List: oss-security
Subject: [oss-security] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 (CVE-2023-22617)
From: Otto Moerbeek <otto.moerbeek () powerdns ! com>
Date: 2023-01-20 12:19:43
Message-ID: 1295588158.7348.1674217183817 () appsuite-guard ! open-xchange ! com
Hello,
Today we have released PowerDNS Recursor 4.8.1 due to a high severity
issue found.
Please find the full text of the advisory below.
The [1]changelog is available.
The [2]tarball ([3]signature) is available from our download [4]server.
Patches are available at [5]patches. Packages for various distributions
are available from our [6]repository.
Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
Consult the [7]EOL policy for more details.
__________________________________________________________________
PowerDNS Security Advisory 2023-01: unbounded recursion results in program
termination
* CVE: CVE-2023-22617
* Date: 20th of January 2023
* Affects: PowerDNS Recursor 4.8.0
* Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
* Severity: High
* Impact: Denial of service
* Exploit: This problem can be triggered by a remote attacker with
  access to the recursor by querying names from specific
  mis-configured domains
* Risk of system compromise: None
* Solution: Upgrade to patched version
CVSS 3.0 score: 8.2 (High)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C
Thanks to applied-privacy.net for reporting this issue and their assistance in diagnosing it.
References
1. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1
2. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2
3. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2.sig
4. https://downloads.powerdns.com/releases/
5. https://downloads.powerdns.com/patches/2023-01/
6. https://repo.powerdns.com/
7. https://docs.powerdns.com/recursor/appendices/EOL.html
--
kind regards,
Otto Moerbeek
PowerDNS Developer
Email: otto.moerbeek@open-xchange.com
-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt
PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-------------------------------------------------------------------------------------