From: Otto Moerbeek Date: Wed, 7 Oct 2020 10:36:15 +0000 (+0200) Subject: Prep for rec Oct 13th 2020 security releases X-Git-Tag: auth-4.4.0-alpha2~38^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F9606%2Fhead;p=thirdparty%2Fpdns.git Prep for rec Oct 13th 2020 security releases --- diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index 06bb794a62..6199044115 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -744,6 +744,7 @@ getaddrinfo getaddrs getalldomainmetadata getbeforeandafternamesabsolute +getcarbonhostname getdomaininfo getdomainkeys getdomainmetadata diff --git a/docs/secpoll.zone b/docs/secpoll.zone index ad2726aa1a..d9afd3e7bf 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020100600 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020101300 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -185,7 +185,7 @@ recursor-4.0.5.security-status 60 IN TXT "3 Upgrade now recursor-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html" recursor-4.0.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html" recursor-4.0.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html" -recursor-4.0.9.security-status 60 IN TXT "2 Unsupported release (EOL)" +recursor-4.0.9.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)" recursor-4.1.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html" recursor-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html" recursor-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html" 
@@ -207,7 +207,9 @@ recursor-4.1.13.security-status 60 IN TXT "3 Upgrade now recursor-4.1.14.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.1.15.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.1.16.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html" -recursor-4.1.17.security-status 60 IN TXT "1 OK" +recursor-4.1.17.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" +recursor-4.1.18.security-status 60 IN TXT "1 OK" + recursor-4.2.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.2.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.2.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" 
@@ -215,8 +217,10 @@ recursor-4.2.0-rc2.security-status 60 IN TXT "3 Unsupported recursor-4.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html" -recursor-4.2.3.security-status 60 IN TXT "1 OK" -recursor-4.2.4.security-status 60 IN TXT "1 OK" +recursor-4.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" +recursor-4.2.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" +recursor-4.2.5.security-status 60 IN TXT "1 OK" + recursor-4.3.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0-alpha3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" 
@@ -226,9 +230,10 @@ recursor-4.3.0-rc1.security-status 60 IN TXT "3 Unsupported recursor-4.3.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.3.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html" -recursor-4.3.2.security-status 60 IN TXT "1 OK" -recursor-4.3.3.security-status 60 IN TXT "1 OK" -recursor-4.3.4.security-status 60 IN TXT "1 OK" +recursor-4.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" +recursor-4.3.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" +recursor-4.3.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html" +recursor-4.3.5.security-status 60 IN TXT "1 OK" recursor-4.4.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.4.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release" recursor-4.4.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release" diff --git a/pdns/recursordist/docs/changelog/4.1.rst b/pdns/recursordist/docs/changelog/4.1.rst index 67a25ac7a6..8d4318908c 100644 --- a/pdns/recursordist/docs/changelog/4.1.rst +++ b/pdns/recursordist/docs/changelog/4.1.rst 
@@ -1,6 +1,16 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.18 + :released: 13th of October 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: 9601 + + Backport of CVE-2020-25829: Cache pollution. + .. changelog:: :version: 4.1.17 :released: 1st of July 2020 diff --git a/pdns/recursordist/docs/changelog/4.2.rst b/pdns/recursordist/docs/changelog/4.2.rst index 1da98268fb..edd7f1cc1a 100644 --- a/pdns/recursordist/docs/changelog/4.2.rst +++ b/pdns/recursordist/docs/changelog/4.2.rst @@ -1,5 +1,43 @@ Changelogs for 4.2.x ==================== + +.. changelog:: + :version: 4.2.5 + :released: 13th of October 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: 9603 + + Backport of CVE-2020-25829: Cache pollution. + + .. change:: + :tags: Bug Fixes + :pullreq: 9508 + :tickets: 9497 + + Raise an exception on invalid content in unknown records. + + .. change:: + :tags: Bug Fixes + :pullreq: 9502 + :tickets: 9070 + + Boost 1.73 moved boost::bind placeholders to the placeholders namespace. + + .. change:: + :tags: Bug Fixes + :pullreq: 9456 + :tickets: 9454 + + Fix the parsing of `dont-throttle-netmasks` in the presence of `dont-throttle-names`. + + .. change:: + :tags: Bug Fixes + :pullreq: 9368 + + Resize hostname to final size in getcarbonhostname(). + .. changelog:: :version: 4.2.4 :released: 17th of July 2020 diff --git a/pdns/recursordist/docs/changelog/4.3.rst b/pdns/recursordist/docs/changelog/4.3.rst index d5ed14ae2e..b2f3de1dfd 100644 --- a/pdns/recursordist/docs/changelog/4.3.rst +++ b/pdns/recursordist/docs/changelog/4.3.rst 
@@ -1,6 +1,50 @@ Changelogs for 4.3.x ==================== +.. changelog:: + :version: 4.3.5 + :released: 13th of October 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: 9604 + + Backport of CVE-2020-25829: Cache pollution. + + .. change:: + :tags: Improvements + :pullreq: 9527 + + Log when going Bogus because of a missing SOA in authority. + + .. change:: + :tags: Bug Fixes + :pullreq: 9525 + :tickets: 9495 + + Watch the descriptor again after an out-of-order read timeout. + + .. change:: + :tags: Bug Fixes + :pullreq: 9507 + :tickets: 9497 + + Raise an exception on invalid content in unknown records. + + .. change:: + :tags: Bug Fixes + :pullreq: 9501 + :tickets: 9070 + + Boost 1.73 moved boost::bind placeholders to the placeholders namespace.x + + .. change:: + :tags: Bug Fixes + :pullreq: 9457 + :tickets: 9454 + + Fix the parsing of `dont-throttle-netmasks` in the presence of `dont-throttle-names`. + .. changelog:: :version: 4.3.4 :released: 8th of September 2020 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-07.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-07.rst new file mode 100644 index 0000000000..b1e6f29b40 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-07.rst 
@@ -0,0 +1,22 @@ +PowerDNS Security Advisory 2020-07: Cache pollution +=================================================== + +- CVE: CVE-2020-25829 +- Date: 13th of October 2020 +- Affects: PowerDNS Recursor up to and including 4.3.4, 4.2.4 and 4.1.17 +- Not affected: 4.3.5, 4.2.5, 4.1.18 +- Severity: High +- Impact: Denial of service +- Exploit: This problem can be triggered by sending DNS queries +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Filter ANY queries to prevent them from reaching the + recursor. + +An issue has been found in PowerDNS Recursor where a remote attacker +can cause the cached records for a given name to be updated to the +'Bogus' DNSSEC validation state, instead of their actual DNSSEC +'Secure' state, via a DNS ANY query. This results in a denial of +service for installations that always validate (dnssec=validate) +and for clients requesting validation when on-demand validation is +enabled (dnssec=process).
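
Review bot: the new recursor-4.0.9 value in the docs/secpoll.zone hunk at @@ -185,7 +185,7 @@ moves the status from 2 to 3 with "EOL and known vulnerabilities" but names no advisory, while the 4.0.6 to 4.0.8 entries above it each list advisory URLs after "see". Appending the URL of the advisory that prompted the change would let an operator still on 4.0.9 see why the status moved, since the status code alone does not say.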
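
Review bot: the trailing context of the docs/secpoll.zone hunk at @@ -226,9 +230,10 @@ shows recursor-4.4.0-alpha2 and recursor-4.4.0-beta1 still at "3 Unsupported pre-release", without the "(known vulnerabilities)" wording that recursor-4.4.0-alpha1 carries, and the advisory added in this patch lists only the 4.3.x, 4.2.x and 4.1.x lines under Affects. If those pre-releases contain the bug, their TXT values should change in this patch too; if they do not, a line in the advisory saying so would settle the question.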
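
Review bot: "Backport of CVE-2020-25829: Cache pollution." in the 4.1.18 entry of changelog/4.1.rst reads as if the vulnerability was backported rather than its fix. Suggest "Backport of the fix for CVE-2020-25829 (cache pollution)" with a reference to powerdns-advisory-2020-07, and the same change for the identical lines in the 4.2.5 and 4.3.5 entries.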
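
Review bot: in the 4.2.5 entry of changelog/4.2.rst, `dont-throttle-netmasks` and `dont-throttle-names` are wrapped in single backticks, which reStructuredText treats as interpreted text with the default role, not as an inline literal. Use double backticks (``dont-throttle-netmasks``) if the setting names are meant to render as literals; the 4.3.5 entry has the same markup.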
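
Review bot: the Boost 1.73 entry (pullreq 9501) in the 4.3.5 section of changelog/4.3.rst ends in "namespace.x"; the trailing "x" is a typo, and the matching 4.2.5 entry ends in "namespace." without it. Drop the "x" before merging.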
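
Review bot: the description in powerdns-advisory-2020-07.rst names dnssec=validate and dnssec=process as the affected configurations but does not say whether installations with other dnssec settings are unaffected. A sentence stating that explicitly would help operators triage, and the Workaround line could say where the ANY filtering is expected to happen (in front of the recursor or in the recursor itself), since "Filter ANY queries" alone leaves that open.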