oss-sec mailing list archives
[Fwd: [Pdns-announce] security advisories for Authoritative 4.3.1, 4.2.3, 4.1.14]
From: Peter van Dijk <peter.van.dijk () powerdns com>
Date: Tue, 22 Sep 2020 22:34:23 +0200
-------- Forwarded Message -------- From: Peter van Dijk via Pdns-announce < pdns-announce () mailman powerdns com> Reply-To: Peter van Dijk <peter.van.dijk () powerdns com> To: pdns-announce () mailman powerdns com, pdns-dev () mailman powerdns com, pdns-users () mailman powerdns com Subject: [Pdns-announce] security advisories for Authoritative 4.3.1, 4.2.3, 4.1.14 Date: Tue, 22 Sep 2020 21:48:04 +0200 Hello, Today we have released PowerDNS Authoritative Server versions 4.3.1, 4.2.3 and 4.1.14, containing a fix for PowerDNS Security Advisory 2020-05 [1]. Additionally, we are publishing PowerDNS Security Advisory 2020-06 [2] today (‘Various issues have been found in our GSS-TSIG support, where an unauthorized attacker could cause crashes, possibly leak uninitialised memory, and possibly execute arbitrary code.’). Our GSS-TSIG support was never shipped in any packages by us or, to our knowledge, any other distributions. The GSS-TSIG code will be gone in version 4.4.0. We’ve chosen to leave the code intact for older versions, so that users that do rely on it today can keep doing so, keeping in mind the risks detailed in Advisory 2020-06. Regarding 2020-05: An issue has been found in PowerDNS Authoritative Server where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR. This issue is resolved in the versions mentioned above. (4.1.14 changelog [3], 4.2.3 changelog [4]) Version 4.3.2 also contains various other bug fixes and improvements, please see the changelog [5] for all details. Tarballs and signatures are available at https://downloads.powerdns.com/releases/ Packages for various Linux distributions are available from our repository at https://repo.powerdns.com/ 4.0 and older releases are EOL, refer to the documentation for details about our release cycles. Please send us all feedback and issues you might have via the mailing list or our IRC channel, or in case of a bug, via GitHub. 1: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html 2: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html 3: https://doc.powerdns.com/authoritative/changelog/4.1.html#change-4.1.14 4: https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.2.3 5: https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.3.1 Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ _______________________________________________ Pdns-announce mailing list Pdns-announce () mailman powerdns com https://mailman.powerdns.com/mailman/listinfo/pdns-announce
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- [Fwd: [Pdns-announce] security advisories for Authoritative 4.3.1, 4.2.3, 4.1.14] Peter van Dijk (Sep 22)