From: Otto Moerbeek Date: Mon, 22 Aug 2022 12:00:15 +0000 (+0200) Subject: Add 2022-02 PSA X-Git-Tag: rec-4.8.0-alpha1~50^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4c210ea1ab802672751b2998d70d3ab976ce44a;p=thirdparty%2Fpdns.git Add 2022-02 PSA --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 9ab5d0e16e..dae49360f4 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022082209 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022082302 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst new file mode 100644 index 0000000000..55f03aa46d --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-02.rst @@ -0,0 +1,22 @@ +PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation +======================================================================================================== + +- CVE: CVE-2022-37428 +- Date: 23th of August 2022. +- Affects: PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1 +- Not affected: PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by a remote attacker with access to the recursor if protobuf logging is enabled +- Risk of system compromise: None +- Solution: Upgrade to patched version, disable protobuf logging of responses + +This issue only affects recursors which have protobuf logging enabled using the + + protobufServer function with logResponses=true or + + outgoingProtobufServer function with logResponses=true + +If either of these functions is used without specifying logResponses, its value is true. +An attacker needs to have access to the recursor, i.e. the remote IP must be in the access control list. +If an attacker queries a name that leads to an answer with specific properties, a protobuf message might be generated that causes an exception. The code does not handle this exception correctly, causing a denial of service.