Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN679
_____________________________________________________________________

DATE                : 26/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NSD versions prior to 4.14.3.
 
=====================================================================
https://community.nlnetlabs.nl/t/nsd-4-14-3-security-release/3419
_____________________________________________________________________


NSD 4.14.3 security release
NSD
release
wtoorop June 25, 2026, 5:21am 1

Dear all.

NSD 4.14.3 is available:

https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz

sha256 9629ad64d9c1b019bbe22296d5148d7ae65f588ce265a6424750740f052bb12b
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz.asc

The release is signed with the OpenPGP software signing key that is
in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from NLnet Labs - Software Signing Keys

BUG FIXES:

    Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap
    overflow of up to 65509 attacker controlled bytes.
    Thanks to Qifan Zhang, Palo Alto Networks for the report
    https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
    Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a
    client that performs a TLS action, closing the connection early,
    causes a crash and restart of the server process. An attacker can
    keep all children in a crash-restart loop denying DoT service.
    Thanks to Qifan Zhang, Palo Alto Networks for the report.
    https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
    Fix for CVE-2026-12246: The RR type APL rdata address, if too large,
    causes out of bounds write on the stack, when the zonefile is written
    out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from
    Waseda University and zhangph for the report.
    https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
    Fix for CVE-2026-12490: Secondaries authenticated by a client
    certificate to transfer a zone over TLS, can bypass verification by
    transferring over TCP.
    Thanks to Qifan Zhang, Palo Alto Networks for the report.
    https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================