From: Otto Moerbeek Date: Mon, 29 Jun 2020 10:11:57 +0000 (+0200) Subject: Prep for upcoming 4.1.17, 4.2.3, and 4.3.2 release X-Git-Tag: dnsdist-1.5.0-rc4~4^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a250050fea1d5c19e0a7a39518a4dda4287c3ec;p=thirdparty%2Fpdns.git Prep for upcoming 4.1.17, 4.2.3, and 4.3.2 release --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 979b8cfff1..164d8017c2 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020061801 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020070101 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -202,14 +202,16 @@ recursor-4.1.12.security-status 60 IN TXT "3 Upgrade now recursor-4.1.13.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.1.14.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" recursor-4.1.15.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" -recursor-4.1.16.security-status 60 IN TXT "1 OK" +recursor-4.1.16.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html" +recursor-4.1.17.security-status 60 IN TXT "1 OK" recursor-4.2.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.2.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.2.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.2.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" 
recursor-4.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" -recursor-4.2.2.security-status 60 IN TXT "1 OK" +recursor-4.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html" +recursor-4.2.3.security-status 60 IN TXT "1 OK" recursor-4.3.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0-alpha3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" @@ -218,7 +220,8 @@ recursor-4.3.0-beta2.security-status 60 IN TXT "3 Unsupported recursor-4.3.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" recursor-4.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html" -recursor-4.3.1.security-status 60 IN TXT "1 OK" +recursor-4.3.1.security-status 60 IN TXT "3 "Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html" +recursor-4.3.2.security-status 60 IN TXT "1 OK" recursor-4.4.0-alpha1.security-status 60 IN TXT "1 OK" ; Recursor Debian diff --git a/pdns/recursordist/docs/changelog/4.1.rst b/pdns/recursordist/docs/changelog/4.1.rst index 94b031fdac..20787e306d 100644 --- a/pdns/recursordist/docs/changelog/4.1.rst 
+++ b/pdns/recursordist/docs/changelog/4.1.rst @@ -1,6 +1,24 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.17 + :released: 1st of July 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: + + Backport of CVE-2020-14196: Enforce webserver ACL. + + .. change:: + :tags: Bug Fixes + :pullreq: 9129 + :tickets: 9127, 8640 + + Fix compilation on systems that do not define HOST_NAME_MAX. + + .. changelog:: :version: 4.1.16 :released: 19th of May 2020 diff --git a/pdns/recursordist/docs/changelog/4.2.rst b/pdns/recursordist/docs/changelog/4.2.rst index 58aad41fa2..bb9b8cc283 100644 --- a/pdns/recursordist/docs/changelog/4.2.rst +++ b/pdns/recursordist/docs/changelog/4.2.rst @@ -1,5 +1,35 @@ Changelogs for 4.2.x ==================== +.. changelog:: + :version: 4.2.3 + :released: 1st of July 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: + + Backport of CVE-2020-14196: Enforce webserver ACL. + + .. change:: + :tags: Bug Fixes + :pullreq: 9261 + :tickets: 9251 + + Copy the negative cache entry before validating it. + + .. change:: + :tags: Bug Fixes + :pullreq: 9133 + :tickets: 9127 + + Fix compilation on systems that do not define HOST_NAME_MAX. + + .. change:: + :tags: Improvements + :pullreq: 9123 + :tickets: 8640 + + Fix build with gcc-10 .. changelog:: :version: 4.2.2 diff --git a/pdns/recursordist/docs/changelog/4.3.rst b/pdns/recursordist/docs/changelog/4.3.rst index 06f4a768d4..fe6e055635 100644 --- a/pdns/recursordist/docs/changelog/4.3.rst +++ b/pdns/recursordist/docs/changelog/4.3.rst 
@@ -1,5 +1,85 @@ Changelogs for 4.3.x ==================== +.. changelog:: + :version: 4.3.2 + :released: 1st of July 2020 + + .. change:: + :tags: Bug Fixes + :pullreq: + + Backport of CVE-2020-14196: Enforce webserver ACL. + + .. change:: + :tags: Bug Fixes + :pullreq: 9262 + :tickets: 9251 + + Copy the negative cache entry before validating it. + + .. change:: + :tags: Bug Fixes + :pullreq: 9242 + :tickets: 9031 + + Fix compilation of the ports event multiplexer. + + .. change:: + :tags: Improvements + :pullreq: 9243 + :tickets: 9142 + + Defer the NOD lookup until after the response has been sent. + + .. change:: + :tags: Bug Fixes + :pullreq: 9245 + :tickets: 9151 + + Fix the handling of DS queries for the root. + + .. change:: + :tags: Bug Fixes + :pullreq: 9246 + :tickets: 9172 + + Fix RPZ removals when an update has several deltas. + + .. change:: + :tags: Bug Fixes. + :pullreq: 9247 + :tickets: 9192, 9184 + + Correct depth increments. + + .. change:: + :tags: Improvements + :pullreq: 9248 + :tickets: 9194, 9202, 9216 + + CNAME loop detection. + + .. change:: + :tags: Bug Fixes. + :pullreq: 9249 + :tickets: 9205 + + Limit the TTL of RRSIG records as well + + .. change:: + :tags: Bug Fixes + :pullreq: 9128 + :tickets: 9127 + + Fix compilation on systems that do not define HOST_NAME_MAX. + + .. change:: + :tags: Bug Fixes + :pullreq: 9122 + :tickets: 8640 + + Fix build with gcc-10. + .. changelog:: :version: 4.3.1 :released: 19th of May 2020 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-04.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-04.rst new file mode 100644 index 0000000000..5f99c0120f --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2020-04.rst 
@@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2020-04: Access restriction bypass +============================================================= + +- CVE: CVE-2020-14196 +- Date: July 1st 2020 +- Affects: PowerDNS Recursor up to and including 4.3.1, 4.2.2 and 4.1.16 +- Not affected: 4.3.2, 4.2.3, 4.1.17 +- Severity: Low +- Impact: Access restriction bypass +- Exploit: This problem can be triggered by sending HTTP queries +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Disable the webserver, set a password or an API key. + Additionally, restrict the binding address using the + `webserver-address` setting to local addresses only and/or use a + firewall to disallow web requests from untrusted sources reaching the + webserver listening address. + +An issue has been found in PowerDNS Recursor where the ACL applied to +the internal web server via `webserver-allow-from` is not properly +enforced, allowing a remote attacker to send HTTP queries to the +internal web server, bypassing the restriction. + +In the default configuration the API webserver is not enabled. Only +installations using a non-default value for `webserver` and +`webserver-address` are affected. +
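Review bot: In docs/secpoll.zone (the hunk at -218,7 +220,8), the new recursor-4.3.1.security-status record has a stray double quote inside the TXT data: `"3 "Upgrade now, see https://...advisory-2020-04.html"`. The matching 4.1.16 and 4.2.2 records in the previous hunk read `"3 Upgrade now, see ...`. The extra quote ends the string after `3 ` and leaves the remainder with unbalanced quoting, so the record may fail to parse or publish a status that 4.3.1 installations cannot interpret. Remove the quote before `Upgrade` so all three records share the same form.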
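Review bot: In pdns/recursordist/docs/changelog/4.1.rst, the HOST_NAME_MAX entry for 4.1.17 lists `:tickets: 9127, 8640`, while the 4.2.3 and 4.3.2 hunks attach ticket 8640 to a separate "Fix build with gcc-10" entry. If pull request 9129 also carries the gcc-10 fix for 4.1, say so in the entry text; otherwise drop 8640 here. The CVE-2020-14196 entry also has an empty `:pullreq:` field (the same is true in the 4.2 and 4.3 hunks); fill it in once a public pull request number exists, or omit the field.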
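Review bot: In pdns/recursordist/docs/changelog/4.2.rst, the gcc-10 entry (pullreq 9123, ticket 8640) is tagged `:tags: Improvements`, but the 4.3.rst hunk tags the same fix for the same ticket as `:tags: Bug Fixes`. Use one tag for both so the rendered changelogs group it consistently. The entry text "Fix build with gcc-10" is also missing the full stop that the 4.3.2 entry has.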
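Review bot: In pdns/recursordist/docs/changelog/4.3.rst, two entries (pullreq 9247 "Correct depth increments." and pullreq 9249 "Limit the TTL of RRSIG records as well") use `:tags: Bug Fixes.` with a trailing period, while every other entry in this patch uses `:tags: Bug Fixes`. If tags are matched literally, these two fall under a separate tag; remove the period. The 9249 entry text also lacks its closing full stop.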
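Review bot: In powerdns-advisory-2020-04.rst, the closing sentence "Only installations using a non-default value for `webserver` and `webserver-address` are affected" is ambiguous about whether both settings must differ from their defaults or either one is enough. Operators use this sentence to decide whether they are exposed, so state the condition explicitly, for example that the webserver is enabled and bound to an address reachable by untrusted clients. The workaround line offers "set a password or an API key", but the description does not say whether authentication is still enforced for requests that get past `webserver-allow-from`; one sentence confirming that would tell readers what an ACL bypass actually exposes.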