From: Otto Moerbeek Date: Wed, 13 May 2020 11:21:50 +0000 (+0200) Subject: rec: prep for May 2020 security releases X-Git-Tag: dnsdist-1.5.0-rc3~51^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d28ad21000eadc19aad7aaa7682251790f570b19;p=thirdparty%2Fpdns.git rec: prep for May 2020 security releases --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 05509c9fc5..768c38ddc2 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020051501 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020051903 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -206,8 +206,9 @@ recursor-4.2.0-alpha1.security-status 60 IN TXT "2 Unsupported recursor-4.2.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" recursor-4.2.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" recursor-4.2.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -recursor-4.2.0.security-status 60 IN TXT "1 OK" -recursor-4.2.1.security-status 60 IN TXT "1 OK" +recursor-4.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" +recursor-4.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" +recursor-4.2.2.security-status 60 IN TXT "1 OK" recursor-4.3.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" recursor-4.3.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" recursor-4.3.0-alpha3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" 
@@ -215,7 +216,8 @@ recursor-4.3.0-beta1.security-status 60 IN TXT "2 Unsupported recursor-4.3.0-beta2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" recursor-4.3.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" recursor-4.3.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)" -recursor-4.3.0.security-status 60 IN TXT "1 OK" +recursor-4.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" +recursor-4.3.1.security-status 60 IN TXT "1 OK" recursor-4.4.0-alpha1.security-status 60 IN TXT "1 OK" ; Recursor Debian diff --git a/pdns/recursordist/docs/changelog/4.1.rst b/pdns/recursordist/docs/changelog/4.1.rst index 46812a9671..94b031fdac 100644 --- a/pdns/recursordist/docs/changelog/4.1.rst +++ b/pdns/recursordist/docs/changelog/4.1.rst @@ -2,7 +2,36 @@ Changelogs for 4.1.x ==================== .. changelog:: - :version: 4.1.15 + :version: 4.1.16 + :released: 19th of May 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: + + Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and + CVE-2020-10030, plus avoid a crash when loading an invalid RPZ. + + .. change:: + :tags: Internals + :pullreq: 8809 + + Update python dependencies for docs generation. + + .. change:: + :tags: Improvements + :pullreq: 8868 + + Only log qname parsing errors when 'log-common-errors' is set. + + .. change:: + :tags: Internals + :pullreq: 8753 + + Update boost.m4. + +.. changelog:: + :version: 4.1.15 :released: 6th of December 2019 .. change:: diff --git a/pdns/recursordist/docs/changelog/4.2.rst b/pdns/recursordist/docs/changelog/4.2.rst index 7eaf680945..58aad41fa2 100644 --- a/pdns/recursordist/docs/changelog/4.2.rst 
+++ b/pdns/recursordist/docs/changelog/4.2.rst @@ -1,6 +1,72 @@ Changelogs for 4.2.x ==================== +.. changelog:: + :version: 4.2.2 + :released: 19th of May 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: + + Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and + CVE-2020-10030, plus avoid a crash when loading an invalid RPZ. + + .. change:: + :tags: Improvements + :pullreq: 9081 + + Add ubuntu focal target. + + .. change:: + :tags: Internals + :pullreq: 8988 + + Update gen-version to use latest tag for version number. + + .. change:: + :tags: + :pullreq: 8964, 8752 + :tickets: 8875 + + Update boost.m4. + + .. change:: + :tags: Improvements + :pullreq: 8869 + + Only log qname parsing errors when 'log-common-errors' is set. + + .. change:: + :tags: Bug Fixes + :pullreq: 8832 + + Refuse NSEC records with a bitmap length > 32. + + .. change:: + :tags: Bug Fixes + :pullreq: 8802 + + Avoid startup race by setting the state of a tread before starting it. + + .. change:: + :tags: Bug Fixes + :pullreq: 8696 + + Better detection of Bogus zone cuts for DNSSEC validation. + + .. change:: + :tags: Bug Fixes. + :pullreq: 8674 + + Debian postinst / do not fail on user creation if it already exists. + + .. change:: + :tags: Bug Fixes + :pullreq: 8686 + + Fix parsing `dont-throttle-names` and `dont-throttle-netmasks` as comma separated lists. + .. changelog:: :version: 4.2.1 :released: 9th of December 2019 diff --git a/pdns/recursordist/docs/changelog/4.3.rst b/pdns/recursordist/docs/changelog/4.3.rst index af7afb7701..06f4a768d4 100644 --- a/pdns/recursordist/docs/changelog/4.3.rst +++ b/pdns/recursordist/docs/changelog/4.3.rst 
@@ -1,5 +1,35 @@ Changelogs for 4.3.x ==================== +.. changelog:: + :version: 4.3.1 + :released: 19th of May 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: + + Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and + CVE-2020-10030, plus avoid a crash when loading an invalid RPZ. + + .. change:: + :tags: Improvements + :pullreq: 9082 + + Add ubuntu focal target. + + .. change:: + :tags: Bug Fixes + :pullreq: 9048 + :tickets: 8778 + + RPZ dumpFile/seedFile: store/get SOA refresh on dump/load. + + .. change:: + :tags: Internals + :pullreq: 8963 + :tickets: 8875 + + Update boost.m4. .. changelog:: :version: 4.3.0 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-01.rst new file mode 100644 index 0000000000..050436faf4 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-01.rst 
@@ -0,0 +1,33 @@ +PowerDNS Security Advisory 2020-01: Denial of Service +===================================================== + +- CVE: CVE-2020-10995 +- Date: May 19th 2020 +- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0 +- Not affected: 4.1.16, 4.2.2, 4.3.1 +- Severity: Medium +- Impact: Degraded Service +- Exploit: This problem can be triggered via a crafted reply +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: None + +An issue in the DNS protocol has been found that allow malicious +parties to use recursive DNS services to attack third party +authoritative name servers. The attack uses a crafted reply by an +authoritative name server to amplify the resulting traffic between the +recursive and other authoritative name servers. Both types of service +can suffer degraded performance as an effect. + +This issue has been assigned CVE-2020-10995. + +PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is +affected. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a +mitigation to limit the impact of this DNS protocol issue. + +Please note that at the time of writing, PowerDNS Recursor 4.0 and +below are no longer supported, as described in +https://doc.powerdns.com/recursor/appendices/EOL.html. + +We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr +for finding and subsequently reporting this issue! diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-02.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-02.rst new file mode 100644 index 0000000000..2c38e71fb3 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-02.rst 
@@ -0,0 +1,32 @@ +PowerDNS Security Advisory 2020-002: Insufficient validation of DNSSEC signatures +================================================================================= + +- CVE: CVE-2020-12244 +- Date: May 19th 2020 +- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0 +- Not affected: 4.3.1, 4.2.2, 4.1.16 +- Severity: Medium +- Impact: Denial of existence spoofing +- Exploit: This problem can be triggered by an attacker in position + of man-in-the-middle +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: None + +An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where +records in the answer section of a NXDOMAIN response lacking an SOA +were not properly validated in SyncRes::processAnswer. This would +allow an attacker in position of man-in-the-middle to send a NXDOMAIN +answer for a name that does exist, bypassing DNSSEC validation. + +This issue has been assigned CVE-2020-12244. + +PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected. + +Please note that at the time of writing, PowerDNS Authoritative 4.0 and +below are no longer supported, as described in +https://doc.powerdns.com/authoritative/appendices/EOL.html. + +We would like to thank Matt Nordhoff for finding and subsequently +reporting this issue! + diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-03.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-03.rst new file mode 100644 index 0000000000..279d9a92d1 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-03.rst 
@@ -0,0 +1,38 @@ +PowerDNS Security Advisory 2020-03: Information disclosure +========================================================== + +- CVE: CVE-2020-10030 +- Date: May 19th 2020 +- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0 +- Not affected: 4.3.1, 4.2.2, 4.1.16 +- Severity: Low +- Impact: Information Disclosure, Denial of Service +- Exploit: This problem can be triggered via a crafted hostname +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: None + +An issue has been found in PowerDNS Authoritative Server allowing an +attacker with enough privileges to change the system's hostname to +cause disclosure of uninitialized memory content via a stack-based +out-of-bounds read. +It only occurs on systems where gethostname() does not null-terminate +the returned string if the hostname is larger than the supplied buffer. +Linux systems are not affected because the buffer is always large enough. +OpenBSD systems are not affected because the returned hostname is always +null-terminated. +Under some conditions this issue can lead to the writing of one null-byte +out-of-bounds on the stack, causing a denial of service or possibly +arbitrary code execution. + +This issue has been assigned CVE-2020-10030. + +PowPowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected. + +Please note that at the time of writing, PowerDNS Authoritative 4.0 and +below are no longer supported, as described in +https://doc.powerdns.com/authoritative/appendices/EOL.html. + +We would like to thank Valеntei Sergey for finding and subsequently +reporting this issue! +
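Review bot: in docs/secpoll.zone only recursor-4.2.0, recursor-4.2.1 and recursor-4.3.0 are moved to "3 Upgrade now", yet the three advisories added in this same commit list every release from 4.1.0 up to and including 4.3.0 as affected and name 4.1.16 as a fixed version. None of the secpoll.zone hunks touches a recursor-4.1.x entry or adds recursor-4.1.16.security-status, so as far as this diff shows, a 4.1.x installation polling the zone gets no upgrade notice from this change. Please add the 4.1.x updates and the 4.1.16 "1 OK" record, and confirm whether the pre-release entries visible as context (recursor-4.2.0-rc2, recursor-4.3.0-rc2 and similar), which still read "no known vulnerabilities", and recursor-4.4.0-alpha1, which stays "1 OK", are intentionally left unchanged.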
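Review bot: the security entry at the top of the new 4.1.16 block in pdns/recursordist/docs/changelog/4.1.rst has an empty ":pullreq:" field and names CVE-2020-10995, CVE-2020-12244 and CVE-2020-10030 without pointing at the advisory pages this commit adds. A reader landing on the changelog has no link to the affected-version and impact details; please reference powerdns-advisory-2020-01, -02 and -03 from the entry and either fill in or drop the empty field. The RPZ crash fix is bundled into the same sentence ("plus avoid a crash when loading an invalid RPZ"); giving it its own change entry would keep the security item unambiguous. The identical entry is repeated in the 4.2.2 and 4.3.1 blocks, so the same change applies there.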
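Review bot: the 4.2.2 block in pdns/recursordist/docs/changelog/4.2.rst has inconsistent metadata on two entries: the "Update boost.m4." entry (pullreq 8964, 8752) has an empty ":tags:" where 4.1.rst and 4.3.rst use "Internals" for the same change, and the Debian postinst entry has ":tags: Bug Fixes." with a trailing period that does not match the "Bug Fixes" tag used by the other entries. The entry for pullreq 8802 reads "state of a tread", which should be "thread". In the last entry, `dont-throttle-names` and `dont-throttle-netmasks` are in single backticks, which reStructuredText treats as interpreted text rather than a literal; use double backticks, or quote them the way 'log-common-errors' is quoted a few entries above.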
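Review bot: in powerdns-advisory-2020-01.rst the paragraph naming the fixed releases says 4.1.16, 4.2.2 and 4.3.1 "contain a mitigation to limit the impact" but does not say what the mitigation limits or whether an operator can adjust it, while the header lists "Workaround: None". One sentence describing the behaviour change would let operators judge residual exposure after upgrading. Smaller points in the same file: "has been found that allow" should be "allows", and the "Not affected" list is ordered 4.1.16, 4.2.2, 4.3.1 here but 4.3.1, 4.2.2, 4.1.16 in the other two advisories.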
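Review bot: the title line of powerdns-advisory-2020-02.rst reads "Security Advisory 2020-002", which matches neither the file name nor the "2020-01" and "2020-03" numbering of the sibling advisories; the underline was sized for the longer title, so both lines need adjusting together. The end-of-life paragraph says "PowerDNS Authoritative 4.0 and below" and links to the authoritative EOL page, although the advisory is for the Recursor (2020-01 uses the Recursor wording and the recursor/appendices/EOL.html link). The "is affected" paragraph also omits the sentence naming the fixed releases that 2020-01 has, and the file ends with an added blank line.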
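Review bot: the header and body of powerdns-advisory-2020-03.rst disagree in two places. The header says "Affects: PowerDNS Recursor" but the first body paragraph opens with "An issue has been found in PowerDNS Authoritative Server", and the header states "Severity: Low" and "Risk of system compromise: No" while the body ends with "causing a denial of service or possibly arbitrary code execution". Please settle on the Recursor wording and reconcile the risk field with the code-execution statement, since operators triage on the header fields. Also fix "PowPowerDNS Recursor" in the affected-versions paragraph, and the end-of-life paragraph, which refers to "PowerDNS Authoritative 4.0" and the authoritative EOL link as in 2020-02.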