Debian Linux Security Advisory 5331-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5331-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
January 28, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-11  
CVE ID         : CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628   
                 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 11.0.18+10-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPVXJgACgkQEMKTtsN8  
TjaDFA//fTs6b0krISKRClpErRG2nD2pvTm4uvGwYuRD6hZ+IZS+IXd6/sneGnTE  
KwmYRpzdgX8Kowx036816UXyBY62iQDy/sX7hD76MGh7dI4xKhZzsbLxGlaQICIC  
HEuV3i7SSeZ8Qlgzo0s1S+MYaiEU3Uj7w/hgPdw840NGgMJnrl5Xl9R2ftTDES/h  
uXErDccwvmi+zYY64mH44Utrp1aU7VTWYBK33kkGDgIC12qRk5Vtw1BcPTFHZ37g  
98rVHDZ9XikCBC+SrBDLC3wVB+Fj+YFhgAR3GYgmkMxcTDU6Awh10tpJc2d2XpQS  
QbQYNVFYk9y85wZnyvJ8r8BUIr1UPgp04RjjMyrpmnMMkAp0cXXw07gmllqzWB98  
A/3GpXwlUtvZl8BSdwD3hawCfGUfUeISZO3NeLr0NjDfj4GQuVFmhsI13TGJV8ip  
BdzAaREG3UwxS1DmQH3dHQkZ/tOaouHYrSczympUfjVTwsCaSqHBdtlYesC0t1By  
I5F3FLBqdLy2Gs9KLn8ef8BN2ecc3bMTz4wrhuKYuqa0qsKmyRLl58XyJ+8NsFSf  
JUxXn8B+6kI+OiDJSITUr87+YGGOdsY/WvcVOeL+fXcQpSV/3S0KrTRkZ/xhUjhJ  
lngIcYUBe4/65INSpXCFb4LSKC6N5JKH3ro7iUN589gaOSvRPE0=  
=HU+A  
-----END PGP SIGNATURE-----

Debian Security Advisory 5331-1

Debian Linux Security Advisory 5330-1 - Two vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5330-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : curlCVE ID         : CVE-2022-32221 CVE-2022-43552Two vulnerabilities were discovered in Curl, an easy-to-use client-sideURL transfer library, which could result in denial of service orinformation disclosure.For the stable distribution (bullseye), these problems have been fixed inversion 7.74.0-1.3+deb11u5. This update also revises the fix forCVE-2022-27774 released in DSA-5197-1.We recommend that you upgrade your curl packages.For the detailed security status of curl please refer toits security tracker page at:https://security-tracker.debian.org/tracker/curlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPUCUkACgkQEMKTtsN8TjaA3g/8DBSNCu0gAsoqGfSGx42C4GDMKJBZKiW92bIVKuuJ+1Pq1VQ6msVdmOgCL/i1YFwFaxqPPQWnQQWBDNXn1oYpkVXop+Yq3ETsiX6bpF0+TCXBZRY9KsuSYyzniky7f1ueJAFjqTHWdJ/J5nfSrYSdQ/UIDNKsO2dFTD3uq1W5+qStVAdxnSOh9pMY5XgMh27urtZttTdyL+no+lRkK2jS2Ru8SgMCCmGsfUn7gFtxHn8Aqd2WEQQ9AsmgJkBjvZI2hhHqTBc96ZiTYCH6gjQHyGnRrRaZe0nZWyeSFJ8N8mblD1xequma5nPlWy5t0kKcOMVr6HvaNDbHLd51WoO9e0htjBmZXdmeEeudvkGKg00d1cPlwWmihegeuaiMHYUR/aCW1wko6FNsJ2yOZDY5iGjNNZHydrokcfB8DV/QGlFLFRXusUdX51bfylMCx1vddLTB5NQeQ7q0+eB2Rq5kM0KqdX1gsuq9id5NGSeZR/yjNPPEHbJKu2RFRridvY1H6kn2mB7YGYDGLjT/hYkoEXrBcrzPXEpBwKzsu4ih1C9eFW8DhK+iPD/U765dRV/UWIyk8uJHFmqfd4OqvG0ssVxYW5SraeOCVhToiA/vyB1mIOhYMWAitssG5xQ/DH8+4NQkGAc2Rmh4aQ6hB7QZst1+Ztqgpkcr1fods9de51k==EDu7-----END PGP SIGNATURE-----

