From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Mon, 8 Dec 2014 09:48:53 +0000 (+0000)
Subject: PowerDNS Security Advisory 2014-02
X-Git-Tag: rec-3.7.0-rc1~135
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a73076549b8fb4c1fc42d4239647fd61a918f4ca;p=pdns

PowerDNS Security Advisory 2014-02
---

diff --git a/pdns/docs/markdown/changelog.md b/pdns/docs/markdown/changelog.md
index 64828e102..423e45788 100644
--- a/pdns/docs/markdown/changelog.md
+++ b/pdns/docs/markdown/changelog.md
@@ -7,7 +7,7 @@
 [Official download page](https://www.powerdns.com/downloads.html)
 
 A list of changes since 3.6.1 follows.
--   [commit ab14b4f](https://github.com/PowerDNS/pdns/commit/ab14b4f): expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries)
+-   [commit ab14b4f](https://github.com/PowerDNS/pdns/commit/ab14b4f): expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries). This also prevents the issue documented in [PowerDNS Security Advisory 2014-02](security/powerdns-advisory-2014-02/) (CVE-2014-8601)
 -   [commit 42025be](https://github.com/PowerDNS/pdns/commit/42025be): PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in [Security polling](common/security.md#security-polling).
 -   [commit 5027429](https://github.com/PowerDNS/pdns/commit/5027429): We did not transmit the right 'local' socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to lookup a filedescriptor that wasn't there in an unlocked map which could conceivably lead to crashes. Closes [ticket 1828](https://github.com/PowerDNS/pdns/issues/1828), thanks Winfried for reporting
 -   [commit 752756c](https://github.com/PowerDNS/pdns/commit/752756c): Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
diff --git a/pdns/docs/markdown/security/index.md b/pdns/docs/markdown/security/index.md
index ec25cdb3d..f91e60bac 100644
--- a/pdns/docs/markdown/security/index.md
+++ b/pdns/docs/markdown/security/index.md
@@ -4,7 +4,9 @@ If you have a security problem to report, please email us at both `<security@net
 
 We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
 
-As of the 25th of September 2012, no actual security problems with PowerDNS 2.9.22.5, 3.0.1, Recursor 3.1.7.2, or later are known about, with the exception of Recursor 3.6.0 specifically. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+As of the 8th of December 2014, no actual security problems with PowerDNS Authoritative Server 2.9.22.5, 3.0.1, Recursor 3.6.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+
+All Recursor versions up to and including 3.6.1 can be made to provide degraded service. For more detail, see [PowerDNS Security Advisory 2014-02](powerdns-advisory-2014-02.md)
 
 Version 3.6.0 of the Recursor (but not 3.5.x) can be crashed remotely with a specific packet sequence. For more detail, see [PowerDNS Security Advisory 2014-01](powerdns-advisory-2014-01.md)
 
diff --git a/pdns/docs/markdown/security/powerdns-advisory-2014-02.md b/pdns/docs/markdown/security/powerdns-advisory-2014-02.md
new file mode 100644
index 000000000..9c79c069d
--- /dev/null
+++ b/pdns/docs/markdown/security/powerdns-advisory-2014-02.md
@@ -0,0 +1,32 @@
+## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
+
+* CVE: CVE-2014-8601
+* Date: 8th of December 2014
+* Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/))
+* Affects: PowerDNS Recursor versions 3.6.1 and earlier
+* Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
+* Severity: High
+* Impact: Degraded service
+* Exploit: This problem can be triggered by sending queries for specifically configured domains
+* Risk of system compromise: No
+* Solution: Upgrade to PowerDNS Recursor 3.6.2
+* Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
+
+Recently we released PowerDNS Recursor 3.6.2 with a new feature that
+strictly limits the amount of work we'll perform to resolve a single query.
+This feature was inspired by performance degradations noted when resolving
+domains hosted by 'ezdns.it', which can require thousands of queries to
+resolve.
+
+During the 3.6.2 release process, we were contacted by a government security
+agency with news that they had found that all major caching nameservers,
+including PowerDNS, could be negatively impacted by specially configured,
+hard to resolve domain names. With their permission, we continued the 3.6.2
+release process with the fix for the issue already in there.
+
+We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively,
+if you want to apply a minimal fix to your own tree, it can be found
+[here](https://downloads.powerdns.com/patches/2014-02/), including patches for older versions.
+
+As for workarounds, only clients in allow-from are able to trigger the
+degraded service, so this should be limited to your userbase.
diff --git a/pdns/docs/mkdocs.yml b/pdns/docs/mkdocs.yml
index e5f93a2b5..0f0beab0c 100644
--- a/pdns/docs/mkdocs.yml
+++ b/pdns/docs/mkdocs.yml
@@ -51,6 +51,7 @@ pages:
   - [recursor/internals.md, 'Recursor', 'Internals']
   - [recursor/settings.md, 'Recursor', 'List of Settings']
   - [security/index.md, 'Security', 'Security Policy']
+  - [security/powerdns-advisory-2014-02.md, 'Security', 'Advisory 2014-02']
   - [security/powerdns-advisory-2014-01.md, 'Security', 'Advisory 2014-01']
   - [security/powerdns-advisory-2012-01.md, 'Security', 'Advisory 2012-01']
   - [security/powerdns-advisory-2010-02.md, 'Security', 'Advisory 2010-02']