From: Miod Vallat Date: Wed, 20 May 2026 08:15:30 +0000 (+0200) Subject: documentation and secpoll update for auth 4.9.15 and 5.0.5 X-Git-Tag: auth-5.1.0~35^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62e40c9bdfd669798cf3524d7eb24dcf5965f916;p=thirdparty%2Fpdns.git documentation and secpoll update for auth 4.9.15 and 5.0.5 Signed-off-by: Miod Vallat --- diff --git a/docs/changelog/4.9.rst b/docs/changelog/4.9.rst index 716ed9fbe3..95cdb06b4b 100644 --- a/docs/changelog/4.9.rst +++ b/docs/changelog/4.9.rst @@ -1,6 +1,98 @@ Changelogs for 4.9.x ==================== +.. changelog:: + :version: 4.9.15 + :released: 20th of May 2026 + + This is release 4.9.15 of the Authoritative Server. + It contains bug fixes and security fixes. + + Please review the :doc:`Upgrade Notes <../upgrading>` before upgrading from versions < 4.9.x. + + .. change:: + :tags: Bug Fixes + :pullreq: 17444 + + Fix PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server: Multiple Issues + + .. change:: + :tags: Bug Fixes + :pullreq: 17295 + :tickets: 17284 + + use less inefficient code in web server + + .. change:: + :tags: Bug Fixes + :pullreq: 17293 + :tickets: 17240 + + harden xfr*BitInt writers + + .. change:: + :tags: Bug Fixes + :pullreq: 17260 + :tickets: 16636 + + perform axfr immediately when creating an autosecondary domain + + .. change:: + :tags: Bug Fixes + :pullreq: 17262 + :tickets: 16731 + + web: stricter control of statistics rings changes + + .. change:: + :tags: Bug Fixes + :pullreq: 17265 + :tickets: 16831 + + stricter handing of the Lua DNS update policy + + .. change:: + :tags: Bug Fixes + :pullreq: 17267 + :tickets: 17000 + + correctly delete ENT records from the API + + .. change:: + :tags: Bug Fixes + :pullreq: 17269 + :tickets: 17126 + + lua: one more bad case of createForward + + .. change:: + :tags: Bug Fixes + :pullreq: 17271 + :tickets: 17130 + + minor pdns_control bugfixes + + .. change:: + :tags: Bug Fixes + :pullreq: 17272 + :tickets: 17149 + + webserver: correctly split the basic authorization cookie + + .. change:: + :tags: Bug Fixes + :pullreq: 17274 + :tickets: 17152 + + fixes to AXFR in Bind backend + + .. change:: + :tags: Bug Fixes + :pullreq: 17276 + :tickets: 17155 + + dnsupdate handling buglet + .. changelog:: :version: 4.9.14 :released: 22th of April 2026 diff --git a/docs/changelog/5.0.rst b/docs/changelog/5.0.rst index ad7b1260de..fb49065026 100644 --- a/docs/changelog/5.0.rst +++ b/docs/changelog/5.0.rst @@ -1,6 +1,105 @@ Changelogs for 5.0.x ==================== +.. changelog:: + :version: 5.0.5 + :released: 20th of May 2026 + + This is release 5.0.5 of the Authoritative Server. + It contains bug fixes and security fixes. + + Please review the :doc:`Upgrade Notes <../upgrading>` before upgrading from versions < 4.9.x. + + .. change:: + :tags: Bug Fixes + :pullreq: 17443 + + Fix PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server: Multiple Issues + + .. change:: + :tags: Bug Fixes + :pullreq: 17296 + :tickets: 17284 + + use less inefficient code in web server + + .. change:: + :tags: Bug Fixes + :pullreq: 17294 + :tickets: 17240 + + harden xfr*BitInt writers + + .. change:: + :tags: Bug Fixes + :pullreq: 17259 + :tickets: 16636 + + perform axfr immediately when creating an autosecondary domain + + .. change:: + :tags: Bug Fixes + :pullreq: 17261 + :tickets: 16671 + + Actually install binaries when building with meson + + .. change:: + :tags: Bug Fixes + :pullreq: 17263 + :tickets: 16731 + + web: stricter control of statistics rings changes + + .. change:: + :tags: Bug Fixes + :pullreq: 17264 + :tickets: 16831 + + stricter handing of the Lua DNS update policy + + .. change:: + :tags: Bug Fixes + :pullreq: 17266 + :tickets: 17000 + + correctly delete ENT records from the API + + .. change:: + :tags: Bug Fixes + :pullreq: 17268 + :tickets: 17126 + + lua: one more bad case of createForward + + .. change:: + :tags: Bug Fixes + :pullreq: 17270 + :tickets: 17130 + + minor pdns_control bugfixes + + .. change:: + :tags: Bug Fixes + :pullreq: 17273 + :tickets: 17149 + + webserver: correctly split the basic authorization cookie + + .. change:: + :tags: Bug Fixes + :pullreq: 17275 + :tickets: 17152 + + fixes to AXFR in Bind backend + + .. change:: + :tags: Bug Fixes + :pullreq: 17277 + :tickets: 17155 + + dnsupdate handling buglet + .. changelog:: :version: 5.0.4 :released: 22th of April 2026 diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 57c05d1fde..6c4cbbf5a4 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026042901 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026052001 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. @@ -142,16 +142,18 @@ auth-4.9.10.security-status 60 IN TXT "3 Upgrade now auth-4.9.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-4.9.12.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-4.9.13.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" -auth-4.9.14.security-status 60 IN TXT "1 OK" +auth-4.9.14.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html" +auth-4.9.15.security-status 60 IN TXT "1 OK" auth-5.0.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-5.0.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-5.0.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-5.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-5.0.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" auth-5.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html" -auth-5.0.4.security-status 60 IN TXT "1 OK" +auth-5.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html" +auth-5.0.5.security-status 60 IN TXT "1 OK" auth-5.1.