Debian Security Advisory 5330-1

Debian Linux Security Advisory 5328-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5328-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474Debian Bug     : 1011346Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 109.0.5414.119-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxfAACgkQEMKTtsN8TjZlkQ/+PGr18MyY4Su8U78MrneB965DP5Q/faHnU/AIERZ99dkb9XkuKR7icqaUh3AdyK7fN1wz/cG/sAFa2MoFsL/tcGS0SmpZsNRdbQy6mbpYO/5yQrqW2+msvpmT/uNMCpMn9+8K2L0+yuuDCkL9KhuHZRg3UrN8T3xfkU2rebxRslvQixy9a5M8cQ+wAP4TrsKiyIRaBBrJNPE4BjKGOFYQmZn9Ov8iRMaApXgSzO7RV9ocMKbtWz5n7m6cTfpq4vOuLkugnYa/J3Xn5PozT1O8qTcru3i6CFOow/v/YEHjw2DYd42NmA+Ojon0nBPPwShPbZndJrNvloeYyrcHHf7Em330b71gtip3ri9QfenPAaJgfdJ4mIpdyDJ/rZiH4oNbkilZrlgLM4Sw/JUh2jQ8tDK2udVWyH10uYS3teGDSq/EIU3ZInKGzlez7j7ZzQuAgwTwHwwlezD4Ppr02Zuu5lvVvOSfkjE5IQnyUNb/VWGd28oN6PKq4OgMYAOPVJFPy6dvs+YR2zCJKkZBCtfeJM8lO8Ncq/gs80SKtWDibmD/lRVbVotoGoNCebFVPeoeNXgWjGb3WC6PLDBoLc/GCxqFPoNxU8y1gKi5SdcMEqLTUIjH1f8BX28c9ZZmWgpZdctavsRH5mdRgsz6kb78bWbMQYqj1sVPPufZjOF5AfQ==PFa0-----END PGP SIGNATURE-----

Debian Security Advisory 5328-1

Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5329-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : bind9CVE ID         : CVE-2022-3094 CVE-2022-3736 CVE-2022-3924Several vulnerabilities were discovered in BIND, a DNS serverimplementation, which may result in denial of service against named.For the stable distribution (bullseye), these problems have been fixed inversion 1:9.16.37-1~deb11u1.We recommend that you upgrade your bind9 packages.For the detailed security status of bind9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/bind9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxg4ACgkQEMKTtsN8TjaEyw//bjGBSD6QFX5xfkXzm4fHKEBnl3/yg0z+p6ml3xGQQJaBzwljn4J2McGxxtCsgOVTyyvy/uocUsK4X1LZk8kGfbbiGN+63o2PoADX76bPhbv69CiRxd1NRnprSMLsJyBHaiB8TFPFBnPz//Q7KY9KvhzUbv/g4ocIYmlrxUZiZmmyJB8kJ3lzFJIBzThlcmnCLHjs4IDF516BJMywxYnsnSRc0G73jB1zlcmBB0loYpD3U434C+pUCMKkrpYPeBFZHGikpYs7x+lJ95WmggYtoNjz0iPwpK1hd2vvM1rxr93jARKMTlKh5OMtljIK67NQeKfyojd4Uva49SAVYuo38MCLO2H4NEPPoEh+OGUJBgCagvwgye+GPOM+c++Ii9LNqNdwEThG2WVVP4f/Hore27l4lswGICLk9662lSJsAnZtdTQUSvFbeI8k8ne/2bvYrkZbCWDv8gPhLlCa6c80zag+ZzhOAvghBfj7AbRch/7feqe+RYAJ4qPuHmEokpxGL9gboa/4y3YJeCSKv13xXbz13FJyPMpsfiLVCp6ajhE1iVL3Trkr4rUGGmQVXClsBrDibeIu5YQvqnBtTZckrt8WoKo7GedrZxu/vrAqtwQVsL+7UrNUQbZLcTTLwZRc/RRegsHBqptYu/+joV+8ndQ9G2wX/35ss8hd+uQ2wvE==/JXy-----END PGP SIGNATURE-----

Debian Security Advisory 5329-1

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

man-db before 2.8.5 on Gentoo allows local users (with access to the man user account) to gain root privileges because /usr/bin/mandb is executed by root but not owned by root. (Also, the owner can strip the setuid and setgid bits.)

