[Git][security-tracker-team/security-tracker][master] Add new pdns issues

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7458329c by Salvatore Bonaccorso at 2026-04-23T07:28:51+02:00
Add new pdns issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -337,13 +337,17 @@ CVE-2026-34414 (Xerte Online Toolkits versions 3.15 and earlier contain a relati
 CVE-2026-34413 (Xerte Online Toolkits versions 3.15 and earlier contain a missing auth ...)
 	NOT-FOR-US: Xerte Online Toolkits
 CVE-2026-33611 (An operator allowed to use the REST API can cause the Authoritative se ...)
-	TODO: check
+	- pdns <unfixed>
+	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html#insufficient-validation-of-https-and-svcb-records
 CVE-2026-33610 (A rogue primary server may cause file descriptor exhaustion and eventu ...)
-	TODO: check
+	- pdns <unfixed>
+	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html#possible-file-descriptor-exhaustion-in-forward-dnsupdate
 CVE-2026-33609 (Incomplete escaping of LDAP queries when running with 8bit-dns enabled ...)
-	TODO: check
+	- pdns <unfixed>
+	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html#ldap-dn-injection
 CVE-2026-33608 (An attacker can send a notify request that causes a new secondary doma ...)
-	TODO: check
+	- pdns <unfixed>
+	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html#incomplete-domain-name-sanitization-during-bind-autosecondary-zone-transfer
 CVE-2026-33601 (If you use the zoneToCache function with a malicious authoritative ser ...)
 	- pdns-recursor 5.4.1-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
@@ -902,10 +906,12 @@ CVE-2026-33257 (An attacker can send a web request that causes unlimited memory
 	- pdns-recursor 5.3.0-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	- pdns <unfixed>
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html#cve-2026-33257-insufficient-input-validation-of-internal-webserver
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33257-insufficient-input-validation-of-internal-web-server
 	NOTE: According to the advisory affects only PowerDNS Recursor up to and including 5.2.8,
 	NOTE: Mark the first version in unstable after 5.2.9 as the ixed version.
+	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html#insufficient-input-validation-of-internal-webserver
 CVE-2026-33260 (An attacker can send a web request that causes unlimited memory alloca ...)
 	- dnsdist 2.0.4-1
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
@@ -913,10 +919,12 @@ CVE-2026-33260 (An attacker can send a web request that causes unlimited memory
 	- pdns-recursor 5.3.0-1
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
+	- pdns <unfixed>
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html#cve-2026-33260-insufficient-input-validation-of-internal-webserver
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33260-insufficient-input-validation-of-internal-web-server
 	NOTE: According to the advisory affects only PowerDNS Recursor up to and including 5.2.8,
 	NOTE: Mark the first version in unstable after 5.2.9 as the ixed version.
+	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html
 CVE-2026-33593 (A client can trigger a divide by zero error leading to crash by sendin ...)
 	- dnsdist 2.0.4-1
 	[bookworm] - dnsdist <end-of-life> (See #1119290)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7458329c7d277b3acb8dcf64cd0eaef3b8fa9eb6

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7458329c7d277b3acb8dcf64cd0eaef3b8fa9eb6
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260423/60533966/attachment.htm>