Thread: PowerDNS Recursor 3.1.4 release notes




2006-11-13 19:46:57
Hi,

We've released version 3.1.4 earlier, but delayed the release notes until
the formal security notifications had gone out. Here are the release notes,
please upgrade as soon as possible.

Source:
 http://downloads.powerdns.com/releases/pdns-recursor-3.1.4.tar.bz2

DEBs:
 http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.4-1_amd64.deb
 http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.4-1_i386.deb

RPMs:
 http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.4-1.x86_64.rpm
 http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.4-1.i386.rpm

 Released the 13th of November 2006.
 (html, with links,
 http://doc.powerdns.com/changelog.html#CHANGELOG-RECURSOR-3-1-4 )

 This release contains almost no new features, but consists mostly of minor
 and major bug fixes. It also addresses two major security issues, which
 makes this release a highly recommended upgrade.

 Security issues:

   * Large TCP questions followed by garbage could cause the recursor to
     crash. This critical security issue has been assigned CVE-2006-4251,
     and is fixed in commit 915. More information can be found in Section
     1.5.

   * CNAME loops with zero second TTLs could cause crashes in some
     conditions. These loops could be constructed by malicious parties,
     making this issue a potential denial of service attack. This security
     issue has been assigned CVE-2006-4252 and is fixed by commit 919. More
     information can be found in Section 1.6. Many thanks to David Gavarret
     for helping pin down this problem.

 Bugs:

   * On certain error conditions, PowerDNS would neglect to close a socket,
     which might therefore eventually run out. Spotted by Stefan Schmidt,
     fixed in commits 892, 897, 899.

   * Some nameservers (including PowerDNS in rare circumstances) emit a SOA
     record in the authority section. The recursor mistakenly interpreted
     this as an authoritative "NXRRSET". Spotted by Bryan Seitz, fixed in
     commit 893.

   * In some circumstances, PowerDNS could end up with a useless (not
     working, or no longer working) set of nameserver records for a domain.
     This release contains logic to invalidate such broken NSSETs, without
     overloading authoritative servers. This problem had previously been
     spotted by Bryan Seitz, 'Cerb' and Darren Gamble. Invalidations of
     NSSETs can be plotted using the "nsset-invalidations" metric,
     available through rec_control get. Implemented in commit 896 and
     commit 901.

   * PowerDNS could crash while dumping the cache using rec_control
     dump-cache. Reported by Wouter of WideXS and Stefan Schmidt and many
     others, fixed in commit 900.

   * Under rare circumstances (depleted TCP buffers), PowerDNS might send
     out incomplete questions to remote servers. Additionally, on
     big-endian systems (non-Intel and non-AMD generally), sending out
     large TCP answers questions would not work at all, and possibly crash.
     Brought to our attention by David Gavarret, fixed in commit 903.

   * The recursor contained the potential for a dead-lock processing an
     invalid domain name. It is not known how this might be triggered, but
     it has been observed by 'Cerb' on #powerdns. Several dead-locks where
     PowerDNS consumed all CPU, but did not answer questions, have been
     reported in the past few months. These might be fixed by commit 904.

   * IPv6 'allow-from' matching had problems with the least significant
     bits, sometimes allowing disallowed addresses, but mostly disallowing
     allowed addresses. Spotted by Wouter from WideXS, fixed in commit 916.

 Improvements:

   * PowerDNS has support to drop answers from so called 'delegation only'
     zones. A statistic ("dlg-only-drops") is now available to plot how
     often this happens. Implemented in commit 890.

   * Hint-file parameter was mistakenly named "hints-file" in the
     documentation. Spotted by Marco Davids, fixed in commit 898.

   * rec_control quit should be near instantaneous now, as it no longer
     meticulously cleans up memory before exiting. Problem spotted by
     Darren Gamble, fixed in commit 914, closing ticket 84.

   * init.d script no longer refers to the Recursor as the Authoritative
     Server. Spotted by Wouter of WideXS, fixed in commit 913.

   * A potentially serious warning for users of the GNU C Library version
     2.5 was fixed. Spotted by Marcus Rueckert, fixed in commit 920.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl         Open and Closed source services
_______________________________________________
Pdns-announce mailing list
Pdns-announcemailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-announce
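
The IPv6 'allow-from' item above concerns prefix matching on the least significant bits. As an added example (not PowerDNS code, and not a reconstruction of the bug or of commit 916, which the notes do not describe at code level), here is one way to compare an address against a prefix whose length is not a multiple of 8, with boundary vectors an operator can adapt to test an ACL. The names `v6InPrefix`, `Case`, `kCases` and `countMismatches` are hypothetical.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdint>
#include <cstring>

// Hypothetical helper, not PowerDNS code: true if addr is inside net/prefixLen.
// Whole bytes are compared first; the leftover bits are then checked with a
// mask built from the high-order end of the next byte.
bool v6InPrefix(const char* addr, const char* net, unsigned prefixLen)
{
  in6_addr a, n;
  if (prefixLen > 128 || inet_pton(AF_INET6, addr, &a) != 1 ||
      inet_pton(AF_INET6, net, &n) != 1)
    return false;  // fail closed on malformed input
  const unsigned fullBytes = prefixLen / 8, restBits = prefixLen % 8;
  if (std::memcmp(a.s6_addr, n.s6_addr, fullBytes) != 0)
    return false;
  if (restBits == 0)
    return true;  // also covers /128, so index 16 is never read
  const uint8_t mask = static_cast<uint8_t>(0xFF << (8 - restBits));
  return (a.s6_addr[fullBytes] & mask) == (n.s6_addr[fullBytes] & mask);
}

struct Case { const char* addr; const char* net; unsigned len; bool expect; };

// Constructed vectors in the 2001:db8::/32 documentation range, chosen so the
// deciding bit sits just inside or just outside the prefix.
static const Case kCases[] = {
  {"2001:db8::1",      "2001:db8::",  32,  true},
  {"2001:db9::1",      "2001:db8::",  32,  false},
  {"2001:db8:0:7f::1", "2001:db8::",  57,  true},
  {"2001:db8:0:80::1", "2001:db8::",  57,  false},
  {"2001:db8::7",      "2001:db8::4", 126, true},
  {"2001:db8::8",      "2001:db8::4", 126, false},
  {"2001:db8::3",      "2001:db8::4", 126, false},
  {"2001:db8::5",      "2001:db8::4", 128, false},
  {"2001:db8::4",      "2001:db8::4", 129, false},  // invalid length
};

int countMismatches()
{
  int bad = 0;
  for (const Case& c : kCases)
    if (v6InPrefix(c.addr, c.net, c.len) != c.expect) ++bad;
  return bad;
}

int main() { return countMismatches() == 0 ? 0 : 1; }
```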