-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025040900 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025042900 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
dnsdist-1.9.1.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html"
dnsdist-1.9.2.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html"
dnsdist-1.9.3.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html"
-dnsdist-1.9.4.security-status 60 IN TXT "1 OK"
-dnsdist-1.9.5.security-status 60 IN TXT "1 OK"
-dnsdist-1.9.6.security-status 60 IN TXT "1 OK"
-dnsdist-1.9.7.security-status 60 IN TXT "1 OK"
-dnsdist-1.9.8.security-status 60 IN TXT "1 OK"
+dnsdist-1.9.4.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
+dnsdist-1.9.5.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
+dnsdist-1.9.6.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
+dnsdist-1.9.7.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
+dnsdist-1.9.8.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
+dnsdist-1.9.9.security-status 60 IN TXT "1 OK"
dnsdist-2.0.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release (no known vulnerabilities)"
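Review bot: The unchanged entries for dnsdist-1.9.1 through 1.9.3 still link only to powerdns-advisory-for-dnsdist-2024-03.html, although the advisory added in this patch states "Affects: PowerDNS DNSdist from 1.9.0 up to 1.9.8". Their status code 3 is already correct, so the open question is only which advisory an operator on those versions is sent to. Either point them at the 2025-02 advisory as well or confirm that keeping the older link is intentional. Please also confirm that dnsdist-2.0.0-alpha1 can stay at "1 Unsupported pre-release (no known vulnerabilities)", since the advisory's "Affects" and "Not affected" lines do not mention it either way.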
--- /dev/null
+PowerDNS Security Advisory 2025-02 for DNSdist: Denial of service via crafted DoH exchange
+
+CVE: CVE-2025-30194
+Date: 2025-04-29T12:00:00+02:00
+Discovery date: 2025-04-25T21:55:00+02:00
+Affects: PowerDNS DNSdist from 1.9.0 up to 1.9.8
+Not affected: PowerDNS DNSdist 1.9.9 and versions before 1.9.0
+Severity: High
+Impact: Denial of service
+Exploit: This problem can be triggered by an attacker crafting a DoH exchange
+Risk of system compromise: None
+Solution: Upgrade to patched version or temporarily switch to the h2o provider
+CWE: CWE-416
+CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+Last affected: 1.9.8
+First fixed: 1.9.9
+Internal ID: 297
+
+When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service.
+
+CVSS Score: 7.5, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedy is: upgrade to the patched 1.9.9 version.
+
+A work-around is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version.
+
+We would like to thank Charles Howes for bringing this issue to our attention.
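Review bot: The "CWE: CWE-416" header and the description paragraph disagree. CWE-416 is Use After Free, while the text calls the illegal memory access a double-free, which is CWE-415. Pick the one that matches the actual defect and make both lines agree, since scanners and downstream trackers key on the CWE field. The description also states the outcome twice ("can cause a denial of service by crafting a DoH exchange ... causing a denial of service"); dropping the trailing clause would tighten it.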
Changelog
=========
+.. changelog::
+ :version: 1.9.9
+ :released: 29th of April 2025
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 15118
+
+ Handle Quiche >= 0.23.0 since the API changed
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 15137
+
+ Fix compatibility with `boost::lockfree` >= 1.87.0
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 15164
+
+ Update Rust to 1.84.1 for our packages
+
+ .. change::
+ :tags: Security, Bug Fixes, DNS over HTTPS
+ :pullreq: 15482
+ :tickets: 15475
+
+ Fix a crash when processing timeouts for incoming DoH queries
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 15485
+
+ Gracefully handle timeout/response for a closed HTTP stream
+
.. changelog::
:version: 2.0.0-alpha1
:released: 18th of March 2025
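Review bot: The only entry tagged Security in the 1.9.9 block (pullreq 15482, "Fix a crash when processing timeouts for incoming DoH queries") does not name the advisory or CVE that this same patch introduces. If that pull request is the fix for CVE-2025-30194, say so in the entry text and reference Security Advisory 2025-02, so that someone reading only the changelog can tell that 1.9.9 is a security release. It would also help to state whether pullreq 15485 ("Gracefully handle timeout/response for a closed HTTP stream") is part of the same fix or an unrelated hardening, because it carries only the Bug Fixes tag.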