We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
-As of the 9th of September 2016, no actual security problems with PowerDNS Authoritative Server 3.4.10, Recursor 3.6.3, Recursor 3.7.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+We also remind you that the best supported and most secure version is the latest version of PowerDNS.
-Version 3.4.9 and earlier of the PowerDNS Authoritative Server can be made to cause unexpected backend load, see [PowerDNS Security Advisory 2016-01](powerdns-advisory-2016-01.md) for more information.
+## Security Advisories
-PowerDNS Authoritative Server 3.4.0 through 3.4.5 can have their threads crashed with a malformed packet, see [PowerDNS Security Advisory 2015-02](powerdns-advisory-2015-02.md) for more information.
-
-All recent Recursor versions up to and including 3.6.2 and 3.7.1, and all recent Authoritative servers up to and including version 3.4.3, can in specific situations be crashed with a malformed packet. For more detail, see [PowerDNS Security Advisory 2015-01](powerdns-advisory-2015-01.md)
-
-All Recursor versions up to and including 3.6.1 can be made to provide degraded service. For more detail, see [PowerDNS Security Advisory 2014-02](powerdns-advisory-2014-02.md)
-
-Version 3.6.0 of the Recursor (but not 3.5.x) can be crashed remotely with a specific packet sequence. For more detail, see [PowerDNS Security Advisory 2014-01](powerdns-advisory-2014-01.md)
-
-Versions 2.9.22 and lower and 3.0 of the PowerDNS Authoritative Server were vulnerable to a temporary denial of service attack. For more detail, see [PowerDNS Security Advisory 2012-01](powerdns-advisory-2012-01.md).
-
-Version 3.1.7.1 and earlier of the PowerDNS Recursor were vulnerable to a probably exploitable buffer overflow and a spoofing attack. For more detail, see [PowerDNS Security Advisory 2010-01](powerdns-advisory-2010-01.md "PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited") and [PowerDNS Security Advisory 2010-02](powerdns-advisory-2010-02.md "PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data").
-
-Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see [PowerDNS Security Advisory 2008-01](powerdns-advisory-2008-01.md "System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor").
-
-Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered by remote users. One of the issues might be exploited and ead to a system compromise. For more detail, see [PowerDNS Security Advisory 2006-01](powerdns-advisory-2006-01.md "Malformed TCP queries can lead to a buffer overflow which might be exploitable") and [PowerDNS Security Advisory 2006-02](powerdns-advisory-2006-02.md "Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash").
-
-Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely. This bug, which we believe to only lead to a crash, has been fixed in 3.0.1. There are no guarantees however, so an upgrade from 3.0 is highly recommended.
-
-All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers bad data.
-
-All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised:
-
- * The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
-
- * Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain's existence.
-
-All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation. Please upgrade to 2.9.17 as this page will only contain detailed security information from 2.9.17 onwards.
+All PowerDNS security advisories are available in the most recent version of the documentation: [Authoritative Server](/authoritative/security-advisories/index.html), [Recursor](/recursor/security-advisories/index.html)
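Review bot: The removed summary paragraphs for Recursor 3.0, for versions before 2.9.21.1, for versions before 2.9.18 (the LDAP escaping and recursion-blanking items) and for versions before 2.9.17 carry no advisory link, so nothing else visible in this patch records them once this hunk lands. Please confirm those entries exist on the two relocated index pages before dropping them here, and consider keeping the sentence that notifications are sent to all PowerDNS mailing lists. The new links are also root-absolute (`/authoritative/security-advisories/index.html`), unlike the relative `.md` links they replace, so check that they resolve wherever this page is built or mirrored.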
+++ /dev/null
-## PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
-
-
- * CVE: CVE-2006-4251
- * Date: 13th of November 2006
- * Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all operating systems.
- * Not affected: No versions of the PowerDNS Authoritative Server ('pdns\_server') are affected.
- * Severity: Critical
- * Impact: Potential remote system compromise.
- * Exploit: As far as we know, no exploit is available as of 11th of November 2006.
- * Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply the patches referred below and recompile
- * Workaround: Disable TCP access to the Recursor. This will have slight operational impact, but it is likely that this will not lead to meaningful degradation of service. Disabling access is best performed at packet level, either by configuring a firewall, or instructing the host operating system to drop TCP connections to port 53. Additionally, exposure can be limited by configuring the `allow-from` setting so only trusted users can query your nameserver.
-
-PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming TCP DNS queries, and will attempt to read up to 4 gigabytes of query into a 65535 byte buffer.
-
-We have not verified if this problem might actually lead to a system compromise, but are acting on the assumption that it might.
-
-For distributors, a minimal patch is available on [the PowerDNS wiki](http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/915). Additionally, those shipping very old versions of the PowerDNS Recursor might benefit from this [patch](http://ds9a.nl/tmp/cve-2006-4251.patch).
-
-The impact of these and other security problems can be lessened by considering the advice in FIXME: security-settings.
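Review bot: The last sentence of this advisory still ends in the placeholder `FIXME: security-settings` rather than a link, and both patch links are plain `http://`. If this text was copied to the new Recursor advisories page, resolve the FIXME to the real security settings page there instead of carrying the placeholder along.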
+++ /dev/null
-## PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
-
- * CVE: CVE-2006-4252
- * Date: 13th of November 2006
- * Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all operating systems.
- * Not affected: No versions of the PowerDNS Authoritative Server ('pdns\_server') are affected.
- * Severity: Moderate
- * Impact: Denial of service
- * Exploit: This problem can be triggered by sending queries for specifically configured domains
- * Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply [commit 919](http://wiki.powerdns.com/projects/trac/changeset/919).
- * Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
-
-PowerDNS would recurse endlessly on encountering a CNAME loop consisting entirely of zero second CNAME records, eventually exceeding resources and crashing.
+++ /dev/null
-## PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor
-
- * CVE: Not yet assigned
- * Date: 31st of March 2008
- * Affects: PowerDNS Recursor versions 3.1.4 and earlier, on most operating systems
- * Not affected: No versions of the PowerDNS Authoritative Server ('pdns\_server') are affected.
- * Severity:Moderate
- * Impact: Data manipulation; client redirection
- * Exploit: This problem can be triggered by sending queries for specifically configured domains, sending spoofed answer packets immediately afterwards.
- * Solution: Upgrade to PowerDNS Recursor 3.1.5, or apply changesets [1159](http://wiki.powerdns.com/projects/trac/changeset/1159), [1160](http://wiki.powerdns.com/projects/trac/changeset/1160) and [1164](http://wiki.powerdns.com/projects/trac/changeset/1164).
- * Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
-
-We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to 'spoof' previous versions of the PowerDNS Recursor into accepting possibly malicious data.
-
-Details can be found on [this Trusteer page](http://www.trusteer.com/docs/powerdnsrecursor.html).
-
-This security problem was announced in [this email message](http://mailman.powerdns.com/pipermail/pdns-users/2008-March/005279.html).
-
-It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune.
-
-The vulnerability is present on all operating systems where the behaviour of the libc random() function can be predicted based on its past output. This includes at least all known versions of Linux, as well as Microsoft Windows, and probably FreeBSD and Solaris.
-
-The magnitude of this vulnerability depends on internal details of the system random() generator. For Linux, the mathematics of the random generator are complex, but well understood and Amit Klein has written and published a proof of concept that can successfully predict its output after uninterrupted observation of 40-50 DNS queries.
-
-Because the observation needs to be uninterrupted, busy PowerDNS Recursor instances are harder to subvert - other data is highly likely to be interleaved with traffic generated by an attacker.
-
-Nevertheless, operators are urged to update at their earliest convenience.
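Review bot: The metadata list of this 2008 advisory still says `CVE: Not yet assigned`, and `Severity:Moderate` is missing the space after the colon. If the advisory is kept in the relocated documentation, the CVE field should either name the identifier or state that none was assigned, so that tooling and readers matching on CVE do not treat it as pending.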
+++ /dev/null
-## PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof
-
- * CVE: CVE-2008-3337
- * Date: 6th of August 2008
- * Affects: PowerDNS Authoritative Server 2.9.21 and earlier
- * Not affected: No versions of the PowerDNS Recursor ('pdns\_recursor') are affected.
- * Severity: Moderate
- * Impact: Data manipulation; client redirection
- * Exploit: Domains with servers that drop certain queries can be spoofed using simpler measures than would usually be required
- * Solution: Upgrade to PowerDNS Authoritative Server 2.9.21.1, or apply [commit 1239](http://wiki.powerdns.com/projects/trac/changeset/1239).
- * Workaround: None known.
-
-Brian J. Dowling of Simplicity Communications has discovered a security implication of the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that Brian notified us quickly about this problem.
-
-The implication is that while the PowerDNS Authoritative server itself does not face a security risk because of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1.
-
-While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks.
+++ /dev/null
-## PowerDNS Security Advisory 2008-03: Some PowerDNS Configurations can be forced to restart remotely
-
- * CVE: Not yet assigned
- * Date: 18th of November 2008
- * Affects: PowerDNS Authoritative Server 2.9.21.1 and earlier
- * Not affected: No versions of the PowerDNS Recursor (`pdns_recursor`) are affected. Versions not running in single threaded mode (`distributor-threads=1`) are probably not affected.
- * Severity: Moderate
- * Impact: Denial of Service
- * Exploit: Send PowerDNS an CH HINFO query.
- * Solution: Upgrade to PowerDNS Authoritative Server 2.9.21.2, or wait for 2.9.22.
- * Workaround: Remove `distributor-threads=1` if this is set.
-
-Daniel Drown discovered that his PowerDNS 2.9.21.1 installation crashed on receiving a HINFO CH query. In his enthusiasm, he shared his discovery with the world, forcing a rapid over the weekend release cycle.
-
-While we thank Daniel for his discovery, please study our security policy as outlined in ["Security"](#security) before making vulnerabilities public.
-
-It is believed that this issue only impacts PowerDNS Authoritative Servers operating with `distributor-threads=1`, but even on other configurations a database reconnect occurs on receiving a CH HINFO query.
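Review bot: The link `["Security"](#security)` in the paragraph addressed to the reporter is a same-page fragment, which only resolves when this advisory is rendered on a page that has a "Security" heading. In the relocated copy it should point at the security policy page explicitly. This advisory also still lists `CVE: Not yet assigned`.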
+++ /dev/null
-## PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
-
- * CVE: CVE-2009-4009
- * Date: 6th of January 2010
- * Affects: PowerDNS Recursor 3.1.7.1 and earlier
- * Not affected: No versions of the PowerDNS Authoritative ('pdns\_server') are affected.
- * Severity: Critical
- * Impact: Denial of Service, possible full system compromise
- * Exploit: Withheld
- * Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
- * Workaround: None. The risk of exploitation or denial of service can be decreased slightly by using the `allow-from` setting to only provide service to known users. The risk of a full system compromise can be reduced by running with a suitable reduced privilege user and group settings, and possibly chroot environment.
-
-Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash.
-
-This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in improving PowerDNS security.
+++ /dev/null
-## PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
-
- * CVE: CVE-2009-4010
- * Date: 6th of January 2010
- * Affects: PowerDNS Recursor 3.1.7.1 and earlier
- * Not affected: No versions of the PowerDNS Authoritative ('pdns\_server') are affected.
- * Severity: High
- * Impact: Using smart techniques, it is possible to fool the PowerDNS Recursor into accepting unauthorized data
- * Exploit: Withheld
- * Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
- * Workaround: None.
-
-Using specially crafted zones, it is possible to fool the PowerDNS Recursor into accepting bogus data. This data might be harmful to your users. An attacker would be able to divert data from, say, bigbank.com to an IP address of his choosing.
-
-This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in improving PowerDNS security.
+++ /dev/null
-## PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop
-
-
- * CVE: CVE-2012-0206
- * Date: 10th of January 2012
- * Credit: Ray Morris of [BetterCGI.com](http://BetterCGI.com/).
- * Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the exception of 2.9.22.5 and 2.9.22.6)
- * Not affected: No versions of the PowerDNS Recursor ('pdns\_recursor') are affected.
- * Severity: High
- * Impact: Using well crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service
- * Exploit: Proof of concept
- * Risk of system compromise: No
- * Solution: Upgrade to PowerDNS Authoritative Server 2.9.22.5 or 3.0.1
- * Workaround: Several, the easiest is setting: `cache-ttl=0`, which does have a performance impact. Please see below.
-
-Affected versions of the PowerDNS Authoritative Server can be made to respond to DNS responses, thus enabling an attacker to setup a packet loop between two PowerDNS servers, perpetually answering each other's answers. In some scenarios, a server could also be made to talk to itself, achieving the same effect.
-
-If enough bouncing traffic is generated, this will overwhelm the server or network and disrupt service.
-
-As a workaround, if upgrading to a non-affected version is not possible, several options are available. The issue is caused by the packet-cache, which can be disabled by setting 'cache-ttl=0', although this does incur a performance penalty. This can be partially addressed by raising the query-cache-ttl to a (far) higher value.
-
-Alternatively, on Linux systems with a working iptables setup, 'responses' sent to the PowerDNS Authoritative Server 'question' address can be blocked by issuing:
-
-```
- iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C@8>>15&0x01=1" -j DROP
-
-```
-
-If this command is used on a router or firewall, substitute FORWARD for INPUT.
-
-To solve this issue, we recommend upgrading to the latest packages available for your system. Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5 and 3.0.1 have been uploaded to [our download site](http://www.powerdns.com/content/downloads.html). Kees Monshouwer has provided updated CentOS/RHEL packages in [his repository](http://www.monshouwer.eu/download/3th_party/). Debian, Fedora and SuSE should have packages available shortly after this announcement.
-
-For those running custom PowerDNS versions, just applying this patch may be easier:
-
-```
---- pdns/common_startup.cc (revision 2326)
-+++ pdns/common_startup.cc (working copy)
-@@ -253,7 +253,9 @@
- numreceived4++;
- else
- numreceived6++;
--
-+ if(P->d.qr)
-+ continue;
-+
- S.ringAccount("queries", P->qdomain+"/"+P->qtype.getName());
- S.ringAccount("remotes",P->getRemote());
- if(logDNSQueries) {
-```
-
-It should apply cleanly to 3.0 and with little trouble to several older releases, including 2.9.22 and 2.9.21.
-
-This bug resurfaced because over time, the check for 'not responding to responses' moved to the wrong place, allowing certain responses to be processed anyhow.
-
-We would like to thank Ray Morris of [BetterCGI.com](http://BetterCGI.com/) for bringing this issue to our attention and Aki Tuomi for helping us reproduce the problem.
+++ /dev/null
-## PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
-
-* CVE: CVE-2014-3614
-* Date: 10th of September 2014
-* Credit: Dedicated PowerDNS users willing to study a crash that happens once every few months (thanks)
-* Affects: Only PowerDNS Recursor version 3.6.0.
-* Not affected: No other versions of PowerDNS Recursor, no versions of PowerDNS Authoritative Server
-* Severity: High
-* Impact: Crash
-* Exploit: The sequence of packets required is known
-* Risk of system compromise: No
-* Solution: Upgrade to PowerDNS Recursor 3.6.1
-* Workaround: Restrict service using [`allow-from`](../recursor/settings.md#allow-from), install script that restarts PowerDNS
-
-Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin.
-
-Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.
-
-Upgrading to 3.6.1 solves the issue.
-
-In addition, if you want to apply a minimal fix to your own tree, it can be found [here](https://xs.powerdns.com/tmp/minipatch-3.6.1)
-
-As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. Secondly, [this](https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf) and [this](https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service) can be used to enable Upstart and Systemd to restart the PowerDNS Recursor automatically.
+++ /dev/null
-## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
-
-* CVE: CVE-2014-8601
-* Date: 8th of December 2014
-* Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/))
-* Affects: PowerDNS Recursor versions 3.6.1 and earlier
-* Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
-* Severity: High
-* Impact: Degraded service
-* Exploit: This problem can be triggered by sending queries for specifically configured domains
-* Risk of system compromise: No
-* Solution: Upgrade to PowerDNS Recursor 3.6.2
-* Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
-
-Recently we released PowerDNS Recursor 3.6.2 with a new feature that
-strictly limits the amount of work we'll perform to resolve a single query.
-This feature was inspired by performance degradations noted when resolving
-domains hosted by 'ezdns.it', which can require thousands of queries to
-resolve.
-
-During the 3.6.2 release process, we were contacted by a government security
-agency with news that they had found that all major caching nameservers,
-including PowerDNS, could be negatively impacted by specially configured,
-hard to resolve domain names. With their permission, we continued the 3.6.2
-release process with the fix for the issue already in there.
-
-We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively,
-if you want to apply a minimal fix to your own tree, it can be found
-[here](https://downloads.powerdns.com/patches/2014-02/), including patches for older versions.
-
-As for workarounds, only clients in allow-from are able to trigger the
-degraded service, so this should be limited to your userbase.
+++ /dev/null
-## PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
-
-* CVE: CVE-2015-1868 (original), CVE-2015-5470 (update)
-* Date: 23rd of April 2015, updated 7th of July 2015
-* Credit: Aki Tuomi, Toshifumi Sakaguchi
-* Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server 3.2 and up
-* Not affected: Recursor 3.6.4; Recursor 3.7.3; Auth 3.3.3; Auth 3.4.5
-* Severity: High
-* Impact: Degraded service
-* Exploit: This problem can be triggered by sending queries for specifically configured domains, or by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to any of the non-affected versions
-* Workaround: Run your Recursor under a supervisor. Exposure can be limited by
- configuring the [`allow-from`](../recursor/settings.md#allow-from) setting so
- only trusted users can query your nameserver. There is no workaround for the
- Authoritative server.
-
-A bug was discovered in our label decompression code, making it possible for
-names to refer to themselves, thus causing a loop during decompression. On
-some platforms, this bug can be abused to cause crashes. On all platforms,
-this bug can be abused to cause service-affecting CPU spikes.
-
-We recommend that all users upgrade to a corrected version if at all possible.
-Alternatively, if you want to apply a minimal fix to your own tree, please
-[find patches here](https://downloads.powerdns.com/patches/2015-01/).
-
-As for workarounds, for the Recursor: only clients in allow-from are able to
-trigger the degraded service, so this should be limited to your userbase;
-further, we recommend running your critical services under supervision such
-as systemd, supervisord, daemontools, etc.
-
-There is no workaround for the Authoritative Server.
-
-We want to thank Aki Tuomi for noticing this in production, and then digging
-until he got to the absolute bottom of what at the time appeared to be a
-random and spurious failure.
-
-We want to thank Toshifumi Sakaguchi for further investigation into the issue
-after the initial announcement, and for demonstrating to us quite clearly the
-CPU spike issues.
-
-Update 7th of July 2015: Toshifumi Sakaguchi discovered that the original fix
-was insufficient in some cases. Updated versions of the Authoritative Server and
-Recursor [were released](../changelog.md#powerdns-recursor-364) on the 9th of June.
-Minimal patches are [available](http://downloads.powerdns.com/patches/2015-01/).
-The insufficient fix was assigned CVE-2015-5470.
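Review bot: The update paragraph links the minimal patches as `http://downloads.powerdns.com/patches/2015-01/`, while the body of the same advisory uses `https://` for the identical path. Patches should not be offered over plain HTTP; use the `https://` form in the relocated copy. The relative links `../recursor/settings.md#allow-from` and `../changelog.md#powerdns-recursor-364` also need rechecking against the new directory layout.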
+++ /dev/null
-## PowerDNS Security Advisory 2015-02: Packet parsing bug can cause thread or process abortion
-
-* CVE: CVE-2015-5230
-* Date: 2nd of September 2015
-* Credit: Pyry Hakulinen and Ashish Shukla at Automattic
-* Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
-* Not affected: PowerDNS Authoritative Server 3.4.6
-* Severity: High
-* Impact: Degraded service or Denial of service
-* Exploit: This problem can be triggered by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to a non-affected version
-* Workaround: Run the Authoritative Server inside a supervisor when
- `distributor-threads` is set to `1` to prevent Denial of Service.
- No workaround for the degraded service exists
-
-A bug was found in our DNS packet parsing/generation code, which, when exploited,
-can cause individual threads (disabling service) or whole processes (allowing a
-supervisor to restart them) to crash with just one or a few query packets.
-
-PowerDNS Authoritative Server 3.4.0-3.4.5 are affected. No other versions are
-affected. The PowerDNS Recursor is not affected.
-
-[PowerDNS Authoritative Server 3.4.6](../changelog.md#powerdns-authoritative-server-346)
-contains a fix to this issue. A minimal patch is [available here](https://downloads.powerdns.com/patches/2015-02/).
-
-This issue is entirely unrelated to [Security Advisory 2015-01](powerdns-advisory-2015-01.md)/CVE-2015-1868.
-
-We'd like to thank Pyry Hakulinen and Ashish Shukla at Automattic for finding and
-subsequently reporting this bug.
+++ /dev/null
-## PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes
-
-* CVE: CVE-2015-5311
-* Date: November 9th 2015
-* Credit: Christian Hofstaedtler of Deduktiva GmbH
-* Affects: PowerDNS Authoritative Server 3.4.4 through 3.4.6
-* Not affected: PowerDNS Authoritative Server 3.3.x and 3.4.7 and up
-* Severity: High
-* Impact: Degraded service or Denial of service
-* Exploit: This problem can be triggered by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to a non-affected version
-* Workaround: run the process inside the guardian or inside a supervisor
-
-A bug was found using `afl-fuzz` in our packet parsing code. This bug, when
-exploited, causes an assertion error and consequent termination of the the
-`pdns_server` process, causing a Denial of Service.
-
-When the PowerDNS Authoritative Server is run inside the guardian (`--guardian`),
-or inside a supervisor like supervisord or systemd, it will be automatically
-restarted, limiting the impact to a somewhat degraded service.
-
-PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other versions are
-affected. The PowerDNS Recursor is not affected.
-
-[PowerDNS Authoritative Server 3.4.7](../changelog.md#powerdns-authoritative-server-347)
-contains a fix to this issue. A minimal patch is [available here](https://downloads.powerdns.com/patches/2015-03/).
-
-This issue is unrelated to the issues in our previous two Security Announcements
-([2015-01](powerdns-advisory-2015-01.md) and [2015-02](powerdns-advisory-2015-02.md)).
-
-We'd like to thank Christian Hofstaedtler of Deduktiva GmbH for finding and reporting this issue.
+++ /dev/null
-## PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected backend load
-
-* CVE: CVE-2016-5426, CVE-2016-5427
-* Date: 9th of September 2016
-* Credit: Florian Heinz and Martin Kluge
-* Affects: PowerDNS Authoritative Server up to and including 3.4.9
-* Not affected: PowerDNS Authoritative Server 3.4.10, 4.x
-* Severity: Medium
-* Impact: Degraded service or Denial of service
-* Exploit: This problem can be triggered by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to a non-affected version
-* Workaround: Run dnsdist with the rules provided below in front of potentially affected servers, or dimension the backend capacity so that it can handle the increased load.
-
-Two issues have been found in PowerDNS Authoritative Server allowing a remote, unauthenticated attacker to cause an abnormal load on the PowerDNS backend by sending crafted DNS queries, which might result in a partial denial of service if the backend becomes overloaded. SQL backends for example are particularly vulnerable to this kind of unexpected load if they have not been dimensioned for it.
-The first issue is based on the fact that PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes. This issue has been assigned CVE-2016-5426.
-The second issue is based on the fact that PowerDNS Authoritative Server does not properly handle dot inside labels. This issue has been assigned CVE-2016-5427.
-Both issues have been addressed by this [commit](https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3).
-
-PowerDNS Authoritative Server up to and including 3.4.9 is affected. No other versions are affected. The PowerDNS Recursor is not affected.
-
-dnsdist can be used to block crafted queries, using QNameWireLengthRule() to block queries with a qname larger than 255 bytes and QNameLabelsCountRule() to block queries with a very large amount of labels. Please note that restricting the number of labels in a query might lead to unexpected issues, especially with DNSSEC-enabled domains.
-
-We'd like to thank Florian Heinz and Martin Kluge for finding and subsequently reporting this issue.
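Review bot: The Workaround field says to run dnsdist "with the rules provided below", but the body only names `QNameWireLengthRule()` and `QNameLabelsCountRule()` and gives no rule configuration or thresholds. The relocated advisory should either include the actual rules or reword the field to say which rule types to use. The four lines starting at "Two issues have been found" also have no blank lines between them and will render as a single paragraph.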
+++ /dev/null
-# PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage
-
- * CVE: CVE-2016-7068
- * Date: December 15th 2016
- * Credit: Florian Heinz and Martin Kluge
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1, PowerDNS Recursor up to and including 3.7.3, 4.0.3
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2 and PowerDNS Recursor 3.7.4, 4.0.4
- * Severity: Medium
- * Impact: Degraded service or Denial of service
- * Exploit: This issue can be triggered by sending specially crafted query packets
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
- * Workaround: Run dnsdist with the rules provided below in front of potentially affected servers.
-
-An issue has been found in PowerDNS allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour. This issue has been assigned CVE-2016-7068.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. PowerDNS Recursor up to and including 3.7.3 and 4.0.3 are affected.
-
-dnsdist can be used to block crafted queries, using `RecordsCountRule()` and `RecordsTypeCountRule()` to block queries with crafted records.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-02)
-
-We would like to thank Florian Heinz and Martin Kluge for finding and subsequently reporting this issue.
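Review bot: This advisory's title uses a level-one `#` heading, whereas the advisories up to 2016-01 use `##`; the same applies to 2016-03 and 2016-04. Pick one level in the relocated pages so the generated table of contents nests consistently. As in 2016-01, the Workaround field refers to "the rules provided below" while the body only names `RecordsCountRule()` and `RecordsTypeCountRule()`.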
+++ /dev/null
-# PowerDNS Security Advisory 2016-03: Denial of service via the web server
-
- * CVE: CVE-2016-7072
- * Date: December 15th 2016
- * Credit: Mongo
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
- * Severity: Medium
- * Impact: Degraded service or Denial of service
- * Exploit: This issue can be triggered by opening a large number of simultaneous connections to the web server
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
- * Workaround: Disable the web server, or restrict access to it via a firewall.
-
-An issue has been found in PowerDNS Authoritative Server allowing a remote, unauthenticated attacker to cause a denial of service by opening a large number of TCP connections to the web server. If the web server runs out of file descriptors, it triggers an exception and terminates the whole PowerDNS process.
-While it's more complicated for an unauthorized attacker to make the web server run out of file descriptors since its connection will be closed just after being accepted, it might still be possible.
-This issue has been assigned CVE-2016-7072.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. The PowerDNS Recursor is not affected.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-03)
-
-We would like to thank Mongo for finding and subsequently reporting this issue.
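Review bot: The description switches from an "unauthenticated attacker" in its first sentence to an "unauthorized attacker" whose connection "will be closed just after being accepted" in the second, without saying which check makes a client unauthorized. Name that check in the text and state plainly that it only makes file descriptor exhaustion harder ("it might still be possible"), so readers applying the "restrict access to it via a firewall" workaround understand why the firewall is still needed.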
+++ /dev/null
-# PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures
-
- * CVE: CVE-2016-7073 CVE-2016-7074
- * Date: December 15th 2016
- * Credit: Mongo
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1, PowerDNS Recursor from 4.0.0 and up to and including 4.0.3
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2, PowerDNS Recursor < 4.0.0, 4.0.4
- * Severity: Medium
- * Impact: Zone content alteration
- * Exploit: This problem can be triggered by an attacker in position of man-in-the-middle
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
-
-Two issues have been found in PowerDNS Authoritative Server allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures.
-The first issue is a missing check of the TSIG time and fudge values in `AXFRRetriever`, leading to a possible replay attack. This issue has been assigned CVE-2016-7073.
-The second issue is a missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not covered by the TSIG signature. This issue has been assigned CVE-2016-7074.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. PowerDNS Recursor from 4.0.0 up to and including 4.0.3 are affected.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-04)
-
-We would like to thank Mongo for finding and subsequently reporting this issue.
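Review bot: The description opens with "Two issues have been found in PowerDNS Authoritative Server", yet the Affects bullet and the paragraph after the description both include PowerDNS Recursor 4.0.0 through 4.0.3. Make the opening sentence cover both products, or say which of CVE-2016-7073 and CVE-2016-7074 applies to the Recursor. The header also has no Workaround bullet, unlike 2016-02 and 2016-03, and the two CVE ids on the CVE line are separated only by a space; an explicit workaround line (even if it says none exists) and a comma would keep the advisories uniform.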
+++ /dev/null
-# PowerDNS Security Advisory 2016-05: Crafted zone record can cause a denial of service
-
- * CVE: CVE-2016-2120
- * Date: December 15th 2016
- * Credit: Mathieu Lafon
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
- * Severity: Medium
- * Impact: Denial of service
- * Exploit: This issue can be triggered by inserting a specially crafted record in a zone
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
-
-An issue has been found in PowerDNS Authoritative Server allowing an authorized user to crash the server by inserting a specially crafted record in a zone under their control then sending a DNS query for that record.
-The issue is due to an integer overflow when checking if the content of the record matches the expected size, allowing an attacker to cause a read past the buffer boundary. This issue has been assigned CVE-2016-2120.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. The PowerDNS Recursor is not affected.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-05)
-
-We would like to thank Mathieu Lafon for finding and subsequently reporting this issue.
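Review bot: The header has no Workaround bullet, and the description only says the crash needs "a specially crafted record" inserted by "an authorized user", so an operator who cannot upgrade is left with the patch link and no interim guidance. Add an explicit Workaround line, stating either that none exists or that the exposure is limited to parties allowed to insert records into zones, so the header matches the layout used in 2016-02 and 2016-03.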
- List of Settings: recursor/settings.md
- Security:
- Security Policy: security/index.md
- - Advisory 2016-05: security/powerdns-advisory-2016-05.md
- - Advisory 2016-04: security/powerdns-advisory-2016-04.md
- - Advisory 2016-03: security/powerdns-advisory-2016-03.md
- - Advisory 2016-02: security/powerdns-advisory-2016-02.md
- - Advisory 2016-01: security/powerdns-advisory-2016-01.md
- - Advisory 2015-03: security/powerdns-advisory-2015-03.md
- - Advisory 2015-02: security/powerdns-advisory-2015-02.md
- - Advisory 2015-01: security/powerdns-advisory-2015-01.md
- - Advisory 2014-02: security/powerdns-advisory-2014-02.md
- - Advisory 2014-01: security/powerdns-advisory-2014-01.md
- - Advisory 2012-01: security/powerdns-advisory-2012-01.md
- - Advisory 2010-02: security/powerdns-advisory-2010-02.md
- - Advisory 2010-01: security/powerdns-advisory-2010-01.md
- - Advisory 2008-03: security/powerdns-advisory-2008-03.md
- - Advisory 2008-02: security/powerdns-advisory-2008-02.md
- - Advisory 2008-01: security/powerdns-advisory-2008-01.md
- - Advisory 2006-02: security/powerdns-advisory-2006-02.md
- - Advisory 2006-01: security/powerdns-advisory-2006-01.md
- Tools and Appendices:
- Backend Writer's Guide: appendix/backend-writers-guide.md
- Cryptographic software and export control: appendix/crypto-notes-export.md
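Review bot: The Advisory entries removed from the Security section run from 2016-05 down to 2006-01, eighteen pages in all, which leaves "Security Policy: security/index.md" as the only security page in the navigation. Confirm that each of those eighteen files is deleted or relocated in this same change, so that none is left in the tree as an orphaned page, and that security/index.md links to wherever the advisories now live.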