-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2017121101 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018012201 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
recursor-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
recursor-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
recursor-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (final release is out)"
-recursor-4.1.0.security-status 60 IN TXT "1 OK"
+recursor-4.1.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html"
+recursor-4.1.1.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
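Review bot: the new `recursor-4.1.0.security-status` TXT record points at `https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html`, which is the advisory page added further down in this same change, so make sure the documentation build is published before this zone is loaded, otherwise operators following the URL from the status record land on a 404. The serial bump from `2017121101` to `2018012201` is consistent with the date-based scheme, and keeping the rc1-rc3 entries at status `3 Unsupported pre-release` while adding `recursor-4.1.1` as `1 OK` matches the advisory's affected/not-affected lists.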
Changelogs for 4.1.x
====================
+.. changelog::
+ :version: 4.1.1
+ :released: 22nd of January 2018
+
+ This is the second release in the 4.1 train.
+
+ This release fixes PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`.
+
+ The full release notes can be read `on the blog <https://blog.powerdns.com/2018/01/22/powerdns-recursor-4-1-1/>`_.
+
+ This is a release on the stable branch and contains a fix for the
+ abovementioned security issue and several bug fixes from the
+ development branch.
+
+ .. change::
+ :tags: DNSSEC, Bug Fixes
+ :pullreq: 6215
+
+ Correctly handle ancestor delegation NSEC{,3} for children. Fixes
+ the DNSSEC validation issue found in Knot Resolver, where a NSEC{3}
+ ancestor delegation is wrongly use to prove the non-existence of a
+ RR below the delegation.
+ We already had the correct check for the exact owner name, but not
+ for RRs below the delegation.
+ (Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2018-01>`)
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 6209
+ :tickets: 6212
+
+ Fix to make ``primeHints`` threadsafe, otherwise there's a small
+ chance on startup that the root-server IPs will be incorrect.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 6085
+ :tickets: 6198
+
+ Don't process records for another class than IN. We don't use
+ records of another class than IN, but we used to store some of them
+ in the cache which is useless. Just skip them.
+
+ .. change::
+ :tags: DNSSEC, Bug Fixes
+ :pullreq: 6092
+ :tickets: 6199
+
+ Fix the computation of the closest encloser for positive
+ answers. When the positive answer is expanded from a wildcard with
+ NSEC3, the closest encloser is not always parent of the qname,
+ depending on the number of labels in the initial wildcard.
+
+ .. change::
+ :tags: DNSSEC, Bug Fixes
+ :pullreq: 6095
+ :tickets: 6200
+
+ Pass the correct buffer size to ``arecvfrom()``. The incorrect size
+ could possibly cause DNSSEC failures.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 6137
+ :tickets: 6201
+
+ Don't validate signature for "glue" CNAME, since anything else than
+ the initial CNAME can't be considered authoritative.
+
.. changelog::
:version: 4.1.0
:released: 4th of December 2017
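Review bot: typo in the pullreq 6215 entry, "a NSEC{3} ancestor delegation is wrongly use to prove" should read "wrongly used to prove", and the same entry switches between the spellings `NSEC{,3}` and `NSEC{3}` on consecutive lines; pick one form so the entry reads consistently. In the release preamble, "abovementioned" is better written as "above-mentioned" or simply "this security issue", since the advisory is linked in the sentence just before it.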
--- /dev/null
+PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures
+================================================================================
+
+- CVE: CVE-2018-1000003
+- Date: January 22nd 2018
+- Credit: CZ.NIC
+- Affects: PowerDNS Recursor 4.1.0
+- Not affected: PowerDNS Recursor < 4.1.0, 4.1.1
+- Severity: Low
+- Impact: Denial of existence spoofing
+- Exploit: This problem can be triggered by an attacker in position of
+ man-in-the-middle
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in the DNSSEC validation component of PowerDNS Recursor,
+allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully
+prove the non-existence of a RR below the owner name of that record. This would
+allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer
+for a name that does exist. This issue has been assigned TBD.
+
+PowerDNS Recursor 4.1.0 is affected.
+
+For those unable to upgrade to a new version, a minimal patch is
+`available <https://downloads.powerdns.com/patches/2018-01>`__
+
+We would like to thank CZ.NIC for finding and subsequently reporting this
+issue.
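Review bot: the body text still contains the placeholder "This issue has been assigned TBD." while the header list already states `CVE: CVE-2018-1000003`; the sentence should read "This issue has been assigned CVE-2018-1000003." (or be dropped, since the list carries the identifier) before the advisory is published. Minor: "send a NXDOMAIN answer" should be "send an NXDOMAIN answer", and the sentence ending in the patch link (`available <https://downloads.powerdns.com/patches/2018-01>`__) is missing its final period.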