From: Otto Moerbeek Date: Mon, 7 Apr 2025 11:06:10 +0000 (+0200) Subject: rec: prep for rec-5.2.1 X-Git-Tag: dnsdist-2.0.0-alpha2~94^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=385484f0e632827736f9ff9f59aa5614d13afde2;p=thirdparty%2Fpdns.git rec: prep for rec-5.2.1 --- diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index 1af94f28fd..26297ebeaa 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -588,6 +588,7 @@ ifportup ifurlextup ifurlup ihsinme +Ilyin imenu Imhard incbin @@ -1508,6 +1509,7 @@ Vixie vla Voegeli Volker +Volodymyr voxel Vranken vulns diff --git a/docs/secpoll.zone b/docs/secpoll.zone index fbde2a77cd..4b8d9d1657 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025031801 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025040701 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. @@ -403,10 +403,11 @@ recursor-5.1.0.security-status 60 IN TXT "3 Upgrade now recursor-5.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" recursor-5.1.2.security-status 60 IN TXT "1 OK" recursor-5.1.3.security-status 60 IN TXT "1 OK" -recursor-5.2.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release" -recursor-5.2.0-beta1.security-status 60 IN TXT "1 Unsupported pre-release" -recursor-5.2.0-rc1.security-status 60 IN TXT "1 Unsupported pre-release" -recursor-5.2.0.security-status 60 IN TXT "1 OK" +recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.2.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-01.html" +recursor-5.2.1.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/pdns/recursordist/docs/changelog/5.2.rst b/pdns/recursordist/docs/changelog/5.2.rst index 4d4a02c165..eeae5347d5 100644 --- a/pdns/recursordist/docs/changelog/5.2.rst +++ b/pdns/recursordist/docs/changelog/5.2.rst @@ -3,6 +3,16 @@ Changelogs for 5.2.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.2.1 + :released: 7th of April 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 15396 + + Fix PowerDNS Security Advisory 2025-01 (CVE-2025-30195): A crafted zone can lead to an illegal memory access in the Recursor. + .. changelog:: :version: 5.2.0 :released: 14th of January 2025 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-01.rst new file mode 100644 index 0000000000..d287d5c1ea --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-01.rst @@ -0,0 +1,22 @@ +PowerDNS Security Advisory 2025-01: A crafted zone can lead to an illegal memory access in the Recursor +======================================================================================================= + +- CVE: CVE-2025-30195 +- Date: 7th of April 2025. +- Affects: PowerDNS Recursor 5.2.0 +- Not affected: PowerDNS Recursor 5.2.1 and versions before 5.2.0 +- Severity: High +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker publishing a crafted zone +- Risk of system compromise: None +- Solution: Upgrade to patched version + + +An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to an illegal memory accesses and crash of the Recursor, causing a denial of service. + +CVSS Score: 7.5, see +https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1 + +The remedy is: upgrade to the patched 5.2.1 version. + +We would like to thank Volodymyr Ilyin for bringing this issue to our attention.