|
Message-ID: <9b808b6d273b88bb2db281f8bea6b6920369242f.camel@powerdns.com>
Date: Tue, 22 Sep 2020 22:34:23 +0200
From: Peter van Dijk <peter.van.dijk@...erdns.com>
To: oss-security@...ts.openwall.com
Subject: [Fwd: [Pdns-announce] security advisories for Authoritative 4.3.1,
4.2.3, 4.1.14]
-------- Forwarded Message --------
From: Peter van Dijk via Pdns-announce <
pdns-announce@...lman.powerdns.com>
Reply-To: Peter van Dijk <peter.van.dijk@...erdns.com>
To: pdns-announce@...lman.powerdns.com, pdns-dev@...lman.powerdns.com,
pdns-users@...lman.powerdns.com
Subject: [Pdns-announce] security advisories for Authoritative 4.3.1,
4.2.3, 4.1.14
Date: Tue, 22 Sep 2020 21:48:04 +0200
Hello,
Today we have released PowerDNS Authoritative Server versions 4.3.1, 4.2.3 and 4.1.14, containing a fix for PowerDNS Security Advisory 2020-05 [1].
Additionally, we are publishing PowerDNS Security Advisory 2020-06 [2] today (‘Various issues have been found in our GSS-TSIG support, where an unauthorized attacker could cause crashes, possibly leak uninitialised memory, and possibly execute arbitrary code.’). Our GSS-TSIG support was never shipped in any packages by us or, to our knowledge, any other distributions. The GSS-TSIG code will be gone in version 4.4.0. We’ve chosen to leave the code intact for older versions, so that users that do rely on it today can keep doing so, keeping in mind the risks detailed in Advisory 2020-06.
Regarding 2020-05: An issue has been found in PowerDNS Authoritative Server where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR. This issue is resolved in the versions mentioned above. (4.1.14 changelog [3], 4.2.3 changelog [4])
Version 4.3.2 also contains various other bug fixes and improvements, please see the changelog [5] for all details.
Tarballs and signatures are available at https://downloads.powerdns.com/releases/
Packages for various Linux distributions are available from our repository at https://repo.powerdns.com/
4.0 and older releases are EOL, refer to the documentation for details about our release cycles.
Please send us all feedback and issues you might have via the mailing list or our IRC channel, or in case of a bug, via GitHub.
1: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html
2: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html
3: https://doc.powerdns.com/authoritative/changelog/4.1.html#change-4.1.14
4: https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.2.3
5: https://doc.powerdns.com/authoritative/changelog/4.2.html#change-4.3.1
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-announce mailing list
Pdns-announce@...lman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-announce
Download attachment "signature.asc" of type "application/pgp-signature" (915 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.