From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Wed, 22 Apr 2015 13:00:00 +0000 (+0200)
Subject: advisory 2015-01; release notes for the 3 related releases
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~98^2~7
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00cb867d38cc203503ab03ae4b1262409e7dc0c3;p=pdns

advisory 2015-01; release notes for the 3 related releases
---

diff --git a/docs/markdown/changelog.md.raw b/docs/markdown/changelog.md.raw
index e6583ef76..60e7e60d1 100644
--- a/docs/markdown/changelog.md.raw
+++ b/docs/markdown/changelog.md.raw
@@ -2,10 +2,14 @@
 
 # PowerDNS Recursor 3.7.2
 
-UNRELEASED
+Released 23rd of April, 2015
+
+Among other bug fixes and improvements (as listed below), this release incorporates a fix for 
+CVE-2015-1868, as detailed in [PowerDNS Security Advisory 2015-01](security/powerdns-advisory-2015-01.md)
 
 Bug fixes:
 
+- [commit adb10be](https://github.com/PowerDNS/pdns/commit/adb10be) [commit 3ec3e0f](https://github.com/PowerDNS/pdns/commit/3ec3e0f) [commit dc02ebf](https://github.com/PowerDNS/pdns/commit/dc02ebf) Fix handling of forward references in label compressed packets; fixes CVE-2015-1868
 - [commit a7be3f1](https://github.com/PowerDNS/pdns/commit/a7be3f1): make sure
 we never call sendmsg with msg_control!=NULL && msg_controllen>0. Fixes
 [ticket #2227](https://github.com/PowerDNS/pdns/issues/2227)
@@ -14,23 +18,28 @@ robustness of root-nx-trust.
 
 Improvements:
 
-- [commit bcca91e](https://github.com/PowerDNS/pdns/commit/bcca91e): move
-recursor-git build script from jenkins config into git
 - [commit 99c595b](https://github.com/PowerDNS/pdns/commit/99c595b): Silence
 warnings that always occur on FreeBSD (Ruben Kerkhof)
-- [commit c085978](https://github.com/PowerDNS/pdns/commit/c085978): Start
-pdns-recursor before nss-lookup.target (Ruben Kerkhof)
-- [commit 7a18b45](https://github.com/PowerDNS/pdns/commit/7a18b45): remove
-the parts that are wrong from this readme, add some stuff that is right
+
+# PowerDNS Recursor 3.6.3
+
+Released 23rd of April, 2015
+
+The only difference between Recursor 3.6.2 and 3.6.3 is a fix for CVE-2015-1868, as detailed in [PowerDNS Security Advisory 2015-01](security/powerdns-advisory-2015-01.md)
 
 # PowerDNS Authoritative Server 3.4.4
 
+Released 23rd of April, 2015
+
 **Warning**: Version 3.4.4 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
 
-UNRELEASED
+Among other bug fixes and improvements (as listed below), this release incorporates a fix for 
+CVE-2015-1868, as detailed in [PowerDNS Security Advisory 2015-01](security/powerdns-advisory-2015-01.md)
 
 Bug fixes:
 
+- [commit ac3ae09](https://github.com/PowerDNS/pdns/commit/ac3ae09): fix rectify-(all)-zones for mixed case domain names
+- [commit 2dea55e](https://github.com/PowerDNS/pdns/commit/2dea55e), [commit 032d565](https://github.com/PowerDNS/pdns/commit/032d565), [commit 55f2dbf](https://github.com/PowerDNS/pdns/commit/55f2dbf): fix CVE-2015-1868
 - [commit 21cdbe5](https://github.com/PowerDNS/pdns/commit/21cdbe5): Blocking
 IO in busy-wait for remote backend (Wieger Opmeer)
 - [commit cc7b2ac](https://github.com/PowerDNS/pdns/commit/cc7b2ac): fix
@@ -43,6 +52,7 @@ segfault in zone2lmdb (Ruben Kerkhof)
 
 New Features:
 
+- [commit 5ae212e](https://github.com/PowerDNS/pdns/commit/5ae212e): pdnssec: warn for insecure wildcards in opt-out zones
 - commits [cd3f21c](https://github.com/PowerDNS/pdns/commit/cd3f21c),
 [8b582f6](https://github.com/PowerDNS/pdns/commit/8b582f6),
 [0b7e766](https://github.com/PowerDNS/pdns/commit/0b7e766),
@@ -73,10 +83,11 @@ xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
 
 Improvements:
 
