Prep for 2024-01 13785/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 12 Feb 2024 10:19:09 +0000 (11:19 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 13 Feb 2024 12:05:04 +0000 (13:05 +0100)
.github/actions/spell-check/expect.txt
docs/secpoll.zone
pdns/recursordist/docs/changelog/4.8.rst
pdns/recursordist/docs/changelog/4.9.rst
pdns/recursordist/docs/changelog/5.0.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst [new file with mode: 0644]
pdns/recursordist/docs/upgrade.rst

index f05d4de1492850b33bec1c093661109e57829bc4..9d2ff94ba9962dd370d451b03a9006d0613e1413 100644 (file)
@@ -54,6 +54,7 @@ ASEP
 Ashish
 associateddomain
 asyncresolve
+ATHENE
 Atlassian
 Atomia
 aton
@@ -522,6 +523,7 @@ headfont
 headlinkcolor
 headtextcolor
 healthcheck
+Heftrig
 Heimhilcher
 Helbekkmo
 Hendriks
@@ -869,6 +871,7 @@ Neuf
 newcontent
 nftables
 nic
+Niklas
 Nilsen
 nimber
 Nixu
@@ -921,6 +924,7 @@ Nuitari
 NULs
 NUMA
 numreceived
+nvd
 nxd
 NXDATA
 nxdomain
@@ -1006,10 +1010,10 @@ phishing
 phonedph
 pickclosest
 pickhashed
+picknamehashed
 pickrandom
 pickrandomsample
 pickwhashed
-picknamehashed
 pickwrandom
 piddir
 pidfile
@@ -1188,6 +1192,7 @@ Schlich
 Scholten
 Schryver
 Schueler
+Schulmann
 schwer
 scopebits
 scopemask
@@ -1469,6 +1474,7 @@ Volker
 voxel
 Vranken
 vulns
+Waidner
 WAITFORONE
 wal
 wallclock
index 7b0337d777d82cc1df39eb3e2ce6ad7d8ff3ceca..8a24551c5df660b8712d83cb12cff3ce37530589 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024013000 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024021306 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -65,7 +65,7 @@ auth-4.1.10.security-status                             60 IN TXT "3 Upgrade now
 auth-4.1.11.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
 auth-4.1.12.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
 auth-4.1.13.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
-auth-4.1.14.security-status                             60 IN TXT "2 Unsupported release (EOL)"
+auth-4.1.14.security-status                             60 IN TXT "2 Unsupported release (EOL and known vulnerabilities)"
 auth-4.2.0-alpha1.security-status                       60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
 auth-4.2.0-beta1.security-status                        60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
 auth-4.2.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
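Review bot: The changed `auth-4.1.14.security-status` line keeps severity level `2` while its text is changed to `(EOL and known vulnerabilities)`; every recursor entry given that identical wording in this commit sits at level `3`, and the 4.5.10–4.5.12, 4.6.6 and 4.7.5/4.7.6 recursor lines are explicitly raised from 2 to 3 for it, so here the level and the text disagree on whether an immediate upgrade is required. If level 2 is deliberate — advisory 2024-01 in this commit covers Recursor only, so the vulnerabilities meant for auth 4.1.14 are presumably older ones — it would help to name the advisory in the TXT as the neighbouring auth-4.1.x lines do, e.g. `2 Unsupported release (EOL and known vulnerabilities), see https://doc.powerdns.com/authoritative/security-advisories/...`; otherwise raise it to `3 Unsupported release (EOL and known vulnerabilities)` to match the recursor entries. Secpoll clients presumably act on the leading digit rather than the free text, so the digit is what operators will actually alert on.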
@@ -263,7 +263,7 @@ recursor-4.1.14.security-status                         60 IN TXT "3 Upgrade now
 recursor-4.1.15.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.1.16.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
 recursor-4.1.17.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
-recursor-4.1.18.security-status                         60 IN TXT "3 Unsupported release (EOL)"
+recursor-4.1.18.security-status                         60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 
 recursor-4.2.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -274,7 +274,7 @@ recursor-4.2.1.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.2.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
 recursor-4.2.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
 recursor-4.2.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
-recursor-4.2.5.security-status                          60 IN TXT "3 Unsupported release (EOL)"
+recursor-4.2.5.security-status                          60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 
 recursor-4.3.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -304,7 +304,7 @@ recursor-4.4.4.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.4.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.4.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.4.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
-recursor-4.4.8.security-status                          60 IN TXT "3 Unsupported release (EOL)"
+recursor-4.4.8.security-status                          60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.5.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.5.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.5.0-alpha3.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -321,9 +321,9 @@ recursor-4.5.6.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.5.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.5.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html"
 recursor-4.5.9.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html"
-recursor-4.5.10.security-status                         60 IN TXT "2 Unsupported release (EOL)"
-recursor-4.5.11.security-status                         60 IN TXT "2 Unsupported release (EOL)"
-recursor-4.5.12.security-status                         60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.5.10.security-status                         60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
+recursor-4.5.11.security-status                         60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
+recursor-4.5.12.security-status                         60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.6.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.6.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.6.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -335,7 +335,7 @@ recursor-4.6.2.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.6.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.6.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.6.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
-recursor-4.6.6.security-status                          60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.6.6.security-status                          60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.7.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.7.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.7.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -344,8 +344,8 @@ recursor-4.7.1.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.7.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.7.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.7.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
-recursor-4.7.5.security-status                          60 IN TXT "2 Unsupported release (EOL)"
-recursor-4.7.6.security-status                          60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.7.5.security-status                          60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
+recursor-4.7.6.security-status                          60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.8.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.8.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.8.0-beta2.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -354,21 +354,24 @@ recursor-4.8.0.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.8.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.8.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.8.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
-recursor-4.8.4.security-status                          60 IN TXT "1 OK"
-recursor-4.8.5.security-status                          60 IN TXT "1 OK"
-recursor-4.9.0-alpha1.security-status                   60 IN TXT "2 Unsupported pre-release"
-recursor-4.9.0-beta1.security-status                    60 IN TXT "2 Unsupported pre-release"
-recursor-4.9.0-rc1.security-status                      60 IN TXT "2 Unsupported pre-release"
-recursor-4.9.0.security-status                          60 IN TXT "1 OK"
-recursor-4.9.1.security-status                          60 IN TXT "1 OK"
-recursor-4.9.2.security-status                          60 IN TXT "1 OK"
-recursor-5.0.0-alpha1.security-status                   60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-alpha2.security-status                   60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-beta1.security-status                    60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-rc1.security-status                      60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-rc2.security-status                      60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0.security-status                          60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.1.security-status                          60 IN TXT "1 OK"
+recursor-4.8.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.8.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.8.6.security-status                          60 IN TXT "1 OK"
+recursor-4.9.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.9.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.9.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.9.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.9.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.9.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.9.3.security-status                          60 IN TXT "1 OK"
+recursor-5.0.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-5.0.2.security-status                          60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
index 4a2b20af91a850cecc1550dda218914ba1668c2c..dfc66fd6342b6406c11b4bbd4282979eba78160f 100644 (file)
@@ -1,6 +1,16 @@
 Changelogs for 4.8.X
 ====================
 
+.. changelog::
+  :version: 4.8.6
+  :released: 13th of February 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 13784
+
+   `Security advisory 2024-01 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html>`__: CVE-2023-50387 and CVE-2023-50868
+
 .. changelog::
   :version: 4.8.5
   :released: 25th of August 2023
index 19e2bbb12c54869b64cc0dd343fce34d6cdc84a9..40d819f987f5e135d886d9ec35c14127f5ac1f4f 100644 (file)
@@ -1,5 +1,16 @@
 Changelogs for 4.9.X
 ====================
+
+.. changelog::
+  :version: 4.9.3
+  :released: 13th of February 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 13783
+
+   `Security advisory 2024-01 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html>`__: CVE-2023-50387 and CVE-2023-50868
+
 .. changelog::
   :version: 4.9.2
   :released: 8th of November 2023
index b6bc57c34c7090882be04246520f594ed841f3d7..000d37e9a5e6e35d50434b694f1890b94968056e 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.0.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.0.2
+  :released: 13th of February 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 13782
+
+   `Security advisory 2024-01 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html>`__: CVE-2023-50387 and CVE-2023-50868
+
 .. changelog::
   :version: 5.0.1
   :released: 10th of January 2024, with no changes compared to the second release candidate. Version 5.0.0 was never released publicly.
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst
new file mode 100644 (file)
index 0000000..07a53e2
--- /dev/null
@@ -0,0 +1,33 @@
+PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
+================================================================================================================
+
+- CVE: CVE-2023-50387 and CVE-2023-50868
+- Date: 13th of February 2024.
+- Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and 5.0.1
+- Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
+- Severity: High
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker publishing a crafted zone
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disable DNSSEC validation
+
+An attacker can publish a zone that contains crafted DNSSEC related records. While validating
+results from queries to that zone using the RFC mandated algorithms, the Recursor's resource usage
+can become so high that processing of other queries is impacted, resulting in a denial of
+service. Note that any resolver following the RFCs can be impacted, this is not a problem of this
+particular implementation.
+
+CVSS Score: 7.5, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedies are one of:
+
+- upgrade to a patched version
+- disable DNSSEC validation by setting ``dnssec=off`` or ``process-no-validate``; when using YAML settings:
+  ``dnssec.validate: off`` or ``process-no-validate``.  Note that this will affect clients depending on
+  DNSSEC validation.
+
+We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the
+German National Research Center for Applied Cybersecurity ATHENE for bringing this issue to the
+attention of the DNS community and especially Niklas Vogel for his assistance in validating the
+patches.
index cb49847418c508e6764bae2fe73f23498b668a0f..da559a483fe9bdd365e1b2d28b97722d09152f96 100644 (file)
@@ -4,8 +4,22 @@ Upgrade Guide
 Before upgrading, it is advised to read the :doc:`changelog/index`.
 When upgrading several versions, please read **all** notes applying to the upgrade.
 
-4.9.0 to 5.0.0 and master
---------------------------
+5.0.1 to 5.0.2 and master, 4.9.2 to 4.9.3 and 4.8.5 to 4.8.6
+------------------------------------------------------------
+
+Known Issues
+^^^^^^^^^^^^
+The :func:`zoneToCache` function fails to perform DNSSEC validation if the zone has more than :ref:`setting-max-rrsigs-per-record` RRSIG records at its apex.
+There are two workarounds: either increase the :ref:`setting-max-rrsigs-per-record` to the number of RRSIGs in the zone's apex, or tell :func:`zoneToCache` to skip DNSSEC validation. by adding ``dnssec="ignore"``, e.g.::
+
+  zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", {dnssec="ignore"})
+
+New settings
+^^^^^^^^^^^^
+- The :ref:`setting-max-rrsigs-per-record`, :ref:`setting-max-nsec3s-per-record`, :ref:`setting-max-signature-validations-per-query`, :ref:`setting-max-nsec3-hash-computations-per-query`, :ref:`setting-aggressive-cache-max-nsec3-hash-cost`, :ref:`setting-max-ds-per-zone` and :ref:`setting-max-dnskeys` settings have been introduced to limit the amount of work done for DNSSEC validation.
+
+4.9.0 to 5.0.0
+--------------
 
 YAML settings
 ^^^^^^^^^^^^^