Description Michael Orlitzky  2018-07-29 20:42:23 UTC

Our sys-apps/man-db package installs the /usr/bin/mandb program setuid and setgid with owner/group "man". We also install a daily cron job from ${FILESDIR}/man-db.cron that runs as root and executes,

  exec nice mandb --quiet

This can be exploited by the "man" user to gain root privileges. For example, the "man" user can simply strip off the setuid/setgid bits:

  # su man -s /bin/sh -c 'chmod 755 /usr/bin/mandb'

Now when "mandb" is run in the cron job, it will run with root privileges. But the owner of /usr/bin/mandb has not changed, so the "man" user can write to it because he owns it:

  # su man -s /bin/sh -c 'cat < bad-script.sh > /usr/bin/mandb'

Whenever the cron job runs again, the "man" user gains root.

Comment 1 Thomas Deutschmann (RETIRED)  2018-07-29 22:25:48 UTC

Mh, this sounds like bug 602588...

Comment 2 Michael Orlitzky  2018-07-29 23:06:50 UTC

(In reply to Thomas Deutschmann from comment #1)
\> Mh, this sounds like bug 602588...

I saw that, but the gist of this one is more "the executable shouldn't be owned by 'man' to begin with." The fact that the cron job makes it easy to exploit is only adding insult to injury. If root (or another privileged user) was ever going to run /usr/bin/mandb for any reason, then the "man" user could swap out its contents beforehand.

Comment 4 Colin Watson 2018-09-17 13:00:04 UTC

I don't think those commits are especially related, except perhaps insofar as they describe existing practice.

This sort of thing is indeed a problem with having setuid-to-non-root executables that might be run as root: such a setup inherently means that root has to trust the user that owns the executable.  I can see a few non-exclusive options:

 1) Make mandb setuid root instead, and add code at the start of main() (or maybe in init\_security() or something) to drop to MAN\_OWNER if necessary.
 2) Mitigate the bug by making the cron job run as the man user rather than root; at least then it isn't \*guaranteed\* that mandb will be run as root.  (Note that Debian's cron jobs have run as the man user for at least 17 years.)
 3) Stop installing mandb setuid by default.

Option 1 might be a good idea, and is probably the only way to preserve the setuid setup while immunising against this bug.  On the other hand, it adds a bit more attack surface and would have to be done carefully.

Option 2 seems to have no obvious downsides.  Assuming it works in the Gentoo setup, you surely ought to do this even if it isn't a complete fix for this bug.

Option 3 is almost certainly the right long-term fix.

Comment 6 Lars Wendler (Polynomial-C) (RETIRED)  2019-01-06 15:13:23 UTC

Michael, please check if this attempt is sufficient to get rid of this root escalation issue.

Comment 7 Michael Orlitzky  2019-01-06 16:09:49 UTC

(In reply to Lars Wendler (Polynomial-C) from comment #6)
\> Michael, please check if this attempt is sufficient to get rid of this root
> escalation issue.

In the past, I'm almost certain that portage would not change the owner or group of a file that already exists during merge. So, I was expecting /usr/bin/mandb to still be "man:man" after an upgrade.

Good news: it isn't!

Bad news: I don't know why, or if we can rely on that happening. I'm going to ask around to see if something changed in portage to make this reliable.


But the fix generally looks good to me. In the future you might want to create /var/cache/man in src\_install, so that you don't have to do it in both the cron job and pkg\_preinst, and you don't have to chown/chmod it every time (this can also be dangerous if /var/cache isn't owned by root).

Then, instead of the shell script cron job that we have now, you could put something simpler in /etc/cron.d:

  <minute> <hour> \* \* \* man mandb --quiet

Comment 8 Michael Orlitzky  2019-01-07 16:04:57 UTC

(In reply to Michael Orlitzky from comment #7)
\> 
> In the past, I'm almost certain that portage would not change the owner or
> group of a file that already exists during merge. So, I was expecting
> /usr/bin/mandb to still be "man:man" after an upgrade.
> 

This still happens for directories but not for files. I tested back to portage-2.3.6, so we'd best assume the simplest explanation: I'm remembering wrong, and the ownership of \*files\* will be updated.

