[Git][security-tracker-team/security-tracker][master] Update references for pdns-recursor

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c2c6df1a by Salvatore Bonaccorso at 2026-04-23T07:24:34+02:00
Update references for pdns-recursor

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -348,30 +348,37 @@ CVE-2026-33601 (If you use the zoneToCache function with a malicious authoritati
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33600-null-pointer-dereference-in-rpz-transfer
 CVE-2026-33600 (An RPZ sent by a malicious authoritative server can result in a null p ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33601-insufficient-validation-of-zonemd-record
 CVE-2026-33262 (An attacker can send replies that result in a null pointer dereference ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33262-insufficient-validation-of-cookie-reply
 CVE-2026-33261 (A zone transition from NSEC to NSEC3 might trigger an internal inconsi ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33261-null-pointer-access-in-aggressive-nsec-3-cache
 CVE-2026-33259 (Having many concurrent transfers of the same RPZ can lead to inconsist ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33259-concurrent-modification-of-rpz-data-can-lead-to-denial-of-service
 CVE-2026-33258 (By publishing and querying a crafted zone an attacker can cause alloca ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33258-crafted-zones-can-cause-increased-resource-usage
 CVE-2026-33256 (An attacker can send a web request that causes unlimited memory alloca ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33256-unbounded-memory-allocation-by-internal-web-server
 CVE-2026-32885 (DDEV is an open-source tool for running local web development environm ...)
 	TODO: check
 CVE-2026-31530 (In the Linux kernel, the following vulnerability has been resolved:  c ...)
@@ -892,18 +899,24 @@ CVE-2026-33257 (An attacker can send a web request that causes unlimited memory
 	- dnsdist 2.0.4-1
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
-	- pdns-recursor 5.4.1-1
+	- pdns-recursor 5.3.0-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html#cve-2026-33257-insufficient-input-validation-of-internal-webserver
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33257-insufficient-input-validation-of-internal-web-server
+	NOTE: According to the advisory affects only PowerDNS Recursor up to and including 5.2.8,
+	NOTE: Mark the first version in unstable after 5.2.9 as the ixed version.
 CVE-2026-33260 (An attacker can send a web request that causes unlimited memory alloca ...)
 	- dnsdist 2.0.4-1
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
-	- pdns-recursor 5.4.1-1
+	- pdns-recursor 5.3.0-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html#cve-2026-33260-insufficient-input-validation-of-internal-webserver
+	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33260-insufficient-input-validation-of-internal-web-server
+	NOTE: According to the advisory affects only PowerDNS Recursor up to and including 5.2.8,
+	NOTE: Mark the first version in unstable after 5.2.9 as the ixed version.
 CVE-2026-33593 (A client can trigger a divide by zero error leading to crash by sendin ...)
 	- dnsdist 2.0.4-1
 	[bookworm] - dnsdist <end-of-life> (See #1119290)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2c6df1acf2a66249dc65e002cfdfe1582fbbd9f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2c6df1acf2a66249dc65e002cfdfe1582fbbd9f
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260423/cbab0fe7/attachment-0001.htm>