From 4814d9069e47463e124b0d1b7fa93194b07f509b Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Thu, 5 Feb 2026 13:02:24 +0100
Subject: [PATCH] Prep for 20260209 Recursor security release

Signed-off-by: Otto Moerbeek
---
 .github/actions/spell-check/expect.txt | 5 +++
 docs/secpoll.zone | 17 ++++----
 pdns/recursordist/docs/changelog/5.1.rst | 10 +++++
 pdns/recursordist/docs/changelog/5.2.rst | 10 +++++
 pdns/recursordist/docs/changelog/5.3.rst | 10 +++++
 .../powerdns-advisory-2026-01.rst | 40 +++++++++++++++++++
 pdns/recursordist/docs/upgrade.rst | 9 +++++
 7 files changed, 94 insertions(+), 7 deletions(-)
 create mode 100644 pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst

diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 33ebb16ec3..8cf187b457 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -156,6 +156,7 @@ bulc
 bulletinc
 burstable
 byteslimit
+bytesperq
 bzero
 caa
 cachekey
@@ -534,6 +535,7 @@ gss
 gssapi
 gtld
 guilabel
+Guo
 gutenberg
 Gyselinck
 Haixin
@@ -632,6 +634,7 @@ Jelte
 Jermar
 Jeroen
 jessie
+Jian
 joaotavora
 jonathaneen
 Jong
@@ -1264,6 +1267,7 @@ shinsterneck
 shnya
 showdetails
 showflags
+Shuhan
 Shukla
 sidebarbgcolor
 sidebarbtncolor
@@ -1600,6 +1604,7 @@ yourdomain
 yourorganization
 yoursecret
 yubikey
+Yufan
 Yunyi
 Yuxiao
 YYYYMMD
diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index c1d8dd157b..543448bd97 100644
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026012901 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026020901 10800 3600 604800 10800
 @ 3600 IN NS pdns-public-ns1.powerdns.com.
 @ 3600 IN NS pdns-public-ns2.powerdns.com.
 
@@ -423,7 +423,8 @@ recursor-5.1.5.security-status 60 IN TXT "3 Upgrade now
 recursor-5.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
-recursor-5.1.9.security-status 60 IN TXT "1 OK"
+recursor-5.1.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.1.10.security-status 60 IN TXT "1 OK"
 
 recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -435,7 +436,8 @@ recursor-5.2.3.security-status 60 IN TXT "3 Upgrade now
 recursor-5.2.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.2.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.2.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
-recursor-5.2.7.security-status 60 IN TXT "1 OK"
+recursor-5.2.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.2.8.security-status 60 IN TXT "1 OK"
 
 recursor-5.3.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.3.0-alpha2.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -444,10 +446,11 @@ recursor-5.3.0-rc1.security-status 60 IN TXT "3 Superseded
 recursor-5.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.3.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"
 recursor-5.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
-recursor-5.3.3.security-status 60 IN TXT "1 OK"
-recursor-5.3.4.security-status 60 IN TXT "1 OK"
-recursor-5.4.0-alpha1.security-status 60 IN TXT "2 Superseded pre-release"
-recursor-5.4.0-beta1.security-status 60 IN TXT "1 Unsupported pre-release"
+recursor-5.3.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.3.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
+recursor-5.3.5.security-status 60 IN TXT "1 OK"
+recursor-5.4.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.4.0-beta1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html"
diff --git a/pdns/recursordist/docs/changelog/5.1.rst b/pdns/recursordist/docs/changelog/5.1.rst
index bcea796f8d..129186d688 100644
--- a/pdns/recursordist/docs/changelog/5.1.rst
+++ b/pdns/recursordist/docs/changelog/5.1.rst
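Review bot: In the last docs/secpoll.zone hunk, `recursor-5.4.0-beta1` moves from status 1 to `3 Unsupported pre-release (known vulnerabilities)`, yet no 5.4.0 pre-release entry with a non-3 status is visible in this patch. A 5.4.0-beta1 install polling this zone is therefore told it is vulnerable without an advisory link or a 5.4 upgrade target. The advisory added by the same patch lists only versions up to 5.1.9, 5.2.7 and 5.3.4 under "Affects", which does not cover the 5.4.0 pre-releases flagged here. Consider naming the pre-releases in the advisory, or pointing the TXT text at it, e.g. `"3 Unsupported pre-release (known vulnerabilities), see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"`. A fixed 5.4.0 pre-release entry may be planned for a later commit that is not visible here.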
@@ -3,6 +3,16 @@ Changelogs for 5.1.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+ :version: 5.1.10
+ :released: 9th of February 2026
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: TBD
+
+ Fix PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor.
+
 .. changelog::
 :version: 5.1.9
 :released: 8th of December 2025
diff --git a/pdns/recursordist/docs/changelog/5.2.rst b/pdns/recursordist/docs/changelog/5.2.rst
index 8e82c6ff53..a492256bde 100644
--- a/pdns/recursordist/docs/changelog/5.2.rst
+++ b/pdns/recursordist/docs/changelog/5.2.rst
@@ -3,6 +3,16 @@ Changelogs for 5.2.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+ :version: 5.2.8
+ :released: 9th of February 2026
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: TBD
+
+ Fix PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor.
+
 .. changelog::
 :version: 5.2.7
 :released: 8th of December 2025
diff --git a/pdns/recursordist/docs/changelog/5.3.rst b/pdns/recursordist/docs/changelog/5.3.rst
index 29f3d0c8bf..01920f906f 100644
--- a/pdns/recursordist/docs/changelog/5.3.rst
+++ b/pdns/recursordist/docs/changelog/5.3.rst
@@ -3,6 +3,16 @@ Changelogs for 5.3.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+ :version: 5.3.5
+ :released: 9th of February 2026
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: TBD
+
+ Fix PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor.
+
 .. changelog::
 :version: 5.3.4
 :released: 14th of January 2026
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst
new file mode 100644
index 0000000000..ac6821067b
--- /dev/null
+++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-01.rst
@@ -0,0 +1,40 @@
+PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor
+==================================================================================================
+
+- CVE: CVE-2026-24027
+- Date: 9th February 2026
+- Affects: PowerDNS Recursor up and including to 5.1.9, 5.2.7 and 5.3.4
+- Not affected: PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5
+- Severity: Medium
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by publishing and querying a crafted zone that causes increased incoming network traffic.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS Score: 5.3, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Shuhan Zhang from Tsinghua University for bringing this issue to our attention.
+
+- CVE: CVE-2026-0398
+- Date: 9th February 2026
+- Affects: PowerDNS Recursor up and including to 5.1.9, 5.2.7 and 5.3.4
+- Not affected: PowerDNS Recursor 5.1.10, 5.2.8 and 5.3.5
+- Severity: Medium
+- Impact: Denial of Service
+- Exploit: This problem can be triggered by publishing and querying a crafted zone that causes large memory usage.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+
+CVSS Score: 5.3, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Yufan You from Tsinghua University for bringing this issue to our attention.
+
+We would also like to thank TaoFei Guo from Peking University and Yang Luo, JianJun Chen from
+Tsinghua University for bringing an issue of caching irrelevant records related to CNAME chains to
+our attention.
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index 081e2a799b..39e5217261 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -4,6 +4,15 @@ Upgrade Guide
 Before upgrading, it is advised to read the :doc:`changelog/index`.
 When upgrading several versions, please read **all** notes applying to the upgrade.
 
+5.1.10, 5.2.8 and 5.3.5
+-----------------------
+
+New settings
+^^^^^^^^^^^^
+- The :ref:`setting-yaml-outgoing.max_bytesperq` setting has been introduced to limit the amount of incoming bytes per client query.
+- The :ref:`setting-yaml-recordcache.max_entry_size` setting has been introduced to limit the maximum size of a stored record set.
+- The :ref:`setting-yaml-packetcache.max_entry_size` setting has been introduced to limit the maximum size of a packet cache entry.
+
 5.3.0 to master
 ---------------
 
--
2.47.3