From 0c69c5a5ee1a802508775a3befb32fb8a4513630 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Thu, 17 Jul 2025 10:44:03 +0200
Subject: [PATCH] Prep for rec 20250721 releases
Signed-off-by: Otto Moerbeek
---
 .github/actions/spell-check/expect.txt | 2 ++
 docs/secpoll.zone | 26 +++++++++++-------
 pdns/recursordist/docs/changelog/5.0.rst | 14 ++++++++++
 pdns/recursordist/docs/changelog/5.1.rst | 14 ++++++++++
 pdns/recursordist/docs/changelog/5.2.rst | 14 ++++++++++
 .../powerdns-advisory-2025-04.rst | 27 +++++++++++++++++++
 pdns/recursordist/rec-rust-lib/table.py | 2 +-
 7 files changed, 88 insertions(+), 11 deletions(-)
 create mode 100644 pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-04.rst
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 31bad63c43..a2b53c85f2 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -37,6 +37,7 @@ anothertype
 ansible
 ANSSI
 Antoin
+AOSP
 apikey
 apizones
 AQAB
@@ -841,6 +842,7 @@ myuser
 mywebapp
 namedroppers
 nameserving
+Nankai
 naptr
 Nauck
 Navarrete
diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index bc2126be2f..a6137e8933 100644
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025071701 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025072103 10800 3600 604800 10800
 @ 3600 IN NS pdns-public-ns1.powerdns.com.
 @ 3600 IN NS pdns-public-ns2.powerdns.com.
@@ -398,24 +398,30 @@ recursor-5.0.5.security-status 60 IN TXT "3 Upgrade now
 recursor-5.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-5.0.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-5.0.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
-recursor-5.0.9.security-status 60 IN TXT "1 OK"
-recursor-5.0.10.security-status 60 IN TXT "1 OK"
+recursor-5.0.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.0.10.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.0.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.0.12.security-status 60 IN TXT "1 OK"
 recursor-5.1.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.1.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.1.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
 recursor-5.1.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html"
-recursor-5.1.2.security-status 60 IN TXT "1 OK"
-recursor-5.1.3.security-status 60 IN TXT "1 OK"
-recursor-5.1.4.security-status 60 IN TXT "1 OK"
+recursor-5.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.1.6.security-status 60 IN TXT "1 OK"
 recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-01.html"
-recursor-5.2.1.security-status 60 IN TXT "1 OK"
-recursor-5.2.2.security-status 60 IN TXT "1 OK"
-recursor-5.3.0-alpha1.security-status 60 IN TXT "2 Superseded pre-release"
-recursor-5.3.0-alpha2.security-status 60 IN TXT "1 OK"
+recursor-5.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html"
+recursor-5.2.4.security-status 60 IN TXT "1 OK"
+recursor-5.3.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.3.0-alpha2.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html"
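Review bot: The two 5.3.0 pre-release records at the end of this hunk move to `3 Superseded pre-release (known vulnerabilities)`, but the hunk adds no 5.3.0 record with status 1, and the advisory added later in this patch names only releases up to 5.0.10, 5.1.4 and 5.2.2 as affected. An operator on 5.3.0-alpha2 with the security poll enabled is therefore told the build is vulnerable without the advisory saying so and without a fixed 5.3.0 build visible here to move to. If a fixed pre-release exists, its `1 OK` record belongs in the same serial bump, and the advisory's Affects line should mention the 5.3.0 alphas. The rest of the zone is outside the hunk, so such a record may already be present.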
diff --git a/pdns/recursordist/docs/changelog/5.0.rst b/pdns/recursordist/docs/changelog/5.0.rst
index b5a3e7d9fe..05a7222acc 100644
--- a/pdns/recursordist/docs/changelog/5.0.rst
+++ b/pdns/recursordist/docs/changelog/5.0.rst
@@ -3,6 +3,20 @@ Changelogs for 5.0.X
 Before upgrading, it is advised to read the :doc:`../upgrade`.
+.. changelog::
+ :version: 5.0.12
+ :released: 21st of July 2025
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 15853
+
+ Fix PowerDNS Security Advisory 2025-04: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts.
+
+.. changelog::
+ :version: 5.0.11
+ :released: This version was never made available publicly.
+
 .. changelog::
 :version: 5.0.10
 :released: 9th of April 2025
diff --git a/pdns/recursordist/docs/changelog/5.1.rst b/pdns/recursordist/docs/changelog/5.1.rst
index 5663b4543b..bb6447e574 100644
--- a/pdns/recursordist/docs/changelog/5.1.rst
+++ b/pdns/recursordist/docs/changelog/5.1.rst
@@ -3,6 +3,20 @@ Changelogs for 5.1.X
 Before upgrading, it is advised to read the :doc:`../upgrade`.
+.. changelog::
+ :version: 5.1.6
+ :released: 21st of July 2025
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 15852
+
+ Fix PowerDNS Security Advisory 2025-04: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts.
+
+.. changelog::
+ :version: 5.1.5
+ :released: This version was never made available publicly.
+
 .. changelog::
 :version: 5.1.4
 :released: 9th of April 2025
diff --git a/pdns/recursordist/docs/changelog/5.2.rst b/pdns/recursordist/docs/changelog/5.2.rst
index 843a687c76..ad2faf9cae 100644
--- a/pdns/recursordist/docs/changelog/5.2.rst
+++ b/pdns/recursordist/docs/changelog/5.2.rst
@@ -3,6 +3,20 @@ Changelogs for 5.2.X
 Before upgrading, it is advised to read the :doc:`../upgrade`.
+.. changelog::
+ :version: 5.2.4
+ :released: 21st of July 2025
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 15851
+
+ Fix PowerDNS Security Advisory 2025-04: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts.
+
+.. changelog::
+ :version: 5.2.3
+ :released: This version was never made available publicly.
+
 .. changelog::
 :version: 5.2.2
 :released: 9th of April 2025
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-04.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-04.rst
new file mode 100644
index 0000000000..d6320f3536
--- /dev/null
+++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-04.rst
@@ -0,0 +1,27 @@
+PowerDNS Security Advisory 2025-04: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts
+===============================================================================================================================
+
+- CVE: CVE-2025-30192
+- Date: 21st July 2025
+- Affects: PowerDNS Recursor up to and including 5.0.10, 5.1.4 and 5.2.2, but only if outgoing ECS is enabled
+- Not affected: PowerDNS Recursor 5.0.12, 5.1.6 and 5.2.4 (5.0.11, 5.1.5 and 5.2.3 were not released publicly)
+- Severity: High (only if outgoing ECS is enabled)
+- Impact: Cache pollution
+- Exploit: This problem can be triggered by an attacker sending spoofed replies to an ECS enabled Recursor
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, disable outgoing ECS (the default is disabled)
+
+An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance
+of success higher than non-ECS enabled queries.
+The updated version include various mitigations against spoofing attempts of ECS enabled
+queries by chaining ECS enabled requests and enforcing stricter validation of the received
+answers.
+The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old
+style name edns-subnet-harden) is enabled.
+
+CVSS Score: 7.5, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedy is: upgrade to a patched version or disable outgoing ECS enabled queries, which is the default.
+
+We would like to thank Xiang Li of AOSP Lab Nankai University for bringing this issue to our attention.
diff --git a/pdns/recursordist/rec-rust-lib/table.py b/pdns/recursordist/rec-rust-lib/table.py
index 3be6609cbb..a1994c8236 100644
--- a/pdns/recursordist/rec-rust-lib/table.py
+++ b/pdns/recursordist/rec-rust-lib/table.py
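Review bot: The CVSS vector linked under `CVSS Score` ends in `C:N/I:N/A:H`, which rates integrity as unaffected and availability as high, while the `Impact` field says cache pollution, an integrity impact on the answers served to clients. Tooling that ingests the vector will file this as a denial-of-service issue, so the vector should be rechecked against the stated impact; `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` also scores 7.5. The description says the strictest mitigation applies only when `outgoing.edns_subnet_harden` is enabled, so the Solution line should tell operators who keep outgoing ECS on to consider enabling it after upgrading. Two sentences also need a verb fix: `The updated versions include` and `The strictest mitigation is applied when`.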
@@ -961,7 +961,7 @@ By default, this option is empty, meaning no EDNS Client Subnet information is s Do more strict checking or EDNS Client Subnet information returned by authoritative servers. Answers missing ECS information will be ignored and followed up by an ECS-less query. ''', - 'versionadded': ['5.2.x', '5.1.x', '5.0.x'] + 'versionadded': ['5.2.4', '5.1.6', '5.0.12'] }, { 'name' : 'enable_old_settings', -- 2.47.2
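Review bot: The doc text shown as context just above the changed `versionadded` line reads `Do more strict checking or EDNS Client Subnet information`, where `or` should be `of`. Since this commit finalises the entry for the release, that is worth fixing here. The text also gives no hint that the advisory added in this patch treats this setting as the strictest of the new mitigations. A closing line such as `See PowerDNS Security Advisory 2025-04.` in the doc string would help operators who keep outgoing ECS enabled decide whether to turn it on. The settings entry begins outside the hunk, so its default and help fields are not visible here.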