Prep for rec-4.8.1 12443/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 18 Jan 2023 08:55:43 +0000 (09:55 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 20 Jan 2023 11:48:09 +0000 (12:48 +0100)
docs/secpoll.zone
pdns/recursordist/docs/changelog/4.8.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2023-01.rst [new file with mode: 0644]

index c58cccae5067ceecb686ae7364a37ff6503b7d26..f677a617a38893bacda608a526027af3c02dfb2a 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022121200 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2023012001 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -334,11 +334,12 @@ recursor-4.7.1.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.7.2.security-status                          60 IN TXT "1 OK"
 recursor-4.7.3.security-status                          60 IN TXT "1 OK"
 recursor-4.7.4.security-status                          60 IN TXT "1 OK"
-recursor-4.8.0-alpha1.security-status                   60 IN TXT "2 Unsupported pre-release"
-recursor-4.8.0-beta1.security-status                    60 IN TXT "2 Unsupported pre-release"
-recursor-4.8.0-beta2.security-status                    60 IN TXT "2 Unsupported pre-release"
-recursor-4.8.0-rc1.security-status                      60 IN TXT "2 Unsupported pre-release"
-recursor-4.8.0.security-status                          60 IN TXT "1 OK"
+recursor-4.8.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.8.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.8.0-beta2.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.8.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.8.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-01.html"
+recursor-4.8.1.security-status                          60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
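Review bot: The four 4.8.0 pre-release records (alpha1 through rc1) move to status 3 with "(known vulnerabilities)" but carry no advisory reference, unlike the `recursor-4.8.0.security-status` record next to them. The advisory added in this same commit lists only "PowerDNS Recursor 4.8.0" as affected and "< 4.8.0" as not affected, so an operator whose pre-release build polls this zone cannot tell from either text whether CVE-2023-22617 applies to it. If the generic string is this file's convention for pre-releases of a line that later received an advisory, a zone comment above the block would be enough, for example `; 4.8.0 pre-releases: see powerdns-advisory-2023-01`. Otherwise the advisory's "Affects" line should name the pre-releases explicitly.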
index c70cdffa9493ed7a4aa401b1b3a4f84372e78ea0..493542825af2fded93b8a9025d50f10cd524167d 100644 (file)
@@ -1,6 +1,16 @@
 Changelogs for 4.8.X
 ====================
 
+.. changelog::
+  :version: 4.8.1
+  :released: 20th of January 2023
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 12442
+
+    Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.
+
 .. changelog::
   :version: 4.8.0
   :released: 12th of December 2022
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2023-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2023-01.rst
new file mode 100644 (file)
index 0000000..d9a743b
--- /dev/null
@@ -0,0 +1,16 @@
+PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
+======================================================================================
+
+- CVE: CVE-2023-22617
+- Date: 20th of January 2023
+- Affects: PowerDNS Recursor 4.8.0
+- Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
+- Severity: High
+- Impact: Denial of service
+- Exploit: This problem can be triggered by a remote attacker with access to the recursor by querying names from specific mis-configured domains
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS 3.0 score: 8.2 (High)
+https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C
+