Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <848110348.5557.1661251259917@appsuite-guard.open-xchange.com>
Date: Tue, 23 Aug 2022 12:40:59 +0200 (CEST)
From: Otto Moerbeek <otto.moerbeek@...n-xchange.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Security Advisory 2022-02 for PowerDNS Recursor up to and including
 4.5.9, 4.6.2, 4.7.1

Hello,

   Today we have released PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2 due to
   a medium severity issue found. The security advisory only applies to
   Recursors running with protobuf logging enabled.

   Please find the full text of the advisory below.

   The changelogs are available at [1]4.5.10, [2]4.6.3, [3]4.7.2.

   The source tarballs ([4]4.5.10, [5]4.6.3, [6]4.7.2) and signatures
   ([7]4.5.10, [8]4.6.3, [9]4.7.2) are available from our download
   [10]server. Patches are available at [11]patches. Packages for various
   distributions are available from our [12]repository.

   Note that PowerDNS Recursor 4.4.x and older releases are End of Life.
   Consult the [13]EOL policy for more details.
     __________________________________________________________________

   PowerDNS Security Advisory 2022-02: incomplete exception handling
   related to protobuf message generation

   CVE: CVE-2022-37428
   Date: 23th of August 2022.
   Affects: PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1
   Not affected: PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2
   Severity: Medium
   Impact: Denial of service
   Exploit: This problem can be triggered by a remote attacker with
   access to the recursor if protobuf logging is enabled
   Risk of system compromise: None
   Solution: Upgrade to patched version, disable protobuf logging of responses

   This issue only affects recursors which have protobuf logging enabled
   using the
     * protobufServer function with logResponses=true or
     * outgoingProtobufServer function with logResponses=true

   If either of these functions is used without specifying logResponses,
   its value is true.
   An attacker needs to have access to the recursor, i.e. the remote IP
   must be in the access control list.
   If an attacker queries a name that leads to an answer with specific
   properties, a protobuf message might be generated that causes an
   exception. The code does not handle this exception correctly, causing a
   denial of service.

References

   1. https://docs.powerdns.com/recursor/changelog/4.5.html#change-4.5.10
   2. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.6.3
   3. https://docs.powerdns.com/recursor/changelog/4.7.html#change-4.7.2
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.5.10.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.6.3.tar.bz2
   6. https://downloads.powerdns.com/releases/pdns-recursor-4.7.2.tar.bz2
   7. https://downloads.powerdns.com/releases/pdns-recursor-4.5.10.tar.bz2.sig
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.6.3.tar.bz2.sig
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.7.2.tar.bz2.sig
  10. https://downloads.powerdns.com/releases/
  11. https://downloads.powerdns.com/patches/2022-02/
  12. https://repo.powerdns.com/
  13. https://docs.powerdns.com/recursor/appendices/EOL.html




--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerbeek@...n-xchange.com


-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------

Download attachment "signature.asc" of type "application/pgp-signature" (476 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.