From miod.vallat at powerdns.com  Wed May 20 13:08:12 2026
From: miod.vallat at powerdns.com (Miod Vallat)
Date: Wed, 20 May 2026 15:08:12 +0200
Subject: [Pdns-announce] PowerDNS Authoritative Server 4.9.15 and 5.0.5
Message-ID: <02c72b0a-023d-4b6b-89e4-bdc90d3b326d@powerdns.com>

Today, we are releasing two new versions of the PowerDNS Authoritative
Server. These 4.9.15 and 5.0.5 versions provide fixes for the following
PowerDNS Security Advisory:

* [1]PowerDNS Security Advisory 2026-06: Multiple Issues

The security issues being fixed with these releases are low or
medium-severity, and most of them involve specific backends and/or
configurations. They are:

* CVE-2026-41999 (only concerns 5.0.x)
  When using views, queries sent using TCP Proxy Protocol will select
  the view according to the address of the proxy, rather than the
  address of the initial query. This can lead to wrong data being
  returned.
* CVE-2026-42000
  Missing escaping of special characters (such as $ or @) in DNS names
  received during an AXFR operation can lead to an incorrect
  (non-parseable) Bind backend configuration to be written, causing
  this backend to fail until manual operation is performed to fix the
  configuration.
* CVE-2026-42001
  Missing sanity checks of the answer to the initial SOA query, when
  running in autosecondary mode and receiving a notification for a
  not-yet-known domain may cause the server to crash.
* CVE-2026-42002
  Multiple concurrency and locking defects in the GSS-TSIG code can
  lead to memory corruption due to accidental data structure sharing,
  which can in turn lead to a program crash. Moreover, the lack of
  bounds on the number of in-flight GSS-TSIG contexts can lead to
  unbounded memory consumption in case of an excessive number of
  requests at a given time. A limit of 1000 contexts is now enforced,
  and can be modified with the "gss-max-contexts" parameter in server
  configuration.
* CVE-2026-42396
  Missing proper escaping of double-quote characters when computing
  labels will cause AXFR of a catalog zone with a member whose producer
  group option contains such a character to fail.

Please make sure to read the [2]Upgrade Notes before upgrading.

The tarballs ([3]4.9.15, [4]5.0.5) and their signatures ([5]4.9.15,
[6]5.0.5) are available at [7]downloads.powerdns.com. Packages for
various distributions are available from [8]repo.powerdns.com.

Please send us all feedback and issues you might have via the
[9]mailing list, or in case of a bug, via [10]GitHub.

References

1. https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html
2. https://doc.powerdns.com/authoritative/upgrading.html
3. https://downloads.powerdns.com/releases/pdns-4.9.15.tar.bz2
4. https://downloads.powerdns.com/releases/pdns-5.0.5.tar.bz2
5. https://downloads.powerdns.com/releases/pdns-4.9.15.tar.bz2.sig
6. https://downloads.powerdns.com/releases/pdns-5.0.5.tar.bz2.sig
7. https://downloads.powerdns.com/releases/
8. https://repo.powerdns.com/
9. https://mailman.powerdns.com/mailman/listinfo/pdns-users
10. https://github.com/PowerDNS/pdns/issues/new/choose

From remi.gacogne at powerdns.com  Thu May 21 11:45:26 2026
From: remi.gacogne at powerdns.com (Remi Gacogne)
Date: Thu, 21 May 2026 13:45:26 +0200
Subject: [Pdns-announce] PowerDNS DNSdist 2.0.6 Released
Message-ID: <1901ad61-5867-4459-8204-dedda1d1d55e@powerdns.com>

Hi,

Today we released DNSdist 2.0.6, fixing several issues. The notable ones
are:

- the feature that was introduced in 2.0.0 to limit the rate of new TCP
  or QUIC connections that a given client can open per second has a
  serious bug, coming from a confusion over the interval, which is set
  in minutes, and the rate, which is set in seconds, causing clients to
  be blocked a lot sooner than they should have been
- there was a data race in the CDB Key-Value store implementation.
  This was fixed by preventing threads from accessing the same CDB
  object concurrently, which might have a performance impact for users
  that rely heavily on CDB. Please reach out to us if you experience
  such a performance impact
- the BPFFilter::addRangeRule feature was not working properly
- configured buffer sizes for UDP sockets were only applied to incoming
  sockets, not outgoing ones
- AF_XDP/XSK could not be enabled from YAML
- the TLS session cache for outgoing connections to backends was not
  properly cleaned up
- the computation of the "Top N" metrics for suffix-based dynamic block
  counters was wrong
- DownstreamState::setHealthCheckParams was sometimes overwriting the
  wrong value
- a memory leak was found in the SNMP metrics implementation
- the maximum size of a DNS over QUIC query was slightly off, which
  might have been a problem for very large queries

Please see the DNSdist website [1] for the more complete changelog [2]
and the current documentation. The upgrade guide is also available
there [3].

Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the
downloads website, and packages for several distributions are available
from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-2.0.6
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-2.0.6.tar.xz
[6]: https://downloads.powerdns.com/releases/dnsdist-2.0.6.tar.xz.sig
[7]: https://repo.powerdns.com

Best regards,
-
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
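
Added example, not part of either announcement and not PowerDNS code: the class of escaping that CVE-2026-42000 and CVE-2026-42396 in the Authoritative Server announcement above concern, shown as RFC 1035 presentation-format escaping of labels received off the wire. The function names, the `SPECIAL` set and the sample labels are assumptions made for this illustration.

```python
# Added example (not PowerDNS code): RFC 1035 presentation-format escaping.
# SPECIAL is a conservative set chosen for this example, an assumption.
SPECIAL = frozenset(b'.\\"$@;()')  # bytes with meaning in zone files or quoted strings


def escape_label(label: bytes) -> str:
    """Render one wire-format label as text that survives a zone-file parser."""
    if not 1 <= len(label) <= 63:
        raise ValueError("label length must be 1..63 bytes")
    out = []
    for b in label:
        if b in SPECIAL:
            out.append("\\" + chr(b))   # \X form
        elif 0x21 <= b <= 0x7E:
            out.append(chr(b))          # printable, no special meaning
        else:
            out.append("\\%03d" % b)    # \DDD form: space, control and 8-bit bytes
    return "".join(out)


def name_to_text(labels):
    """Join escaped labels into an absolute name with a trailing dot."""
    return ".".join(escape_label(l) for l in labels) + "."


def text_to_labels(text: str):
    """Inverse of name_to_text, used to check that escaping round-trips."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isascii() and ddd.isdigit():
                cur.append(int(ddd))    # \DDD
                i += 4
            else:
                cur.append(ord(text[i + 1]))  # \X
                i += 2
        elif c == ".":
            labels.append(bytes(cur))   # unescaped dot ends the label
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    return labels


# Constructed sample: labels as they could arrive on the wire in a transfer.
SAMPLE = [b"a$b@c", b'pro"d', b"x y", b"example", b"org"]
```

Writing `name_to_text(SAMPLE)` instead of the raw bytes keeps `$`, `@` and `"` from being read as zone-file syntax or as the end of a quoted string, and `text_to_labels` recovers the original labels unchanged.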