Prep for Security Release 2025-06 16342/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 21 Oct 2025 08:22:26 +0000 (10:22 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 22 Oct 2025 08:17:01 +0000 (10:17 +0200)
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
.github/actions/spell-check/expect.txt
docs/secpoll.zone
pdns/recursordist/docs/changelog/5.1.rst
pdns/recursordist/docs/changelog/5.2.rst
pdns/recursordist/docs/changelog/5.3.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-06.rst [new file with mode: 0644]

index 15db653a67556fa4218468e62edbf24cef8a9e5a..37246347ab69c32f483097b8bd2c3e330150b7cb 100644 (file)
@@ -95,6 +95,7 @@ bagbug
 Bakhos
 Bakker
 Baltus
+Baojun
 basedn
 basepath
 Bastiaan
@@ -529,6 +530,7 @@ gtld
 guilabel
 gutenberg
 Gyselinck
+Haixin
 Hakulinen
 Hannu
 Harker
@@ -1244,6 +1246,7 @@ setvariable
 Shabanov
 Shafir
 shantikulkarni
+Shiming
 shinsterneck
 shnya
 showdetails
@@ -1584,6 +1587,8 @@ yourdomain
 yourorganization
 yoursecret
 yubikey
+Yunyi
+Yuxiao
 YYYYMMD
 YYYYMMDDSS
 Zash
index 4deb65ac2720d3e9c07c4f127eb1b30cd3d83699..b4b97ba74202e89479e406bcfb715b7cc3c0e995 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025101500 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025102201 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -407,7 +407,7 @@ recursor-5.0.8.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.0.9.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
 recursor-5.0.10.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
 recursor-5.0.11.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
-recursor-5.0.12.security-status                         60 IN TXT "2 Unsupported release (EOL)"
+recursor-5.0.12.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.1.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.1.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.1.0-rc1.security-status                      60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -417,8 +417,10 @@ recursor-5.1.2.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.1.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
 recursor-5.1.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
 recursor-5.1.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
-recursor-5.1.6.security-status                          60 IN TXT "1 OK"
-recursor-5.1.7.security-status                          60 IN TXT "1 OK"
+recursor-5.1.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
+recursor-5.1.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
+recursor-5.1.8.security-status                          60 IN TXT "1 OK"
+
 recursor-5.2.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-rc1.security-status                      60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -426,13 +428,16 @@ recursor-5.2.0.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.2.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
 recursor-5.2.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
 recursor-5.2.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
-recursor-5.2.4.security-status                          60 IN TXT "1 OK"
-recursor-5.2.5.security-status                          60 IN TXT "1 OK"
+recursor-5.2.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
+recursor-5.2.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
+recursor-5.2.6.security-status                          60 IN TXT "1 OK"
+
 recursor-5.3.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.3.0-alpha2.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
-recursor-5.3.0-beta1.security-status                    60 IN TXT "2 Superseded pre-release"
-recursor-5.3.0-rc1.security-status                      60 IN TXT "2 Superseded pre-release"
-recursor-5.3.0.security-status                          60 IN TXT "1 OK"
+recursor-5.3.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.3.0-rc1.security-status                      60 IN TXT "3 Superseded pre-release (known vulnerabilities"
+recursor-5.3.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
+recursor-5.3.1.security-status                          60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html"
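Review bot: The added `recursor-5.3.0-rc1.security-status` record has an unbalanced TXT string, `"3 Superseded pre-release (known vulnerabilities"`, missing the closing `)` that the `5.3.0-beta1` line directly above it and the other pre-release records carry. The leading status code `3` is intact, so clients that key on the number are presumably unaffected, but the text is what operators read and it should be `"3 Superseded pre-release (known vulnerabilities)"`. This hunk and the one before it also add a blank line after the new `1 OK` records for 5.2.6 and 5.1.8, which the 5.0.x/5.1.x boundary visible earlier in the file does not have; dropping them keeps the list uniform. Because this zone is published as the security-status feed, running a zone syntax check such as `named-checkzone` and a quick scan for unbalanced parentheses before release would catch this kind of slip.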
index e98ed07d232713b0aecd4715ff48955f2daaa5e5..40f79413c2ffefb2bb7b8b9084e1e5f39adc3aaf 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.1.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.1.8
+  :released: 22nd of October 2025
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 16341
+
+   Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
+
 .. changelog::
   :version: 5.1.7
   :released: 29th of July 2025
index 962af1ec38cdc4e53bf64fc4712a6d3ff63742f6..22801e882eb99e17db04bffbd276a3470ced830e 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.2.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.2.6
+  :released: 22nd of October 2025
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 16340
+
+   Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
+
 .. changelog::
   :version: 5.2.5
   :released: 29th of July 2025
index a4ba1197f6d0987ce3cc951f7b775fcbb3194ac3..6a75762b836fb683778ca9e3b7dc5756140fb0b1 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.3.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.3.1
+  :released: 22nd of October 2025
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 16339
+
+   Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
+
 .. changelog::
   :version: 5.3.0
   :released: 28th of August 2025
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-06.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-06.rst
new file mode 100644 (file)
index 0000000..3fdaf78
--- /dev/null
@@ -0,0 +1,39 @@
+PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor
+=================================================================================================================
+
+- CVE: CVE-2025-59023
+- Date: 15th October 2025
+- Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0
+- Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
+- Severity: High
+- Impact: Cache pollution
+- Exploit: This problem can be triggered by an attacker spoofing crafted delegations
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS Score: 8.2, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1
+
+- CVE: CVE-2025-59024
+- Date: 15th October 2025
+- Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0
+- Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
+- Severity: Medium
+- Impact: Cache pollution
+- Exploit: This problem can be triggered by an attacker using an UDP IP fragments attack
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS Score: 6.5 see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1
+
+It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information.
+The malicious delegation information can be sent by an attacker spoofing packets.
+The patched versions of the Recursor apply strict validation of the received delegation information from authoritative servers.
+In versions 5.2.6 and 5.3.1 the already existing validations are tightened further, while version 5.1.8 contains a full backport of the strict validations.
+Note that other vendors will release updated software to fix similar issues as well.
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University and
+Shiming Liu from Network and Information Security Lab, also Tsinghua University for bringing these issues to our attention.