From 21d7bbe179b68ef82805864445114a9cb2fbccaa Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Mon, 12 Feb 2024 11:19:09 +0100
Subject: [PATCH] Prep for 2024-01

---
 .github/actions/spell-check/expect.txt | 8 ++-
 docs/secpoll.zone | 55 ++++++++++---------
 pdns/recursordist/docs/changelog/4.8.rst | 10 ++++
 pdns/recursordist/docs/changelog/4.9.rst | 11 ++++
 pdns/recursordist/docs/changelog/5.0.rst | 10 ++++
 .../powerdns-advisory-2024-01.rst | 33 +++++++++++
 pdns/recursordist/docs/upgrade.rst | 18 +++++-
 7 files changed, 116 insertions(+), 29 deletions(-)
 create mode 100644 pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst

diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index f05d4de149..9d2ff94ba9 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -54,6 +54,7 @@ ASEP
 Ashish
 associateddomain
 asyncresolve
+ATHENE
 Atlassian
 Atomia
 aton
@@ -522,6 +523,7 @@ headfont
 headlinkcolor
 headtextcolor
 healthcheck
+Heftrig
 Heimhilcher
 Helbekkmo
 Hendriks
@@ -869,6 +871,7 @@ Neuf
 newcontent
 nftables
 nic
+Niklas
 Nilsen
 nimber
 Nixu
@@ -921,6 +924,7 @@ Nuitari
 NULs
 NUMA
 numreceived
+nvd
 nxd
 NXDATA
 nxdomain
@@ -1006,10 +1010,10 @@ phishing
 phonedph
 pickclosest
 pickhashed
+picknamehashed
 pickrandom
 pickrandomsample
 pickwhashed
-picknamehashed
 pickwrandom
 piddir
 pidfile
@@ -1188,6 +1192,7 @@ Schlich
 Scholten
 Schryver
 Schueler
+Schulmann
 schwer
 scopebits
 scopemask
@@ -1469,6 +1474,7 @@ Volker
 voxel
 Vranken
 vulns
+Waidner
 WAITFORONE
 wal
 wallclock
diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index 7b0337d777..8a24551c5d 100644
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024013000 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024021306 10800 3600 604800 10800
 @ 3600 IN NS pdns-public-ns1.powerdns.com.
 @ 3600 IN NS pdns-public-ns2.powerdns.com.
@@ -65,7 +65,7 @@ auth-4.1.10.security-status 60 IN TXT "3 Upgrade now
 auth-4.1.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
 auth-4.1.12.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
 auth-4.1.13.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html"
-auth-4.1.14.security-status 60 IN TXT "2 Unsupported release (EOL)"
+auth-4.1.14.security-status 60 IN TXT "2 Unsupported release (EOL and known vulnerabilities)"
 auth-4.2.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
 auth-4.2.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
 auth-4.2.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
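Review bot: In the second hunk, auth-4.1.14 keeps status level 2 while its text becomes `(EOL and known vulnerabilities)`, whereas the recursor entries this commit edits in the same file (4.5.10 through 4.5.12, 4.6.6, 4.7.5 and 4.7.6) move from 2 to 3 when they receive that same wording. Pollers act on the leading digit of the TXT record (1 OK, 2 upgrade recommended, 3 upgrade now), so the level and the wording should agree. If auth 4.1.14 is affected by an unfixed issue, the line should read `+auth-4.1.14.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"`; if it is not, the previous `(EOL)` wording is the accurate one. Either way a word on why an Authoritative entry changes in a Recursor advisory commit would help, since the commit message does not mention it.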
@@ -263,7 +263,7 @@ recursor-4.1.14.security-status 60 IN TXT "3 Upgrade now
 recursor-4.1.15.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html"
 recursor-4.1.16.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
 recursor-4.1.17.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
-recursor-4.1.18.security-status 60 IN TXT "3 Unsupported release (EOL)"
+recursor-4.1.18.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.2.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.2.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -274,7 +274,7 @@ recursor-4.2.1.security-status 60 IN TXT "3 Upgrade now
 recursor-4.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html"
 recursor-4.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
 recursor-4.2.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html"
-recursor-4.2.5.security-status 60 IN TXT "3 Unsupported release (EOL)"
+recursor-4.2.5.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.3.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.3.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -304,7 +304,7 @@ recursor-4.4.4.security-status 60 IN TXT "3 Upgrade now
 recursor-4.4.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.4.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.4.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
-recursor-4.4.8.security-status 60 IN TXT "3 Unsupported release (EOL)"
+recursor-4.4.8.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.5.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.5.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.5.0-alpha3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -321,9 +321,9 @@ recursor-4.5.6.security-status 60 IN TXT "3 Upgrade now
 recursor-4.5.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html"
 recursor-4.5.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html"
 recursor-4.5.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html"
-recursor-4.5.10.security-status 60 IN TXT "2 Unsupported release (EOL)"
-recursor-4.5.11.security-status 60 IN TXT "2 Unsupported release (EOL)"
-recursor-4.5.12.security-status 60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.5.10.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
+recursor-4.5.11.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
+recursor-4.5.12.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.6.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.6.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.6.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -335,7 +335,7 @@ recursor-4.6.2.security-status 60 IN TXT "3 Upgrade now
 recursor-4.6.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.6.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.6.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
-recursor-4.6.6.security-status 60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.6.6.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.7.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.7.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.7.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -344,8 +344,8 @@ recursor-4.7.1.security-status 60 IN TXT "3 Upgrade now
 recursor-4.7.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.7.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.7.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
-recursor-4.7.5.security-status 60 IN TXT "2 Unsupported release (EOL)"
-recursor-4.7.6.security-status 60 IN TXT "2 Unsupported release (EOL)"
+recursor-4.7.5.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
+recursor-4.7.6.security-status 60 IN TXT "3 Unsupported release (EOL and known vulnerabilities)"
 recursor-4.8.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.8.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.8.0-beta2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -354,21 +354,24 @@ recursor-4.8.0.security-status 60 IN TXT "3 Upgrade now
 recursor-4.8.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.8.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
 recursor-4.8.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html"
-recursor-4.8.4.security-status 60 IN TXT "1 OK"
-recursor-4.8.5.security-status 60 IN TXT "1 OK"
-recursor-4.9.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-4.9.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-4.9.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-4.9.0.security-status 60 IN TXT "1 OK"
-recursor-4.9.1.security-status 60 IN TXT "1 OK"
-recursor-4.9.2.security-status 60 IN TXT "1 OK"
-recursor-5.0.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-rc1.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0-rc2.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.0.security-status 60 IN TXT "2 Unsupported pre-release"
-recursor-5.0.1.security-status 60 IN TXT "1 OK"
+recursor-4.8.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.8.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.8.6.security-status 60 IN TXT "1 OK"
+recursor-4.9.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.9.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.9.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-4.9.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.9.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.9.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-4.9.3.security-status 60 IN TXT "1 OK"
+recursor-5.0.0-alpha1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-alpha2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.0.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+recursor-5.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
+recursor-5.0.2.security-status 60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
diff --git a/pdns/recursordist/docs/changelog/4.8.rst b/pdns/recursordist/docs/changelog/4.8.rst
index 4a2b20af91..dfc66fd634 100644
--- a/pdns/recursordist/docs/changelog/4.8.rst
+++ b/pdns/recursordist/docs/changelog/4.8.rst
@@ -1,6 +1,16 @@ Changelogs for 4.8.X ==================== +.. changelog:: + :version: 4.8.6 + :released: 13th of February 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: 13784 + + `Security advisory 2024-01 `__: CVE-2023-50387 and CVE-2023-50868 + .. changelog:: :version: 4.8.5 :released: 25th of August 2023 diff --git a/pdns/recursordist/docs/changelog/4.9.rst b/pdns/recursordist/docs/changelog/4.9.rst index 19e2bbb12c..40d819f987 100644 --- a/pdns/recursordist/docs/changelog/4.9.rst +++ b/pdns/recursordist/docs/changelog/4.9.rst @@ -1,5 +1,16 @@ Changelogs for 4.9.X ==================== + +.. changelog:: + :version: 4.9.3 + :released: 13th of February 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: 13783 + + `Security advisory 2024-01 `__: CVE-2023-50387 and CVE-2023-50868 + .. changelog:: :version: 4.9.2 :released: 8th of November 2023 diff --git a/pdns/recursordist/docs/changelog/5.0.rst b/pdns/recursordist/docs/changelog/5.0.rst index b6bc57c34c..000d37e9a5 100644 --- a/pdns/recursordist/docs/changelog/5.0.rst +++ b/pdns/recursordist/docs/changelog/5.0.rst @@ -3,6 +3,16 @@ Changelogs for 5.0.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.0.2 + :released: 13th of February 2024 + + .. change:: + :tags: Bug Fixes + :pullreq: 13782 + + `Security advisory 2024-01 `__: CVE-2023-50387 and CVE-2023-50868 + .. changelog:: :version: 5.0.1 :released: 10th of January 2024, with no changes compared to the second release candidate. Version 5.0.0 was never released publicly. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst new file mode 100644 index 0000000000..07a53e25e2 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-01.rst 
@@ -0,0 +1,33 @@
+PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
+================================================================================================================
+
+- CVE: CVE-2023-50387 and CVE-2023-50868
+- Date: 13th of February 2024.
+- Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and 5.0.1
+- Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
+- Severity: High
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker publishing a crafted zone
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disable DNSSEC validation
+
+An attacker can publish a zone that contains crafted DNSSEC related records. While validating
+results from queries to that zone using the RFC mandated algorithms, the Recursor's resource usage
+can become so high that processing of other queries is impacted, resulting in a denial of
+service. Note that any resolver following the RFCs can be impacted, this is not a problem of this
+particular implementation.
+
+CVSS Score: 7.5, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedies are one of:
+
+- upgrade to a patched version
+- disable DNSSEC validation by setting ``dnssec=off`` or ``process-no-validate``; when using YAML settings:
+ ``dnssec.validate: off`` or ``process-no-validate``. Note that this will affect clients depending on
+ DNSSEC validation.
+
+We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the
+German National Research Center for Applied Cybersecurity ATHENE for bringing this issue to the
+attention of the DNS community and especially Niklas Vogel for his assistance in validating the
+patches.
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index cb49847418..da559a483f 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst @@ -4,8 +4,22 @@ Upgrade Guide Before upgrading, it is advised to read the :doc:`changelog/index`. When upgrading several versions, please read **all** notes applying to the upgrade. -4.9.0 to 5.0.0 and master --------------------------- +5.0.1 to 5.0.2 and master, 4.9.2 to 4.9.3 and 4.8.5 to 4.8.6 +------------------------------------------------------------ + +Known Issues +^^^^^^^^^^^^ +The :func:`zoneToCache` function fails to perform DNSSEC validation if the zone has more than :ref:`setting-max-rrsigs-per-record` RRSIG records at its apex. +There are two workarounds: either increase the :ref:`setting-max-rrsigs-per-record` to the number of RRSIGs in the zone's apex, or tell :func:`zoneToCache` to skip DNSSEC validation. by adding ``dnssec="ignore"``, e.g.:: + + zoneToCache(".", "url", "https://www.internic.net/domain/root.zone", {dnssec="ignore"}) + +New settings +^^^^^^^^^^^^ +- The :ref:`setting-max-rrsigs-per-record`, :ref:`setting-max-nsec3s-per-record`, :ref:`setting-max-signature-validations-per-query`, :ref:`setting-max-nsec3-hash-computations-per-query`, :ref:`setting-aggressive-cache-max-nsec3-hash-cost`, :ref:`setting-max-ds-per-zone` and :ref:`setting-max-dnskeys` settings have been introduced to limit the amount of work done for DNSSEC validation. + +4.9.0 to 5.0.0 +-------------- YAML settings ^^^^^^^^^^^^^ -- 2.47.2