/4.3.rst 
@@ -1,6 +1,74 @@ Changelogs for 4.3.x ==================== +.. changelog:: + :version: 4.3.1 + :released: 22nd of September 2020 + + This is version 4.3.1 of the Authoritative Server. + This release contains the fix for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>` (CVE-2020-17482). + It also contains several other fixes and improvements: + + .. change:: + :tags: Bug Fixes + :pullreq: 9498 + + Raise an exception on invalid hex content in unknown records. + + .. change:: + :tags: Bug Fixes + :pullreq: 9444 + + Handle the extra single-row result set of MySQL stored procedures (Chris Hofstaedtler) + + .. change:: + :tags: Improvements + :pullreq: 9036 + + EL8 pkgs: Build mysql backend against mariadb-connector-c-devel + + .. change:: + :tags: Improvements + :pullreq: 9219 + + gpgsql: Reintroduce prepared statements (Chris Hofstaedtler) + + .. change:: + :tags: Improvements + :pullreq: 9233 + + gsqlite3backend: add missing indexes (Kees Monshouwer) + + .. change:: + :tags: Improvements + :pullreq: 9224 + + use real remote for supermaster createSlaveDomain() (Kees Monshouwer) + + .. change:: + :tags: Improvements + :pullreq: 9176 + + Optimize IXFR-to-AXFR fallback path (Chris Hofstaedtler) + + .. change:: + :tags: Improvements + :pullreq: 9013 + + Install bind SQL schema files as part of bindbackend (Chris Hofstaedtler) + + .. change:: + :tags: New Features + :pullreq: 9083 + + add ubuntu focal target + + .. change: + :tags: Improvements + :pullreq: 9480 + + Do not send out of zone lookups to the backends (Kees Monshouwer) + .. changelog:: :version: 4.3.0 :released: 7th of April 2020 diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 0cd79ac0ea..04b261ff6b 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone 
@@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020092100 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020092201 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -49,24 +49,27 @@ auth-4.1.6.security-status 60 IN TXT "3 Upgrade now auth-4.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html" auth-4.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html" auth-4.1.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html" -auth-4.1.10.security-status 60 IN TXT "1 OK" -auth-4.1.11.security-status 60 IN TXT "1 OK" -auth-4.1.12.security-status 60 IN TXT "1 OK" -auth-4.1.13.security-status 60 IN TXT "1 OK" +auth-4.1.10.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.1.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.1.12.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.1.13.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.1.14.security-status 60 IN TXT "1 OK" auth-4.2.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" auth-4.2.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" auth-4.2.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no 
known vulnerabilities)" auth-4.2.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.2.0-rc3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.2.0.security-status 60 IN TXT "1 OK" -auth-4.2.1.security-status 60 IN TXT "1 OK" -auth-4.2.2.security-status 60 IN TXT "1 OK" +auth-4.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.2.3.security-status 60 IN TXT "1 OK" auth-4.3.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.3.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.3.0-beta2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.3.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" auth-4.3.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -auth-4.3.0.security-status 60 IN TXT "1 OK" +auth-4.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html" +auth-4.3.1.security-status 60 IN TXT "1 OK" ; Auth Debian auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and 
https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/" diff --git a/docs/security-advisories/powerdns-advisory-2020-05.rst b/docs/security-advisories/powerdns-advisory-2020-05.rst new file mode 100644 index 0000000000..e9a9124f85 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2020-05.rst @@ -0,0 +1,25 @@ +PowerDNS Security Advisory 2020-05: Leaking uninitialised memory through crafted zone records +============================================================================================= + +- CVE: CVE-2020-17482 +- Date: September 22nd, 2020 +- Affects: PowerDNS Authoritative 4.3.0 and earlier +- Not affected: 4.3.1 and up, 4.2.3 and up, 4.1.14 and up +- Severity: Low +- Impact: Information leak +- Exploit: This problem can be triggered via crafted records by an authorized user +- Risk of system compromise: Low +- Solution: Upgrade to a fixed version +- Workaround: Do not take zone data from untrusted users + +An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. +Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. +Crafted records cannot be inserted via AXFR. + +This issue has been assigned CVE-2020-17482. + +PowerDNS Authoritative up to and including version 4.3.0 are affected. +Please note that at the time of writing, PowerDNS Authoritative 4.0 and below are no longer supported, as described in +https://doc.powerdns.com/authoritative/appendices/EOL.html. + +We would like to thank Nathaniel Ferguson for finding and subsequently reporting this issue! diff --git a/docs/security-advisories/powerdns-advisory-2020-06.rst b/docs/security-advisories/powerdns-advisory-2020-06.rst new file mode 100644 index 0000000000..74e4eb8ae9 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2020-06.rst 
@@ -0,0 +1,28 @@ +PowerDNS Security Advisory 2020-06: Various issues in our GSS-TSIG support +========================================================================== + +- CVE: CVE-2020-24696, CVE-2020-24697, CVE-2020-24698 +- Date: September 22nd, 2020 +- Affects: PowerDNS Authoritative versions before 4.4.0, when compiled with --enable-experimental-gss-tsig +- Not affected: 4.4.0 and up, and any version compiled without GSS-TSIG support +- Severity: Low +- Impact: Crashes, Information Leaks, Possible code execution +- Exploit: This problem can be triggered via crafted packets +- Risk of system compromise: Low +- Solution: Do not use software built with GSS-TSIG support + +Various issues have been found in our GSS-TSIG support, where an unauthorized attacker could cause crashes, possibly leak uninitialised memory, and possibly execute arbitrary code. + +These issues have been assigned: + +* CVE-2020-24696: A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature. +* CVE-2020-24697: A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature. +* CVE-2020-24698: A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature. + +All PowerDNS Authoritative versions are affected, but *only* if they have been compiled with ``--enable-experimental-gss-tsig``. +We have never published packages with the feature enabled. + +Because of the various issues with the feature (including a complete lack of testing code around it), and no reports of production usage of GSS-TSIG, we have decided to remove the relevant code completely in PowerDNS Authoritative 4.4.0. 
+Users of earlier versions that rely on the feature can keep doing so until they upgrade to 4.4.0, but need to be aware of these issues. + +We would like to thank Nathaniel Ferguson for finding and subsequently reporting these issues! diff --git a/docs/upgrading.rst b/docs/upgrading.rst index 38bfbf99dd..a6c5a53de9 100644 --- a/docs/upgrading.rst +++ b/docs/upgrading.rst @@ -24,6 +24,8 @@ On RHEL/CentOS 8, the gmysql backend now uses ``mariadb-connector-c`` instead of This change was made because the default MySQL implementation for RHEL8 is MariaDB, and MariaDB and MySQL cannot be installed in parallel due to conflicting RPM packages. The mariadb client lib will connect to your existing MySQL servers without trouble. +Unknown record encoding (`RFC 3597 `__) has become more strict as a result of the fixes for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>`. Please use ``pdnsutil check-all-zones`` to review your zone contents. + 4.2.x to 4.3.0 -------------- @@ -93,6 +95,11 @@ A bug in PowerDNS versions before 4.2.2/4.3.0 would cause wrong deletion or addi If you have zones which use inbound IXFR (in other words, the ``IXFR`` metadata item for that zone is set to ``1``), we strongly suggest triggering a completely fresh transfer. You could accomplish that by deleting all records in the zone with an SQL query and waiting for a fresh transfer, or (1) disabling IXFR (2) forcing a fresh transfer using ``pdns_control retrieve example.com`` (3) enabling IXFR again. +4.2.X to 4.2.3 +-------------- + +Unknown record encoding (`RFC 3597 `__) has become more strict as a result of the fixes for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>`. Please use ``pdnsutil check-all-zones`` to review your zone contents. + 4.X.X to 4.2.2 -------------- 
@@ -114,6 +121,11 @@ You could accomplish that by deleting all records in the zone with an SQL query - Autoserial support has been removed. The ``change_date`` column has been removed from the ``records`` table in all gsql backends, but leaving it in is harmless. - The :doc:`Generic PostgreSQL backend ` schema has changed: the ``notified_serial`` column type in the ``domains`` table has been changed from ``INT DEFAULT NULL`` to ``BIGINT DEFAULT NULL``: ``ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;`` +4.1.X to 4.1.14 +--------------- + +Unknown record encoding (`RFC 3597 `__) has become more strict as a result of the fixes for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>`. Please use ``pdnsutil check-all-zones`` to review your zone contents. + 4.1.0 to 4.1.1 --------------
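Review bot: In docs/changelog/4.1.rst and docs/changelog/4.2.rst, the new 4.1.14 and 4.2.3 blocks carry ":released: September 2nd 2020", while the 4.3.1 block in this same patch says "22nd of September 2020" and the advisory they link to is dated September 22nd, 2020. If the three releases went out together, the two dates should be corrected to the 22nd; if they really differ, a short remark in the advisory would avoid the impression that fixed versions were published twenty days before disclosure.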
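Review bot: In docs/changelog/4.3.rst, the last entry of the 4.3.1 block (pullreq 9480, "Do not send out of zone lookups to the backends") starts with ".. change:" using a single colon. reStructuredText reads that as a comment rather than a directive, so the entry will silently disappear from the rendered changelog; it should be ``.. change::`` like the ten entries above it.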
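Review bot: In docs/secpoll.zone, the pre-release entries left as context (auth-4.2.0-rc1 to rc3, and auth-4.3.0-alpha1 through auth-4.3.0-rc2) still answer "2 Unsupported pre-release (no known vulnerabilities)", although the advisory added in this patch lists "PowerDNS Authoritative 4.3.0 and earlier" as affected. Either move them to status 3 with the 2020-05 URL, or drop the "no known vulnerabilities" wording. The auth-4.1.7 to auth-4.1.9 entries are already status 3 but cite only the 2019 advisories; appending the 2020-05 URL there would keep the polled answer complete.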
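Review bot: In docs/security-advisories/powerdns-advisory-2020-05.rst, the "Affects: PowerDNS Authoritative 4.3.0 and earlier" line reads as if it included 4.2.3 and 4.1.14, which the next line declares not affected. Spelling out the ranges per branch (before 4.1.14, 4.2.x before 4.2.3, and 4.3.0) would let operators match their version without cross-reading two lines; the body sentence "PowerDNS Authoritative up to and including version 4.3.0 are affected" has the same ambiguity. As a smaller point, the title uses "uninitialised" and the body "uninitialized"; pick one spelling.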
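Review bot: In docs/security-advisories/powerdns-advisory-2020-06.rst, the header rates "Severity: Low" and "Risk of system compromise: Low" next to "Impact: Crashes, Information Leaks, Possible code execution" from a remote, unauthenticated attacker, and the justification (experimental build flag, no packages ever published with it) only appears further down in the body. A reader who stops at the header gets no basis for the rating, so it would help to state the build-time condition on the Severity line or right after the header. The header also says "Affects: ... versions before 4.4.0" while the body says "All PowerDNS Authoritative versions are affected", and unlike 2020-05 there is no "Workaround" line: "Do not use software built with GSS-TSIG support" is really the workaround, with the upgrade to 4.4.0 being the solution.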
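Review bot: In docs/upgrading.rst, the paragraph added in all three hunks says unknown record encoding "has become more strict" without saying what is now rejected or what an operator will observe when a zone contains such a record. The changelog entries in this patch describe the change as "Raise an exception on invalid hex content in unknown records"; repeating that here, plus one sentence on what ``pdnsutil check-all-zones`` reports for an offending record, would tell operators what to look for before they upgrade rather than after.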