From: Remi Gacogne Date: Tue, 29 Apr 2025 08:20:42 +0000 (+0200) Subject: dnsdist: Update ChangeLog and secpoll for DNSdist 1.9.9 X-Git-Tag: dnsdist-2.0.0-alpha2~43^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98844b25aa0fe7d850311ea677dcd1025700699f;p=thirdparty%2Fpdns.git dnsdist: Update ChangeLog and secpoll for DNSdist 1.9.9 --- diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 30a5e4d4c0..4525c93a9a 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025040900 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025042900 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -581,9 +581,10 @@ dnsdist-1.9.0.security-status 60 IN TXT "3 Upgrade dnsdist-1.9.1.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html" dnsdist-1.9.2.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html" dnsdist-1.9.3.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html" -dnsdist-1.9.4.security-status 60 IN TXT "1 OK" -dnsdist-1.9.5.security-status 60 IN TXT "1 OK" -dnsdist-1.9.6.security-status 60 IN TXT "1 OK" -dnsdist-1.9.7.security-status 60 IN TXT "1 OK" -dnsdist-1.9.8.security-status 60 IN TXT "1 OK" +dnsdist-1.9.4.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" +dnsdist-1.9.5.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" +dnsdist-1.9.6.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" +dnsdist-1.9.7.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" +dnsdist-1.9.8.security-status 60 IN TXT "3 Upgrade now, see https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html" +dnsdist-1.9.9.security-status 60 IN TXT "1 OK" dnsdist-2.0.0-alpha1.security-status 60 IN TXT "1 Unsupported pre-release (no known vulnerabilities)" diff --git a/docs/security-advisories/powerdns-advisory-2025-02.rst b/docs/security-advisories/powerdns-advisory-2025-02.rst new file mode 100644 index 0000000000..98e9a2e877 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2025-02.rst 
@@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2025-02 for DNSdist: Denial of service via crafted DoH exchange + +CVE: CVE-2025-30194 +Date: 2025-04-29T12:00:00+02:00 +Discovery date: 2025-04-25T21:55:00+02:00 +Affects: PowerDNS DNSdist from 1.9.0 up to 1.9.8 +Not affected: PowerDNS DNSdist 1.9.9 and versions before 1.9.0 +Severity: High +Impact: Denial of service +Exploit: This problem can be triggered by an attacker crafting a DoH exchange +Risk of system compromise: None +Solution: Upgrade to patched version or temporarily switch to the h2o provider +CWE: CWE-416 +CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +Last affected: 1.9.8 +First fixed: 1.9.9 +Internal ID: 297 + +When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. + +CVSS Score: 7.5, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1 + +The remedy is: upgrade to the patched 1.9.9 version. + +A work-around is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. + +We would like to thank Charles Howes for bringing this issue to our attention. diff --git a/pdns/dnsdistdist/docs/changelog.rst b/pdns/dnsdistdist/docs/changelog.rst index c5453d8166..8c570badf3 100644 --- a/pdns/dnsdistdist/docs/changelog.rst +++ b/pdns/dnsdistdist/docs/changelog.rst 
@@ -1,6 +1,41 @@ Changelog ========= +.. changelog:: + :version: 1.9.9 + :released: 29th of April 2025 + + .. change:: + :tags: Improvements + :pullreq: 15118 + + Handle Quiche >= 0.23.0 since the API changed + + .. change:: + :tags: Improvements + :pullreq: 15137 + + Fix compatibility with `boost::lockfree` >= 1.87.0 + + .. change:: + :tags: Improvements + :pullreq: 15164 + + Update Rust to 1.84.1 for our packages + + .. change:: + :tags: Security, Bug Fixes, DNS over HTTPS + :pullreq: 15482 + :tickets: 15475 + + Fix a crash when processing timeouts for incoming DoH queries + + .. change:: + :tags: Bug Fixes, DNS over HTTPS + :pullreq: 15485 + + Gracefully handle timeout/response for a closed HTTP stream + .. changelog:: :version: 2.0.0-alpha1 :released: 18th of March 2025
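Review bot: in the second docs/secpoll.zone hunk, the new TXT records for dnsdist-1.9.4 through dnsdist-1.9.8 link to https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html, but the only advisory file this patch adds is docs/security-advisories/powerdns-advisory-2025-02.rst. That name has no "for-dnsdist" in it, and the file sits outside pdns/dnsdistdist/docs/, where the changelog touched by the same patch lives. Please confirm the linked page will exist under that URL, or rename and move the file to match, since the status text points operators to that link when it tells them to upgrade. Also, the unchanged dnsdist-2.0.0-alpha1 record still reads "no known vulnerabilities", while the advisory's "Affects" and "Not affected" fields do not mention 2.0.0-alpha1 at all; state its status explicitly in one of the two places.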
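Review bot: in the new powerdns-advisory-2025-02.rst, the description calls the bug an "illegal memory access (double-free)" while the header field says "CWE: CWE-416", which is Use After Free; Double Free is CWE-415. Pick the one that matches the root cause so the prose and the CWE field agree. The same sentence says "cause a denial of service" near the start and "causing a denial of service" at the end; drop one of them. The file carries an .rst extension, but the title line has no underline and the header fields (CVE, Date, Affects, ...) are bare consecutive lines, so reStructuredText will render them as one run-on paragraph; add the title adornment and turn the fields into a list.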
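Review bot: in the 1.9.9 block added to pdns/dnsdistdist/docs/changelog.rst, the entry tagged "Security, Bug Fixes, DNS over HTTPS" (pullreq 15482, tickets 15475) names neither CVE-2025-30194 nor the advisory added in this same patch, so a changelog reader cannot tell whether "Fix a crash when processing timeouts for incoming DoH queries" is the fix that advisory refers to. Add the CVE id or a reference to the advisory to that entry's text. Minor style point in the pullreq 15137 entry: `boost::lockfree` is wrapped in single backticks, which reStructuredText treats as interpreted text rather than an inline literal; use double backticks there.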