Comment 9 Lars Wendler (Polynomial-C) (RETIRED)  2019-01-11 09:02:34 UTC

(In reply to Michael Orlitzky from comment #7)
\> 
> But the fix generally looks good to me. In the future you might want to
> create /var/cache/man in src\_install, so that you don't have to do it in
> both the cron job and pkg\_preinst, and you don't have to chown/chmod it
> every time (this can also be dangerous if /var/cache isn't owned by root).

No can do as this would put the content of /var/cache/man into the package's content which we wanna avoid (by doing it in pkg\_preinst).
 
\> Then, instead of the shell script cron job that we have now, you could put
> something simpler in /etc/cron.d:
> 
>   <minute> <hour> \* \* \* man mandb --quiet

That sounds like a good idea. Care to file a separate bug for that?

CVE-2018-25078: root privilege escalation through setuid executable and cron job

Debian Linux Security Advisory 5327-1 - Sebastien Meriot discovered that the S3 API of Swift, a distributed virtual object store, was susceptible to information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5327-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : swiftCVE ID         : CVE-2022-47950Debian Bug     : 1029200Sebastien Meriot discovered that the S3 API of Swift, a distributedvirtual object store, was susceptible to information disclosure.For the stable distribution (bullseye), this problem has been fixed inversion 2.26.0-10+deb11u1.We recommend that you upgrade your swift packages.For the detailed security status of swift please refer toits security tracker page at:https://security-tracker.debian.org/tracker/swiftFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPQNhQACgkQEMKTtsN8TjY5qw//YHxQJWvmsTZRDzYbyllUh4hfXkfNDKDbMOYv53ebgTSci77Q3di54rXok6OLR02mJaFsiccYVH8O9oWoEZveVkGhgB3fO5QcGhmHP218nXXknHtBWpfMrjzWIWQJLhU6lczlZtCuDxp4FGs1L/dw3HWDjRDC4/O6X4LDV11GGmM8v4OSEFicM5KMih/kNYt/DLHl2J3vb1cOLxNZCPAQoHhknpoE4NXdWnBZju8ufT1E0+OqhAnOTS3SXTZ7LuBmtArY0XwK+rKLeXg65RiJchpNIS7uOi0x+ZgvMbmaad5gKm5hA6ZRDdvsGrw0hUu9Atj40QShghCWhjKVRxXu+jMgFZhew/3drqYERv1sdQr94frmagjLdTlId6QYZCznfGEJTCL2cH+tlW4jBolL5cvS3UcrWHeFh6WNEb3fayeLr3811dJ0D+/bNXoiUTVPIBp37ycVg26Xehz4axrLPyHTDqXTqy5aEn1jee1810F1OeNfZODju8BxXgRxLCQaR7VoWtux+0ZQBhBziii2D2BPSZBzIP14llkqyYdxgMVBI67zDOu1VUXMy2gqJRvlzclimpmWbXXVV16gB3I6Kxt8MQKdMZpinUIYUjdp4Dm7p5pgTU8Jk8qJmdOu43mRnAgMOavLO7/1GeyOvDFnnW0gDsBbGLWRM7VbHGmB+7M=QW6t-----END PGP SIGNATURE-----

