Changelogs for 5.0.x
====================
+.. changelog::
+ :version: 5.0.5
+ :released: 20th of May 2026
+
+ This is release 5.0.5 of the Authoritative Server.
+ It contains bug fixes and security fixes.
+
+ Please review the :doc:`Upgrade Notes <../upgrading>` before upgrading from versions < 4.9.x.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17443
+
+ Fix PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server: Multiple Issues
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17296
+ :tickets: 17284
+
+ use less inefficient code in web server
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17294
+ :tickets: 17240
+
+ harden xfr*BitInt writers
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17259
+ :tickets: 16636
+
+ perform axfr immediately when creating an autosecondary domain
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17261
+ :tickets: 16671
+
+ Actually install binaries when building with meson
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17263
+ :tickets: 16731
+
+ web: stricter control of statistics rings changes
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17264
+ :tickets: 16831
+
+ stricter handing of the Lua DNS update policy
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17266
+ :tickets: 17000
+
+ correctly delete ENT records from the API
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17268
+ :tickets: 17126
+
+ lua: one more bad case of createForward
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17270
+ :tickets: 17130
+
+ minor pdns_control bugfixes
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17273
+ :tickets: 17149
+
+ webserver: correctly split the basic authorization cookie
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17275
+ :tickets: 17152
+
+ fixes to AXFR in Bind backend
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 17277
+ :tickets: 17155
+
+ dnsupdate handling buglet
+
.. changelog::
:version: 5.0.4
:released: 22th of April 2026
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026042901 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026052001 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
auth-4.9.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-4.9.12.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-4.9.13.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
-auth-4.9.14.security-status 60 IN TXT "1 OK"
+auth-4.9.14.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html"
+auth-4.9.15.security-status 60 IN TXT "1 OK"
auth-5.0.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-5.0.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-5.0.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-5.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-5.0.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
auth-5.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
-auth-5.0.4.security-status 60 IN TXT "1 OK"
+auth-5.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html"
+auth-5.0.5.security-status 60 IN TXT "1 OK"
auth-5.1.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
-auth-5.1.0-beta1.security-status 60 IN TXT "1 Unsupported pre-release (no known vulnerabilities)"
+auth-5.1.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
; Auth Debian
auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/authoritative/appendices/EOL.html"
--- /dev/null
+PowerDNS Security Advisory 2026-06: Multiple Issues
+===================================================
+
+Concurrency and locking defects in GSS-TSIG
+-------------------------------------------
+
+- CVE: CVE-2026-42002
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 4.7.0 up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: Concurrent TKEY queries for the same key may accidentally share the same GSS-TSIG data structures and cause memory corruption or unexpected server exit.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disable gss-tsig support in server configuration
+- CWE: CWE-364
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 381
+
+Multiple concurrency and locking defects in the GSS-TSIG code can lead to
+memory corruption due to accidental data structure sharing, which can in turn
+lead to a program crash.
+
+Moreover, the lack of bounds on the number of in-flight GSS-TSIG contexts can
+lead to unbounded memory consumption in case of an excessive number of requests
+at a given time. A limit of 1000 contexts is now enforced, and can be modified
+with the "gss-max-contexts" parameter in server configuration.
+
+Insufficient Validation of Autoprimary SOA Queries
+--------------------------------------------------
+
+- CVE: CVE-2026-42001
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 4.1.0 up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: High
+- Impact: Denial of service
+- Exploit: Ill-formed answer to SOA query from server operating in autosecondary mode
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, or disable autosecondary operation
+- CWE: CWE-400
+- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 467
+
+Missing sanity checks of the answer to the initial SOA query, when running in
+autosecondary mode and receiving a notification for a not-yet-known domain
+may cause the server to crash.
+
+Insufficient Validation of Names During AXFR
+--------------------------------------------
+
+- CVE: CVE-2026-42000
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: AXFR of zone with specific contents to Bind backend
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-77
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 474
+
+Missing escaping of special characters (such as $ or @) in DNS names received
+during an AXFR operation can lead to an incorrect (non-parsable) Bind backend
+configuration to be written, causing this backend to fail until manual
+operation is performed to fix the configuration.
+
+Incorrect Behaviour of Views with TCP PROXY Requests
+----------------------------------------------------
+
+- CVE: CVE-2026-41999
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 5.0.0 up to and including 5.0.4
+- Not affected: PowerDNS Authoritative Server 5.0.5
+- Severity: Medium
+- Impact: Information Disclosure
+- Exploit: TCP query using PROXY Protocol
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disable views feature
+- CWE: CWE-284
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+- Last affected: 5.0.4
+- First fixed: 5.0.5
+- Internal ID: 482
+
+When using views, queries sent using TCP Proxy Protocol will select the view
+according to the address of the proxy, rather than the address of the initial
+query. This can lead to wrong data being returned.
+
+Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
+-----------------------------------------------------------------------------------
+
+- CVE: CVE-2026-42396
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 4.7.0 up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: AXFR of catalog zone with a member whose producer group option
+contains a double-quote character
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, or remove all double-quote characters from producer group names.
+- CWE: CWE-94
+- CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 483
+
+Missing proper escaping of double-quote characters when computing labels will
+cause AXFR of a catalog zone with a member whose producer group option contains
+such a character to fail.
projects / thirdparty / pdns.git / commitdiff
