-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020051501 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020051903 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
recursor-4.2.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.2.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.2.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-recursor-4.2.0.security-status 60 IN TXT "1 OK"
-recursor-4.2.1.security-status 60 IN TXT "1 OK"
+recursor-4.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
+recursor-4.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
+recursor-4.2.2.security-status 60 IN TXT "1 OK"
recursor-4.3.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-alpha3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-beta2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-recursor-4.3.0.security-status 60 IN TXT "1 OK"
+recursor-4.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
+recursor-4.3.1.security-status 60 IN TXT "1 OK"
recursor-4.4.0-alpha1.security-status 60 IN TXT "1 OK"
; Recursor Debian
====================
.. changelog::
- :version: 4.1.15
+ :version: 4.1.16
+ :released: 19th of May 2020
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq:
+
+ Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and
+ CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.
+
+ .. change::
+ :tags: Internals
+ :pullreq: 8809
+
+ Update python dependencies for docs generation.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8868
+
+ Only log qname parsing errors when 'log-common-errors' is set.
+
+ .. change::
+ :tags: Internals
+ :pullreq: 8753
+
+ Update boost.m4.
+
+.. changelog::
+ :version: 4.1.15
:released: 6th of December 2019
.. change::
Changelogs for 4.2.x
====================
+.. changelog::
+ :version: 4.2.2
+ :released: 19th of May 2020
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq:
+
+ Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and
+ CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 9081
+
+ Add ubuntu focal target.
+
+ .. change::
+ :tags: Internals
+ :pullreq: 8988
+
+ Update gen-version to use latest tag for version number.
+
+ .. change::
+ :tags:
+ :pullreq: 8964, 8752
+ :tickets: 8875
+
+ Update boost.m4.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8869
+
+ Only log qname parsing errors when 'log-common-errors' is set.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8832
+
+ Refuse NSEC records with a bitmap length > 32.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8802
+
+ Avoid startup race by setting the state of a tread before starting it.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8696
+
+ Better detection of Bogus zone cuts for DNSSEC validation.
+
+ .. change::
+ :tags: Bug Fixes.
+ :pullreq: 8674
+
+ Debian postinst / do not fail on user creation if it already exists.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8686
+
+ Fix parsing `dont-throttle-names` and `dont-throttle-netmasks` as comma separated lists.
+
.. changelog::
:version: 4.2.1
:released: 9th of December 2019
Changelogs for 4.3.x
====================
+.. changelog::
+ :version: 4.3.1
+ :released: 19th of May 2020
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq:
+
+ Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and
+ CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 9082
+
+ Add ubuntu focal target.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 9048
+ :tickets: 8778
+
+ RPZ dumpFile/seedFile: store/get SOA refresh on dump/load.
+
+ .. change::
+ :tags: Internals
+ :pullreq: 8963
+ :tickets: 8875
+
+ Update boost.m4.
.. changelog::
:version: 4.3.0
--- /dev/null
+PowerDNS Security Advisory 2020-01: Denial of Service
+=====================================================
+
+- CVE: CVE-2020-10995
+- Date: May 19th 2020
+- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
+- Not affected: 4.1.16, 4.2.2, 4.3.1
+- Severity: Medium
+- Impact: Degraded Service
+- Exploit: This problem can be triggered via a crafted reply
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: None
+
+An issue in the DNS protocol has been found that allow malicious
+parties to use recursive DNS services to attack third party
+authoritative name servers. The attack uses a crafted reply by an
+authoritative name server to amplify the resulting traffic between the
+recursive and other authoritative name servers. Both types of service
+can suffer degraded performance as an effect.
+
+This issue has been assigned CVE-2020-10995.
+
+PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is
+affected. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a
+mitigation to limit the impact of this DNS protocol issue.
+
+Please note that at the time of writing, PowerDNS Recursor 4.0 and
+below are no longer supported, as described in
+https://doc.powerdns.com/recursor/appendices/EOL.html.
+
+We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr
+for finding and subsequently reporting this issue!
--- /dev/null
+PowerDNS Security Advisory 2020-002: Insufficient validation of DNSSEC signatures
+=================================================================================
+
+- CVE: CVE-2020-12244
+- Date: May 19th 2020
+- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
+- Not affected: 4.3.1, 4.2.2, 4.1.16
+- Severity: Medium
+- Impact: Denial of existence spoofing
+- Exploit: This problem can be triggered by an attacker in position
+ of man-in-the-middle
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: None
+
+An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where
+records in the answer section of a NXDOMAIN response lacking an SOA
+were not properly validated in SyncRes::processAnswer. This would
+allow an attacker in position of man-in-the-middle to send a NXDOMAIN
+answer for a name that does exist, bypassing DNSSEC validation.
+
+This issue has been assigned CVE-2020-12244.
+
+PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.
+
+Please note that at the time of writing, PowerDNS Authoritative 4.0 and
+below are no longer supported, as described in
+https://doc.powerdns.com/authoritative/appendices/EOL.html.
+
+We would like to thank Matt Nordhoff for finding and subsequently
+reporting this issue!
+
--- /dev/null
+PowerDNS Security Advisory 2020-03: Information disclosure
+==========================================================
+
+- CVE: CVE-2020-10030
+- Date: May 19th 2020
+- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
+- Not affected: 4.3.1, 4.2.2, 4.1.16
+- Severity: Low
+- Impact: Information Disclosure, Denial of Service
+- Exploit: This problem can be triggered via a crafted hostname
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: None
+
+An issue has been found in PowerDNS Authoritative Server allowing an
+attacker with enough privileges to change the system's hostname to
+cause disclosure of uninitialized memory content via a stack-based
+out-of-bounds read.
+It only occurs on systems where gethostname() does not null-terminate
+the returned string if the hostname is larger than the supplied buffer.
+Linux systems are not affected because the buffer is always large enough.
+OpenBSD systems are not affected because the returned hostname is always
+null-terminated.
+Under some conditions this issue can lead to the writing of one null-byte
+out-of-bounds on the stack, causing a denial of service or possibly
+arbitrary code execution.
+
+This issue has been assigned CVE-2020-10030.
+
+PowPowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.
+
+Please note that at the time of writing, PowerDNS Authoritative 4.0 and
+below are no longer supported, as described in
+https://doc.powerdns.com/authoritative/appendices/EOL.html.
+
+We would like to thank ValŠµntei Sergey for finding and subsequently
+reporting this issue!
+