From: Otto Moerbeek Date: Mon, 22 Apr 2024 10:03:29 +0000 (+0200) Subject: Prep for Security Advisory 2024-02 X-Git-Tag: rec-5.1.0-alpha1~33^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca71ea84d387207ff3578d14353b9db429f9f753;p=thirdparty%2Fpdns.git Prep for Security Advisory 2024-02 --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 3e393b5d49..a7d230c669 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024040501 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024042401 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. @@ -359,7 +359,8 @@ recursor-4.8.3.security-status 60 IN TXT "3 Upgrade now recursor-4.8.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.8.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.8.6.security-status 60 IN TXT "1 OK" -recursor-4.8.7.security-status 60 IN TXT "1 OK" +recursor-4.8.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html" +recursor-4.8.8.security-status 60 IN TXT "1 OK" recursor-4.9.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.9.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.9.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" 
@@ -367,7 +368,8 @@ recursor-4.9.0.security-status 60 IN TXT "3 Upgrade now recursor-4.9.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.9.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-4.9.3.security-status 60 IN TXT "1 OK" -recursor-4.9.4.security-status 60 IN TXT "1 OK" +recursor-4.9.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html" +recursor-4.9.5.security-status 60 IN TXT "1 OK" recursor-5.0.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" @@ -376,7 +378,8 @@ recursor-5.0.0-rc2.security-status 60 IN TXT "3 Unsupported recursor-5.0.0.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-5.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" recursor-5.0.2.security-status 60 IN TXT "1 OK" -recursor-5.0.3.security-status 60 IN TXT "1 OK" +recursor-5.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html" +recursor-5.0.4.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/pdns/recursordist/docs/changelog/4.8.rst b/pdns/recursordist/docs/changelog/4.8.rst index a09aab1680..2db6b78bcb 100644 --- a/pdns/recursordist/docs/changelog/4.8.rst 
+++ b/pdns/recursordist/docs/changelog/4.8.rst @@ -1,5 +1,16 @@ Changelogs for 4.8.X ==================== + +.. changelog:: + :version: 4.8.8 + :released: 24th of April 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: + + `Security advisory 2024-02 `__: CVE-2024-25583 + .. changelog:: :version: 4.8.7 :released: 7th of March 2024 diff --git a/pdns/recursordist/docs/changelog/4.9.rst b/pdns/recursordist/docs/changelog/4.9.rst index ac93382f90..f5cd47d859 100644 --- a/pdns/recursordist/docs/changelog/4.9.rst +++ b/pdns/recursordist/docs/changelog/4.9.rst @@ -1,6 +1,16 @@ Changelogs for 4.9.X ==================== +.. changelog:: + :version: 4.9.5 + :released: 24th of April 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: + + `Security advisory 2024-02 `__: CVE-2024-25583 + .. changelog:: :version: 4.9.4 :released: 7th of March 2024 diff --git a/pdns/recursordist/docs/changelog/5.0.rst b/pdns/recursordist/docs/changelog/5.0.rst index 7b495c8a65..c4081578a4 100644 --- a/pdns/recursordist/docs/changelog/5.0.rst +++ b/pdns/recursordist/docs/changelog/5.0.rst @@ -3,6 +3,16 @@ Changelogs for 5.0.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.0.4 + :released: 24th of April 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: + + `Security advisory 2024-02 `__: CVE-2024-25583 + .. changelog:: :version: 5.0.3 :released: 7th of March 2024 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-02.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-02.rst new file mode 100644 index 0000000000..14c8b719f5 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-02.rst 
@@ -0,0 +1,21 @@ +PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor +======================================================================================================================================== + + CVE: CVE-2024-25583 + Date: 24th of April 2024. + Affects: PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3, earlier versions are not affected + Not affected: PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4 + Severity: High (only when using recursive forwarding) + Impact: Denial of service + Exploit: This problem can be triggered by an attacker publishing a crafted zone + Risk of system compromise: None + Solution: Upgrade to patched version + +When using recursive forwarding, a crafted response from an upstream server can cause a Denial of +Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding +and is not affected. + +CVSS Score: 7.5, only for configurations using recursive forwarding, see +https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1 + +The remedy is to update to a patched version.
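Review bot: the "; Recursor Debian" section that follows the last docs/secpoll.zone hunk is left unchanged, so any distribution-specific security-status records for builds of 4.8.7, 4.9.4 or 5.0.3 would keep answering "1 OK". Please confirm none exist, or flip them to the 2024-02 "3 Upgrade now" text in this same commit. The upstream records themselves agree with the advisory's Affects and Not affected lists, and the SOA serial is bumped from 2024040501 to 2024042401, so secondaries will pick up the change.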
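Review bot: in the new 4.8.8, 4.9.5 and 5.0.4 entries added to changelog/4.8.rst, 4.9.rst and 5.0.rst, `:pullreq:` is left empty, and as shown here the `Security advisory 2024-02` link text is followed by `__` with no target. Fill in the pull request number once the fix is public, and check that the link resolves to the new security-advisories/powerdns-advisory-2024-02 page, so that a reader of the changelog can reach both the advisory and the code change for CVE-2024-25583.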
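Review bot: the new powerdns-advisory-2024-02.rst limits the issue to configurations "using recursive forwarding", in the Severity line, the body and the CVSS line, but never names the setting that enables it, so an operator cannot tell from the advisory alone whether they are exposed. Name the configuration setting concerned and state whether turning recursive forwarding off is an acceptable interim mitigation. The closing sentence "The remedy is to update to a patched version." only repeats the Solution field and could carry that information instead. The Exploit field ("an attacker publishing a crafted zone") and the body ("a crafted response from an upstream server") also describe the trigger differently; one sentence tying the two together would help readers assess who can reach the bug.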