rec: prep 2024-04 releases 14746/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 2 Oct 2024 08:27:53 +0000 (10:27 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Thu, 3 Oct 2024 11:13:37 +0000 (13:13 +0200)
docs/secpoll.zone
pdns/recursordist/docs/changelog/4.9.rst
pdns/recursordist/docs/changelog/5.0.rst
pdns/recursordist/docs/changelog/5.1.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-04.rst [new file with mode: 0644]
pdns/recursordist/docs/upgrade.rst

index f305862d2484af7f057eb2f661496955a6ce407e..8905906820931090e112b474ade244ef2a06874d 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024100101 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024100301 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -360,22 +360,23 @@ recursor-4.8.2.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.8.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.8.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.8.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
-recursor-4.8.6.security-status                          60 IN TXT "1 OK"
+recursor-4.8.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-4.8.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html"
-recursor-4.8.8.security-status                          60 IN TXT "1 OK"
-recursor-4.8.9.security-status                          60 IN TXT "1 OK"
+recursor-4.8.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-4.8.9.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-4.9.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.9.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.9.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.9.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.9.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.9.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
-recursor-4.9.3.security-status                          60 IN TXT "1 OK"
+recursor-4.9.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-4.9.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html"
-recursor-4.9.5.security-status                          60 IN TXT "1 OK"
-recursor-4.9.6.security-status                          60 IN TXT "1 OK"
-recursor-4.9.7.security-status                          60 IN TXT "1 OK"
-recursor-4.9.8.security-status                          60 IN TXT "1 OK"
+recursor-4.9.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-4.9.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-4.9.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-4.9.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-4.9.9.security-status                          60 IN TXT "1 OK"
 recursor-5.0.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
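Review bot: The new "Upgrade now" TXT records in this hunk link the advisory under `https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html`, while the changelog entries this same commit adds for 4.9.9, 5.0.9 and 5.1.2 link it under `https://docs.powerdns.com/...`. The `doc.` host matches the neighbouring secpoll records, so the zone follows its own convention. Still, the secpoll text is what an operator sees when a resolver reports status 3, so it is worth confirming before publication that both hostnames serve the new advisory page. If only one host is canonical, use it in both the zone and the changelogs.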
@@ -383,18 +384,20 @@ recursor-5.0.0-rc1.security-status                      60 IN TXT "3 Unsupported
 recursor-5.0.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.0.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
-recursor-5.0.2.security-status                          60 IN TXT "1 OK"
+recursor-5.0.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-5.0.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html"
-recursor-5.0.4.security-status                          60 IN TXT "1 OK"
-recursor-5.0.5.security-status                          60 IN TXT "1 OK"
-recursor-5.0.6.security-status                          60 IN TXT "1 OK"
-recursor-5.0.7.security-status                          60 IN TXT "1 OK"
-recursor-5.0.8.security-status                          60 IN TXT "1 OK"
-recursor-5.1.0-alpha1.security-status                   60 IN TXT "2 Superseded pre-release"
-recursor-5.1.0-beta1.security-status                    60 IN TXT "2 Superseded pre-release"
-recursor-5.1.0-rc1.security-status                      60 IN TXT "2 Superseded pre-release"
-recursor-5.1.0.security-status                          60 IN TXT "1 OK"
-recursor-5.1.1.security-status                          60 IN TXT "1 OK"
+recursor-5.0.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.0.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.0.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.0.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.0.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.0.9.security-status                          60 IN TXT "1 OK"
+recursor-5.1.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.1.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.1.0-rc1.security-status                      60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.1.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.1.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
+recursor-5.1.2.security-status                          60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
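Review bot: The three 5.1.0 pre-release records are raised to status 3 with the text `3 Superseded pre-release (known vulnerabilities)`, whereas the other status-3 pre-release records visible in this file section (4.9.0-alpha1 to rc1, 5.0.0-alpha1 to rc2) read `3 Unsupported pre-release (known vulnerabilities)`. An operator grepping logs for the usual wording, or any tooling that matches on the message text, could miss these three entries. Unless the distinction is intentional, reuse the existing wording, e.g. `recursor-5.1.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"`.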
index 7516aa84f42aac29c534e4c07ab9b10fdeb09c0a..a7fc4aa556d95a526d62c2f359fbdef4d205d916 100644 (file)
@@ -1,6 +1,16 @@
 Changelogs for 4.9.X
 ====================
 
+.. changelog::
+  :version: 4.9.9
+  :released: 3rd of October 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 14745
+
+    `Security advisory 2024-04 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html>`__: CVE-2024-25590
+
 .. changelog::
   :version: 4.9.8
   :released: 23rd of July 2024
index fb59557cf5e936f3b2bb58218f3bc3c93e27ee50..f60ec23a87cdf8986b845ecd9ad439232d8062fe 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.0.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.0.9
+  :released: 3rd of October 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 14744
+
+    `Security advisory 2024-04 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html>`__: CVE-2024-25590
+
 .. changelog::
    :version: 5.0.8
    :released: 23rd of July 2024
index 6ed78884fbc38290c794557e8031d4932d731f79..520f6da3184fa71df6c2d0b1c6bef3c25f6241d8 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.1.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.1.2
+  :released: 3rd of October 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 14743
+
+    `Security advisory 2024-04 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html>`__: CVE-2024-25590
+
 .. changelog::
    :version: 5.1.1
    :released: 23rd of July 2024
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-04.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-04.rst
new file mode 100644 (file)
index 0000000..8ee3207
--- /dev/null
@@ -0,0 +1,21 @@
+PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
+=================================================================================================================================
+
+- CVE: CVE-2024-25590
+- Date: 3rd of October 2024.
+- Affects: PowerDNS Recursor up to and including 4.9.8, 5.0.8 and 5.1.1
+- Not affected: PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2
+- Severity: High
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker publishing a crafted zone
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.
+
+CVSS Score: 7.5, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedy is: upgrade to a patched version
+
+We would like to thank Toshifumi Sakaguchi for bringing this issue to our attention and assisting in validating the patches.
index 70c33f53e808879ae41fd0e768c94b4c1e30c1e0..5d74e6fea898f90e2c01e1b5baafe7e5be3e8ad6 100644 (file)
@@ -4,11 +4,19 @@ Upgrade Guide
 Before upgrading, it is advised to read the :doc:`changelog/index`.
 When upgrading several versions, please read **all** notes applying to the upgrade.
 
+5.1.1 to 5.1.2, 5.0.8 to 5.0.9 and 4.9.8 to 4.9.9
+-------------------------------------------------
+
+New settings
+^^^^^^^^^^^^
+- The :ref:`setting-yaml-recordcache.max_rrset_size` setting has been introduced to limit the number of records in a result set.
+- The :ref:`setting-yaml-recordcache.limit_qtype_any` setting has been introduced to limit the number of records in answers to ANY queries.
+
 5.1.0 to master
 ----------------
 
 Changed behaviour
------------------
+^^^^^^^^^^^^^^^^^
 The way :ref:`setting-yaml-incoming.max_tcp_clients` is enforced has changed.
 If there are too many incoming TCP connections, new connections will be accepted but then closed immediately.
 Previously, excess connections would linger in the OS listen queue until timeout or until processing of incoming TCP connections resumed due to the number of connections being processed dropping below the limit.