From: Otto Moerbeek Date: Tue, 21 Oct 2025 08:22:26 +0000 (+0200) Subject: Prep for Security Release 2025-06 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ec0747ea2303ee678095df32569c8bc90cc5fbe;p=thirdparty%2Fpdns.git Prep for Security Release 2025-06 Signed-off-by: Otto Moerbeek --- diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index 15db653a67..37246347ab 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -95,6 +95,7 @@ bagbug Bakhos Bakker Baltus +Baojun basedn basepath Bastiaan @@ -529,6 +530,7 @@ gtld guilabel gutenberg Gyselinck +Haixin Hakulinen Hannu Harker @@ -1244,6 +1246,7 @@ setvariable Shabanov Shafir shantikulkarni +Shiming shinsterneck shnya showdetails @@ -1584,6 +1587,8 @@ yourdomain yourorganization yoursecret yubikey +Yunyi +Yuxiao YYYYMMD YYYYMMDDSS Zash diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 4deb65ac27..b4b97ba742 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025101500 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2025102201 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. @@ -407,7 +407,7 @@ recursor-5.0.8.security-status 60 IN TXT "3 Upgrade now recursor-5.0.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.0.10.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.0.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" -recursor-5.0.12.security-status 60 IN TXT "2 Unsupported release (EOL)" +recursor-5.0.12.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" recursor-5.1.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.1.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.1.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" @@ -417,8 +417,10 @@ recursor-5.1.2.security-status 60 IN TXT "3 Upgrade now recursor-5.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" -recursor-5.1.6.security-status 60 IN TXT "1 OK" -recursor-5.1.7.security-status 60 IN TXT "1 OK" +recursor-5.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" +recursor-5.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" +recursor-5.1.8.security-status 60 IN TXT "1 OK" + recursor-5.2.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.2.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.2.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" @@ -426,13 +428,16 @@ recursor-5.2.0.security-status 60 IN TXT "3 Upgrade now recursor-5.2.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.2.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" recursor-5.2.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html" -recursor-5.2.4.security-status 60 IN TXT "1 OK" -recursor-5.2.5.security-status 60 IN TXT "1 OK" +recursor-5.2.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" +recursor-5.2.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" +recursor-5.2.6.security-status 60 IN TXT "1 OK" + recursor-5.3.0-alpha1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" recursor-5.3.0-alpha2.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" -recursor-5.3.0-beta1.security-status 60 IN TXT "2 Superseded pre-release" -recursor-5.3.0-rc1.security-status 60 IN TXT "2 Superseded pre-release" -recursor-5.3.0.security-status 60 IN TXT "1 OK" +recursor-5.3.0-beta1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities)" +recursor-5.3.0-rc1.security-status 60 IN TXT "3 Superseded pre-release (known vulnerabilities" +recursor-5.3.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html" +recursor-5.3.1.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html" diff --git a/pdns/recursordist/docs/changelog/5.1.rst b/pdns/recursordist/docs/changelog/5.1.rst index e98ed07d23..40f79413c2 100644 --- a/pdns/recursordist/docs/changelog/5.1.rst +++ b/pdns/recursordist/docs/changelog/5.1.rst @@ -3,6 +3,16 @@ Changelogs for 5.1.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.1.8 + :released: 22nd of October 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 16341 + + Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. + .. changelog:: :version: 5.1.7 :released: 29th of July 2025 diff --git a/pdns/recursordist/docs/changelog/5.2.rst b/pdns/recursordist/docs/changelog/5.2.rst index 962af1ec38..22801e882e 100644 --- a/pdns/recursordist/docs/changelog/5.2.rst +++ b/pdns/recursordist/docs/changelog/5.2.rst @@ -3,6 +3,16 @@ Changelogs for 5.2.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.2.6 + :released: 22nd of October 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 16340 + + Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. + .. changelog:: :version: 5.2.5 :released: 29th of July 2025 diff --git a/pdns/recursordist/docs/changelog/5.3.rst b/pdns/recursordist/docs/changelog/5.3.rst index a4ba1197f6..6a75762b83 100644 --- a/pdns/recursordist/docs/changelog/5.3.rst +++ b/pdns/recursordist/docs/changelog/5.3.rst @@ -3,6 +3,16 @@ Changelogs for 5.3.X Before upgrading, it is advised to read the :doc:`../upgrade`. +.. changelog:: + :version: 5.3.1 + :released: 22nd of October 2025 + + .. change:: + :tags: Bug Fixes + :pullreq: 16339 + + Fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor. + .. changelog:: :version: 5.3.0 :released: 28th of August 2025 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-06.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-06.rst new file mode 100644 index 0000000000..3fdaf780e8 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2025-06.rst @@ -0,0 +1,39 @@ +PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor +================================================================================================================= + +- CVE: CVE-2025-59023 +- Date: 15th October 2025 +- Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0 +- Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1 +- Severity: High +- Impact: Cache pollution +- Exploit: This problem can be triggered by an attacker spoofing crafted delegations +- Risk of system compromise: None +- Solution: Upgrade to patched version + +CVSS Score: 8.2, see +https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1 + +- CVE: CVE-2025-59024 +- Date: 15th October 2025 +- Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0 +- Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1 +- Severity: Medium +- Impact: Cache pollution +- Exploit: This problem can be triggered by an attacker using an UDP IP fragments attack +- Risk of system compromise: None +- Solution: Upgrade to patched version + +CVSS Score: 6.5 see +https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1 + +It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information. +The malicious delegation information can be sent by an attacker spoofing packets. +The patched versions of the Recursor apply strict validation of the received delegation information from authoritative servers. +In versions 5.2.6 and 5.3.1 the already existing validations are tightened further, while version 5.1.8 contains a full backport of the strict validations. +Note that other vendors will release updated software to fix similar issues as well. + +The remedy is: upgrade to a patched version. + +We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University and +Shiming Liu from Network and Information Security Lab, also Tsinghua University for bringing these issues to our attention.