=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN534
_____________________________________________________________________

DATE                : 21/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PowerDNS Authoritative Server
                           4.9.x prior to 4.9.15 or 5.0.x prior to 5.0.5.

=====================================================================
https://blog.powerdns.com/2026/05/20/powerdns-security-advisory-2026-06-for-powerdns-authoritative-server
_____________________________________________________________________

PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server
May 20, 2026 3:02:52 PM

Today, we are releasing two new versions of the PowerDNS Authoritative
Server.

Versions 4.9.15 and 5.0.5 provide fixes for PowerDNS Security
Advisory 2026-06: Multiple Issues.
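Before planning an upgrade it helps to map an installed version to the CVEs in this advisory. The script below is an added example, not code from PowerDNS or from CERT-Renater; it encodes only what the advisory states (4.9.15 and 5.0.5 are the fixed releases, and CVE-2026-41999 concerns 5.0.x only). The sample banner strings are constructed, the branch table and CVE lists are this example's own data, and it assumes the version is given as a plain x.y.z triple (pre-release and packaging suffixes are not interpreted).

```python
import re

# Fixed releases named in the advisory: branch -> first fixed patch level.
FIXED_PATCH = {
    (4, 9): 15,  # 4.9.15
    (5, 0): 5,   # 5.0.5
}

# CVE-2026-41999 (views + Proxy Protocol) only concerns 5.0.x; the other
# issues are fixed in both branches. Whether a given CVE is reachable still
# depends on the backend and configuration in use, as the advisory notes.
CVES_BY_BRANCH = {
    (4, 9): ["CVE-2026-42000", "CVE-2026-42001", "CVE-2026-42002",
             "CVE-2026-42396"],
    (5, 0): ["CVE-2026-41999", "CVE-2026-42000", "CVE-2026-42001",
             "CVE-2026-42002", "CVE-2026-42396"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first major.minor.patch triple from a version string or
    banner (e.g. the output of `pdns_server --version`, format assumed)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(text):
    """Return the CVEs from this advisory that apply to the given version,
    an empty list if the version is at or above the fixed release, or None
    if the branch (e.g. 4.8.x) is not covered by the advisory at all."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in FIXED_PATCH:
        return None
    if patch >= FIXED_PATCH[branch]:
        return []
    return list(CVES_BY_BRANCH[branch])


if __name__ == "__main__":
    # Constructed sample banners, not real command output.
    for banner in ("PowerDNS Authoritative Server 4.9.14",
                   "PowerDNS Authoritative Server 5.0.4",
                   "PowerDNS Authoritative Server 5.0.5",
                   "PowerDNS Authoritative Server 4.8.5"):
        result = affected_cves(banner)
        if result is None:
            print(f"{banner}: branch not covered by advisory 2026-06")
        elif not result:
            print(f"{banner}: fixed")
        else:
            print(f"{banner}: affected by {', '.join(result)}")
```

A version on a branch the advisory does not mention (4.8.x, for example) is reported as "not covered" rather than "fixed": the advisory says nothing about it, so the script should not either.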

The security issues fixed in these releases are of low or
medium severity, and most of them involve specific backends
and/or configurations. They are:

    CVE-2026-41999 (only concerns 5.0.x)
    When views are in use, queries received over TCP with the
Proxy Protocol select the view based on the address of the
proxy rather than the address of the original client. This
can lead to wrong data being returned.
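To make the CVE-2026-41999 failure mode concrete, the following added example (not PowerDNS code, and not its views configuration syntax) parses a PROXY protocol v2 header, as specified by HAProxy, and shows the difference between selecting a view from the TCP peer address (the proxy) and from the client address carried in the header. The view table, the trusted-proxy set and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

# PROXY protocol v2: 12-byte signature, then version/command byte,
# address-family/transport byte, and a 16-bit body length.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Hypothetical view table, most specific first: (network, view name).
VIEWS = [
    (ipaddress.ip_network("10.0.0.0/8"), "internal"),
    (ipaddress.ip_network("0.0.0.0/0"), "external"),
    (ipaddress.ip_network("::/0"), "external"),
]

# Assumed: only these peers may send a PROXY header. Accepting it from
# anyone else lets any client pick its own "source address".
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def build_proxy_v2(src, dst, sport, dport):
    """Build a PROXY v2 header (command PROXY, transport STREAM)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("mixed address families")
    family = 0x10 if s.version == 4 else 0x20  # AF_INET / AF_INET6
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, family | 0x01, len(body)) + body


def parse_proxy_v2(data):
    """Parse a PROXY v2 header at the start of a TCP stream.

    Returns (info, payload): info is None for the LOCAL command (the proxy
    itself is the client, e.g. a health check), otherwise a dict with the
    original client's address and port; payload is everything after the
    header, i.e. the DNS data.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL: no forwarded client address
        return None, payload
    family = fam_proto >> 4
    if family == 1 and length >= 12:     # AF_INET: 4+4+2+2 bytes
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    elif family == 2 and length >= 36:   # AF_INET6: 16+16+2+2 bytes
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family or short header")
    return {"src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}, payload


def select_view(views, addr):
    """First-match lookup of a client address in the view table."""
    for net, name in views:
        if addr in net:
            return name
    return "external"


def views_for_connection(peer_ip, data, trusted_proxies=TRUSTED_PROXIES):
    """Return (view from the TCP peer address, view from the client address
    in the PROXY header). The first is the selection the advisory describes
    for CVE-2026-41999, where the peer is the proxy; the second is the
    address a view lookup should use."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_proxies:
        raise ValueError(f"PROXY header from untrusted peer {peer}")
    info, _payload = parse_proxy_v2(data)
    by_peer = select_view(VIEWS, peer)
    by_client = select_view(VIEWS, info["src"]) if info else by_peer
    return by_peer, by_client


if __name__ == "__main__":
    # Constructed sample: proxy 10.0.0.5 forwards a query from Internet
    # client 203.0.113.7 to the authoritative server at 10.0.0.53.
    stream = build_proxy_v2("203.0.113.7", "10.0.0.53", 40000, 53) + b"<dns query>"
    by_peer, by_client = views_for_connection("10.0.0.5", stream)
    print(f"view by proxy address:  {by_peer}")    # internal (wrong view)
    print(f"view by client address: {by_client}")  # external
```

With the constructed addresses the proxy sits inside the "internal" network, so selecting on the peer address hands an Internet client the internal view; selecting on the header's source address gives the external view. The trusted-proxy check is the usual companion to any PROXY protocol deployment, since the header is unauthenticated.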

    CVE-2026-42000
    Missing escaping of special characters (such as $ or @)
in DNS names received during an AXFR can result in an
incorrect (non-parseable) Bind backend configuration being
written, causing the backend to fail until the configuration
is repaired manually.

    CVE-2026-42001
    When running in auto-secondary mode, missing sanity checks
on the answer to the initial SOA query, sent after receiving
a notification for a not-yet-known domain, may cause the
server to crash.

    CVE-2026-42002
    Multiple concurrency and locking defects in the GSS-TSIG
code can lead to memory corruption through accidental sharing
of data structures, which can in turn lead to a program
crash.
    Moreover, the lack of a bound on the number of in-flight
GSS-TSIG contexts can lead to unbounded memory consumption
when an excessive number of requests arrive at the same time.
A limit of 1000 contexts is now enforced; it can be changed
with the "gss-max-contexts" parameter in the server
configuration.
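The resource-exhaustion half of CVE-2026-42002 comes down to a table of half-finished negotiations with no upper bound. The added example below (illustrative code, not PowerDNS's GSS-TSIG implementation) shows the shape of the fix: a lock-protected table that refuses to allocate beyond a configured maximum, with the advisory's default of 1000. The time-based expiry of abandoned contexts is this example's own addition, not something the advisory describes; the sample keys and limits are constructed.

```python
import threading
import time


class ContextTable:
    """Bounded registry of in-flight security contexts.

    All access goes through one lock so that concurrent requests cannot
    observe or mutate a half-updated table, and a new context is only
    allocated while the count is below max_contexts.
    """

    def __init__(self, max_contexts=1000, ttl=60.0):
        self._lock = threading.Lock()
        self._contexts = {}          # key -> expiry time (monotonic clock)
        self.max_contexts = max_contexts
        self.ttl = ttl               # assumed: abandoned handshakes expire
        self.rejected = 0            # count of refused allocations

    def _expire(self, now):
        """Drop contexts whose negotiation never completed in time."""
        for key in [k for k, exp in self._contexts.items() if exp <= now]:
            del self._contexts[key]

    def start(self, key, now=None):
        """Register a new in-flight context. Returns False (and counts a
        rejection) when the table is full; an existing key is refreshed
        rather than allocated twice."""
        now = time.monotonic() if now is None else now
        with self._lock:
            self._expire(now)
            if key in self._contexts:
                self._contexts[key] = now + self.ttl
                return True
            if len(self._contexts) >= self.max_contexts:
                self.rejected += 1
                return False
            self._contexts[key] = now + self.ttl
            return True

    def finish(self, key):
        """Release a context once the exchange completes or fails."""
        with self._lock:
            return self._contexts.pop(key, None) is not None

    def __len__(self):
        with self._lock:
            return len(self._contexts)


if __name__ == "__main__":
    # Constructed scenario: a burst of negotiations that are never completed,
    # against a small limit so the refusal is visible.
    table = ContextTable(max_contexts=3, ttl=30.0)
    outcomes = [table.start(f"client-{i}", now=0.0) for i in range(5)]
    print(outcomes, "in flight:", len(table), "rejected:", table.rejected)
    # After the TTL the abandoned contexts are reclaimed and new ones fit.
    print(table.start("client-late", now=31.0), "in flight:", len(table))
```

Without the bound, every unfinished handshake stays resident for as long as the peer keeps them coming; with it, the table reports a rejection and the server's memory use is capped by the operator-chosen value rather than by the remote side's patience.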

    CVE-2026-42396
    Missing escaping of double-quote characters when computing
labels causes the AXFR of a catalog zone to fail when one of
its members has a producer group option containing such a
character.

A detailed list of changes can be found in the Changelogs
(4.9.15, 5.0.5).

Please make sure to read the Upgrade Notes before upgrading.

The tarballs (4.9.15, 5.0.5) and their signatures (4.9.15,
5.0.5) are available at downloads.powerdns.com. Packages for
various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via
the mailing list, or in case of a bug, via GitHub.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
