Date: Mon, 13 May 2024 12:17:58 +0200
From: Remi Gacogne
To: oss-security@lists.openwall.com
Subject: [oss-security]
PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist

Hi all,

We released PowerDNS DNSdist 1.9.4 today. This release fixes CVE-2024-25581, a denial of service security issue affecting versions 1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected.

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service.

DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

Two work-arounds are available:
- refuse incoming XFR requests via a DNSdist rule: addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
- switch to the legacy h2o provider by setting library='h2o' in the addDOHLocal directive

We would like to thank Daniel Stirnimann from Switch for finding and subsequently reporting this issue.

The full security advisory is provided below, and can also be found at
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html

A minimal patch can also be found here:
https://downloads.powerdns.com/patches/2024-03/

Please feel free to contact me directly if you have any question.

Best regards,

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist
==================================================================================================================

- CVE: CVE-2024-25581
- Date: May 13th 2024
- Affects: PowerDNS DNSdist 1.9.0, 1.9.1, 1.9.2 and 1.9.3, earlier versions are not affected
- Not affected: PowerDNS DNSdist 1.9.4
- Severity: High (only in specific configurations, see below)
- Impact: Denial of service
- Exploit: This problem can be triggered by a remote, unauthenticated attacker sending a DNS query
- Risk of system compromise: None
- Solution: Upgrade to patched version or apply the workaround described below

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service.
DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

`CVSS Score: 7.5 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1>`__, only for configurations where incoming DoH is enabled and a TCP-only/DoT backend is enabled.

Two workarounds are available:
- refuse incoming XFR requests via a DNSdist rule: ``addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))``
- switch to the legacy h2o provider by setting ``library='h2o'`` in the ``addDOHLocal`` directive

For those unable to upgrade to a new version, a minimal patch is `available for 1.9.3 <https://downloads.powerdns.com/patches/2024-03>`__

We would like to thank Daniel Stirnimann from Switch for finding and subsequently reporting this issue.
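A log-review check for the condition the advisory describes, as an added example that is not part of the original message and not PowerDNS code: it decodes the `dns` parameter of logged DoH GET requests (RFC 8484 base64url) and reports the ones whose question asks for AXFR or IXFR, the same query types the DNSdist rule in the workaround refuses. The log format, function names and sample lines are assumptions constructed for illustration.

```python
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

XFR_QTYPES = {251: "IXFR", 252: "AXFR"}  # zone-transfer query types

# Constructed access-log lines (assumed format) from a proxy in front of the DoH listener.
SAMPLE_LOG = [
    '192.0.2.10 "GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2.0" 200',
    '192.0.2.77 "GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAA_AAB HTTP/2.0" 200',
    '192.0.2.10 "GET /dns-query?dns=not-a-dns-message HTTP/2.0" 400',
]

def question_qtype(msg: bytes) -> int:
    """Return the QTYPE of the first question in a DNS wire-format message."""
    if len(msg) < 12 or msg[4:6] == b"\x00\x00":
        raise ValueError("no DNS header or empty question section")
    pos = 12
    while pos < len(msg) and msg[pos] != 0:  # walk the QNAME labels
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    pos += 1  # skip the root label
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return struct.unpack("!H", msg[pos:pos + 2])[0]

def xfr_in_doh_get(url: str):
    """Return 'AXFR' or 'IXFR' if the DoH GET URL carries a transfer request, else None."""
    b64 = parse_qs(urlsplit(url).query).get("dns", [""])[0]
    try:
        msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        return XFR_QTYPES.get(question_qtype(msg))
    except ValueError:  # bad base64 (binascii.Error) or malformed DNS message
        return None

def scan(lines):
    """Return (client, kind) for each logged DoH GET that asks for a zone transfer."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) "GET (\S+) ', line)
        kind = xfr_in_doh_get(m.group(2)) if m else None
        if kind:
            hits.append((m.group(1), kind))
    return hits
```

DoH POST requests carry the same wire-format message in the request body, which access logs do not record, so `question_qtype` would have to be applied to captured bodies to cover them.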