-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025082802 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025091800 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
dnsdist-1.9.7.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
dnsdist-1.9.8.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html"
dnsdist-1.9.9.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html"
-dnsdist-1.9.10.security-status 60 IN TXT "1 OK"
+dnsdist-1.9.10.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html"
+dnsdist-1.9.11.security-status 60 IN TXT "1 OK"
dnsdist-2.0.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
-dnsdist-2.0.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-2.0.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-2.0.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-2.0.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-2.0.0.security-status 60 IN TXT "1 OK"
+dnsdist-2.0.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-2.0.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-2.0.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-2.0.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-2.0.0.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html"
+dnsdist-2.0.1.security-status 60 IN TXT "1 OK"
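Review bot: the new URL on the 1.9.10 and 2.0.0 lines (powerdns-advisory-for-dnsdist-2025-05.html) must be live before this zone is published, because a "3 Upgrade now" status that points at a missing page leaves operators without the upgrade details; please confirm the advisory page is deployed together with the serial bump. Otherwise the hunk is consistent: the SOA serial moves from 2025082802 to 2025091800 (date-based and increasing), 1.9.10 and 2.0.0 become "3 Upgrade now" with the 2025-05 link, 1.9.11 and 2.0.1 become "1 OK", and the 2.0.0 pre-releases flip from status 2 to "3 Unsupported pre-release (known vulnerabilities)", which matches the advisory's Affects range of 1.9.0 to 1.9.10 and 2.0.0.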
Changelog
=========
+.. changelog::
+ :version: 2.0.1
+ :released: 18th of September 2025
+
+ .. change::
+ :tags: Bug Fixes, Security, DNS over QUIC, DNS over HTTP3
+ :pullreq: 15920, 16003
+
+ Upgrade Cloudflare's Quiche to 0.24.5 in our packages (CVE-2025-4820, CVE-2025-4821, CVE-2025-7054)
+
+ .. change::
+ :tags: Improvements, Performance
+ :pullreq: 15925
+
+ Update rings' atomic counter without holding the lock
+
+ .. change::
+ :tags: Improvements, Performance
+ :pullreq: 15926
+
+ Return early when a rule chain is empty
+
+ .. change::
+ :tags: Improvements, Performance
+ :pullreq: 15927
+
+ Update a cache's atomic counter without holding the lock
+
+ .. change::
+ :tags: Bug Fixes, YAML
+ :pullreq: 16017
+
+ Fix QType rate dynamic block with YAML
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16018
+
+ Fix systemd template unit and restricted network families when building with meson
+
+ .. change::
+ :tags: Bug Fixes, Performance
+ :pullreq: 16019
+
+ Clean up incoming TCP connections counters once per minute
+
+ .. change::
+ :tags: Improvements, Performance
+ :pullreq: 16020
+
+ Speed up response content matching
+
+ .. change::
+ :tags: Improvements, YAML
+ :pullreq: 16029
+
+ ``dnsdist --version``: report yaml support
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 16031
+
+ Switch Docker images to Debian Trixie
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 16032
+
+ Support mnemonics for the ``Opcode`` selector
+
+ .. change::
+ :tags: Bug Fixes, Security, DNS over HTTPS
+ :pullreq: 16045
+
+ Add mitigations for the HTTP/2 MadeYouReset attack (CVE-2025-8671), fix a possible DoS in incoming DoH with ``nghttp2`` (CVE-2025-30187)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16048
+
+ Add missing generated files to the dist tarball
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16049
+
+ Don't increment in a potential macro argument
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16052
+
+ Allow building with gcc8, which needs ``-lstdc++fs`` as link argument
+
+ .. change::
+ :tags: Improvements, Performance
+ :pullreq: 16053
+
+ Only check the freshness of the configuration when needed
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 16080
+
+ Don't call ``nghttp2_session_send`` from a callback
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16081
+
+ Properly handle truncation for UDP responses sent via ``sendmmsg``
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16093
+
+ dnsdist-resolver: Fix a bug when we get new IPs for a server
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16095
+
+ Fix access to frontends while in client mode
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 16096
+
+ Fix the IO reentry guard in outgoing DoH
+
+.. changelog::
+ :version: 1.9.11
+ :released: 18th of September 2025
+
+ .. change::
+ :tags: New Features
+ :pullreq: 15635
+ :tickets: 15610
+
+ Add SetEDNSOptionResponseAction (Samir Aguiar)
+
+ .. change::
+ :tags: Bug Fixes, Security, DNS over QUIC, DNS over HTTP3
+ :pullreq: 15921, 16004
+
+ Upgrade Cloudflare's Quiche to 0.24.5 in our packages (CVE-2025-4820, CVE-2025-4821, CVE-2025-7054)
+
+ .. change::
+ :tags: Bug Fixes, Security, DNS over HTTPS
+ :pullreq: 16036
+
+ Upgrade h2o to 2.2.6-pdns3 in our packages (CVE-2025-8671)
+
+ .. change::
+ :tags: Bug Fixes, Security, DNS over HTTPS
+ :pullreq: 16047
+
+ Add mitigations for the HTTP/2 MadeYouReset attack (CVE-2025-8671), fix a possible DoS in incoming DoH with ``nghttp2`` (CVE-2025-30187)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16051
+
+ Don't increment in a potential macro argument
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 16086
+ :tickets: 16015
+
+ Don't call ``nghttp2_session_send`` from a callback
+
+ .. change::
+ :tags: Bug Fixes, DNS over HTTPS
+ :pullreq: 16097
+
+ Fix the IO reentry guard in outgoing DoH
+
.. changelog::
:version: 2.0.0
:released: 21st of July 2025
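Review bot: the two entries that record CVE-2025-30187 (pullreq 16045 under 2.0.1 and 16047 under 1.9.11) describe it only as "fix a possible DoS in incoming DoH with nghttp2" and give no pointer to Security Advisory 2025-05, so a reader of the changelog cannot find the affected range (1.9.0 to 1.9.10, 2.0.0) or the h2o-provider workaround; consider appending a reference to the advisory to both entries, as the zone file in this same change already links it. Minor: those same entries bundle two CVEs with separate fixes (the MadeYouReset mitigations for CVE-2025-8671 and the nghttp2 read-loop fix for CVE-2025-30187) in one line; splitting them into two changes would make per-CVE tracking easier.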
--- /dev/null
+PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange
+==========================================================================================
+
+- CVE: CVE-2025-30187
+- Date: 2025-09-18T12:00:00+02:00
+- Discovery date: 2025-08-26T00:00:00+02:00
+- Affects: PowerDNS DNSdist from 1.9.0 to 1.9.10, 2.0.0
+- Not affected: PowerDNS DNSdist 1.9.11, 2.0.1
+- Severity: Low
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker crafting a DoH exchange
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or use the h2o provider
+- CWE: CWE-835
+- CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
+- Last affected: 2.0.0
+- First fixed: 2.0.1
+- Internal ID: 308
+
+In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.
+
+`CVSS Score: 3.7 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1>`__
+
+The remedy is: upgrade to the patched version, or switch to the h2o provider.
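Review bot: the Solution line and the closing sentence offer switching to the h2o provider as an alternative to upgrading, but the 1.9.11 changelog in this same change upgrades h2o to 2.2.6-pdns3 for CVE-2025-8671; the workaround text should state that the h2o provider is only a safe alternative when that updated h2o package is installed, otherwise an operator who switches providers on an unpatched 1.9.x install trades one DoS for another. Also consider naming the patched versions (1.9.11, 2.0.1) in the remedy sentence so it is self-contained. The rest checks out: the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L computes to 3.7 as stated, CWE-835 (infinite loop) matches the "unbounded I/O read loop" description, and the Affects, Not affected, Last affected and First fixed lines agree with the security-status zone entries.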