Arch Linux Security Advisory ASA-202107-73 ========================================== Severity: Medium Date : 2021-07-27 CVE-ID : CVE-2021-36754 Package : powerdns Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2222 Summary ======= The package powerdns before version 4.5.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 4.5.1-1. # pacman -Syu "powerdns>=4.5.1-1" The problem has been fixed upstream in version 4.5.1. Workaround ========== Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)). Description =========== PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected. Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)). When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service. Impact ====== A remote attacker could crash the DNS server with a crafted query. References ========== https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory... https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f7180... https://security.archlinux.org/CVE-2021-36754