Update Info


Security update for pdns

Type: security
Severity: moderate
Issued: 2022-04-07
This update for pdns brings the following changes:

Update to 4.6.1:

* fixes incomplete validation of incoming IXFR transfers for
  secondary zones for which IXFR transfers have been enabled and
  the network path to the primary server is not trusted. Note that
  IXFR transfers are not enabled by default.
  (CVE-2022-27227, bsc#1197525)

Update to 4.6.0:

  * New Features
    - support for incoming PROXY headers
    - support for EDNS cookies
    - autoprimary management via pdnsutil and the API
  * Improvements
    - add zone removal to the zone cache (Kees Monshouwer)
    - docker images: Remove capability requirements
  * Bug Fixes
    - pdnsutil edit-zone: fix n and e behaviour on increase-serial prompt
    - lmdb: check if the lookup name is part of the zone (Kees Monshouwer)
    - lmdb: fix records removal in deleteDomain(); improve tcp exception handling

Update to 4.5.3:

  * Improvements

    - RFC 2136: improve some log messages

  * Bug Fixes

    - lmdb: check if the lookup name is part of the zone
    - pdnsutil edit-zone: fix n and e behaviour on increase-serial prompt
    - improve tcp exception handling
    - lmdb: fix records removal in deleteDomain()
    - RFC 2136: apply new TTL to whole RRset, not only to the added record

Update to 4.5.2 with bug fixes:

  * bindbackend: skip rejected zones during list and search PR#10968
  * make the zone cache more robust for bad data and save some SOA queries for DNSSEC zones PR#10964
  * api: check SOA location PR#10962
  * improve dnsname exception handling for SOA records PR#10952
  * improve SOA parse exception handling PR#10792
  * try to reload rejected zones in bind-backend once every bind-check-interval PR#10778

Update to 4.5.1:

  * Fixes a remote DoS when the server receives a query with QTYPE 65535
    (bsc#1188495, CVE-2021-36754)

Update to 4.5.0:

  * With version 4.5.0, support for platforms with a time_t type smaller
    than 64 bits is dropped.
  * A ‘zone cache’, which lets PowerDNS keep a periodically updated list
    of zones in memory.
  * Priority ordering in the AXFR queue in PowerDNS running as a secondary.
  * Small improvements and fixes.

Update to 4.4.1:

  * Improvements

    - debian packaging update #9965
    - dockerfiles: do not claim equivs-dummy is built from the pdns source package #9953
    - Fix missing #include for gcc-11 #9952
    - lmdb: Do a mdb_readers_check to clean up stale readers on database load #9946

  * Bug Fixes

    - fix TCP answer counters #10008
    - run deleteDomain() inside a transaction #10039
    - lmdb: do not reuse backend that has seen corrupted data #9985
    - lmdb: serialise LMDBBackend construction to ensure only a single schema upgrade is attempted #9949
    - backport some asan/ubsan fixes #9923
    - pdnsutil edit-zone: do not exit on ZoneParser exception #9912

Update to 4.4.0:

  * the LMDB backend now supports long record content, making it
    production ready for everybody
  * the SVCB and HTTPS record types are supported, with limited
    additional processing
  * transaction handling in the 2136 handler and the HTTP API was again
    improved a lot, avoiding various spurious issues users may have noticed
    if they do a lot of changes
  * a new setting (consistent-backends) offers a roughly 30% speedup,
    subject to conditions
  * we finally emit Prometheus metrics!

- Drop GSS-TSIG support in the spec file, as it is removed from the
  upcoming 4.4.0 version due to security issues and lack of testing

Update to 4.3.1, which in particular contains a security fix for

  PowerDNS Security Advisory 2020-05 (CVE-2020-17482, bsc#1176535)

Other improvements and bug fixes include:

  * gpgsql: Reintroduce prepared statements
  * Handle the extra single-row result set of MySQL stored procedures
  For details, see

Update to 4.3.0:

  A lot of internals have been reworked, with some visible changes
  for users. If you read the upgrade notes for a beta or RC, please
  read them again!

  A notable new feature in 4.3 is support for hiding DNSSEC keys,
  which makes it possible to do algorithm rollovers. This feature
  was contributed by Robin Geuze of TransIP, thanks! Another
  interesting new feature is support for automatically publishing
  CDS/CDNSKEY records with a single pdns.conf setting.

  Please note that 4.3.0 comes with a mandatory database schema
Update to 4.2.1:

  New features

  * Add SLAVE-RENOTIFY zone metadata support
  * Add configurable timeout for inbound
  * for gmysql backend, add an option to send the SSL capability flag

  Improvements

  * Register a few known RR types
  * bindbackend: use metadata for also-notifies as well
  * pdnsutil increase-serial: under SOA-EDIT=INCEPTION-EPOCH,
    bump as if it is EPOCH
  * API: optionally do not return dnssec info in domain list

  Bug Fixes

  * LUA view: do not crash on empty IP list
  * API: Accept headers without spaces
  * Avoid database state-related SERVFAILs after a LUA error
  * Fix broken edit-zone and other features with the LMDB backend
  * rfc2136, pdnsutil: somewhat improve duplicate record handling

Update to 4.2.0:

  - New features:

    * Lua records
    * ixfrdist
    * a new LMDB backend

  - Important functional changes:

    * the default UDP response size limit has been changed from 1680 to 1232
    * the autoserial feature has been removed

Update to 4.1.13:

  * #8157: gpgsqlbackend: add missing schema file to Makefile
  * #8162: stop using select() in places where FDs can be >1023
  • pdns-4.6.1-2.1