-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025120200 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025120801 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
recursor-5.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
recursor-5.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
recursor-5.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
-recursor-5.1.8.security-status 60 IN TXT "1 OK"
+recursor-5.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
+recursor-5.1.9.security-status 60 IN TXT "1 OK"
recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
recursor-5.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
recursor-5.2.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
recursor-5.2.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
-recursor-5.2.6.security-status 60 IN TXT "1 OK"
+recursor-5.2.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
+recursor-5.2.7.security-status 60 IN TXT "1 OK"
recursor-5.3.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
recursor-5.3.0-alpha2.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
recursor-5.3.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
recursor-5.3.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities"
recursor-5.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
-recursor-5.3.1.security-status 60 IN TXT "1 OK"
+recursor-5.3.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"
+recursor-5.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
+recursor-5.3.3.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html"
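
Review bot: The new `recursor-5.3.1.security-status` record points at advisory 2025-07, while 5.1.8, 5.2.6 and 5.3.2 point at 2025-08, even though the 2025-08 advisory added in this change lists everything up to and including 5.3.2 as affected and rates it High against Medium for 2025-07. If the TXT record can carry only one URL, consider pointing 5.3.1 at 2025-08 as well, or note in the zone file why the lower-severity advisory is the one shown. While the serial is being bumped anyway, the unchanged `recursor-5.3.0-rc1` line is missing its closing parenthesis in "(known vulnerabilities".
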
Before upgrading, it is advised to read the :doc:`../upgrade`.
+.. changelog::
+ :version: 5.1.9
+ :released: 8th of December 2025
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16616
+
+ Fix PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor.
+
.. changelog::
:version: 5.1.8
:released: 22nd of October 2025
:tags: Bug Fixes
:pullreq: 16341
- Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
+ Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
.. changelog::
:version: 5.1.7
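
Review bot: The removed and added "Fix PowerDNS Security Advisory 2025-06" lines under 5.1.8 read identically, so that pair looks like a whitespace-only change riding along with the security entry; the same pair shows up in the 5.2 and 5.3 changelog hunks. Please mention the whitespace fix in the commit message or split it out, so that anyone auditing the 2025-08 change does not have to work out whether the 2025-06 entry was altered.
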
Before upgrading, it is advised to read the :doc:`../upgrade`.
+.. changelog::
+ :version: 5.2.7
+ :released: 8th of December 2025
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16617
+
+ Fix PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor.
+
.. changelog::
:version: 5.2.6
:released: 22nd of October 2025
:tags: Bug Fixes
:pullreq: 16340
- Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
+ Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
.. changelog::
:version: 5.2.5
Before upgrading, it is advised to read the :doc:`../upgrade`.
+.. changelog::
+ :version: 5.3.3
+ :released: 8th of December 2025
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16618
+
+ Fix PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor.
+
+.. changelog::
+ :version: 5.3.2
+ :released: Never released publicly
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 16618
+
+ Fix PowerDNS Security Advisory 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
+
.. changelog::
:version: 5.3.1
:released: 22nd of October 2025
:tags: Bug Fixes
:pullreq: 16339
- Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
+ Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor.
.. changelog::
:version: 5.3.0
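
Review bot: The 5.3.2 entry for advisory 2025-07 cites `:pullreq: 16618`, the same number as the 5.3.3 entry for advisory 2025-08, whereas the 5.1.9 and 5.2.7 entries each cite their own pull request (16616, 16617). Please confirm that 16618 really carries both fixes and is not a copy-paste from the entry above; if the 2025-07 fix landed separately, reference that pull request instead. The 5.3.2 description line also lacks the trailing period the other entries have.
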
--- /dev/null
+PowerDNS Security Advisory 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
+=======================================================================================================================
+
+- CVE: CVE-2025-59029
+- Date: 8th December 2025
+- Affects: PowerDNS Recursor 5.3.0 and 5.3.1
+- Not affected: PowerDNS Recursor 5.1.x, 5.2.x and 5.3.2
+- Severity: Medium
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by specific cache contents and a query with qtype ANY
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or prevent requests with qtype ANY
+
+CVSS Score: 5.6, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
+
+The remedy is: upgrade to a patched version or prevent requests with qtype ANY.
+
+Version 5.3.2 of PowerDNS Recursor was never released publicly, upgrade to version 5.3.3 or newer.
+
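
Review bot: The stated "CVSS Score: 5.6" does not match the linked vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L evaluates to a CVSS 3.1 base score of 5.3, so either the number or the vector needs correcting. Separately, the "Not affected" line lists 5.3.2 while the closing paragraph tells readers to go to 5.3.3 or newer; a short pointer to advisory 2025-08 there would explain why 5.3.2 is not a safe target. The workaround "prevent requests with qtype ANY" would be more useful if it said how to do so.
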
--- /dev/null
+PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor
+=====================================================================================================================================
+
+- CVE: CVE-2025-59030
+- Date: 8th December 2025
+- Affects: PowerDNS Recursor up to and including 5.3.2, 5.2.6 and 5.1.8
+- Not affected: PowerDNS Recursor 5.3.3, 5.2.7 and 5.1.9
+- Severity: High
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by a notify arriving over TCP and allows clearing caches
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or prevent incoming notifies over TCP
+
+CVSS Score: 7.5, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedy is: upgrade to patched version or prevent incoming notifies over TCP.
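
Review bot: The workaround "prevent incoming notifies over TCP" appears in both the Solution line and the remedy sentence without saying how an operator does that (which Recursor setting, or a filtering rule), which leaves anyone who cannot upgrade immediately without an actionable step for a High-severity issue. Please name the relevant setting or link to its documentation. The Affects line "up to and including 5.3.2, 5.2.6 and 5.1.8" is also ambiguous about release trains older than 5.1; stating explicitly whether those are affected would help.
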