From: bert hubert Date: Wed, 10 Sep 2014 08:42:24 +0000 (+0200) Subject: docs for 3.6.1 plus security notification X-Git-Tag: auth-3.4.0-rc2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8bfeb00e85b21ba2ffedd3d340a2a3ba6ab1554;p=thirdparty%2Fpdns.git docs for 3.6.1 plus security notification --- diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml index 9374b009e3..a2f240a2bc 100644 --- a/pdns/docs/pdns.xml +++ b/pdns/docs/pdns.xml @@ -93,6 +93,52 @@ Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately. + PowerDNS Recursor 3.6.1 + + + Version 3.6.1 is a mandatory security upgrade to 3.6.0! Released on the 10th of September 2014. + + + + PowerDNS Recursor 3.6.0 could crash with a specific sequence of packets. For more details, see + . PowerDNS Recursor 3.6.1 was very well tested, and is in full + production already, so it should be a safe upgrade. + + + Downloads: + + + + Official download page + + + + + + In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds + a debugging feature: + + + + We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). + Fixed in gc90fcbd , closing t1663. + + + + + Improve systemd startup timing with respect to network availability (gcf86c6a), thanks to Morten Stevens. + + + + + Realtime telemetry can now be enabled at runtime, for example with 'rec_control carbon-server 82.94.213.34 ourname1234'. + This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific + invocation will make your stats appear automatically on our public telemetry server. + + + + + PowerDNS Authoritative Server 3.4.0 
@@ -11485,7 +11531,7 @@ name IN A 192.0.2.4 - PowerDNS Security Advisory 2008-02: Some PowerDNS Configurations can be forced to restart remotely + PowerDNS Security Advisory 2008-03: Some PowerDNS Configurations can be forced to restart remotely PowerDNS Security Advisory @@ -11916,6 +11962,134 @@ name IN A 192.0.2.4 Aki Tuomi for helping us reproduce the problem. + + PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.1 can be crashed remotely + +
+ PowerDNS Security Advisory + + + + + CVE + + + CVE-2014-3614 + + + + + Date + + + 10th of September 2014 + + + + + Credit + + + Dedicated PowerDNS users willing to study a crash that happens once every few months (thanks) + + + + + Affects + + + Only PowerDNS Recursor version 3.6.0. + + + + + Not affected + + + No other versions of PowerDNS Recursor, no versions of PowerDNS Authoritative Server + + + + + Severity + + + High + + + + + Impact + + + Crash + + + + + Exploit + + + The sequence of packets required is known + + + + + Risk of system compromise + + + No + + + + + Solution + + + Upgrade to PowerDNS Recursor 3.6.1 + + + + + Workaround + + + Restrict service using allow-from, install script that restarts PowerDNS + + + + +
+
+ +Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) +can crash when exposed to a specific sequence of malformed packets. This +sequence happened spontaneously with one of our largest deployments, and +the packets did not appear to have a malicious origin. + +Yet, this crash can be triggered remotely, leading to a denial of service +attack. There appears to be no way to use this crash for system compromise +or stack overflow. + + +Upgrading to 3.6.1 solves the issue. + + +In addition, if you want to apply a minimal fix to your own tree, it can be found +here + + +As for workarounds, only clients in allow-from are able to trigger the crash, +so this should be limited to your userbase. Secondly, +this +and +this +can be used to enable Upstart and Systemd to restart the PowerDNS Recursor +automatically. + + +
+ Acknowledgements PowerDNS is grateful for the help of the following people or institutions:
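Review bot: in the first hunk (the 3.6.1 changelog), the IPv4-mapped IPv6 example is written as `:ffff.1.2.3.4`, which is not a valid address; the textual form of an IPv4-mapped address is `::ffff:1.2.3.4` (RFC 4291, section 2.5.5.2), so the entry should read "in some cases (::ffff:1.2.3.4)". In the same hunk, the `rec_control carbon-server 82.94.213.34 ourname1234` example is documented as making a server's stats "appear automatically on our public telemetry server"; since that publishes operational data off-host, the entry should say so plainly next to the command and state how the setting is switched off again at runtime, so that an operator who copies the example does not publish stats by accident.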
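Review bot: the second hunk changes only the title text of the 2008 advisory from "2008-02" to "2008-03"; anything else in pdns.xml that still carries the old number (the section's id or anchor, the advisory list, and any cross-references to it) needs to change in the same commit, otherwise existing links to the advisory will point at a title that no longer matches.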
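Review bot: in the third hunk the new advisory's title reads "PowerDNS Recursor 3.6.1 can be crashed remotely", but the Affects row says "Only PowerDNS Recursor version 3.6.0", the Solution row says "Upgrade to PowerDNS Recursor 3.6.1", and the body says 3.6.0 "(but NOT earlier)"; as written the title names the fixed version as the vulnerable one, so it should say 3.6.0. In the same hunk, the Workaround row and the body rely on `allow-from` to limit who can trigger the crash, yet the body only describes the trigger as "a specific sequence of malformed packets" without saying they are client queries; state that explicitly, because `allow-from` restricts only who may send queries and does nothing against packets arriving as responses from upstream servers, and readers need to know which case applies before trusting the workaround.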