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" -auth-5.1.0-beta1.security-status 60 IN TXT "1 Unsupported pre-release (no known vulnerabilities)" +auth-5.1.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" ; Auth Debian auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/authoritative/appendices/EOL.html" diff --git a/docs/security-advisories/powerdns-advisory-2026-06.rst b/docs/security-advisories/powerdns-advisory-2026-06.rst new file mode 100644 index 0000000000..30ab88c40a --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2026-06.rst @@ -0,0 +1,119 @@ +PowerDNS Security Advisory 2026-06: Multiple Issues +=================================================== + +Concurrency and locking defects in GSS-TSIG +------------------------------------------- + +- CVE: CVE-2026-42002 +- Date: 2026-05-06T00:00:00+00:00 +- Affects: PowerDNS Authoritative Server 4.7.0 up to and including 4.9.14 and 5.0.4 +- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5 +- Severity: Medium +- Impact: Denial of service +- Exploit: Concurrent TKEY queries for the same key may accidentally share the same GSS-TSIG data structures and cause memory corruption or unexpected server exit. +- Risk of system compromise: None +- Solution: Upgrade to patched version or disable gss-tsig support in server configuration +- CWE: CWE-364 +- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H +- Last affected: 4.9.14,5.0.4 +- First fixed: 4.9.15,5.0.5 +- Internal ID: 381 + +Multiple concurrency and locking defects in the GSS-TSIG code can lead to +memory corruption due to accidental data structure sharing, which can in turn +lead to a program crash. + +Moreover, the lack of bounds on the number of in-flight GSS-TSIG contexts can +lead to unbounded memory consumption in case of an excessive number of requests +at a given time. A limit of 1000 contexts is now enforced, and can be modified +with the "gss-max-contexts" parameter in server configuration. + +Insufficient Validation of Autoprimary SOA Queries +-------------------------------------------------- + +- CVE: CVE-2026-42001 +- Date: 2026-05-06T00:00:00+00:00 +- Affects: PowerDNS Authoritative Server 4.1.0 up to and including 4.9.14 and 5.0.4 +- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5 +- Severity: High +- Impact: Denial of service +- Exploit: Ill-formed answer to SOA query from server operating in autosecondary mode +- Risk of system compromise: None +- Solution: Upgrade to patched version, or disable autosecondary operation +- CWE: CWE-400 +- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +- Last affected: 4.9.14,5.0.4 +- First fixed: 4.9.15,5.0.5 +- Internal ID: 467 + +Missing sanity checks of the answer to the initial SOA query, when running in +autosecondary mode and receiving a notification for a not-yet-known domain +may cause the server to crash. + +Insufficient Validation of Names During AXFR +-------------------------------------------- + +- CVE: CVE-2026-42000 +- Date: 2026-05-06T00:00:00+00:00 +- Affects: PowerDNS Authoritative Server up to and including 4.9.14 and 5.0.4 +- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5 +- Severity: Medium +- Impact: Denial of service +- Exploit: AXFR of zone with specific contents to Bind backend +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-77 +- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N +- Last affected: 4.9.14,5.0.4 +- First fixed: 4.9.15,5.0.5 +- Internal ID: 474 + +Missing escaping of special characters (such as $ or @) in DNS names received +during an AXFR operation can lead to an incorrect (non-parsable) Bind backend +configuration to be written, causing this backend to fail until manual +operation is performed to fix the configuration. + +Incorrect Behaviour of Views with TCP PROXY Requests +---------------------------------------------------- + +- CVE: CVE-2026-41999 +- Date: 2026-05-06T00:00:00+00:00 +- Affects: PowerDNS Authoritative Server 5.0.0 up to and including 5.0.4 +- Not affected: PowerDNS Authoritative Server 5.0.5 +- Severity: Medium +- Impact: Information Disclosure +- Exploit: TCP query using PROXY Protocol +- Risk of system compromise: None +- Solution: Upgrade to patched version or disable views feature +- CWE: CWE-284 +- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N +- Last affected: 5.0.4 +- First fixed: 5.0.5 +- Internal ID: 482 + +When using views, queries sent using TCP Proxy Protocol will select the view +according to the address of the proxy, rather than the address of the initial +query. This can lead to wrong data being returned. + +Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail +----------------------------------------------------------------------------------- + +- CVE: CVE-2026-42396 +- Date: 2026-05-06T00:00:00+00:00 +- Affects: PowerDNS Authoritative Server 4.7.0 up to and including 4.9.14 and 5.0.4 +- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5 +- Severity: Medium +- Impact: Denial of service +- Exploit: AXFR of catalog zone with a member whose producer group option +contains a double-quote character +- Risk of system compromise: None +- Solution: Upgrade to patched version, or remove all double-quote characters from producer group names. +- CWE: CWE-94 +- CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H +- Last affected: 4.9.14,5.0.4 +- First fixed: 4.9.15,5.0.5 +- Internal ID: 483 + +Missing proper escaping of double-quote characters when computing labels will +cause AXFR of a catalog zone with a member whose producer group option contains +such a character to fail.