+- [commit e4f48ab](https://github.com/PowerDNS/pdns/commit/e4f48ab): allow "pdnssec set-nsec3 ZONE" for insecure zones; this saves on one rectify when securing a NSEC3 zone
 - commits [cce95b9](https://github.com/PowerDNS/pdns/commit/cce95b9),
 [e2e9243](https://github.com/PowerDNS/pdns/commit/e2e9243) and
 [e82da97](https://github.com/PowerDNS/pdns/commit/e82da97): Improvements
-to the config-file parsing (Aki Tumomi)
+to the config-file parsing (Aki Tuomi)
 - [commit 2180e21](https://github.com/PowerDNS/pdns/commit/2180e21):
 postgresql check should not touch LDFLAGS (Ruben Kerkhof)
 - [commit 0481021](https://github.com/PowerDNS/pdns/commit/0481021): Log error
@@ -100,6 +111,7 @@ we send servfail on error (Aki Tuomi)
 lmdb-example.pl in tarball (Ruben Kerkhof)
 - [commit 9e6b24f](https://github.com/PowerDNS/pdns/commit/9e6b24f): Allocate
 TCP buffer dynamically, decreasing stack usage
+- [commit 267fdde](https://github.com/PowerDNS/pdns/commit/267fdde): throw if getSOA gets non-SOA record
 
 # PowerDNS Authoritative Server 3.4.3
 
diff --git a/docs/markdown/security/index.md b/docs/markdown/security/index.md
index f91e60bac..d702cb663 100644
--- a/docs/markdown/security/index.md
+++ b/docs/markdown/security/index.md
@@ -4,7 +4,9 @@ If you have a security problem to report, please email us at both `<security@net
 
 We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
 
-As of the 8th of December 2014, no actual security problems with PowerDNS Authoritative Server 2.9.22.5, 3.0.1, Recursor 3.6.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+As of the 23rd of April 2015, no actual security problems with PowerDNS Authoritative Server 3.4.4, Recursor 3.6.3, Recursor 3.7.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+
+All recent Recursor versions up to and including 3.6.2 and 3.7.1, and all recent Authoritative servers up to and including version 3.4.3, can in specific situations be crashed with a malformed packet. For more detail, see [PowerDNS Security Advisory 2015-01](powerdns-advisory-2015-01.md)
 
 All Recursor versions up to and including 3.6.1 can be made to provide degraded service. For more detail, see [PowerDNS Security Advisory 2014-02](powerdns-advisory-2014-02.md)
 
diff --git a/docs/markdown/security/powerdns-advisory-2015-01.md b/docs/markdown/security/powerdns-advisory-2015-01.md
new file mode 100644
index 000000000..95dcf6140
--- /dev/null
+++ b/docs/markdown/security/powerdns-advisory-2015-01.md
@@ -0,0 +1,40 @@
+## PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes on specific platforms
+
+* CVE: CVE-2015-1868
+* Date: 23rd of April 2015
+* Credit: Aki Tuomi
+* Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server 3.2 and up
+* Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4
+* Severity: High
+* Impact: Degraded service
+* Exploit: This problem can be triggered by sending queries for specifically configured domains
+* Risk of system compromise: No
+* Solution: Upgrade to any of the non-affected versions
+* Workaround: Run your Recursor under a supervisor. Exposure can be limited by
+  configuring the [`allow-from`](../recursor/settings.md#allow-from) setting so
+  only trusted users can query your nameserver.
+
+A bug was discovered in our label decompression code, making it possible for
+names to refer to themselves, thus causing a loop during decompression. This
+loop is capped at a 1000 iterations by a failsafe, making the issue harmless
+on most platforms.
+
+However, on specific platforms (so far, we are only aware of this happening on
+RHEL5/CentOS5), the recursion involved in these 1000 steps causes memory
+corruption leading to a quick crash, presumably because the default stack is
+too small.
+
+We recommend that all users upgrade to a corrected version if at all possible.
+Alternatively, if you want to apply a minimal fix to your own tree, please
+[find patches here](https://downloads.powerdns.com/patches/2015-01/).
+
+These should be trivial to backport to older versions by hand.
+
+As for workarounds, only clients in allow-from are able to trigger the
+degraded service, so this should be limited to your userbase; further,  we
+recommend running your critical services under supervision such as systemd,
+supervisord, daemontools, etc.
+
+We want to thank Aki Tuomi for noticing this in production, and then digging
+until he got to the absolute bottom of what at the time appeared to be a
+random and spurious failure.
\ No newline at end of file
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 688a95d06..2f6d6d19c 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -53,6 +53,7 @@ pages:
   - [recursor/internals.md, 'Recursor', 'Internals']
   - [recursor/settings.md, 'Recursor', 'List of Settings']
   - [security/index.md, 'Security', 'Security Policy']
+  - [security/powerdns-advisory-2015-01.md, 'Security', 'Advisory 2015-01']
   - [security/powerdns-advisory-2014-02.md, 'Security', 'Advisory 2014-02']
   - [security/powerdns-advisory-2014-01.md, 'Security', 'Advisory 2014-01']
   - [security/powerdns-advisory-2012-01.md, 'Security', 'Advisory 2012-01']