Message-ID: <6fc5f0dc8f6d868e9dcf4fc2d3bc535ef8907c3c.camel@powerdns.com>
From: Peter van Dijk
To: oss-security@lists.openwall.com
Date: Wed, 24 Apr 2024 12:37:56 +0200
Subject: [oss-security] PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

Dear user,

Please find below a security advisory, relating to PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3 only.

When using recursive forwarding, a crafted response from an upstream server can cause a Denial of Service in the Recursor.

===========================================================================

PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

CVE: CVE-2024-25583
Date: 24th of April 2024.
Affects: PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3; earlier versions are not affected
Not affected: PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4
Severity: High (only when using recursive forwarding)
Impact: Denial of service
Exploit: This problem can be triggered by an attacker publishing a crafted zone
Risk of system compromise: None
Solution: Upgrade to patched version

When using recursive forwarding, a crafted response from an upstream server can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.
CVSS Score: 7.5, only for configurations using recursive forwarding, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

The remedy is to update to a patched version: 4.8.8, 4.9.5 or 5.0.4 for the respective release branch.
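The advisory makes exposure depend on two things at once: running exactly one of the three listed versions, and having recursive forwarding configured. In Recursor terms, recursive forwarding means `forward-zones-recurse` entries or `+`-prefixed lines in a `forward-zones-file`; plain `forward-zones` entries forward without requesting recursion and are not the affected mode. The helper below is an added example, not PowerDNS code, for checking a host against both conditions offline. It parses only the old-style key=value recursor.conf (the 5.0 YAML settings are out of scope), and the sample configuration and zone file it carries are constructed for illustration; the version string is assumed to come from `rec_control version`.

```python
"""Added example (not PowerDNS code): audit a Recursor host for exposure to
Security Advisory 2024-02 (CVE-2024-25583).

Exposure needs BOTH conditions from the advisory:
  1. the running version is exactly 4.8.7, 4.9.4 or 5.0.3, and
  2. recursive forwarding is configured, i.e. a 'forward-zones-recurse'
     setting or a '+'-prefixed line in the 'forward-zones-file'.
Plain 'forward-zones' entries (no recursion requested upstream) are not the
affected mode. Only the old-style key=value recursor.conf is parsed here;
the YAML settings introduced in 5.0 are out of scope for this helper.
All sample inputs below are constructed for illustration.
"""

# Affected version -> fixed version on the same branch, as listed in the advisory.
AFFECTED_TO_FIXED = {"4.8.7": "4.8.8", "4.9.4": "4.9.5", "5.0.3": "5.0.4"}


def parse_conf(text):
    """Parse old-style recursor.conf: 'key=value' lines, '#' comments, last key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def recursive_forward_zones(conf_text, zone_files=None):
    """Return the zones forwarded with recursion desired, in configuration order.

    zone_files maps a forward-zones-file path to its contents (read from disk
    in real use; passed in here so the audit runs offline).
    """
    zone_files = zone_files or {}
    settings = parse_conf(conf_text)
    zones = []
    # forward-zones-recurse=zone=ip[;ip...], zone2=ip
    for entry in settings.get("forward-zones-recurse", "").split(","):
        entry = entry.strip()
        if entry:
            zones.append(entry.split("=", 1)[0].strip())
    # forward-zones-file: one 'zone=ip' per line; a leading '+' makes it recursive
    path = settings.get("forward-zones-file")
    for raw in zone_files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("+"):
            zones.append(line[1:].split("=", 1)[0].strip())
    return zones


def assess(version, conf_text, zone_files=None):
    """Return (verdict, reason, recursive_zones) for one host.

    'version' is the running version string (assumed to come from
    'rec_control version').
    """
    version = version.strip()
    zones = recursive_forward_zones(conf_text, zone_files)
    if version not in AFFECTED_TO_FIXED:
        return ("not affected", "version %s is not one of the listed versions" % version, zones)
    if not zones:
        return ("not affected", "no recursive forwarding configured", zones)
    return ("AFFECTED", "upgrade to %s" % AFFECTED_TO_FIXED[version], zones)


# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
# recursor.conf (constructed)
local-address=127.0.0.1
# plain forwarding: not the affected mode
forward-zones=partner.example=192.0.2.10
# recursive forwarding: affected mode on 4.8.7 / 4.9.4 / 5.0.3
forward-zones-recurse=corp.example=192.0.2.53;192.0.2.54
forward-zones-file=/etc/powerdns/forward.zones
"""

SAMPLE_ZONE_FILES = {
    "/etc/powerdns/forward.zones": """\
# forward-zones-file (constructed)
partner2.example=192.0.2.11
+lab.example=198.51.100.1
""",
}

if __name__ == "__main__":
    for version in ("5.0.3", "5.0.4", "4.9.4"):
        verdict, reason, zones = assess(version, SAMPLE_CONF, SAMPLE_ZONE_FILES)
        print("%s: %s (%s); recursive zones: %s" % (version, verdict, reason, zones))
```

The version check is deliberately an exact match rather than a range comparison, because the advisory states that releases before 4.8.7, 4.9.4 and 5.0.3 are not affected; a generic "older than fixed" test would wrongly flag them.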