=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN730
_____________________________________________________________________

DATE                : 24/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS Recursor versions prior
                                 to 5.1.8, 5.2.6, 5.3.1.

=====================================================================
https://blog.powerdns.com/powerdns-security-advisory-2025-06-2025-10-22
_____________________________________________________________________


PowerDNS Security Advisory 2025-06
Oct 22, 2025 2:09:49 PM

Today we have released PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1.

These releases fix PowerDNS Security Advisory 2025-06: Crafted
delegations or IP fragments can poison cached delegations in
Recursor:

PowerDNS Security Advisory 2025-06: Crafted delegations or IP
fragments can poison cached delegations in Recursor


CVE: CVE-2025-59023
Date: 15th October 2025
Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and
          5.3.0
Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
Severity: High
Impact: Cache pollution
Exploit: This problem can be triggered by an attacker spoofing
          crafted delegations
Risk of system compromise: None
Solution: Upgrade to patched version

CVSS Score: 8.2, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1

CVE: CVE-2025-59024
Date: 15th October 2025
Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and
          5.3.0
Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
Severity: Medium
Impact: Cache pollution
Exploit: This problem can be triggered by an attacker using a
          UDP IP fragments attack
Risk of system compromise: None
Solution: Upgrade to patched version

CVSS Score: 6.5, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1
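The affected and fixed version lists above are the operational core of the advisory. The following is an added example (not CERT-Renater or PowerDNS code) that turns them into a check a fleet-inventory script can run on the version string reported by an installed Recursor. The advisory only names the 5.1, 5.2 and 5.3 trains; how this code treats other trains (anything older than 5.1.8 is taken as lacking the fix, 5.4 and later as released after it) is an assumption made for the example.

```python
"""Check a PowerDNS Recursor version string against PowerDNS Security
Advisory 2025-06 (CVE-2025-59023, CVE-2025-59024).

From the advisory: fixed in 5.1.8, 5.2.6 and 5.3.1; affected up to and
including 5.1.7, 5.2.5 and 5.3.0.  The handling of release trains the
advisory does not list is an assumption made for this example.
"""
import re

# First fixed release per release train, as stated in the advisory.
FIXED_BY_TRAIN = {
    (5, 1): (5, 1, 8),
    (5, 2): (5, 2, 6),
    (5, 3): (5, 3, 1),
}
OLDEST_FIXED = min(FIXED_BY_TRAIN.values())  # (5, 1, 8)

# First dotted triple anywhere in the string, so that both a bare "5.2.5"
# and a banner such as "PowerDNS Recursor 5.2.5" or a distribution
# package version "5.3.1-1" are accepted.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for the first dotted triple in `text`.

    Raises ValueError when no version number can be found, so callers do
    not silently treat an unparsable banner as 'fixed'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the reported version does not contain the advisory's fix."""
    version = parse_version(text)
    train = version[:2]
    if train in FIXED_BY_TRAIN:
        return version < FIXED_BY_TRAIN[train]
    # Assumption for trains not listed in the advisory: releases older than
    # the oldest fixed release (e.g. 5.0.x) never received the fix; trains
    # newer than 5.3 are taken to have been cut after the fix.
    return version < OLDEST_FIXED


def minimum_fixed_version(text):
    """The first fixed release on the same train as `text`, as a string,
    or None when the advisory lists no fixed release for that train."""
    train = parse_version(text)[:2]
    fixed = FIXED_BY_TRAIN.get(train)
    return ".".join(str(n) for n in fixed) if fixed else None


if __name__ == "__main__":
    # Constructed sample of version strings as an inventory might collect them.
    for reported in ("5.1.7", "PowerDNS Recursor 5.2.5", "5.3.1-1", "5.0.9"):
        status = "AFFECTED" if is_affected(reported) else "fixed"
        target = minimum_fixed_version(reported) or "no fixed release on this train"
        print(f"{reported!r}: {status} (upgrade target: {target})")
```

The string passed in can come from `pdns_recursor --version` on each host; the parser takes the first dotted triple it finds, so feed it the line containing the Recursor version rather than a whole multi-line banner that might mention other software versions first.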

It has been brought to our attention that the Recursor does not
apply strict enough validation of received delegation
information. The malicious delegation information can be sent
by an attacker spoofing packets.

The updated versions of the Recursor apply strict validation of
the received delegation information from authoritative servers.
In versions 5.2.6 and 5.3.1 the already existing validations
are tightened further, while version 5.1.8 contains a full
backport of the strict validations. Note that other vendors
will release updated software to fix similar issues as well.
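The advisory describes the fix only as "strict validation of the received delegation information" and does not spell out the individual checks. The block below is an added illustration of the general rule resolvers apply to referrals before caching them (the "bailiwick" rule): a delegation is only accepted if the delegated zone lies strictly inside the zone the queried server was authoritative for and covers the query name, and glue addresses are only accepted for name servers that lie inside the delegated zone. It is example code written for this note; it is not PowerDNS Recursor code and does not claim to reproduce the specific checks tightened in 5.1.8, 5.2.6 and 5.3.1. The sample referral and the addresses in it are constructed.

```python
"""Bailiwick validation of one DNS referral (added illustration, not
PowerDNS code).  A referral consists of an NS RRset in the authority
section owned by the delegated zone, plus optional A/AAAA glue in the
additional section.  Data that fails these checks is not cached."""


def _labels(name):
    """Normalised label tuple: 'NS1.Example.' -> ('ns1', 'example')."""
    return tuple(label.lower() for label in name.rstrip(".").split(".") if label)


def is_subdomain(name, zone):
    """True if `name` is `zone` itself or lies below it (case-insensitive)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def validate_referral(qname, authoritative_zone, delegated_zone, ns_names, glue):
    """Return (accepted_ns, accepted_glue, rejections) for one referral.

    qname              name the resolver asked for
    authoritative_zone zone the queried server is known to be authoritative for
    delegated_zone     owner name of the NS RRset in the authority section
    ns_names           target names of those NS records
    glue               {ns_name: [address, ...]} from the additional section
    """
    rejections = []

    # 1. The delegated zone must be strictly below the zone we asked about;
    #    a server for 'example.' may not hand out NS records for 'other.'.
    if (not is_subdomain(delegated_zone, authoritative_zone)
            or _labels(delegated_zone) == _labels(authoritative_zone)):
        return [], {}, [f"delegation for {delegated_zone} is outside {authoritative_zone}"]

    # 2. The referral must actually cover the name we are resolving.
    if not is_subdomain(qname, delegated_zone):
        return [], {}, [f"delegation for {delegated_zone} does not cover {qname}"]

    accepted_ns = list(ns_names)
    wanted = {_labels(n) for n in ns_names}
    accepted_glue = {}

    # 3. Glue is only trusted for servers named in the NS set and located
    #    inside the delegated zone; anything else must be looked up separately.
    for ns, addresses in glue.items():
        if _labels(ns) not in wanted:
            rejections.append(f"glue for {ns} does not match any NS record")
        elif not is_subdomain(ns, delegated_zone):
            rejections.append(f"out-of-bailiwick glue for {ns} ignored")
        else:
            accepted_glue[ns] = list(addresses)
    return accepted_ns, accepted_glue, rejections


# Constructed sample referral: the server for the hypothetical zone
# 'example.' delegates 'victim.example.' to two name servers and includes
# glue for both, plus a stray address record that matches no NS record.
SAMPLE_REFERRAL = dict(
    qname="www.victim.example.",
    authoritative_zone="example.",
    delegated_zone="victim.example.",
    ns_names=["ns1.victim.example.", "ns2.outside.example."],
    glue={
        "ns1.victim.example.": ["192.0.2.1"],        # in bailiwick: kept
        "ns2.outside.example.": ["198.51.100.1"],    # outside: ignored
        "www.victim.example.": ["203.0.113.1"],      # not an NS target: ignored
    },
)

if __name__ == "__main__":
    ns, glue, rejected = validate_referral(**SAMPLE_REFERRAL)
    print("NS accepted:", ns)
    print("glue accepted:", glue)
    for reason in rejected:
        print("rejected:", reason)
```

The order of the checks matters: a referral that points outside the queried zone is dropped whole, before any of its glue is considered, whereas out-of-bailiwick glue only causes that one address record to be ignored while the NS names themselves remain usable.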

Please refer to the changelogs (5.1.8, 5.2.6 and 5.3.1) for
additional details.

Please send us all feedback and issues you might have via the
mailing list, or in case of a bug, via GitHub.

The tarballs (5.1.8, 5.2.6, 5.3.1) (with signature files 5.1.8,
5.2.6, 5.3.1) are available from our download server and
packages for several distributions are available from our
repository.

Recently we made changes to our Open Source End of Life policy.
Older release trains are now supported for one year after the
following major release. Consult the EOL policy for more
details.

We are grateful to the PowerDNS community for the reporting of
bugs, issues, feature requests, and especially to the
submitters of fixes and implementations of features.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================