rpm package
opensuse/pdns-recursor&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/pdns-recursor&distro=openSUSE%20Tumbleweed
Vulnerabilities (30)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-30192 | Hig | 7.5 | < 5.2.5-1.1 | 5.2.5-1.1 | Jul 21, 2025 | An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforc | |
| CVE-2024-25590 | Hig | 7.5 | < 5.1.2-1.1 | 5.1.2-1.1 | Oct 3, 2024 | An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. | |
| CVE-2024-25583 | Hig | 7.5 | < 5.0.4-1.1 | 5.0.4-1.1 | Apr 25, 2024 | A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected. | |
| CVE-2023-50387 | — | < 5.0.2-1.1 | 5.0.2-1.1 | Feb 14, 2024 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with man | ||
| CVE-2023-26437 | — | < 4.8.4-1.1 | 4.8.4-1.1 | Apr 4, 2023 | Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.This issue affects Recursor: through 4.6.5, through 4.7.4 , through 4.8.3. | ||
| CVE-2023-22617 | — | < 4.8.1-1.1 | 4.8.1-1.1 | Jan 21, 2023 | A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1. | ||
| CVE-2022-37428 | — | < 4.7.2-1.1 | 4.7.2-1.1 | Aug 23, 2022 | PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties. | ||
| CVE-2022-27227 | — | < 4.6.1-1.1 | 4.6.1-1.1 | Mar 25, 2022 | In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful | ||
| CVE-2020-25829 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Oct 16, 2020 | An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY q | ||
| CVE-2020-14196 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Jul 1, 2020 | In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. | ||
| CVE-2020-10995 | — | < 4.5.5-1.3 | 4.5.5-1.3 | May 19, 2020 | PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack u | ||
| CVE-2020-10030 | — | < 4.5.5-1.3 | 4.5.5-1.3 | May 19, 2020 | An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. It allows an attacker (with enough privileges to change the system's hostname) to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where g | ||
| CVE-2020-12244 | — | < 4.5.5-1.3 | 4.5.5-1.3 | May 19, 2020 | An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation. | ||
| CVE-2019-3807 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Jan 29, 2019 | An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. | ||
| CVE-2019-3806 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Jan 29, 2019 | An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua. | ||
| CVE-2018-16855 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Dec 3, 2018 | An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash. | ||
| CVE-2018-14626 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Nov 29, 2018 | PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of service. | ||
| CVE-2018-10851 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Nov 29, 2018 | PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excluding 4.1.5 and 4.0.9, are vulnerable to a memory leak while parsing malformed records that can lead to remote denial of service. | ||
| CVE-2018-14644 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Nov 9, 2018 | An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authori | ||
| CVE-2016-2120 | — | < 4.5.5-1.3 | 4.5.5-1.3 | Nov 1, 2018 | An issue has been found in PowerDNS Authoritative Server versions up to and including 3.4.10, 4.0.1 allowing an authorized user to crash the server by inserting a specially crafted record in a zone under their control then sending a DNS query for that record. The issue is due to |
- affected < 5.2.5-1.1fixed 5.2.5-1.1
An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforc
- affected < 5.1.2-1.1fixed 5.1.2-1.1
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.
- affected < 5.0.4-1.1fixed 5.0.4-1.1
A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.
- CVE-2023-50387Feb 14, 2024affected < 5.0.2-1.1fixed 5.0.2-1.1
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with man
- CVE-2023-26437Apr 4, 2023affected < 4.8.4-1.1fixed 4.8.4-1.1
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.This issue affects Recursor: through 4.6.5, through 4.7.4 , through 4.8.3.
- CVE-2023-22617Jan 21, 2023affected < 4.8.1-1.1fixed 4.8.1-1.1
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.
- CVE-2022-37428Aug 23, 2022affected < 4.7.2-1.1fixed 4.7.2-1.1
PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties.
- CVE-2022-27227Mar 25, 2022affected < 4.6.1-1.1fixed 4.6.1-1.1
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful
- CVE-2020-25829Oct 16, 2020affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY q
- CVE-2020-14196Jul 1, 2020affected < 4.5.5-1.3fixed 4.5.5-1.3
In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced.
- CVE-2020-10995May 19, 2020affected < 4.5.5-1.3fixed 4.5.5-1.3
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack u
- CVE-2020-10030May 19, 2020affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. It allows an attacker (with enough privileges to change the system's hostname) to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where g
- CVE-2020-12244May 19, 2020affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.
- CVE-2019-3807Jan 29, 2019affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
- CVE-2019-3806Jan 29, 2019affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua.
- CVE-2018-16855Dec 3, 2018affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
- CVE-2018-14626Nov 29, 2018affected < 4.5.5-1.3fixed 4.5.5-1.3
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of service.
- CVE-2018-10851Nov 29, 2018affected < 4.5.5-1.3fixed 4.5.5-1.3
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excluding 4.1.5 and 4.0.9, are vulnerable to a memory leak while parsing malformed records that can lead to remote denial of service.
- CVE-2018-14644Nov 9, 2018affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authori
- CVE-2016-2120Nov 1, 2018affected < 4.5.5-1.3fixed 4.5.5-1.3
An issue has been found in PowerDNS Authoritative Server versions up to and including 3.4.10, 4.0.1 allowing an authorized user to crash the server by inserting a specially crafted record in a zone under their control then sending a DNS query for that record. The issue is due to
Page 1 of 2