rec: Prep for SA-2026-03 17181/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 21 Apr 2026 08:30:34 +0000 (10:30 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 22 Apr 2026 06:51:49 +0000 (08:51 +0200)
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
.github/actions/spell-check/expect.txt
docs/secpoll.zone
pdns/recursordist/docs/changelog/5.2.rst
pdns/recursordist/docs/changelog/5.3.rst
pdns/recursordist/docs/changelog/5.4.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-03.rst [new file with mode: 0644]

index 09d8dee47ce82aa6d5affc8995d2731f40993906..738df3efc79798d814c63326f8fcc0dd66b3d6a2 100644 (file)
@@ -424,6 +424,7 @@ epel
 Eriksson
 errlog
 errorlevels
+Ethicxz
 EUips
 evanjones
 evildomain
@@ -544,6 +545,7 @@ Haixin
 Hakulinen
 Hannu
 Harker
+Haruto
 Hausberger
 headbgcolor
 headerline
@@ -790,6 +792,7 @@ mbed
 mbedtls
 MBOXFW
 mbytes
+Medjahed
 Meerwald
 Mekking
 melpa
@@ -1285,6 +1288,7 @@ Signingpiper
 signpipe
 signttl
 signzone
+Simonovich
 singlethreaded
 Sipek
 siphash
@@ -1449,6 +1453,7 @@ Toshifumi
 totms
 traceid
 traceparent
+transitioning
 Travaille
 treemacs
 tribool
@@ -1519,6 +1524,7 @@ Verschuren
 Viala
 viewcode
 visitedlinkcolor
+Vitaly
 Vixie
 vla
 Voegeli
@@ -1598,6 +1604,7 @@ Yehuda
 yeswehack
 Yiu
 Ylitalo
+ylwango
 YMMV
 Yogesh
 yourcompany
index 1e7d7bea0f2baa8633da9073ee6c723c83b72d16..2cef72195845caed4339807166e9df6adf515cb3 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026033100 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026042201 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -427,7 +427,7 @@ recursor-5.1.6.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.1.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.1.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
 recursor-5.1.9.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
-recursor-5.1.10.security-status                         60 IN TXT "1 OK"
+recursor-5.1.10.security-status                         60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html"
 
 recursor-5.2.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.2.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
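Review bot: `recursor-5.1.10.security-status` is flipped to "3 Upgrade now" without a 5.1.x successor record marked "1 OK", unlike the 5.2, 5.3 and 5.4 branches changed further down, so operators polling from 5.1 get an upgrade prompt with no same-branch target. The linked advisory lists fixed releases only as 5.2.9, 5.3.6 and 5.4.1. If the 5.1 branch is end of life, consider saying so in the TXT text or in the advisory, so that the status message leads the reader to a version they can actually install.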
@@ -440,7 +440,8 @@ recursor-5.2.4.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.2.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
 recursor-5.2.6.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
 recursor-5.2.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
-recursor-5.2.8.security-status                          60 IN TXT "1 OK"
+recursor-5.2.8.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html"
+recursor-5.2.9.security-status                          60 IN TXT "1 OK"
 
 recursor-5.3.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.3.0-alpha2.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
@@ -451,11 +452,13 @@ recursor-5.3.1.security-status                          60 IN TXT "3 Upgrade now
 recursor-5.3.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html"
 recursor-5.3.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
 recursor-5.3.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"
-recursor-5.3.5.security-status                          60 IN TXT "1 OK"
+recursor-5.3.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html"
+recursor-5.3.6.security-status                          60 IN TXT "1 OK"
 recursor-5.4.0-alpha1.security-status                   60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
 recursor-5.4.0-beta1.security-status                    60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
-recursor-5.4.0-rc1.security-status                      60 IN TXT "2 Superseded pre-release"
-recursor-5.4.0.security-status                          60 IN TXT "1 OK"
+recursor-5.4.0-rc1.security-status                      60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
+recursor-5.4.0.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html"
+recursor-5.4.1.security-status                          60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/recursor/appendices/EOL.html"
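Review bot: The `recursor-5.3.6.security-status` record added here has no matching release entry in this commit: the 5.3.rst changelog hunk adds `:version: 5.3.5`, which duplicates the existing 5.3.5 entry (9th of February 2026) directly below it. The advisory and this zone both name 5.3.6 as the fixed release, so that changelog line should presumably read `:version: 5.3.6`. The three new changelog entries also carry `:released: 22th of April 2026` (should be `22nd`) and a `:pullreq: TBD` placeholder that needs filling in before the release is published.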
index 68c60f54f53172a434de305dea7b4f89a01dcd87..a3261b1436f114881e5c87047918b4f4d82891c4 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.2.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.2.9
+  :released: 22th of April 2026
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: TBD
+
+    Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues
+
 .. changelog::
   :version: 5.2.8
   :released: 9th of February 2026
index 36ad65b75787ade1d36738bd261ad05a91aada81..b5bc786ab8034463453e5554f982b25a1539866f 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.3.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.3.5
+  :released: 22th of April 2026
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: TBD
+
+    Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues
+
 .. changelog::
   :version: 5.3.5
   :released: 9th of February 2026
index e87fce71dd9a481e0f7087f870e044809ff0cd52..fba29c6e3b8c67744da1d22608f0f8f1f45db289 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.4.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+  :version: 5.4.1
+  :released: 22th of April 2026
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: TBD
+
+    Fix PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple Issues
+
 .. changelog::
   :version: 5.4.0
   :released: 9th of March 2026 with no changes since 5.4.0-rc1 except the version.
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-03.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2026-03.rst
new file mode 100644 (file)
index 0000000..58234ce
--- /dev/null
@@ -0,0 +1,263 @@
+PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues
+========================================================================
+
+CVE-2026-33256: Unbounded memory allocation by internal web server
+-----------------------------------------------------------------
+
+- CVE: CVE-2026-33256
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date:  2026-02-17T00:00:00+01:00
+- Affects: PowerDNS Recursor from 5.3.0 up to and including 5.4.0
+- Not affected: PowerDNS Recursor 5.3.6, 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending crafted http requests, but only if the internal webserver is enabled.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disallow network access to web server
+- CWE: CWE-770
+- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+- Last affected: 5.3.5,5.4.0
+- First fixed: 5.3.6,5.4.1
+- Internal ID: 365
+
+An attacker can send a web request that causes unlimited memory allocation in the internal web
+server, leading to a denial of service. The internal web server is disabled by default.
+
+`CVSS Score: 5.3 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>`__
+
+The remedy is: upgrade to a patched version, or prevent network access to the internal webserver. In
+general for defense in-depth reasons we recommend making the internal web server only accessible to
+trusted clients.
+
+We would like to thank Ap4sh - Samy Medjahed and Ethicxz - Eliott Laurie Ap4sh / Ethicxz for
+bringing this issue to our attention.
+
+CVE-2026-33257: Insufficient input validation of internal web server
+--------------------------------------------------------------------
+
+- CVE: CVE-2026-33257
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date:  2026-02-16T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8
+- Not affected: PowerDNS Recursor 5.2.9
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending crafted http requests, but only if the internal webserver is enabled.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disallow network access to web server
+- CWE: CWE-770
+- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+- Last affected: 5.2.8
+- First fixed: 5.2.9
+- Internal ID: 368
+
+An attacker can send a web request that causes unlimited memory allocation in the internal web
+server, leading to a denial of service. The internal web server is disabled by default.
+
+`CVSS Score: 5.3 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>`__
+
+The remedy is: upgrade to a patched version, or prevent network access to the internal webserver. In
+general for defense in-depth reasons we recommend making the internal web server only accessible to
+trusted clients.
+
+We would like to thank Vitaly Simonovich for bringing this issue to our attention.
+
+CVE-2026-33258: Crafted zones can cause increased resource usage
+----------------------------------------------------------------
+
+- CVE: CVE-2026-33258
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date:  2026-02-28T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0
+- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending crafted DNS responses
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-770
+- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+- Last affected: 5.2.8, 5.3.5, 5.4.0
+- First fixed: 5.2.9, 5.3.6, 5.4.1
+- Internal ID: 369
+
+By publishing and querying a crafted zone an attacker can cause allocation of large entries in the
+negative and aggressive NSEC(3) caches.
+
+`CVSS Score: 5.3 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>`__
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Haruto Kimura (Stella) for bringing this issue to our attention.
+
+CVE-2026-33259: Concurrent modification of RPZ data can lead to denial of service
+---------------------------------------------------------------------------------
+
+- CVE: CVE-2026-33259
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date: 2026-02-28T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0
+- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by having many concurrent transfers of the same RPZ
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-416
+- CVSS: 3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
+- Last affected: 5.2.8, 5.3.5, 5.4.0
+- First fixed: 5.2.9, 5.3.6, 5.4.1
+- Internal ID: 370
+
+Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free
+and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur
+with a malfunctioning RPZ provider.
+
+`CVSS Score: 5.0 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H>`__
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank Haruto Kimura (Stella) for bringing this issue to our attention.
+
+CVE-2026-33260: Insufficient input validation of internal web server
+--------------------------------------------------------------------
+
+- CVE: CVE-2026-33260
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date:  2026-02-20T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8
+- Not affected: PowerDNS Recursor 5.2.9
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending crafted http requests, but only if the internal webserver is enabled.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disallow network access to web server
+- CWE: CWE-770
+- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+- Last affected: 5.2.8
+- First fixed: 5.2.9
+- Internal ID: 374
+
+An attacker can send a web request that causes unlimited memory allocation in the internal web
+server, leading to a denial of service. The internal web server is disabled by default.
+
+`CVSS Score: 5.3 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>`__
+
+The remedy is: upgrade to a patched version, or prevent network access to the internal webserver. In
+general for defense in-depth reasons we recommend making the internal web server only accessible to
+trusted clients.
+
+We would like to thank Cavid for bringing this issue to our attention.
+
+CVE-2026-33261: Null pointer access in aggressive NSEC(3) cache
+---------------------------------------------------------------
+
+- CVE: CVE-2026-33261
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date: 2026-03-13T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0
+- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by a zone transitioning from NSEC to NSEC3
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-353
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 5.2.8, 5.3.5, 5.4.0
+- First fixed: 5.2.9, 5.3.6, 5.4.1
+- Internal ID: 382
+
+A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of
+service.
+
+`CVSS Score: 5.9 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>`__
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank ylwango613 for bringing this issue to our attention.
+
+CVE-2026-33262: Insufficient validation of cookie reply
+-------------------------------------------------------
+
+- CVE: CVE-2026-33262
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date: 2026-03-12T00:00:00+01:00
+- Affects: PowerDNS Recursor 5.4.0
+- Not affected: PowerDNS Recursor 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending crafted DNS responses, but ony if cookies are enabled
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-476
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 5.4.0
+- First fixed: 5.4.1
+- Internal ID: 386
+
+An attacker can send replies that result in a null pointer dereference, caused by a missing
+consistency check and leading to a denial of service. Cookies are disabled by default.
+
+`CVSS Score: 5.9 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>`__
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank ylwango613 for bringing this issue to our attention.
+
+CVE-2026-33601: Insufficient validation of ZONEMD record
+--------------------------------------------------------
+
+- CVE: CVE-2026-33601
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date: 2026-03-25T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0
+- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending crafted zonemd record (only if zoneToCache is configured)
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-476
+- CVSS: 3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 5.2.8, 5.3.5, 5.4.0
+- First fixed: 5.2.9, 5.3.6, 5.4.1
+- Internal ID: 386
+
+If you use the zoneToCache function with a malicious authoritative server, an attacker can send a
+zone that result in a null pointer dereference, caused by a missing consistency check and leading to
+a denial of service.
+
+`CVSS Score: 4.4 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H&version=3.1>`__
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank ylwango613 for bringing this issue to our attention.
+
+CVE-2026-33600: Null pointer dereference in RPZ transfer
+--------------------------------------------------------
+
+- CVE: CVE-2026-33600
+- Date: 2026-04-22T00:00:00+01:00
+- Discovery date: 2026-03-27T00:00:00+01:00
+- Affects: PowerDNS Recursor up to and including 5.2.8, 5.3.5, 5.4.0
+- Not affected: PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker sending a crafted RPZ
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-476
+- CVSS: 3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 5.2.8, 5.3.5, 5.4.0
+- First fixed: 5.2.9, 5.3.6, 5.4.1
+- Internal ID: 432
+
+An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by
+a missing consistency check and leading to a denial of service.
+
+`CVSS Score: 4.4 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H&version=3.1>`__
+
+The remedy is: upgrade to a patched version.
+
+We would like to thank ylwango613 for bringing this issue to our attention.
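Review bot: The `- CWE: CWE-353` line under CVE-2026-33261 does not match that entry's title ("Null pointer access"); the other null-pointer entries in this file use CWE-476, so this is probably meant to be `- CWE: CWE-476`. `- Internal ID: 386` appears under both CVE-2026-33262 and CVE-2026-33601, so one of the two is likely a copy error. CVE-2026-33257 and CVE-2026-33260 are titled "Insufficient input validation" yet repeat the unbounded-allocation paragraph of CVE-2026-33256 word for word, leaving a reader unable to tell the three issues apart; presumably each needs its own description. Smaller fixes: `but ony if cookies are enabled` should read `but only if cookies are enabled`, `a zone that result in` should be `a zone that results in`, and the first acknowledgement repeats `Ap4sh / Ethicxz` after the names.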