Prep for upcoming 4.1.17, 4.2.3, and 4.3.2 release
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 29 Jun 2020 10:11:57 +0000 (12:11 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 1 Jul 2020 09:31:47 +0000 (11:31 +0200)
docs/secpoll.zone
pdns/recursordist/docs/changelog/4.1.rst
pdns/recursordist/docs/changelog/4.2.rst
pdns/recursordist/docs/changelog/4.3.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-04.rst [new file with mode: 0644]

index 979b8cfff1e01d6c794c6e2dd0096c047b147ded..164d8017c289e9e237244cd903d5d5789a59fa36 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020061801 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020070101 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -202,14 +202,16 @@ recursor-4.1.12.security-status                         60 IN TXT "3 Upgrade now
 recursor-4.1.13.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.1.14.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.1.15.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
-recursor-4.1.16.security-status                         60 IN TXT "1 OK"
+recursor-4.1.16.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
+recursor-4.1.17.security-status                         60 IN TXT "1 OK"
 recursor-4.2.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.2.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
-recursor-4.2.2.security-status                          60 IN TXT "1 OK"
+recursor-4.2.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
+recursor-4.2.3.security-status                          60 IN TXT "1 OK"
 recursor-4.3.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-alpha3.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -218,7 +220,8 @@ recursor-4.3.0-beta2.security-status                    60 IN TXT "3 Unsupported
 recursor-4.3.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
-recursor-4.3.1.security-status                          60 IN TXT "1 OK"
+recursor-4.3.1.security-status                          60 IN TXT "3 "Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
+recursor-4.3.2.security-status                          60 IN TXT "1 OK"
 recursor-4.4.0-alpha1.security-status                   60 IN TXT "1 OK"
 
 ; Recursor Debian
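Review bot: The added `recursor-4.3.1.security-status` line has a stray double quote after the status digit (`"3 "Upgrade now, see ...`), so the TXT data is no longer one quoted string and the line ends on an unbalanced quote. Depending on the zone parser, this presumably either stops the zone from loading or publishes a record whose first string is only `3 `. Either way, 4.3.1 installations, the ones that most need the advisory 2020-04 notice, may not get a usable security-status answer. It should match the 4.1.16 and 4.2.2 lines in the previous hunk: `TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"`. Running the file through a zone syntax check such as `named-checkzone` before publishing would catch this kind of typo.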
index 94b031fdac9a872a102ae666e0a9cb1a43eda327..20787e306dab1982f7b5e4e3c6419b19327faed6 100644 (file)
@@ -1,6 +1,24 @@
 Changelogs for 4.1.x
 ====================
 
+.. changelog::
+  :version: 4.1.17
+  :released: 1st of July 2020
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 
+
+    Backport of CVE-2020-14196: Enforce webserver ACL.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9129
+    :tickets: 9127, 8640
+
+    Fix compilation on systems that do not define HOST_NAME_MAX.
+
+
 .. changelog::
   :version: 4.1.16
   :released: 19th of May 2020
index 58aad41fa2869b1b53d9b0150ad41913ed07b095..bb9b8cc283c327e60b734cb5175b31e4d99d80f9 100644 (file)
@@ -1,5 +1,35 @@
 Changelogs for 4.2.x
 ====================
+.. changelog::
+  :version: 4.2.3
+  :released: 1st of July 2020
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 
+
+    Backport of CVE-2020-14196: Enforce webserver ACL.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9261
+    :tickets: 9251
+
+    Copy the negative cache entry before validating it.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9133
+    :tickets: 9127
+
+    Fix compilation on systems that do not define HOST_NAME_MAX.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9123
+    :tickets: 8640
+
+    Fix build with gcc-10
 
 .. changelog::
   :version: 4.2.2
index 06f4a768d4194cd45a5c29f6ae7a4406ebeec5c8..fe6e05563563bb90f29c9e78c072b548aba73cdb 100644 (file)
@@ -1,5 +1,85 @@
 Changelogs for 4.3.x
 ====================
+.. changelog::
+  :version: 4.3.2
+  :released: 1st of July 2020
+
+   .. change::
+     :tags: Bug Fixes
+     :pullreq:
+
+     Backport of CVE-2020-14196: Enforce webserver ACL.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9262
+    :tickets: 9251
+
+    Copy the negative cache entry before validating it.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9242
+    :tickets: 9031
+
+    Fix compilation of the ports event multiplexer.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9243
+    :tickets: 9142
+
+    Defer the NOD lookup until after the response has been sent.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9245
+    :tickets: 9151
+
+    Fix the handling of DS queries for the root.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9246
+    :tickets: 9172
+
+    Fix RPZ removals when an update has several deltas.
+
+  .. change::
+    :tags: Bug Fixes.
+    :pullreq: 9247
+    :tickets: 9192, 9184
+
+    Correct depth increments.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9248
+    :tickets: 9194, 9202, 9216
+
+    CNAME loop detection.
+
+  .. change::
+    :tags: Bug Fixes.
+    :pullreq: 9249
+    :tickets: 9205
+
+    Limit the TTL of RRSIG records as well
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9128
+    :tickets: 9127
+
+    Fix compilation on systems that do not define HOST_NAME_MAX.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9122
+    :tickets: 8640
+
+    Fix build with gcc-10.
+
 .. changelog::
   :version: 4.3.1
   :released: 19th of May 2020
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-04.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-04.rst
new file mode 100644 (file)
index 0000000..5f99c01
--- /dev/null
@@ -0,0 +1,27 @@
+PowerDNS Security Advisory 2020-04: Access restriction bypass
+=============================================================
+
+-  CVE: CVE-2020-14196
+-  Date: July 1st 2020
+-  Affects: PowerDNS Recursor up to and including 4.3.1, 4.2.2 and 4.1.16
+-  Not affected: 4.3.2, 4.2.3, 4.1.17
+-  Severity: Low
+-  Impact: Access restriction bypass
+-  Exploit: This problem can be triggered by sending HTTP queries
+-  Risk of system compromise: No
+-  Solution: Upgrade to a non-affected version 
+-  Workaround: Disable the webserver, set a password or an API key.
+   Additionally, restrict the binding address using the
+   `webserver-address` setting to local addresses only and/or use a
+   firewall to disallow web requests from untrusted sources reaching the
+   webserver listening address.
+
+An issue has been found in PowerDNS Recursor where the ACL applied to
+the internal web server via `webserver-allow-from` is not properly
+enforced, allowing a remote attacker to send HTTP queries to the
+internal web server, bypassing the restriction.
+In the default configuration the API webserver is not enabled. Only
+installations using a non-default value for `webserver` and
+`webserver-address` are affected.
+