draft CVE follows. The referenced patches are pretty easy to backport, and are also present on our rel/rec-3.6.3 branch in a form that should apply directly to 3.6.x.

## PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes on specific platforms

* CVE: CVE-2015-1868
* Date: 23rd of April 2015
* Credit: Aki Tuomi
* Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server 3.2 and up
* Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4
* Severity: High
* Impact: Degraded service
* Exploit: This problem can be triggered by sending queries for specifically configured domains
* Risk of system compromise: No
* Solution: Upgrade to any of the non-affected versions
* Workaround: Run your Recursor under a supervisor. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.

A bug was discovered in our label decompression code, making it possible for names to refer to themselves, thus causing a loop during decompression. This loop is capped at 1000 iterations by a failsafe, making the issue harmless on most platforms. However, on specific platforms (so far, we are only aware of this happening on RHEL5/CentOS5), the recursion involved in these 1000 steps causes memory corruption leading to a quick crash, presumably because the default stack is too small.

We recommend that all users upgrade to a corrected version if at all possible. Alternatively, if you want to apply a minimal fix to your own tree, it can be found in three parts [here](https://github.com/PowerDNS/pdns/commit/adb10be102ddd4d2baf7a8adbb5673946fe5e555), [here](https://github.com/PowerDNS/pdns/commit/3ec3e0fc71bc89ac41c7e6d8cd3f323f25233881) and [here](https://github.com/PowerDNS/pdns/commit/dc02ebf65ab41ba3c84b05d8d7f1505695adcaf7). These should be trivial to backport to older versions by hand.
As for workarounds, only clients in allow-from are able to trigger the degraded service, so this should be limited to your userbase; further, we recommend running your critical services under supervision such as systemd, supervisord, daemontools, etc.
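The advisory above describes two things a name parser has to get right: a compression pointer must never be allowed to lead back into the name being decoded, and the decoder should not recurse per label, since even a 1000-iteration failsafe was enough to overrun a small default stack. The following is an added illustration, not PowerDNS code and not the linked patches: an iterative RFC 1035 name decompressor in which every pointer must target an offset strictly below the start of the segment currently being read, so the read position only ever moves backwards and a self-referencing name is rejected immediately. The function names (`decompressName`, `sampleCompressedMessage`, `sampleSelfReferencingMessage`) and the message bytes are constructed for this example.

```cpp
// Added example (not PowerDNS code): iterative DNS name decompression with
// loop protection, as a contrast to the recursive loop described in
// CVE-2015-1868.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class NameStatus { Ok, Truncated, ReservedLabelType, NameTooLong, PointerLoop };

// Decompress the name starting at `offset` in `pkt` into dotted form in `out`.
// Safety properties:
//  * iterative: a hostile message cannot drive the parser's stack depth;
//  * every compression pointer must target an offset strictly below the start
//    of the segment currently being read, so a name that refers to itself
//    (or two names pointing at each other) terminates with PointerLoop;
//  * the expanded name is held to the RFC 1035 limit of 255 octets.
NameStatus decompressName(const std::vector<uint8_t>& pkt, size_t offset, std::string& out) {
    out.clear();
    size_t pos = offset;
    size_t segmentStart = offset;  // any pointer must land before this offset
    size_t wireLen = 0;            // uncompressed length, including length octets
    for (;;) {
        if (pos >= pkt.size()) return NameStatus::Truncated;
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {           // two-octet compression pointer
            if (pos + 1 >= pkt.size()) return NameStatus::Truncated;
            size_t target = (static_cast<size_t>(len & 0x3F) << 8) | pkt[pos + 1];
            if (target >= segmentStart) return NameStatus::PointerLoop;
            segmentStart = target;             // strictly decreasing: guarantees termination
            pos = target;
            continue;
        }
        if (len & 0xC0) return NameStatus::ReservedLabelType;  // 0x40 / 0x80 label types
        wireLen += static_cast<size_t>(len) + 1;
        if (wireLen > 255) return NameStatus::NameTooLong;
        if (len == 0) {                        // root label ends the name
            if (out.empty()) out = ".";
            return NameStatus::Ok;
        }
        if (pos + 1 + len > pkt.size()) return NameStatus::Truncated;
        out.append(reinterpret_cast<const char*>(&pkt[pos + 1]), len);
        out.push_back('.');
        pos += 1 + len;
    }
}

// Constructed sample message: 12 placeholder header octets, "example.com"
// at offset 12, then "www" followed by a pointer to offset 12 at offset 25.
std::vector<uint8_t> sampleCompressedMessage() {
    std::vector<uint8_t> pkt(12, 0);
    const uint8_t body[] = { 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
                             3, 'w', 'w', 'w', 0xC0, 0x0C };
    pkt.insert(pkt.end(), body, body + sizeof(body));
    return pkt;
}

// Constructed message whose name at offset 25 points back at its own start,
// the self-reference the advisory describes.
std::vector<uint8_t> sampleSelfReferencingMessage() {
    std::vector<uint8_t> pkt = sampleCompressedMessage();
    pkt[pkt.size() - 1] = 0x19;  // pointer target 25
    return pkt;
}

int main() {
    std::string name;
    NameStatus ok = decompressName(sampleCompressedMessage(), 25, name);
    std::printf("compressed name: %s (status %d)\n", name.c_str(), static_cast<int>(ok));
    NameStatus bad = decompressName(sampleSelfReferencingMessage(), 25, name);
    std::printf("self-referencing name rejected: %s\n",
                bad == NameStatus::PointerLoop ? "yes" : "no");
    return 0;
}
```

The strictly-decreasing `segmentStart` check is stronger than "pointer must point backwards from its own position": a pointer that jumps back into an already-read part of the same name still satisfies the weaker rule and would loop, whereas here any target at or beyond the current segment start is refused on the first hop, with no iteration budget needed.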
Hi Peter, Thank you for informing us.
Created attachment 1016814: patch for recursor 3.7.1
Created attachment 1016815: patch for ALL affected products (both rec and auth!) excluding rec-3.7.1
Just to clarify: the buggy code is in both auth (3.2 and up) and recursor (3.5 and up). However, we have only seen the actual crash with the recursor on el5. As such, I have not opened bugs for el6 and el7, and for auth on all distributions. I do recommend updating all these packages, however, as we may be missing part of the impact of the bug.
Hi Martin, Could you please remove the private group flag here? It's now public.
pdns-recursor-3.6.3-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/pdns-recursor-3.6.3-1.el5
Package pdns-recursor-3.6.3-1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing pdns-recursor-3.6.3-1.el5'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5952/pdns-recursor-3.6.3-1.el5
then log in and leave karma (feedback).
pdns-recursor-3.6.3-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.