Debian Security Advisory 5327-1

Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5326-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : nodejsCVE ID         : CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215                 CVE-2022-35255 CVE-2022-35256 CVE-2022-43548Multiple vulnerabilities were discovered in Node.js, which could resultin HTTP request smuggling, bypass of host IP address validation and weakrandomness setup.For the stable distribution (bullseye), these problems have been fixed inversion 12.22.12~dfsg-1~deb11u3.We recommend that you upgrade your nodejs packages.For the detailed security status of nodejs please refer toits security tracker page at:https://security-tracker.debian.org/tracker/nodejsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPQNhIACgkQEMKTtsN8TjaRmA/+KDFkQcd2sE/eAAx9cVikICNkfu7uIVKHpeDH9o5oq5M2nj4zHJCeAArpWblguyZwEtqzAOO2WesbrmwfXLmglhrNZwRMOrsbu63JxSnecp7qcMwR8A4JWdmdTxb4aZr6Prmwq6fT0G3K6oV8Hw+OeqYA/RZKenxtkBf/jdzVahGJHJ/NrFKKWVQWxbqHwCkP7uUlm+5UR5XzNrodTRCQYHJvUmDUrjEOjM6x+sqYirKWiERN0A14kVn90Ufrw6+Z2tKhdKFZfU1BtDthhlH/nybz0h3aHsk+E5/vx20WAURiCEDVi7nf8+RfEtbCxaqV+/xVoPmXStHY/ogCo8CgRVsyYUIemgi4q5LwVx/Oqjm2CJ/xCwOKh0E2idXLJfLSpxxBe598MUn9iKbnFFCN9DQZXf7BYs3djtn8ALFVBSHZSF1QXFoFQ86wY9xGhBQzfEgCoEW7H4S30ZQ+Gz+ZnOMCSH+MKIMtSpqbc7wLtrKf839DO6Uux7B7u0WR3lZlsihi92QKq9X/VRkyy8ZiA2TYy3IE+KDKlXDHKls9FR9BUClYe9L8RiRuboP8KPFUHUsSVaTzkufMStdKkcXCqgj/6KhJL6E9ZunTBpTmqx1Ty7/N2qktLFnHujrffzV3rCE6eIg7ps8OdZbjCfqUqmQk9/pV6ZDjymqjZ1LKZDsþRn-----END PGP SIGNATURE-----

Debian Security Advisory 5326-1

Debian Linux Security Advisory 5325-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to SQL injection attacks, or bypass authorization access.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5325-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipIt was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to SQL injection attacks, or bypassauthorization access.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u6.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmPPpdYACgkQEL6Jg/PVnWT7GQgAgemz9C/cvulSLwEuV38WAaZwy8RFC3CGw3DirFLf2tVeC6KDI+tGs/u4XSY7M45xEr4y1TR3NMfovrnX6iR/JgPU/3ZJsFquq8O5Z9WCeZFe2YCkmuqP9hQvtxXfOoL4c9b1hfgtv4nVcqLyCFFJhfqLiAy8Eb18vzuggjLVYKa1kioa8wAGk/YBB9rvoKNN1bBfow7A7704Gk2bJMfcxIC9P4anHm6u0OZ4HgC0GYpVYZXegfrFICs7fylqgcg6Ub+HH+6e3wEDN1oqnj0IQDy09lFj4kCT5xQjhQM8oMZChExndWdmRRI2iEmUN/gg7RVhdUfNvv8VTy1lo+wd4g==XA3L-----END PGP SIGNATURE-----

Debian Security Advisory 5325-1

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.

**4.8.1¶**

Released: 20th of January 2023

**Bug Fixes¶**

*   Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.¶
    
    References: pull request 12442
    

**4.8.0-beta2¶**

Released: 7th of November 2022

**Improvements¶**

*   Only replace protobuf logger config objects if the reload changed them.¶
    
    References: #12063, pull request 12146
    
*   Be more lenient replacing auth by non-auth records in cache.¶
    
    References: #12140, pull request 12150
    

**Bug Fixes¶**

*   Fix SNMP OID numbers for rcode stats.¶
    
    References: #12155, pull request 12163
    
*   Implement output operator for QTypes, avoids numeric qtypes in trace logs.¶
    
    References: #12122, pull request 12162
    
*   Handle IXFR connect and transfer timeouts.¶
    
    References: #12125, pull request 12161
    
*   Log invalid RPZ content when obtained via IXFR.¶
    
    References: #12081, pull request 12145
    
*   Detect invalid bytes in makeBytesFromHex().¶
    
    References: #12066, pull request 12147
    

**4.8.0-beta1¶**

Released: 5th of October 2022

**Improvements¶**

*   Add support for NOD/UDR notifications using dnstap.¶
    
    References: pull request 12047
    
*   Protobuf and dnstap metrics, including rec\_control subcommand to show them.¶
    
    References: #11841, pull request 11903, pull request 12049
    
*   Provide metrics for rcode received from authoritative servers.¶
    
    References: #7164, pull request 11949
    
*   Proxymapping metrics, including rec\_control subcommand to show them.¶
    
    References: #11648, pull request 11866
    
*   Add querytime attribute to Lua DNSQuestion object, to see the time a query was received.¶
    
