
List:       oss-security
Subject:    [oss-security] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 (CVE-2023-22617)
From:       Otto Moerbeek <otto.moerbeek () powerdns ! com>
Date:       2023-01-20 12:19:43
Message-ID: 1295588158.7348.1674217183817 () appsuite-guard ! open-xchange ! com


Hello,

   Today we have released PowerDNS Recursor 4.8.1 due to a high severity
   issue found.

   Please find the full text of the advisory below.

   The [1]changelog is available.

   The [2]tarball ([3]signature) is available from our download [4]server.
   Patches are available at [5]patches. Packages for various distributions
   are available from our [6]repository.

   Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
   Consult the [7]EOL policy for more details.
      __________________________________________________________________

PowerDNS Security Advisory 2023-01: unbounded recursion results in program
termination

     * CVE: CVE-2023-22617
     * Date: 20th of January 2023
     * Affects: PowerDNS Recursor 4.8.0
     * Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
     * Severity: High
     * Impact: Denial of service
     * Exploit: This problem can be triggered by a remote attacker with
       access to the recursor by querying names from specific
       mis-configured domains
     * Risk of system compromise: None
     * Solution: Upgrade to patched version

   CVSS 3.0 score: 8.2 (High)
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C

   Thanks to applied-privacy.net for reporting this issue and their assistance in diagnosing it.

References

   1. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1
   2. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2
   3. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2.sig
   4. https://downloads.powerdns.com/releases/
   5. https://downloads.powerdns.com/patches/2023-01/
   6. https://repo.powerdns.com/
   7. https://docs.powerdns.com/recursor/appendices/EOL.html



-- 

kind regards,
Otto Moerbeek
PowerDNS Developer 


 
Email: otto.moerbeek@open-xchange.com


-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366 
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin 
Chairman of the Board: Richard Seibt 
 
PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------
