From: Erik Winkels Date: Mon, 22 Jan 2018 12:45:13 +0000 (+0100) Subject: Update changelog and secpoll for rec-4.1.1. X-Git-Tag: dnsdist-1.3.0~142^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f754ca9c3c34ea7ae0884c7b8174af2a725075a6;p=pdns Update changelog and secpoll for rec-4.1.1. Add security advisory 2018-01. --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 00a822d0f..c95617e40 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2017121101 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018012201 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. ; Auth @@ -148,7 +148,8 @@ recursor-4.1.0-alpha1.security-status 60 IN TXT "3 Unsupported recursor-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" recursor-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" recursor-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)" -recursor-4.1.0.security-status 60 IN TXT "1 OK" +recursor-4.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html" +recursor-4.1.1.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/pdns/recursordist/docs/changelog/4.1.rst b/pdns/recursordist/docs/changelog/4.1.rst index 396572b4f..2b3d9d100 100644 --- a/pdns/recursordist/docs/changelog/4.1.rst +++ b/pdns/recursordist/docs/changelog/4.1.rst @@ -1,6 +1,75 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.1 + :released: 22nd of January 2018 + + This is the second release in the 4.1 train. + + This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`. + + The full release notes can be read `on the blog `_. + + This is a release on the stable branch and contains a fix for the + abovementioned security issue and several bug fixes from the + development branch. + + .. change:: + :tags: DNSSEC, Bug Fixes + :pullreq: 6215 + + Correctly handle ancestor delegation NSEC{,3} for children. Fixes + the DNSSEC validation issue found in Knot Resolver, where a NSEC{3} + ancestor delegation is wrongly use to prove the non-existence of a + RR below the delegation. + We already had the correct check for the exact owner name, but not + for RRs below the delegation. + (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`) + + .. change:: + :tags: Internals, Bug Fixes + :pullreq: 6209 + :tickets: 6212 + + Fix to make ``primeHints`` threadsafe, otherwise there's a small + chance on startup that the root-server IPs will be incorrect. + + .. change:: + :tags: Internals, Improvements + :pullreq: 6085 + :tickets: 6198 + + Don't process records for another class than IN. We don't use + records of another class than IN, but we used to store some of them + in the cache which is useless. Just skip them. + + .. change:: + :tags: DNSSEC, Bug Fixes + :pullreq: 6092 + :tickets: 6199 + + Fix the computation of the closest encloser for positive + answers. When the positive answer is expanded from a wildcard with + NSEC3, the closest encloser is not always parent of the qname, + depending on the number of labels in the initial wildcard. + + .. change:: + :tags: DNSSEC, Bug Fixes + :pullreq: 6095 + :tickets: 6200 + + Pass the correct buffer size to ``arecvfrom()``. The incorrect size + could possibly cause DNSSEC failures. + + .. change:: + :tags: Bug Fixes + :pullreq: 6137 + :tickets: 6201 + + Don't validate signature for "glue" CNAME, since anything else than + the initial CNAME can't be considered authoritative. + .. changelog:: :version: 4.1.0 :released: 4th of December 2017 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-01.rst new file mode 100644 index 000000000..d7de6b4b6 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2018-01.rst @@ -0,0 +1,28 @@ +PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures +================================================================================ + +- CVE: CVE-2018-1000003 +- Date: January 22nd 2018 +- Credit: CZ.NIC +- Affects: PowerDNS Recursor 4.1.0 +- Not affected: PowerDNS Recursor < 4.1.0, 4.1.1 +- Severity: Low +- Impact: Denial of existence spoofing +- Exploit: This problem can be triggered by an attacker in position of + man-in-the-middle +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in the DNSSEC validation component of PowerDNS Recursor, +allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully +prove the non-existence of a RR below the owner name of that record. This would +allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer +for a name that does exist. This issue has been assigned TBD. + +PowerDNS Recursor 4.1.0 is affected. + +For those unable to upgrade to a new version, a minimal patch is +`available `__ + +We would like to thank CZ.NIC for finding and subsequently reporting this +issue.