vulnerability
Arch Linux: Denial of service (CVE-2021-36754)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Jul 27, 2021 | Jul 11, 2025 | Nov 27, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
Jul 27, 2021
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).
When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).
When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
Solution
arch-linux-upgrade-latest
References
- CVE-2021-36754
- https://attackerkb.com/topics/CVE-2021-36754
- URL-http://www.openwall.com/lists/oss-security/2021/07/26/2
- URL-https://doc.powerdns.com/authoritative/security-advisories/index.html
- URL-https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
- URL-https://security.archlinux.org/ASA-202107-73
- CWE-119
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.