From bff057cda9bcefb8d9376efcb06d156551662857 Mon Sep 17 00:00:00 2001 From: Otto Moerbeek Date: Wed, 3 Dec 2025 13:38:54 +0100 Subject: [PATCH] rec: Prep for 20251208 security releases Signed-off-by: Otto Moerbeek --- docs/secpoll.zone | 12 ++++++---- pdns/recursordist/docs/changelog/5.1.rst | 12 +++++++++- pdns/recursordist/docs/changelog/5.2.rst | 12 +++++++++- pdns/recursordist/docs/changelog/5.3.rst | 22 ++++++++++++++++++- .../powerdns-advisory-2025-07.rst | 20 +++++++++++++++++ .../powerdns-advisory-2025-08.rst | 17 ++++++++++++++ 6 files changed, 88 insertions(+), 7 deletions(-) create mode 100644 pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-07.rst create mode 100644 pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-08.rst diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 6aa2ab0b01..6d24bcc235 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025120200 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025120801 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -420,7 +420,8 @@ recursor-5.1.4.security-status 60 IN TXT "3 Upgrade now recursor-5.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" recursor-5.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" -recursor-5.1.8.security-status 60 IN TXT "1 OK" +recursor-5.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html" +recursor-5.1.9.security-status 60 IN TXT "1 OK" recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" 
@@ -431,14 +432,17 @@ recursor-5.2.2.security-status 60 IN TXT "3 Upgrade now recursor-5.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.2.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" recursor-5.2.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" -recursor-5.2.6.security-status 60 IN TXT "1 OK" +recursor-5.2.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html" +recursor-5.2.7.security-status 60 IN TXT "1 OK" recursor-5.3.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.3.0-alpha2.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.3.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.3.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities" recursor-5.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" -recursor-5.3.1.security-status 60 IN TXT "1 OK" +recursor-5.3.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html" +recursor-5.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html" +recursor-5.3.3.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html" diff --git a/pdns/recursordist/docs/changelog/5.1.rst b/pdns/recursordist/docs/changelog/5.1.rst index 40f79413c2..bcea796f8d 100644 
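Review bot: The new `recursor-5.3.1` record points only at advisory 2025-07 (Medium), but the 2025-08 advisory added in this same patch lists everything up to and including 5.3.2 as affected and rates it High, so an operator polling from 5.3.1 is shown the lesser of the two issues. The 2025-07 advisory says 5.3.2 was never released publicly, so the upgrade target from 5.3.1 is 5.3.3 either way; consider pointing 5.3.1 at the higher-severity advisory, `recursor-5.3.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"`, or cross-linking 2025-08 from the 2025-07 page. If the zone's convention is to cite only the advisory fixed by the next version number, this is presumably intentional, but the skipped release makes it worth confirming. Separately, the unchanged `recursor-5.3.0-rc1` context line lacks the closing parenthesis inside its TXT string.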
--- a/pdns/recursordist/docs/changelog/5.1.rst +++ b/pdns/recursordist/docs/changelog/5.1.rst @@ -3,6 +3,16 @@ Changelogs for 5.1.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.1.9 + :released: 8th of December 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 16616 + + Fix PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor. + .. changelog:: :version: 5.1.8 :released: 22nd of October 2025 @@ -11,7 +21,7 @@ Before upgrading, it is advised to read the :doc:`../upgrade`. :tags: Bug Fixes :pullreq: 16341 - Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. + Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. .. changelog:: :version: 5.1.7 diff --git a/pdns/recursordist/docs/changelog/5.2.rst b/pdns/recursordist/docs/changelog/5.2.rst index 22801e882e..8e82c6ff53 100644 --- a/pdns/recursordist/docs/changelog/5.2.rst +++ b/pdns/recursordist/docs/changelog/5.2.rst @@ -3,6 +3,16 @@ Changelogs for 5.2.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.2.7 + :released: 8th of December 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 16617 + + Fix PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor. + .. changelog:: :version: 5.2.6 :released: 22nd of October 2025 @@ -11,7 +21,7 @@ Before upgrading, it is advised to read the :doc:`../upgrade`. :tags: Bug Fixes :pullreq: 16340 - Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. + Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. .. changelog:: :version: 5.2.5 
diff --git a/pdns/recursordist/docs/changelog/5.3.rst b/pdns/recursordist/docs/changelog/5.3.rst index 6a75762b83..5458162b5e 100644 --- a/pdns/recursordist/docs/changelog/5.3.rst +++ b/pdns/recursordist/docs/changelog/5.3.rst @@ -3,6 +3,26 @@ Changelogs for 5.3.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.3.3 + :released: 8th of December 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 16618 + + Fix PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor. + +.. changelog:: + :version: 5.3.2 + :released: Never released publicly + + .. change:: + :tags: Bug Fixes + :pullreq: 16618 + + Fix PowerDNS Security Advisory 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor + .. changelog:: :version: 5.3.1 :released: 22nd of October 2025 @@ -11,7 +31,7 @@ Before upgrading, it is advised to read the :doc:`../upgrade`. :tags: Bug Fixes :pullreq: 16339 - Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. + Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. .. changelog:: :version: 5.3.0 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-07.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-07.rst new file mode 100644 index 0000000000..1c030b839d --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-07.rst 
@@ -0,0 +1,20 @@
+PowerDNS Security Advisory 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
+=======================================================================================================================
+
+- CVE: CVE-2025-59029
+- Date: 8th December 2025
+- Affects: PowerDNS Recursor 5.3.0 and 5.3.1
+- Not affected: PowerDNS Recursor 5.1.x, 5.2.x and 5.3.2
+- Severity: Medium
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by specific cache contents and a query with qtype ANY
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or prevent requests with qtype ANY
+
+CVSS Score: 5.6, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
+
+The remedy is: upgrade to a patched version or prevent requests with qtype ANY.
+
+Version 5.3.2 of PowerDNS Recursor was never released publicly, upgrade to version 5.3.3 or newer.
+
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-08.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-08.rst
new file mode 100644
index 0000000000..533e261682
--- /dev/null
+++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-08.rst
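Review bot: The score in `CVSS Score: 5.6, see` does not match the vector on the following line: `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` evaluates to a CVSS 3.1 base score of 5.3, so either the number or the vector should be corrected before publication (for example `CVSS Score: 5.3, see` if the vector is the intended one). The 2025-08 advisory's 7.5 is consistent with its `A:H` vector. Both advisories also name a workaround (preventing qtype ANY requests here, preventing incoming notifies over TCP in 2025-08) without saying how to apply it; a sentence naming the setting or filter to use would make the mitigation actionable for operators who cannot upgrade immediately.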
@@ -0,0 +1,17 @@
+PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor
+=====================================================================================================================================
+
+- CVE: CVE-2025-59030
+- Date: 8th December 2025
+- Affects: PowerDNS Recursor up to and including 5.3.2, 5.2.6 and 5.1.8
+- Not affected: PowerDNS Recursor 5.3.3, 5.2.7 and 5.1.9
+- Severity: High
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by a notify arriving over TCP and allows clearing caches
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or prevent incoming notifies over TCP
+
+CVSS Score: 7.5, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedy is: upgrade to patched version or prevent incoming notifies over TCP.
--
2.47.3