oss-sec mailing list archives
Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 (CVE-2023-22617)
From: Otto Moerbeek <otto.moerbeek () powerdns com>
Date: Fri, 20 Jan 2023 13:19:43 +0100 (CET)
Hello,

Today we have released PowerDNS Recursor 4.8.1 due to a high severity issue found. Please find the full text of the advisory below.

The [1]changelog is available. The [2]tarball ([3]signature) is available from our download [4]server. Patches are available at [5]patches. Packages for various distributions are available from our [6]repository.

Note that PowerDNS Recursor 4.5.x and older releases are End of Life. Consult the [7]EOL policy for more details.

__________________________________________________________________

PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination

  * CVE: CVE-2023-22617
  * Date: 20th of January 2023
  * Affects: PowerDNS Recursor 4.8.0
  * Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
  * Severity: High
  * Impact: Denial of service
  * Exploit: This problem can be triggered by a remote attacker with access to the recursor by querying names from specific mis-configured domains
  * Risk of system compromise: None
  * Solution: Upgrade to patched version

CVSS 3.0 score: 8.2 (High)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C

Thanks to applied-privacy.net for reporting this issue and their assistance in diagnosing it.

References

1. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1
2. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2
3. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2.sig
4. https://downloads.powerdns.com/releases/
5. https://downloads.powerdns.com/patches/2023-01/
6. https://repo.powerdns.com/
7. https://docs.powerdns.com/recursor/appendices/EOL.html

--
kind regards,
Otto Moerbeek
PowerDNS Developer

Email: otto.moerbeek () open-xchange com

-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------