Prep for 2022-01 11452/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 25 Mar 2022 08:04:19 +0000 (09:04 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 25 Mar 2022 08:28:09 +0000 (09:28 +0100)
docs/changelog/4.4.rst
docs/changelog/4.5.rst
docs/changelog/4.6.rst
docs/secpoll.zone
docs/security-advisories/powerdns-advisory-2022-01.rst [new file with mode: 0644]
pdns/recursordist/docs/changelog/4.4.rst
pdns/recursordist/docs/changelog/4.5.rst
pdns/recursordist/docs/changelog/4.6.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-01.rst [new file with mode: 0644]

index eab80f0e2b30b3e2fe5cb0654d24b9be49cdf322..7cae4f799ef698ff9718d3bb2aceaccd1b9f247e 100644 (file)
@@ -1,5 +1,17 @@
 Changelogs for 4.4.x
 ====================
+.. changelog::
+  :version: 4.4.3
+  :released: 25th of March 2022
+
+  This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`.
+  Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: XXXXX
+
+    Fix validation of incremental zone transfers (IXFRs).
 
 .. changelog::
   :version: 4.4.2
index f25926a02a2056b524a192d250fa3310f17141b8..ec8bdf53528ed14c9f84be67d09dd8bc3cfb0e03 100644 (file)
@@ -1,6 +1,19 @@
 Changelogs for 4.5.x
 ====================
 
+.. changelog::
+  :version: 4.5.4
+  :released: 25th of March 2022
+
+  This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`.
+  Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: XXXXX
+
+    Fix validation of incremental zone transfers (IXFRs).
+
 .. changelog::
   :version: 4.5.3
   :released: 21th of January 2022
index cdb7bffd06b9f2a5375fbe947ad5e70b28d5858b..f55fc4193e82a5e7682d6c839cb2bc59df6b9977 100644 (file)
@@ -1,6 +1,19 @@
 Changelogs for 4.6.x
 ====================
 
+.. changelog::
+  :version: 4.6.1
+  :released: 25th of March 2022
+
+  This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`.
+  Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: XXXXX
+
+    Fix validation of incremental zone transfers (IXFRs).
+
 .. changelog::
   :version: 4.6.0
   :released: 25th of January 2022
index f4306335ba796d2fa3720fbad7ba60bd82453b47..b1fe747104f86d4fcd558f3c1fe0a54ca22c860e 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022022801 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022032507 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -74,36 +74,39 @@ auth-4.2.0-rc3.security-status                          60 IN TXT "3 Unsupported
 auth-4.2.0.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
 auth-4.2.1.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
 auth-4.2.2.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
-auth-4.2.3.security-status                              60 IN TXT "1 OK"
+auth-4.2.3.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
 auth-4.3.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.3.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.3.0-beta2.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.3.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.3.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.3.0.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
-auth-4.3.1.security-status                              60 IN TXT "1 OK"
-auth-4.3.2.security-status                              60 IN TXT "1 OK"
-auth-4.4.0-alpha1.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.4.0-alpha2.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.4.0-alpha3.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.4.0-beta1.security-status                        60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.4.0-rc1.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-auth-4.4.0.security-status                              60 IN TXT "1 OK"
-auth-4.4.1.security-status                              60 IN TXT "1 OK"
-auth-4.4.2.security-status                              60 IN TXT "1 OK"
+auth-4.3.1.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.3.2.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.4.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.4.0-alpha2.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.4.0-alpha3.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.4.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.4.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.4.0.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.4.1.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.4.2.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.4.3.security-status                              60 IN TXT "1 OK"
 auth-4.5.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.5.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.5.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.5.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 auth-4.5.0.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html"
-auth-4.5.1.security-status                              60 IN TXT "1 OK"
-auth-4.5.2.security-status                              60 IN TXT "1 OK"
-auth-4.5.3.security-status                              60 IN TXT "1 OK"
-auth-4.6.0-alpha1.security-status                       60 IN TXT "2 Unsupported pre-release, superseded by 4.6.0"
-auth-4.6.0-beta1.security-status                        60 IN TXT "2 Unsupported pre-release, superseded by 4.6.0"
-auth-4.6.0-rc1.security-status                          60 IN TXT "2 Unsupported pre-release, superseded by 4.6.0"
-auth-4.6.0.security-status                              60 IN TXT "1 OK"
-auth-4.7.0-alpha1.security-status                       60 IN TXT "1 Unsupported pre-release"
+auth-4.5.1.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.5.2.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.5.3.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.5.4.security-status                              60 IN TXT "1 OK"
+auth-4.6.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.6.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.6.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+auth-4.6.0.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html""
+auth-4.6.1.security-status                              60 IN TXT "1 OK"
+auth-4.7.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 
 ; Auth Debian
 auth-3.4.1-2.debian.security-status                     60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
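Review bot: The rewritten auth records for 4.2.3, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.5.1, 4.5.2, 4.5.3 and 4.6.0 end in a doubled closing quote (`...powerdns-advisory-2022-01.html""`), which leaves an unterminated quoted string on each line and will most likely make the whole zone fail to load, so security polling would break for every version rather than only these. The recursor hunk of this same change writes the record correctly with a single closing quote, e.g. `auth-4.4.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html"` is the form these ten lines should take. Since these TXT answers are what deployed instances use to learn they are vulnerable, a zone syntax check (for example with `named-checkzone`) before the zone is published would catch this class of error.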
@@ -266,43 +269,46 @@ recursor-4.3.1.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.3.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
 recursor-4.3.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
 recursor-4.3.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
-recursor-4.3.5.security-status                          60 IN TXT "1 OK"
-recursor-4.3.6.security-status                          60 IN TXT "1 OK"
-recursor-4.3.7.security-status                          60 IN TXT "1 OK"
+recursor-4.3.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.3.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.3.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.4.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
-recursor-4.4.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release"
-recursor-4.4.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release"
-recursor-4.4.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release"
-recursor-4.4.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release"
-recursor-4.4.0.security-status                          60 IN TXT "1 OK"
-recursor-4.4.1.security-status                          60 IN TXT "1 OK"
-recursor-4.4.2.security-status                          60 IN TXT "1 OK"
-recursor-4.4.3.security-status                          60 IN TXT "1 OK"
-recursor-4.4.4.security-status                          60 IN TXT "1 OK"
-recursor-4.4.5.security-status                          60 IN TXT "1 OK"
-recursor-4.4.6.security-status                          60 IN TXT "1 OK"
-recursor-4.4.7.security-status                          60 IN TXT "1 OK"
-recursor-4.5.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release"
-recursor-4.5.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release"
-recursor-4.5.0-alpha3.security-status                   60 IN TXT "3 Unsupported pre-release"
-recursor-4.5.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release"
-recursor-4.5.0-beta2.security-status                    60 IN TXT "3 Unsupported pre-release"
-recursor-4.5.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release"
-recursor-4.5.0.security-status                          60 IN TXT "2 Unsupported pre-release"
-recursor-4.5.1.security-status                          60 IN TXT "1 OK"
-recursor-4.5.2.security-status                          60 IN TXT "1 OK"
-recursor-4.5.3.security-status                          60 IN TXT "2 Unsupported pre-release"
-recursor-4.5.4.security-status                          60 IN TXT "1 OK"
-recursor-4.5.5.security-status                          60 IN TXT "1 OK"
-recursor-4.5.6.security-status                          60 IN TXT "1 OK"
-recursor-4.5.7.security-status                          60 IN TXT "1 OK"
-recursor-4.6.0-alpha1.security-status                   60 IN TXT "2 Unsupported pre-release"
-recursor-4.6.0-alpha2.security-status                   60 IN TXT "2 Unsupported pre-release"
-recursor-4.6.0-beta1.security-status                    60 IN TXT "2 Unsupported pre-release"
-recursor-4.6.0-beta2.security-status                    60 IN TXT "2 Unsupported pre-release"
-recursor-4.6.0-rc1.security-status                      60 IN TXT "2 Unsupported pre-release"
-recursor-4.6.0.security-status                          60 IN TXT "1 OK"
-recursor-4.7.0-alpha1.security-status                   60 IN TXT "1 Unsupported pre-release"
+recursor-4.4.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.4.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.4.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.4.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.4.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.4.8.security-status                          60 IN TXT "1 OK"
+recursor-4.5.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.0-alpha3.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.0-beta2.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.0.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.5.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.5.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.5.3.security-status                          60 IN TXT "3 Unsupported pre-release" (known vulnerabilities)
+recursor-4.5.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.5.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.5.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.5.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.5.8.security-status                          60 IN TXT "1 OK"
+recursor-4.6.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.6.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.6.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.6.0-beta2.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.6.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.6.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
+recursor-4.6.1.security-status                          60 IN TXT "1 OK"
+recursor-4.7.0-alpha1.security-status                   60 IN TXT "1 Unsupported pre-release (known vulnerabilities)"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
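Review bot: The recursor-4.5.3 record has its parenthetical outside the quoted string (`"3 Unsupported pre-release" (known vulnerabilities)`), leaving stray tokens after the TXT rdata; it should read `recursor-4.5.3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"` like the neighbouring pre-release lines. Separately, recursor-4.7.0-alpha1 keeps status code `1` while its text now says `(known vulnerabilities)`; in this zone `1` is the "OK" status, and the parallel auth-4.7.0-alpha1 line in this commit uses `3`, so the alpha would be reported as fine to pollers even though it predates the fix — the line should presumably be `recursor-4.7.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"`. It may also be worth confirming whether recursor-4.5.0 is meant to carry the "Unsupported pre-release" wording, as it is a release rather than a pre-release, though that wording predates this change.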
diff --git a/docs/security-advisories/powerdns-advisory-2022-01.rst b/docs/security-advisories/powerdns-advisory-2022-01.rst
new file mode 100644 (file)
index 0000000..2a3cda2
--- /dev/null
@@ -0,0 +1,22 @@
+PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
+========================================================================================================================
+
+- CVE: CVE-2022-27227
+- Date: 25th of March 2022.
+- Affects: PowerDNS Authoritative version 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7 and 4.6.0
+- Not affected: PowerDNS Authoritative Server 4.4.3, 4.5.4, 4.6.1 and PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1
+- Severity: Low
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker controlling the network path for IXFR transfers
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, do not use IXFR in Authoritative Server
+
+- In the Authoritative server this issue only applies to secondary zones for which IXFR transfers have been enabled and the network path to the primary server is not trusted. Note that IXFR transfers are not enabled by default.
+-  In the Recursor it applies to setups retrieving one or more RPZ zones from a remote server if the network path to the server is not trusted.
+
+IXFR usually exchanges only the modifications between two versions of a zone, but sometimes needs to fall back to a full transfer of the current version.
+When IXFR falls back to a full zone transfer, an attacker in position of man-in-the-middle can cause the transfer to be prematurely interrupted. This interrupted transfer is mistakenly interpreted as a complete transfer, causing an incomplete zone to be processed.
+For the Authoritative Server, IXFR transfers are not enabled by default.
+The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ transfer results in missing policy entries, potentially causing some DNS names and IP addresses to not be properly intercepted.
+
+We would like to thank Nicolas Dehaine and Dmitry Shabanov from ThreatSTOP for reporting and initial analysis of this issue.
index 2b729a3e75a46f074fd1e21a86b47ec659ed3b59..f19928ac32bcbba48b21671d6ee5348f388784e0 100644 (file)
@@ -1,6 +1,19 @@
 Changelogs for 4.4.x
 ====================
 
+.. changelog::
+  :version: 4.4.8
+  :released: 25th of March 2022
+
+  This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`.
+  Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: XXXXX
+
+    Fix validation of incremental zone transfers (IXFRs). 
+
 .. changelog::
   :version: 4.4.7
   :released: 5th of November 2021
index 371f9c5bdbf5a03d0440e5d69e3eadb70727ff7d..9d1646fd6bcfd3a89694976684f619097e8c590d 100644 (file)
@@ -1,5 +1,19 @@
 Changelogs for 4.5.X
 ====================
+
+.. changelog::
+  :version: 4.5.8
+  :released: 25th of March 2022
+
+  This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`.
+  Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: XXXXX
+
+    Fix validation of incremental zone transfers (IXFRs).
+
 .. changelog::
   :version: 4.5.7
   :released: 5th of November 2021
index b8caa6c7fa3451e875f6be8742e59482f445373b..9740d8b7d3484256683e2acd4b774ea9dc1d1efc 100644 (file)
@@ -1,6 +1,19 @@
 Changelogs for 4.6.X
 ====================
 
+.. changelog::
+  :version: 4.6.1
+  :released: 25th of March 2022
+
+  This is a security fix release for :doc:`PowerDNS Security Advisory 2022-01 <../security-advisories/powerdns-advisory-2022-01>`.
+  Additionally, because CentOS 8 is End Of Life now, we have switched those builds to Oracle Linux 8. The resulting packages are compatible with RHEL and all derivatives.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: XXXXX
+
+    Fix validation of incremental zone transfers (IXFRs).
+
 .. changelog::
   :version: 4.6.0
   :released: 17th of December 2021
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2022-01.rst
new file mode 100644 (file)
index 0000000..2a3cda2
--- /dev/null
@@ -0,0 +1,22 @@
+PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
+========================================================================================================================
+
+- CVE: CVE-2022-27227
+- Date: 25th of March 2022.
+- Affects: PowerDNS Authoritative version 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7 and 4.6.0
+- Not affected: PowerDNS Authoritative Server 4.4.3, 4.5.4, 4.6.1 and PowerDNS Recursor 4.4.8, 4.5.8 and 4.6.1
+- Severity: Low
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker controlling the network path for IXFR transfers
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, do not use IXFR in Authoritative Server
+
+- In the Authoritative server this issue only applies to secondary zones for which IXFR transfers have been enabled and the network path to the primary server is not trusted. Note that IXFR transfers are not enabled by default.
+-  In the Recursor it applies to setups retrieving one or more RPZ zones from a remote server if the network path to the server is not trusted.
+
+IXFR usually exchanges only the modifications between two versions of a zone, but sometimes needs to fall back to a full transfer of the current version.
+When IXFR falls back to a full zone transfer, an attacker in position of man-in-the-middle can cause the transfer to be prematurely interrupted. This interrupted transfer is mistakenly interpreted as a complete transfer, causing an incomplete zone to be processed.
+For the Authoritative Server, IXFR transfers are not enabled by default.
+The Recursor only uses IXFR for retrieving RPZ zones. An incomplete RPZ transfer results in missing policy entries, potentially causing some DNS names and IP addresses to not be properly intercepted.
+
+We would like to thank Nicolas Dehaine and Dmitry Shabanov from ThreatSTOP for reporting and initial analysis of this issue.