Message-ID: <4b16a206-f0eb-47d8-a793-50878f9c66c8@powerdns.com>
Date: Wed, 20 May 2026 15:10:26 +0200
From: Miod Vallat <miod.vallat@...erdns.com>
To: oss-security@...ts.openwall.com
Subject: PowerDNS Security Advisory 2026-06: Multiple Issues
Today, we are releasing two new versions of the PowerDNS Authoritative
Server. These 4.9.15 and 5.0.5 versions provide fixes for the following
PowerDNS Security Advisory:
* [1]PowerDNS Security Advisory 2026-06: Multiple Issues
The security issues being fixed with these releases are low or
medium-severity, and most of them involve specific backends and/or
configurations. They are:
* CVE-2026-41999 (only concerns 5.0.x) When using views, queries sent
using TCP Proxy Protocol will select the view according to the
address of the proxy, rather than the address of the initial query.
This can lead to wrong data being returned.
* CVE-2026-42000 Missing escaping of special characters (such as $ or
@) in DNS names received during an AXFR operation can cause an
incorrect (non-parseable) Bind backend configuration to be written,
causing this backend to fail until the configuration is fixed
manually.
* CVE-2026-42001 Missing sanity checks of the answer to the initial
SOA query, when running in autosecondary mode and receiving a
notification for a not-yet-known domain, may cause the server to
crash.
* CVE-2026-42002 Multiple concurrency and locking defects in the
GSS-TSIG code can lead to memory corruption due to accidental data
structure sharing, which can in turn lead to a program crash.
Moreover, the lack of bounds on the number of in-flight GSS-TSIG
contexts can lead to unbounded memory consumption in case of an
excessive number of requests at a given time. A limit of 1000
contexts is now enforced, and can be modified with the
“gss-max-contexts” parameter in server configuration.
* CVE-2026-42396 Missing proper escaping of double-quote characters
when computing labels will cause AXFR of a catalog zone with a
member whose producer group option contains such a character to
fail.
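CVE-2026-42000 and CVE-2026-42396 are both instances of the same defect: a name or label taken from a remote party is written into a configuration line without escaping, so a metacharacter in the data changes how the parser reads the file. The following is an added example, not PowerDNS code: it escapes names in RFC 1035 section 5.1 presentation syntax, parses them back, and refuses to emit a config line unless the round trip is exact. Which characters the PowerDNS bind backend parser actually treats as special is an assumption here, as are the zone stanza layout and the sample names.

```python
# Added example, not PowerDNS code: escape DNS names that arrived from an
# untrusted source (an AXFR) before writing them into a zone-file-style
# config line, and parse them back to verify the round trip before committing.
# Assumption: the parser treats the characters in SPECIAL as metacharacters.

SPECIAL = set('$@;()"\\')   # metacharacters rendered as \X

def escape_label(label: bytes) -> str:
    out = []
    for b in label:
        if b < 0x21 or b > 0x7E or b == 0x2E:
            out.append(f'\\{b:03d}')       # non-printable, space, or '.'
        elif chr(b) in SPECIAL:
            out.append('\\' + chr(b))
        else:
            out.append(chr(b))
    return ''.join(out)

def escape_name(labels: list[bytes]) -> str:
    return '.'.join(escape_label(l) for l in labels) + '.'   # absolute name

def unescape_name(text: str) -> list[bytes]:
    if text == '.':                      # root name has no labels
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == '\\':
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                cur.append(int(ddd)); i += 4      # ValueError if > 255
            elif i + 1 < len(text):
                cur.append(ord(text[i + 1])); i += 2
            else:
                raise ValueError('dangling backslash')
        elif ch == '.':
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.append(ord(ch)); i += 1
    if cur:
        raise ValueError('name is not absolute (missing trailing dot)')
    return labels

def render_zone_stanza(labels: list[bytes], zonefile: str) -> str:
    """zonefile is assumed to be a server-chosen path, not remote input."""
    name = escape_name(labels)
    if unescape_name(name) != labels:
        raise ValueError('escaping not reversible; refusing to write config')
    return f'zone "{name}" {{ type primary; file "{zonefile}"; }};'
```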
Please make sure to read the [2]Upgrade Notes before upgrading.
The tarballs ([3]4.9.15, [4]5.0.5) and their signatures ([5]4.9.15,
[6]5.0.5) are available at [7]downloads.powerdns.com. Packages for
various distributions are available from [8]repo.powerdns.com.
Please send us all feedback and issues you might have via the
[9]mailing list, or in case of a bug, via [10]GitHub.
References
1. https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html
2. https://doc.powerdns.com/authoritative/upgrading.html
3. https://downloads.powerdns.com/releases/pdns-4.9.15.tar.bz2
4. https://downloads.powerdns.com/releases/pdns-5.0.5.tar.bz2
5. https://downloads.powerdns.com/releases/pdns-4.9.15.tar.bz2.sig
6. https://downloads.powerdns.com/releases/pdns-5.0.5.tar.bz2.sig
7. https://downloads.powerdns.com/releases/
8. https://repo.powerdns.com/
9. https://mailman.powerdns.com/mailman/listinfo/pdns-users
10. https://github.com/PowerDNS/pdns/issues/new/choose