Today we have released PowerDNS Recursor 5.1.9, 5.2.7 and 5.3.3. These releases fix two PowerDNS Security Advisories:
* 2025-07: Internal logic flaw in cache management can lead to a
denial of service in Recursor
* 2025-08: Insufficient validation of incoming notifies over TCP can
lead to a denial of service in Recursor.
__________________________________________________________________
PowerDNS Security Advisory 2025-07: Internal logic flaw in cache management
can lead to a denial of service in Recursor
* CVE: CVE-2025-59029
* Date: 8th December 2025
* Affects: PowerDNS Recursor 5.3.0 and 5.3.1
* Not affected: PowerDNS Recursor 5.1.x, 5.2.x and 5.3.2
* Severity: Medium
* Impact: Denial of Service
* Exploit: This problem can be triggered by specific cache contents
and a query with qtype ANY
* Risk of system compromise: None
* Solution: Upgrade to patched version or prevent requests with qtype
ANY
CVSS Score: 5.6, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
R:N/UI:N/S:U/C:N/I:N/A:L&version=3.1[1]
The remedy is: upgrade to a patched version or prevent requests with
qtype ANY.
Version 5.3.2 of PowerDNS Recursor was never released publicly, upgrade
to version 5.3.3.
__________________________________________________________________
PowerDNS Security Advisory 2025-08: Insufficient validation of incoming
notifies over TCP can lead to a denial of service in Recursor
* CVE: CVE-2025-59030
* Date: 8th December 2025
* Affects: PowerDNS Recursor up to and including 5.3.2, 5.2.6 and
5.1.8
* Not affected: PowerDNS Recursor 5.3.3, 5.2.7 and 5.1.9
* Severity: High
* Impact: Denial of Service
* Exploit: This problem can be triggered by a notify arriving over
TCP and allows clearing caches
* Risk of system compromise: None
* Solution: Upgrade to patched version or prevent incoming notifies
over TCP
CVSS Score: 7.5, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
R:N/UI:N/S:U/C:N/I:N/A:H&version=3.1[2]
The remedy is: upgrade to patched version or prevent incoming notifies
over TCP.
__________________________________________________________________
Please refer to the changelogs (5.1.9[3], 5.2.7[4] and 5.3.3[5]) for
additional details
Please send us all feedback and issues you might have via the mailing
list[6], or in case of a bug, via GitHub[7].
The tarballs (5.1.9[8], 5.2.7[9], 5.3.3[10]) (with signature files
5.1.9[11], 5.2.7[12], 5.3.3[13]) are available from our
download server[14] and packages for several distributions are
available from our repository[15].
Recently we made changes to our Open Source End of Life policy. Older
release trains are now supported for one year after the following major
release. Consult the EOL policy[16] for more details.
We are grateful to the PowerDNS community for the reporting of bugs,
issues, feature requests, and especially to the submitters of fixes and
implementations of features.
References
1.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1
2.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
3. https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1.9
4. https://doc.powerdns.com/recursor/changelog/5.2.html#change-5.2.7
5. https://doc.powerdns.com/recursor/changelog/5.3.html#change-5.3.3
6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
7. https://github.com/PowerDNS/pdns/issues/new/choose
8. https://downloads.powerdns.com/releases/pdns-recursor-5.1.9.tar.bz2
9. https://downloads.powerdns.com/releases/pdns-recursor-5.2.7.tar.bz2
10. https://downloads.powerdns.com/releases/pdns-recursor-5.3.3.tar.xz
11. https://downloads.powerdns.com/releases/pdns-recursor-5.1.9.tar.bz2.sig
12. https://downloads.powerdns.com/releases/pdns-recursor-5.2.7.tar.bz2.sig
13. https://downloads.powerdns.com/releases/pdns-recursor-5.3.3.tar.xz.sig
14. https://downloads.powerdns.com/releases/
15. https://repo.powerdns.com/
16. https://docs.powerdns.com/recursor/appendices/EOL.html
signature.asc
Description: PGP signature
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
