This document is about PowerDNS 4.0. For other versions, please see the documentation index.

PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes

A bug was found using afl-fuzz in our packet parsing code. This bug, when exploited, causes an assertion error and consequent termination of the the pdns_server process, causing a Denial of Service.

When the PowerDNS Authoritative Server is run inside the guardian (--guardian), or inside a supervisor like supervisord or systemd, it will be automatically restarted, limiting the impact to a somewhat degraded service.

PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other versions are affected. The PowerDNS Recursor is not affected.

PowerDNS Authoritative Server 3.4.7 contains a fix to this issue. A minimal patch is available here.

This issue is unrelated to the issues in our previous two Security Announcements (2015-01 and 2015-02).

We'd like to thank Christian Hofstaedtler of Deduktiva GmbH for finding and reporting this issue.