From: Otto Moerbeek Date: Tue, 21 Apr 2026 08:30:34 +0000 (+0200) Subject: rec: Prep for SA-2026-03 X-Git-Tag: auth-5.1.0-beta1~40^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1676b43202faee280377f0385298461dfc819bd7;p=thirdparty%2Fpdns.git rec: Prep for SA-2026-03 Signed-off-by: Otto Moerbeek --- diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index 09d8dee47c..738df3efc7 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -424,6 +424,7 @@ epel Eriksson errlog errorlevels +Ethicxz EUips evanjones evildomain @@ -544,6 +545,7 @@ Haixin Hakulinen Hannu Harker +Haruto Hausberger headbgcolor headerline @@ -790,6 +792,7 @@ mbed mbedtls MBOXFW mbytes +Medjahed Meerwald Mekking melpa @@ -1285,6 +1288,7 @@ Signingpiper signpipe signttl signzone +Simonovich singlethreaded Sipek siphash @@ -1449,6 +1453,7 @@ Toshifumi totms traceid traceparent +transitioning Travaille treemacs tribool @@ -1519,6 +1524,7 @@ Verschuren Viala viewcode visitedlinkcolor +Vitaly Vixie vla Voegeli @@ -1598,6 +1604,7 @@ Yehuda yeswehack Yiu Ylitalo +ylwango YMMV Yogesh yourcompany diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 1e7d7bea0f..2cef721958 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026033100 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026042201 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. 
@@ -427,7 +427,7 @@ recursor-5.1.6.security-status 60 IN TXT "3 Upgrade now recursor-5.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" recursor-5.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html" recursor-5.1.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html" -recursor-5.1.10.security-status 60 IN TXT "1 OK" +recursor-5.1.10.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html" recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" @@ -440,7 +440,8 @@ recursor-5.2.4.security-status 60 IN TXT "3 Upgrade now recursor-5.2.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" recursor-5.2.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html" recursor-5.2.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html" -recursor-5.2.8.security-status 60 IN TXT "1 OK" +recursor-5.2.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html" +recursor-5.2.9.security-status 60 IN TXT "1 OK" recursor-5.3.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.3.0-alpha2.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" 
@@ -451,11 +452,13 @@ recursor-5.3.1.security-status 60 IN TXT "3 Upgrade now recursor-5.3.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html" recursor-5.3.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html" recursor-5.3.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html" -recursor-5.3.5.security-status 60 IN TXT "1 OK" +recursor-5.3.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html" +recursor-5.3.6.security-status 60 IN TXT "1 OK" recursor-5.4.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.4.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" -recursor-5.4.0-rc1.security-status 60 IN TXT "2 Superseded pre-release" -recursor-5.4.0.security-status 60 IN TXT "1 OK" +recursor-5.4.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.4.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html" +recursor-5.4.1.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html" diff --git a/pdns/recursordist/docs/changelog/5.2.rst b/pdns/recursordist/docs/changelog/5.2.rst index 68c60f54f5..a3261b1436 100644 --- a/pdns/recursordist/docs/changelog/5.2.rst +++ b/pdns/recursordist/docs/changelog/5.2.rst 
@@ -3,6 +3,16 @@ Changelogs for 5.2.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.2.9 + :released: 22th of April 2026 + + .. change:: + :tags: Bug Fixes + :pullreq: TBD + + Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues + .. changelog:: :version: 5.2.8 :released: 9th of February 2026 diff --git a/pdns/recursordist/docs/changelog/5.3.rst b/pdns/recursordist/docs/changelog/5.3.rst index 36ad65b757..b5bc786ab8 100644 --- a/pdns/recursordist/docs/changelog/5.3.rst +++ b/pdns/recursordist/docs/changelog/5.3.rst @@ -3,6 +3,16 @@ Changelogs for 5.3.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.3.5 + :released: 22th of April 2026 + + .. change:: + :tags: Bug Fixes + :pullreq: TBD + + Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues + .. changelog:: :version: 5.3.5 :released: 9th of February 2026 diff --git a/pdns/recursordist/docs/changelog/5.4.rst b/pdns/recursordist/docs/changelog/5.4.rst index e87fce71dd..fba29c6e3b 100644 --- a/pdns/recursordist/docs/changelog/5.4.rst +++ b/pdns/recursordist/docs/changelog/5.4.rst @@ -3,6 +3,16 @@ Changelogs for 5.4.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.4.1 + :released: 22th of April 2026 + + .. change:: + :tags: Bug Fixes + :pullreq: TBD + + Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues + .. changelog:: :version: 5.4.0 :released: 9th of March 2026 with no changes since 5.4.0-rc1 except the version. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-03.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-03.rst new file mode 100644 index 0000000000..58234ce460 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-03.rst 
@@ -0,0 +1,263 @@ +PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues +======================================================================== + +CVE-2026-33256: Unbounded memory allocation by internal web server +----------------------------------------------------------------- + +- CVE: CVE-2026-33256 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-02-17T00:00:00+01:00 +- Affects: PowerDNS Recursor from 5.3.0 up to and including 5.4.0 +- Not affected: PowerDNS Recursor 5.3.6, 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending crafted http requests, but only if the internal webserver is enabled. +- Risk of system compromise: None +- Solution: Upgrade to patched version or disallow network access to web server +- CWE: CWE-770 +- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L +- Last affected: 5.3.5,5.4.0 +- First fixed: 5.3.6,5.4.1 +- Internal ID: 365 + +An attacker can send a web request that causes unlimited memory allocation in the internal web +server, leading to a denial of service. The internal web server is disabled by default. + +`CVSS Score: 5.3 `__ + +The remedy is: upgrade to a patched version, or prevent network access to the internal webserver. In +general for defense in-depth reasons we recommend making the internal web server only accessible to +trusted clients. + +We would like to thank Ap4sh - Samy Medjahed and Ethicxz - Eliott Laurie Ap4sh / Ethicxz for +bringing this issue to our attention. 
+ +CVE-2026-33257: Insufficient input validation of internal web server +-------------------------------------------------------------------- + +- CVE: CVE-2026-33257 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-02-16T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8 +- Not affected: PowerDNS Recursor 5.2.9 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending crafted http requests, but only if the internal webserver is enabled. +- Risk of system compromise: None +- Solution: Upgrade to patched version or disallow network access to web server +- CWE: CWE-770 +- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L +- Last affected: 5.2.8 +- First fixed: 5.2.9 +- Internal ID: 368 + +An attacker can send a web request that causes unlimited memory allocation in the internal web +server, leading to a denial of service. The internal web server is disabled by default. + +`CVSS Score: 5.3 `__ + +The remedy is: upgrade to a patched version, or prevent network access to the internal webserver. In +general for defense in-depth reasons we recommend making the internal web server only accessible to +trusted clients. + +We would like to thank Vitaly Simonovich for bringing this issue to our attention. 
+ +CVE-2026-33258: Crafted zones can cause increased resource usage +---------------------------------------------------------------- + +- CVE: CVE-2026-33258 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-02-28T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0 +- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending crafted DNS responses +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-770 +- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L +- Last affected: 5.2.8, 5.3.5, 5.4.0 +- First fixed: 5.2.9, 5.3.6, 5.4.1 +- Internal ID: 369 + +By publishing and querying a crafted zone an attacker can cause allocation of large entries in the +negative and aggressive NSEC(3) caches. + +`CVSS Score: 5.3 `__ + +The remedy is: upgrade to a patched version. + +We would like to thank Haruto Kimura (Stella) for bringing this issue to our attention. + +CVE-2026-33259: Concurrent modification of RPZ data can lead to denial of service +--------------------------------------------------------------------------------- + +- CVE: CVE-2026-33259 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-02-28T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0 +- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by having many concurrent transfers of the same RPZ +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-416 +- CVSS: 3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H +- Last affected: 5.2.8, 5.3.5, 5.4.0 +- First fixed: 5.2.9, 5.3.6, 5.4.1 +- Internal ID: 370 + +Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free +and/or a crash of the recursor. 
Normally concurrent transfers of the same RPZ zone can only occur +with a malfunctioning RPZ provider. + +`CVSS Score: 5.0 `__ + +The remedy is: upgrade to a patched version. + +We would like to thank Haruto Kimura (Stella) for bringing this issue to our attention. + +CVE-2026-33260: Insufficient input validation of internal web server +-------------------------------------------------------------------- + +- CVE: CVE-2026-33260 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-02-20T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8 +- Not affected: PowerDNS Recursor 5.2.9 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending crafted http requests, but only if the internal webserver is enabled. +- Risk of system compromise: None +- Solution: Upgrade to patched version or disallow network access to web server +- CWE: CWE-770 +- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L +- Last affected: 5.2.8 +- First fixed: 5.2.9 +- Internal ID: 374 + +An attacker can send a web request that causes unlimited memory allocation in the internal web +server, leading to a denial of service. The internal web server is disabled by default. + +`CVSS Score: 5.3 `__ + +The remedy is: upgrade to a patched version, or prevent network access to the internal webserver. In +general for defense in-depth reasons we recommend making the internal web server only accessible to +trusted clients. + +We would like to thank Cavid for bringing this issue to our attention. 
+ +CVE-2026-33261: Null pointer access in aggressive NSEC(3) cache +--------------------------------------------------------------- + +- CVE: CVE-2026-33261 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-03-13T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0 +- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by a zone transitioning from NSEC to NSEC3 +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-353 +- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H +- Last affected: 5.2.8, 5.3.5, 5.4.0 +- First fixed: 5.2.9, 5.3.6, 5.4.1 +- Internal ID: 382 + +A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of +service. + +`CVSS Score: 5.9 `__ + +The remedy is: upgrade to a patched version. + +We would like to thank ylwango613 for bringing this issue to our attention. + +CVE-2026-33262: Insufficient validation of cookie reply +------------------------------------------------------- + +- CVE: CVE-2026-33262 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-03-12T00:00:00+01:00 +- Affects: PowerDNS Recursor 5.4.0 +- Not affected: PowerDNS Recursor 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending crafted DNS responses, but ony if cookies are enabled +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-476 +- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H +- Last affected: 5.4.0 +- First fixed: 5.4.1 +- Internal ID: 386 + +An attacker can send replies that result in a null pointer dereference, caused by a missing +consistency check and leading to a denial of service. Cookies are disabled by default. + +`CVSS Score: 5.9 `__ + +The remedy is: upgrade to a patched version. + +We would like to thank ylwango613 for bringing this issue to our attention. 
+ +CVE-2026-33601: Insufficient validation of ZONEMD record +-------------------------------------------------------- + +- CVE: CVE-2026-33601 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-03-25T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0 +- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending crafted zonemd record (only if zoneToCache is configured) +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-476 +- CVSS: 3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H +- Last affected: 5.2.8, 5.3.5, 5.4.0 +- First fixed: 5.2.9, 5.3.6, 5.4.1 +- Internal ID: 386 + +If you use the zoneToCache function with a malicious authoritative server, an attacker can send a +zone that result in a null pointer dereference, caused by a missing consistency check and leading to +a denial of service. + +`CVSS Score: 4.4 `__ + +The remedy is: upgrade to a patched version. + +We would like to thank ylwango613 for bringing this issue to our attention. 
+ +CVE-2026-33600: Null pointer dereference in RPZ transfer +-------------------------------------------------------- + +- CVE: CVE-2026-33600 +- Date: 2026-04-22T00:00:00+01:00 +- Discovery date: 2026-03-27T00:00:00+01:00 +- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0 +- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1 +- Severity: Medium +- Impact: Denial of service +- Exploit: This problem can be triggered by an attacker sending a crafted RPZ +- Risk of system compromise: None +- Solution: Upgrade to patched version +- CWE: CWE-476 +- CVSS: 3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H +- Last affected: 5.2.8, 5.3.5, 5.4.0 +- First fixed: 5.2.9, 5.3.6, 5.4.1 +- Internal ID: 432 + +An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by +a missing consistency check and leading to a denial of service. + +`CVSS Score: 4.4 `__ + +The remedy is: upgrade to a patched version. + +We would like to thank ylwango613 for bringing this issue to our attention.
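
Review bot: in docs/secpoll.zone (hunk at -427), recursor-5.1.10 goes from "1 OK" to "3 Upgrade now" but no 5.1.x record with "1 OK" is added, unlike the 5.2, 5.3 and 5.4 hunks, which add 5.2.9, 5.3.6 and 5.4.1. The advisory's "First fixed" fields name only 5.2.9, 5.3.6 and 5.4.1, so either a recursor-5.1.11 line is missing or, if the 5.1 branch gets no fix, the 5.1.10 text should tell operators to move to a newer branch instead of only linking the advisory.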
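
Review bot: `:released: 22th of April 2026` in the new 5.2.9 entry of pdns/recursordist/docs/changelog/5.2.rst should read "22nd of April 2026"; the same ordinal is repeated in the 5.3.rst and 5.4.rst hunks. `:pullreq: TBD` is a placeholder in all three entries and should be replaced with the actual pull request number before the docs are published.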
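
Review bot: the new entry in pdns/recursordist/docs/changelog/5.3.rst has `:version: 5.3.5`, which duplicates the existing 5.3.5 entry (released 9th of February 2026) directly below it. The secpoll.zone change in this same patch marks 5.3.5 as "Upgrade now" and 5.3.6 as "1 OK", and the advisory lists 5.3.6 as first fixed, so this should be `:version: 5.3.6`.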
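
Review bot: in powerdns-advisory-2026-03.rst, CVE-2026-33261 is titled "Null pointer access in aggressive NSEC(3) cache" but carries `CWE: CWE-353`, while the other null pointer entries in the file (CVE-2026-33262, CVE-2026-33601, CVE-2026-33600) use CWE-476; please confirm which is intended. `Internal ID: 386` appears under both CVE-2026-33262 and CVE-2026-33601, so one of the two is probably wrong. CVE-2026-33257 and CVE-2026-33260 are titled "Insufficient input validation of internal web server", yet their description text is word for word the "unlimited memory allocation" paragraph of CVE-2026-33256, which leaves readers unable to tell the three issues apart; a sentence per entry on what is actually validated would help. Smaller text fixes: "ony if cookies are enabled" should be "only", "a zone that result in" should be "results in", and the credit line "Ap4sh - Samy Medjahed and Ethicxz - Eliott Laurie Ap4sh / Ethicxz" repeats both handles.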