    References: pull request 11909
    
*   Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).¶
    
    References: #11766, pull request 11768
    
*   Improve error message when invalid values for local-address are provided in recursor config file.¶
    
    References: pull request 11989
    
*   Enable SNMP support for debian and ubuntu builds.¶
    
    References: #11999, pull request 12011
    
*   Warn if snmp-agent is set but SNMP support is not available.¶
    
    References: #11998, pull request 12009
    
*   A few tweaks to structured logging calls.¶
    
    References: pull request 11959
    

**Bug Fixes¶**

*   Fix –config (should be equal to –config=default), followup to #11907.¶
    
    References: pull request 12048
    
*   Fix compilation of the event ports multiplexer.¶
    
    References: #12044, pull request 12046
    
*   When an expired NSEC3 entry is seen move it to the front of the expiry queue.¶
    
    References: pull request 12038
    
*   If new data is auth and existing data is not, replace even if cache locking is active.¶
    
    References: #11958, pull request 12027
    

**4.8.0-alpha1¶**

Released: 23rd of September 2022

**Improvements¶**

*   Lock record cache entries if enabled by record-cache-locked-ttl-perc.¶
    
    References: pull request 11958
    
*   Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).¶
    
    References: pull request 11957
    
*   Axfr-retriever: abort on chunk with TC set.¶
    
    References: #11804, pull request 11953
    
*   Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).¶
    
    References: pull request 11955
    
*   Recursor: Add --config[=check|=diff|=default].¶
    
    References: pull request 11907
    
*   Implement optional Serve stale functionality, enabled by serve-stale-extensions..¶
    
    References: pull request 11776
    
*   Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).¶
    
    References: pull request 11906
    
*   Log socket directory path if there is a problem.¶
    
    References: pull request 11800
    
*   Handle Lua script loading errors.¶
    
    References: pull request 11823
    
*   Stop sending Server: header (Chris Hofstaedtler).¶
    
    References: #4979, pull request 11813
    
*   Keep time and count metrics when maintenance is called.¶
    
    References: #6981, pull request 11869
    
*   Consider dns64 processing in more cases than Rcode == NoError.¶
    
    References: pull request 11849
    
*   Set rec_control_LDFLAGS, needed for MacOS or any platforms where libcrypto is not in default lib path.¶
    
    References: #11855, pull request 11857
    
*   Replace/remove jQuery (Chris Hofstaedtler)¶
    
    References: pull request 11812
    
*   Remove unused jsrender.js (Chris Hofstaedtler).¶
    
    References: pull request 11811
    
*   Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.¶
    
    References: #11736, pull request 11780
    
*   Set TCP_NODELAY on in and outgoing TCP.¶
    
    References: #11734, pull request 11754
    
*   Remove > 5 check on TTL of glue from the cache.¶
    
    References: pull request 11744
    
*   Structured logging for various subsystems.¶
    
    References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854
    
*   Make edns table a sparse table.¶
    
    References: pull request 11704, pull request 11779
    
*   Shared ednsmap.¶
    
    References: pull request 11601
    
*   Load IPv6 entries from etc-hosts file.¶
    
    References: #2248, pull request 11682
    
*   Use systemd-journal for structured logging if it is available and set by structured-logging-backend.¶
    
    References: #11705, #11706, pull request 11660, pull request 11709
    
*   Fix typos in stats log messages (Matt Nordhoff).¶
    
    References: #11654, #11671, pull request 11671, pull request 11680
    
*   Shared throttle map.¶
    
    References: pull request 11598
    
*   Adaptive root refresh interval, normally at 80% of max-cache-ttl.¶
    
    References: pull request 11381
    

**Bug Fixes¶**

*   Libssl: Properly load ciphers and digests with OpenSSL 3.0.¶
    
    References: #11853, pull request 11862
    
*   rec\_control: test for --version before requiring an argument.¶
    
    References: #11864, pull request 11867
    
*   Make rec zone files with trailing dot (phonedph1).¶
    
    References: pull request 11672
    
*   Handle file related errors initially loading Lua script.¶
    
    References: #10079, #11818, pull request 11820

Tag

#debian