From: Remi Gacogne Date: Tue, 9 Sep 2025 08:53:18 +0000 (+0200) Subject: dnsdist: Update security polling and changelog for 1.9.11, 2.0.1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aff30ba816f515382d33d78b0fa9bd84192806c4;p=thirdparty%2Fpdns.git dnsdist: Update security polling and changelog for 1.9.11, 2.0.1 Signed-off-by: Remi Gacogne --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 697906d854..b76a18282f 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025082802 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025091800 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
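Review bot: the new SOA serial 2025091800 encodes 18 September 2025, nine days after this commit's own date (Tue, 9 Sep 2025), so if docs/secpoll.zone is published from this branch before release day the zone will tell 1.9.10 and 2.0.0 installations to "Upgrade now" to versions that do not exist yet, and will link to an advisory page that is not live; hold the zone deployment until the release is out, or confirm that the published zone is only regenerated from a tagged release. The serial itself is well-formed and increases monotonically from the previous 2025082802 in the YYYYMMDDnn convention the file already uses.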
@@ -606,10 +606,12 @@ dnsdist-1.9.6.security-status 60 IN TXT "3 Upgrade dnsdist-1.9.7.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" dnsdist-1.9.8.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" dnsdist-1.9.9.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html" -dnsdist-1.9.10.security-status 60 IN TXT "1 OK" +dnsdist-1.9.10.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html" +dnsdist-1.9.11.security-status 60 IN TXT "1 OK" dnsdist-2.0.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" -dnsdist-2.0.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -dnsdist-2.0.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -dnsdist-2.0.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -dnsdist-2.0.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -dnsdist-2.0.0.security-status 60 IN TXT "1 OK" +dnsdist-2.0.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +dnsdist-2.0.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +dnsdist-2.0.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +dnsdist-2.0.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" +dnsdist-2.0.0.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html" +dnsdist-2.0.1.security-status 60 IN TXT "1 OK" 
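Review bot: the 2.0.0-alpha2, beta1, rc1 and rc2 records flip from "2 Unsupported pre-release (no known vulnerabilities)" to "3 Unsupported pre-release (known vulnerabilities)", but the advisory added in this same commit states "Affects: PowerDNS DNSdist from 1.9.0 to 1.9.10, 2.0.0" and never names the 2.0.0 pre-releases; the two documents should agree, so either add the pre-releases to the advisory's Affects line or spell out somewhere that the status bump is inherited from 2.0.0. The rest of the hunk is consistent with the advisory: 1.9.10 and 2.0.0 move to "3 Upgrade now" pointing at powerdns-advisory-for-dnsdist-2025-05.html, and the new 1.9.11 and 2.0.1 records are "1 OK", matching the advisory's "Not affected" line; the 60-second TTL on the added records matches the neighbouring entries.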
diff --git a/pdns/dnsdistdist/docs/changelog.rst b/pdns/dnsdistdist/docs/changelog.rst index d0badfb2e1..6baa4217f7 100644 --- a/pdns/dnsdistdist/docs/changelog.rst +++ b/pdns/dnsdistdist/docs/changelog.rst 
@@ -1,6 +1,184 @@ Changelog ========= +.. changelog:: + :version: 2.0.1 + :released: 18th of September 2025 + + .. change:: + :tags: Bug Fixes, Security, DNS over QUIC, DNS over HTTP3 + :pullreq: 15920, 16003 + + Upgrade Cloudflare's Quiche to 0.24.5 in our packages (CVE-2025-4820, CVE-2025-4821, CVE-2025-7054) + + .. change:: + :tags: Improvements, Performance + :pullreq: 15925 + + Update rings' atomic counter without holding the lock + + .. change:: + :tags: Improvements, Performance + :pullreq: 15926 + + Return early when a rule chain is empty + + .. change:: + :tags: Improvements, Performance + :pullreq: 15927 + + Update a cache's atomic counter without holding the lock + + .. change:: + :tags: Bug Fixes, YAML + :pullreq: 16017 + + Fix QType rate dynamic block with YAML + + .. change:: + :tags: Bug Fixes + :pullreq: 16018 + + Fix systemd template unit and restricted network families when building with meson + + .. change:: + :tags: Bug Fixes, Performance + :pullreq: 16019 + + Clean up incoming TCP connections counters once per minute + + .. change:: + :tags: Improvements, Performance + :pullreq: 16020 + + Speed up response content matching + + .. change:: + :tags: Improvements, YAML + :pullreq: 16029 + + ``dnsdist --version``: report yaml support + + .. change:: + :tags: Improvements + :pullreq: 16031 + + Switch Docker images to Debian Trixie + + .. change:: + :tags: Improvements + :pullreq: 16032 + + Support mnemonics for the ``Opcode`` selector + + .. change:: + :tags: Bug Fixes, Security, DNS over HTTPS + :pullreq: 16045 + + Add mitigations for the HTTP/2 MadeYouReset attack (CVE-2025-8671), fix a possible DoS in incoming DoH with ``nghttp2`` (CVE-2025-30187) + + .. change:: + :tags: Bug Fixes + :pullreq: 16048 + + Add missing generated files to the dist tarball + + .. change:: + :tags: Bug Fixes + :pullreq: 16049 + + Don't increment in a potential macro argument + + .. 
change:: + :tags: Bug Fixes + :pullreq: 16052 + + Allow building with gcc8, which needs ``-lstdc++fs`` as link argument + + .. change:: + :tags: Improvements, Performance + :pullreq: 16053 + + Only check the freshness of the configuration when needed + + .. change:: + :tags: Bug Fixes, DNS over HTTPS + :pullreq: 16080 + + Don't call ``nghttp2_session_send`` from a callback + + .. change:: + :tags: Bug Fixes + :pullreq: 16081 + + Properly handle truncation for UDP responses sent via ``sendmmsg`` + + .. change:: + :tags: Bug Fixes + :pullreq: 16093 + + dnsdist-resolver: Fix a bug when we get new IPs for a server + + .. change:: + :tags: Bug Fixes + :pullreq: 16095 + + Fix access to frontends while in client mode + + .. change:: + :tags: Bug Fixes, DNS over HTTPS + :pullreq: 16096 + + Fix the IO reentry guard in outgoing DoH + +.. changelog:: + :version: 1.9.11 + :released: 18th of September 2025 + + .. change:: + :tags: New Features + :pullreq: 15635 + :tickets: 15610 + + Add SetEDNSOptionResponseAction (Samir Aguiar) + + .. change:: + :tags: Bug Fixes, Security, DNS over QUIC, DNS over HTTP3 + :pullreq: 15921, 16004 + + Upgrade Cloudflare's Quiche to 0.24.5 in our packages (CVE-2025-4820, CVE-2025-4821, CVE-2025-7054) + + .. change:: + :tags: Bug Fixes, Security, DNS over HTTPS + :pullreq: 16036 + + Upgrade h2o to 2.2.6-pdns3 in our packages (CVE-2025-8671) + + .. change:: + :tags: Bug Fixes, Security, DNS over HTTPS + :pullreq: 16047 + + Add mitigations for the HTTP/2 MadeYouReset attack (CVE-2025-8671), fix a possible DoS in incoming DoH with ``nghttp2`` (CVE-2025-30187) + + .. change:: + :tags: Bug Fixes + :pullreq: 16051 + + Don't increment in a potential macro argument + + .. change:: + :tags: Bug Fixes, DNS over HTTPS + :pullreq: 16086 + :tickets: 16015 + + Don't call ``nghttp2_session_send`` from a callback + + .. change:: + :tags: Bug Fixes, DNS over HTTPS + :pullreq: 16097 + + Fix the IO reentry guard in outgoing DoH + .. 
changelog:: :version: 2.0.0 :released: 21st of July 2025 diff --git a/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2025-05.rst b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2025-05.rst new file mode 100644 index 0000000000..f7304b1d2e --- /dev/null +++ b/pdns/dnsdistdist/docs/security-advisories/powerdns-advisory-for-dnsdist-2025-05.rst @@ -0,0 +1,24 @@ +PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange +========================================================================================== + +- CVE: CVE-2025-30187 +- Date: 2025-09-18T12:00:00+02:00 +- Discovery date: 2025-08-26T00:00:00+02:00 +- Affects: PowerDNS DNSdist from 1.9.0 to 1.9.10, 2.0.0 +- Not affected: PowerDNS DNSdist 1.9.11, 2.0.1 +- Severity: Low +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker crafting a DoH exchange +- Risk of system compromise: None +- Solution: Upgrade to patched version or use the h2o provider +- CWE: CWE-835 +- CVSS: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L +- Last affected: 2.0.0 +- First fixed: 2.0.1 +- Internal ID: 308 + +In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. + +`CVSS Score: 3.7 `__ + +The remedy is: upgrade to the patched version, or switch to the h2o provider.
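Review bot: the 2.0.1 and 1.9.11 changelog entries cite four CVEs that no advisory in this commit covers (CVE-2025-4820, CVE-2025-4821 and CVE-2025-7054 for the Quiche 0.24.5 upgrade, CVE-2025-8671 for the HTTP/2 MadeYouReset mitigations and the h2o 2.2.6-pdns3 upgrade), while the only new advisory file is powerdns-advisory-for-dnsdist-2025-05 for CVE-2025-30187 and the secpoll records point only there; if the others are being treated as third-party-library issues closed by the packaged dependency upgrades (the "in our packages" wording suggests so), a sentence saying that in the 2025-05 advisory, or next to these changelog entries, would stop readers from searching for advisories that do not exist. Minor: in the 1.9.11 block both "Upgrade h2o to 2.2.6-pdns3" (pullreq 16036) and "Add mitigations for the HTTP/2 MadeYouReset attack" (pullreq 16047) carry CVE-2025-8671, which is fine if one entry is per DoH provider, but worth confirming so the repeated CVE reference is intentional rather than a copy-paste.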
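Review bot: the "CVSS Score: 3.7" anonymous hyperlink in the new advisory shows no link target in this view (the stray space before the closing backtick is where a reST "<https://...>" target would normally sit), so check that the URL is present in the committed file and was only dropped by the web rendering; otherwise the line renders as a dangling reference. The score itself is consistent with the vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L gives 3.7 under CVSS 3.1 (exploitability about 2.2, impact about 1.4, sum rounded up), and CWE-835 matches the "unbounded I/O read loop" description in the body. Two smaller consistency points: "Last affected: 2.0.0" and "First fixed: 2.0.1" describe only the 2.0 branch while the Affects and Not affected lines cover 1.9.x as well, so the Solution line should name 1.9.11 for users on that branch; and since the same release upgrades h2o for CVE-2025-8671, the "or use the h2o provider" workaround should say that h2o is unaffected by this particular CVE rather than imply that switching providers removes the need to upgrade.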