From: Otto Moerbeek Date: Wed, 2 Oct 2024 08:27:53 +0000 (+0200) Subject: rec: prep 2024-04 releases X-Git-Tag: rec-5.2.0-alpha1~52^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5477f8c61e00007f0b87145a538c57041110a39c;p=thirdparty%2Fpdns.git rec: prep 2024-04 releases --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index f305862d24..8905906820 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024100101 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024100301 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -360,22 +360,23 @@ recursor-4.8.2.security-status 60 IN TXT "3 Upgrade now recursor-4.8.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html" recursor-4.8.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.8.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" -recursor-4.8.6.security-status 60 IN TXT "1 OK" +recursor-4.8.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" recursor-4.8.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html" -recursor-4.8.8.security-status 60 IN TXT "1 OK" -recursor-4.8.9.security-status 60 IN TXT "1 OK" +recursor-4.8.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-4.8.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" recursor-4.9.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.9.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.9.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.9.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.9.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.9.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" 
-recursor-4.9.3.security-status 60 IN TXT "1 OK" +recursor-4.9.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" recursor-4.9.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html" -recursor-4.9.5.security-status 60 IN TXT "1 OK" -recursor-4.9.6.security-status 60 IN TXT "1 OK" -recursor-4.9.7.security-status 60 IN TXT "1 OK" -recursor-4.9.8.security-status 60 IN TXT "1 OK" +recursor-4.9.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-4.9.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-4.9.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-4.9.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-4.9.9.security-status 60 IN TXT "1 OK" recursor-5.0.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" 
@@ -383,18 +384,20 @@ recursor-5.0.0-rc1.security-status 60 IN TXT "3 Unsupported recursor-5.0.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.0.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" -recursor-5.0.2.security-status 60 IN TXT "1 OK" +recursor-5.0.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" recursor-5.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html" -recursor-5.0.4.security-status 60 IN TXT "1 OK" -recursor-5.0.5.security-status 60 IN TXT "1 OK" -recursor-5.0.6.security-status 60 IN TXT "1 OK" -recursor-5.0.7.security-status 60 IN TXT "1 OK" -recursor-5.0.8.security-status 60 IN TXT "1 OK" -recursor-5.1.0-alpha1.security-status 60 IN TXT "2 Superseded pre-release" -recursor-5.1.0-beta1.security-status 60 IN TXT "2 Superseded pre-release" -recursor-5.1.0-rc1.security-status 60 IN TXT "2 Superseded pre-release" -recursor-5.1.0.security-status 60 IN TXT "1 OK" -recursor-5.1.1.security-status 60 IN TXT "1 OK" +recursor-5.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.0.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.0.8.security-status 60 IN TXT "3 Upgrade now, see 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.0.9.security-status 60 IN TXT "1 OK" +recursor-5.1.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.1.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.1.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html" +recursor-5.1.2.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/pdns/recursordist/docs/changelog/4.9.rst b/pdns/recursordist/docs/changelog/4.9.rst index 7516aa84f4..a7fc4aa556 100644 --- a/pdns/recursordist/docs/changelog/4.9.rst +++ b/pdns/recursordist/docs/changelog/4.9.rst @@ -1,6 +1,16 @@ Changelogs for 4.9.X ==================== +.. changelog:: + :version: 4.9.9 + :released: 3rd of October 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: 14745 + + `Security advisory 2024-04 `__: CVE-2024-25590 + .. changelog:: :version: 4.9.8 :released: 23rd of July 2024 diff --git a/pdns/recursordist/docs/changelog/5.0.rst b/pdns/recursordist/docs/changelog/5.0.rst index fb59557cf5..f60ec23a87 100644 --- a/pdns/recursordist/docs/changelog/5.0.rst +++ b/pdns/recursordist/docs/changelog/5.0.rst 
@@ -3,6 +3,16 @@ Changelogs for 5.0.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.0.9 + :released: 3rd of October 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: 14744 + + `Security advisory 2024-04 `__: CVE-2024-25590 + .. changelog:: :version: 5.0.8 :released: 23rd of July 2024 diff --git a/pdns/recursordist/docs/changelog/5.1.rst b/pdns/recursordist/docs/changelog/5.1.rst index 6ed78884fb..520f6da318 100644 --- a/pdns/recursordist/docs/changelog/5.1.rst +++ b/pdns/recursordist/docs/changelog/5.1.rst @@ -3,6 +3,16 @@ Changelogs for 5.1.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.1.2 + :released: 3rd of October 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: 14743 + + `Security advisory 2024-04 `__: CVE-2024-25590 + .. changelog:: :version: 5.1.1 :released: 23rd of July 2024 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-04.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-04.rst new file mode 100644 index 0000000000..8ee3207919 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-04.rst 
@@ -0,0 +1,21 @@ +PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor +================================================================================================================================= + +- CVE: CVE-2024-25590 +- Date: 3rd of October 2024. +- Affects: PowerDNS Recursor up to and including 4.9.8, 5.0.8 and 5.1.1 +- Not affected: PowerDNS Recursor 4.9.9, 5.0.9 and 5.1.2 +- Severity: High +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker publishing a crafted zone +- Risk of system compromise: None +- Solution: Upgrade to patched version + +An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. + +CVSS Score: 7.5, see +https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1 + +The remedy is: upgrade to a patched version + +We would like to thank Toshifumi Sakaguchi for bringing this issue to our attention and assisting in validating the patches. diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst index 70c33f53e8..5d74e6fea8 100644 --- a/pdns/recursordist/docs/upgrade.rst +++ b/pdns/recursordist/docs/upgrade.rst 
@@ -4,11 +4,19 @@ Upgrade Guide Before upgrading, it is advised to read the :doc:`changelog/index`. When upgrading several versions, please read **all** notes applying to the upgrade. +5.1.1 to 5.1.2, 5.0.8 to 5.0.9 and 4.9.8 to 4.9.9 +------------------------------------------------- + +New settings +^^^^^^^^^^^^ +- The :ref:`setting-yaml-recordcache.max_rrset_size` setting has been introduced to limit the number of records in a result set. +- The :ref:`setting-yaml-recordcache.limit_qtype_any` setting has been introduced to limit the number of records in answers to ANY queries. + 5.1.0 to master ---------------- Changed behaviour ------------------ +^^^^^^^^^^^^^^^^^ The way :ref:`setting-yaml-incoming.max_tcp_clients` is enforced has changed. If there are too many incoming TCP connections, new connections will be accepted but then closed immediately. Previously, excess connections would linger in the OS listen queue until timeout or until processing of incoming TCP connections resumed due to the number of connections being processed dropping below the limit.
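Review bot: in docs/secpoll.zone, hunk @@ -360,22 +360,23 @@, recursor-4.8.6, 4.8.8 and 4.8.9 flip from "1 OK" to "3 Upgrade now", but no 4.8.x record with "1 OK" is added next to the new recursor-4.9.9 line, so the 4.8 branch is left with no good version in this hunk. If that is intended, say so where operators will land: the advisory's "Affects" line only gives 4.9.8, 5.0.8 and 5.1.1 as upper bounds, and a 4.8 user following the TXT link has to infer that the target is 4.9.9 or later.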
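Review bot: in docs/secpoll.zone, hunk @@ -383,18 +384,20 @@, the 5.1.0-alpha1, -beta1 and -rc1 records become "3 Superseded pre-release (known vulnerabilities)", while the 4.9.0 and 5.0.0 pre-release records visible in the same file read "3 Unsupported pre-release (known vulnerabilities)". Either use the existing string for status 3 pre-releases or confirm the new wording is deliberate, so anything matching on the TXT text sees one form per status.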
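Review bot: the three changelog hunks (changelog/4.9.rst, 5.0.rst and 5.1.rst) file the fix under ":tags: Bug Fixes" with only the advisory reference and CVE-2024-25590 as text, and none of them mentions the two settings that upgrade.rst in this same commit says these releases introduce. Add a line naming recordcache.max_rrset_size and recordcache.limit_qtype_any so the changelog entry alone tells a reader that configuration surface changed. Also confirm the advisory link in these entries carries its target; as shown on this page the backquoted text "Security advisory 2024-04" is followed directly by the closing backquote and "__" with nothing in between.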
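Review bot: in the new powerdns-advisory-2024-04.rst, the "Solution: Upgrade to patched version" bullet and the closing "The remedy is: upgrade to a patched version" sentence say the same thing, and the advisory gives no pointer to the new recordcache.max_rrset_size and recordcache.limit_qtype_any settings described in upgrade.rst. Drop one of the two remedy lines and add a reference to those settings, stating whether the upgrade alone is sufficient or whether the limits need tuning, and whether any mitigation exists for operators who cannot upgrade immediately. Minor: "Date: 3rd of October 2024." is the only bullet ending in a period.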
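Review bot: in docs/upgrade.rst, the new "5.1.1 to 5.1.2, 5.0.8 to 5.0.9 and 4.9.8 to 4.9.9" section lists both limits under "New settings" only, without their default values or what the Recursor does with a result set that exceeds the limit. Because these limits arrive in patch releases, an operator resolving zones with legitimately large RRsets needs that information before upgrading; add the defaults and the over-limit behaviour, and consider a "Changed behaviour" entry in this section as well. The underline change from "-----------------" to "^^^^^^^^^^^^^^^^^" under "5.1.0 to master" is an unrelated heading-level fix and could be called out in the commit message.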