Prep for rec Oct 13th 2020 security releases 9606/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 7 Oct 2020 10:36:15 +0000 (12:36 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 13 Oct 2020 10:42:16 +0000 (12:42 +0200)
.github/actions/spell-check/expect.txt
docs/secpoll.zone
pdns/recursordist/docs/changelog/4.1.rst
pdns/recursordist/docs/changelog/4.2.rst
pdns/recursordist/docs/changelog/4.3.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-07.rst [new file with mode: 0644]

index 06bb794a6213db690b544787857f40a0a1f0f559..6199044115f1bd58adf33d0eb2fc37ac4af92d18 100644 (file)
@@ -744,6 +744,7 @@ getaddrinfo
 getaddrs
 getalldomainmetadata
 getbeforeandafternamesabsolute
+getcarbonhostname
 getdomaininfo
 getdomainkeys
 getdomainmetadata
index ad2726aa1ab3b874c77a5fd0218b3f1f1bd746bb..d9afd3e7bf492b28ce2a8e1622936287be189855 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020100600 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020101300 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -185,7 +185,7 @@ recursor-4.0.5.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.0.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html"
 recursor-4.0.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html"
 recursor-4.0.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"
-recursor-4.0.9.security-status                          60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.0.9.security-status                          60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.1.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html"
 recursor-4.1.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html"
 recursor-4.1.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html"
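Review bot: The new text for recursor-4.0.9 raises the status to 3 and says "known vulnerabilities", but unlike the other status-3 release records in this hunk it gives no advisory URL, so an operator who sees this string has nothing to look up. If the bump is due to advisory 2020-07, which the later hunks cite for 4.1.17, 4.2.3–4.2.4 and 4.3.2–4.3.4, append the link: `"3 Unsupported release (EOL and known vulnerabilities), see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"`. The advisory added in this commit gives the affected range as "up to and including 4.3.4, 4.2.4 and 4.1.17", which leaves 4.0.x implicit; stating it there would keep the advisory and this record in agreement.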
@@ -207,7 +207,9 @@ recursor-4.1.13.security-status                         60 IN TXT "3 Upgrade now
 recursor-4.1.14.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.1.15.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.1.16.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
-recursor-4.1.17.security-status                         60 IN TXT "1 OK"
+recursor-4.1.17.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
+recursor-4.1.18.security-status                         60 IN TXT "1 OK"
+
 recursor-4.2.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -215,8 +217,10 @@ recursor-4.2.0-rc2.security-status                      60 IN TXT "3 Unsupported
 recursor-4.2.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.2.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.2.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
-recursor-4.2.3.security-status                          60 IN TXT "1 OK"
-recursor-4.2.4.security-status                          60 IN TXT "1 OK"
+recursor-4.2.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
+recursor-4.2.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
+recursor-4.2.5.security-status                          60 IN TXT "1 OK"
+
 recursor-4.3.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-alpha3.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -226,9 +230,10 @@ recursor-4.3.0-rc1.security-status                      60 IN TXT "3 Unsupported
 recursor-4.3.0-rc2.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.3.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
-recursor-4.3.2.security-status                          60 IN TXT "1 OK"
-recursor-4.3.3.security-status                          60 IN TXT "1 OK"
-recursor-4.3.4.security-status                          60 IN TXT "1 OK"
+recursor-4.3.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
+recursor-4.3.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
+recursor-4.3.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
+recursor-4.3.5.security-status                          60 IN TXT "1 OK"
 recursor-4.4.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.4.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release"
 recursor-4.4.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release"
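Review bot: The 4.4.0-alpha2 and 4.4.0-beta1 records in the trailing context still read `"3 Unsupported pre-release"`, while 4.4.0-alpha1 and the 4.2/4.3 pre-releases carry "(known vulnerabilities)". This commit points 4.3.2 through 4.3.4 at the 2020-07 advisory but leaves those two records untouched. Whether those pre-releases contain the fix is not visible from this page, so it needs confirming; if they predate it, use `"3 Unsupported pre-release (known vulnerabilities)"` for both so the human-readable text matches the rest of the zone. Separately, the 4.1 and 4.2 hunks add a blank line after the new "1 OK" record and this hunk does not, so the 4.3 and 4.4 groups run together.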
index 67a25ac7a64cc4119676952d173084a81ca1c6a2..8d4318908c8846045cc7b233fb30acacd857ee18 100644 (file)
@@ -1,6 +1,16 @@
 Changelogs for 4.1.x
 ====================
 
+.. changelog::
+  :version: 4.1.18
+  :released: 13th of October 2020
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9601
+
+    Backport of CVE-2020-25829: Cache pollution.
+
 .. changelog::
   :version: 4.1.17
   :released: 1st of July 2020
index 1da98268fb2a4a96893f6eb0ef5d34fb118ef18b..edd7f1cc1adb0a8c3ed7a195e6938cf481574585 100644 (file)
@@ -1,5 +1,43 @@
 Changelogs for 4.2.x
 ====================
+
+.. changelog::
+  :version: 4.2.5
+  :released: 13th of October 2020
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9603
+
+    Backport of CVE-2020-25829: Cache pollution.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9508
+    :tickets: 9497
+
+    Raise an exception on invalid content in unknown records.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9502
+    :tickets: 9070
+
+    Boost 1.73 moved boost::bind placeholders to the placeholders namespace.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9456
+    :tickets: 9454
+
+    Fix the parsing of `dont-throttle-netmasks` in the presence of `dont-throttle-names`.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9368
+
+    Resize hostname to final size in getcarbonhostname().
+
 .. changelog::
   :version: 4.2.4
   :released: 17th of July 2020
index d5ed14ae2e8c55b1a4a97fc8128d8f8b63e43c7e..b2f3de1dfd3f0011e1e4255a9a468aba28641a10 100644 (file)
@@ -1,6 +1,50 @@
 Changelogs for 4.3.x
 ====================
 
+.. changelog::
+  :version: 4.3.5
+  :released: 13th of October 2020
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9604
+
+    Backport of CVE-2020-25829: Cache pollution.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 9527
+
+    Log when going Bogus because of a missing SOA in authority.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9525
+    :tickets: 9495
+
+    Watch the descriptor again after an out-of-order read timeout.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9507
+    :tickets: 9497
+
+    Raise an exception on invalid content in unknown records.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9501
+    :tickets: 9070
+
+    Boost 1.73 moved boost::bind placeholders to the placeholders namespace.x
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 9457
+    :tickets: 9454
+
+    Fix the parsing of `dont-throttle-netmasks` in the presence of `dont-throttle-names`.
+
 .. changelog::
   :version: 4.3.4
   :released: 8th of September 2020
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-07.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-07.rst
new file mode 100644 (file)
index 0000000..b1e6f29
--- /dev/null
@@ -0,0 +1,22 @@
+PowerDNS Security Advisory 2020-07: Cache pollution
+===================================================
+
+-  CVE: CVE-2020-25829
+-  Date: 13th of October 2020
+-  Affects: PowerDNS Recursor up to and including 4.3.4, 4.2.4 and 4.1.17
+-  Not affected: 4.3.5, 4.2.5, 4.1.18
+-  Severity: High
+-  Impact: Denial of service
+-  Exploit: This problem can be triggered by sending DNS queries
+-  Risk of system compromise: No
+-  Solution: Upgrade to a non-affected version
+-  Workaround: Filter ANY queries to prevent them from reaching the
+   recursor.
+
+An issue has been found in PowerDNS Recursor where a remote attacker
+can cause the cached records for a given name to be updated to the
+'Bogus' DNSSEC validation state, instead of their actual DNSSEC
+'Secure' state, via a DNS ANY query. This results in a denial of
+service for installations that always validate (dnssec=validate)
+and for clients requesting validation when on-demand validation is
+enabled (dnssec=process).