the documentation updates including the security vulnerabilities
authorBert Hubert <bert.hubert@netherlabs.nl>
Thu, 7 Jan 2010 11:55:11 +0000 (11:55 +0000)
committerBert Hubert <bert.hubert@netherlabs.nl>
Thu, 7 Jan 2010 11:55:11 +0000 (11:55 +0000)
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1491 d19b8d6e-7fed-0310-83ef-9ca221ded41b

pdns/docs/pdns.sgml

index c9b04a1943711a1e3ca10ae04ecb3a30a457e186..ee124c4fdabf1bd49addb53faa34d518b8c8b56e 100644 (file)
            </itemizedlist>     
            </para>     
       </sect2>
+      <sect2 id="changelog-recursor-3-1-7-2"><title>Recursor version 3.1.7.2</title>
+       <para>
+         <warning>
+           <para>
+             Released on the 6th of January 2010.
+           </para>
+         </warning>
+       </para>
+       <para>
+         This release consist of a number of vital security updates. These updates address issues
+         that can in all likelihood lead to a full system compromise. In addition, it is possible for
+         third parties to pollute your cache with dangerous data, exposing your users to possible harm.
+       </para>
+       <para>
+         This version has been well tested, and at the time of this release is already powering millions 
+         of internet connections, and should therefore be a risk-free upgrade from 3.1.7.1 or any earlier
+         version of the PowerDNS Recursor.
+       </para>
+       <para>
+         All known versions of the PowerDNS Recursor are impacted to a greater or lesser extent, so an immediate update is advised.
+       </para>
+       <para>
+         These vulnerabilities were discovered by a  third party that can't yet be named,
+         but who we thank for their contribution to a more secure PowerDNS Recursor.
+       </para>
+       <para>
+         For more information, see <xref linkend="powerdns-advisory-2010-01"> and <xref linkend="powerdns-advisory-2010-02">.
+       </para>
+      </sect2>
 
       <sect2 id="changelog-recursor-3-1-7-1"><title>Recursor version 3.1.7.1</title>
        <para>
@@ -6416,10 +6445,15 @@ name         IN            A        1.2.3.4
       </para>
 
       <para>
-       As of the 6th of August 2008, no actual security problems with PowerDNS 2.9.21.1, Recursor 3.1.5, or later are known about.  This page 
+       As of the 6th of January 2010, no actual security problems with PowerDNS 2.9.22, Recursor 3.1.7.2, or later are known about.  This page 
        will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications
        will also be sent to all PowerDNS mailinglists.
       </para>
+      <para>
+       Version 3.1.7.1 and earlier of the PowerDNS recursor were vulnerable to a probably exploitable buffer overflow and a spoofing attack. 
+       For more detail, see <xref linkend="powerdns-advisory-2010-01"> and
+       <xref linkend="powerdns-advisory-2010-02">.
+      </para>
       <para>
        Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see <xref linkend="powerdns-advisory-2008-01">.
       </para>
@@ -6968,6 +7002,190 @@ name         IN            A        1.2.3.4
        occurs on receiving a CH HINFO query. 
       </para>
     </sect1>
+    <sect1 id="powerdns-advisory-2010-01">
+      <title>PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited</title>
+      <para>
+       <table>
+         <title>PowerDNS Security Advisory</title>
+         <tgroup cols=2>
+           <tbody>
+             <row>
+               <entry>
+                 CVE
+               </entry>
+               <entry>
+                 CVE-2009-4009
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Date
+               </entry>
+               <entry>
+                 6th of January 2010
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Affects
+               </entry>
+               <entry>
+                 PowerDNS Recursor 3.1.7.1 and earlier
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Not affected
+               </entry>
+               <entry>
+                 No versions of the PowerDNS Authoritative ('pdns_server') are affected. 
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Severity 
+               </entry>
+               <entry>
+                 Critical
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Impact
+               </entry>
+               <entry>
+                 Denial of Service, possible full system compromise
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Exploit
+               </entry>
+               <entry>
+                 Withheld
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Solution
+               </entry>
+               <entry>
+                 Upgrade to PowerDNS Recursor 3.1.7.2 or higher
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Workaround
+               </entry>
+               <entry>
+                 None. The risk of exploitation or denial of service can be decreased slightly by using the 'allow-from' setting to only provide service to known users. The risk of a full system 
+                 compromise can be reduced by running with a suitable reduced privilege user and group settings, and possibly chroot environment.
+               </entry>
+             </row>
+           </tbody>
+         </tgroup>
+       </table>
+      </para>
+      <para>
+       Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash.
+      </para>
+      <para>
+       This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in 
+       improving PowerDNS security.
+      </para>
+    </sect1>
+    <sect1 id="powerdns-advisory-2010-02">
+      <title>PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data</title>
+      <para>
+       <table>
+         <title>PowerDNS Security Advisory</title>
+         <tgroup cols=2>
+           <tbody>
+             <row>
+               <entry>
+                 CVE
+               </entry>
+               <entry>
+                 CVE-2009-4010
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Date
+               </entry>
+               <entry>
+                 6th of January 2010
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Affects
+               </entry>
+               <entry>
+                 PowerDNS Recursor 3.1.7.1 and earlier
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Not affected
+               </entry>
+               <entry>
+                 No versions of the PowerDNS Authoritative ('pdns_server') are affected. 
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Severity 
+               </entry>
+               <entry>
+                 High
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Impact
+               </entry>
+               <entry>
+                 Using smart techniques, it is possible to fool the PowerDNS Recursor into accepting unauthorized data
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Exploit
+               </entry>
+               <entry>
+                 Withheld
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Solution
+               </entry>
+               <entry>
+                 Upgrade to PowerDNS Recursor 3.1.7.2 or higher
+               </entry>
+             </row>
+             <row>
+               <entry>
+                 Workaround
+               </entry>
+               <entry>
+                 None. 
+               </entry>
+             </row>
+           </tbody>
+         </tgroup>
+       </table>
+      </para>
+      <para>
+       Using specially crafted zones, it is possible to fool the PowerDNS Recursor into accepting bogus data. This data might be harmful to your users.
+       An attacker would be able to divert data from, say, bigbank.com to an IP address of his choosing.
+      </para>
+      <para>
+       This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in 
+       improving PowerDNS security.
+      </para>
+    </sect1>
 
     <sect1 id="thanks-to"><title>Acknowledgements</title>
       <para>