Version in base suite: 4.9.14-0+deb13u1 Version in overlay suite: 4.9.15-0+deb13u1 Base version: pdns_4.9.15-0+deb13u1 Target version: pdns_4.9.16-0+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pdns/pdns_4.9.15-0+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pdns/pdns_4.9.16-0+deb13u1.dsc configure | 20 ++++++++++---------- configure.ac | 2 +- debian/changelog | 7 +++++++ docs/calidns.1 | 2 +- docs/dnsbulktest.1 | 2 +- docs/dnsgram.1 | 2 +- docs/dnspcap2calidns.1 | 2 +- docs/dnspcap2protobuf.1 | 2 +- docs/dnsreplay.1 | 2 +- docs/dnsscan.1 | 2 +- docs/dnsscope.1 | 2 +- docs/dnstcpbench.1 | 2 +- docs/dnswasher.1 | 2 +- docs/dumresp.1 | 2 +- docs/ixfrdist.1 | 2 +- docs/ixfrdist.yml.5 | 2 +- docs/ixplore.1 | 2 +- docs/nproxy.1 | 2 +- docs/nsec3dig.1 | 2 +- docs/pdns_control.1 | 2 +- docs/pdns_notify.1 | 2 +- docs/pdns_server.1 | 2 +- docs/pdnsutil.1 | 2 +- docs/saxfr.1 | 2 +- docs/sdig.1 | 2 +- docs/zone2json.1 | 2 +- docs/zone2ldap.1 | 2 +- docs/zone2sql.1 | 2 +- ext/yahttp/yahttp/reqresp.cpp | 7 ++++++- pdns/ednscookies.cc | 42 ++++++++++++++++++++++-------------------- 30 files changed, 71 insertions(+), 57 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1usp1q_q/pdns_4.9.15-0+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1usp1q_q/pdns_4.9.16-0+deb13u1.dsc: no acceptable signature found diff -Nru pdns-4.9.15/configure pdns-4.9.16/configure --- pdns-4.9.15/configure 2026-05-11 09:09:13.000000000 +0000 +++ pdns-4.9.16/configure 2026-06-10 12:57:09.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for pdns 4.9.15. +# Generated by GNU Autoconf 2.71 for pdns 4.9.16. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, 
@@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='pdns' PACKAGE_TARNAME='pdns' -PACKAGE_VERSION='4.9.15' -PACKAGE_STRING='pdns 4.9.15' +PACKAGE_VERSION='4.9.16' +PACKAGE_STRING='pdns 4.9.16' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1698,7 +1698,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns 4.9.15 to adapt to many kinds of systems. +\`configure' configures pdns 4.9.16 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1769,7 +1769,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns 4.9.15:";; + short | recursive ) echo "Configuration of pdns 4.9.16:";; esac cat <<\_ACEOF @@ -2040,7 +2040,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns configure 4.9.15 +pdns configure 4.9.16 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2529,7 +2529,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns $as_me 4.9.15, which was +It was created by pdns $as_me 4.9.16, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -4027,7 +4027,7 @@ # Define the identity of the package. PACKAGE='pdns' - VERSION='4.9.15' + VERSION='4.9.16' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -32469,7 +32469,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns $as_me 4.9.15, which was +This file was extended by pdns $as_me 4.9.16, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -32537,7 +32537,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -pdns config.status 4.9.15 +pdns config.status 4.9.16 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -Nru pdns-4.9.15/configure.ac pdns-4.9.16/configure.ac --- pdns-4.9.15/configure.ac 2026-05-11 09:09:03.000000000 +0000 +++ pdns-4.9.16/configure.ac 2026-06-10 12:56:56.000000000 +0000 @@ -1,6 +1,6 @@ AC_PREREQ([2.69]) -AC_INIT([pdns], [4.9.15]) +AC_INIT([pdns], [4.9.16]) AC_CONFIG_AUX_DIR([build-aux]) AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11]) AM_SILENT_RULES([yes]) diff -Nru pdns-4.9.15/debian/changelog pdns-4.9.16/debian/changelog --- pdns-4.9.15/debian/changelog 2026-05-17 21:31:56.000000000 +0000 +++ pdns-4.9.16/debian/changelog 2026-06-16 21:55:19.000000000 +0000 @@ -1,3 +1,10 @@ +pdns (4.9.16-0+deb13u1) trixie-security; urgency=medium + + * New upstream version 4.9.16, fixing security issue + CVE-2026-42005. + + -- Chris Hofstaedtler Tue, 16 Jun 2026 23:55:19 +0200 + pdns (4.9.15-0+deb13u1) trixie-security; urgency=medium * New upstream version 4.9.15, fixing security issues diff -Nru pdns-4.9.15/docs/calidns.1 pdns-4.9.16/docs/calidns.1 --- pdns-4.9.15/docs/calidns.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/calidns.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "CALIDNS" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "CALIDNS" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME calidns \- A DNS recursor testing tool .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnsbulktest.1 pdns-4.9.16/docs/dnsbulktest.1 --- pdns-4.9.15/docs/dnsbulktest.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnsbulktest.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSBULKTEST" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSBULKTEST" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnsbulktest \- A debugging tool for intermittent resolver failures .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnsgram.1 pdns-4.9.16/docs/dnsgram.1 --- pdns-4.9.15/docs/dnsgram.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnsgram.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSGRAM" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSGRAM" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnsgram \- A debugging tool for intermittent resolver failures .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnspcap2calidns.1 pdns-4.9.16/docs/dnspcap2calidns.1 --- pdns-4.9.15/docs/dnspcap2calidns.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnspcap2calidns.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSPCAP2CALIDNS" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSPCAP2CALIDNS" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnspcap2calidns \- A tool to convert PCAPs of DNS traffic to calidns input .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnspcap2protobuf.1 pdns-4.9.16/docs/dnspcap2protobuf.1 --- pdns-4.9.15/docs/dnspcap2protobuf.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnspcap2protobuf.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSPCAP2PROTOBUF" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSPCAP2PROTOBUF" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnspcap2protobuf \- A tool to convert PCAPs of DNS traffic to PowerDNS Protobuf .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnsreplay.1 pdns-4.9.16/docs/dnsreplay.1 --- pdns-4.9.15/docs/dnsreplay.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnsreplay.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSREPLAY" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSREPLAY" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnsreplay \- A PowerDNS nameserver debugging tool .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnsscan.1 pdns-4.9.16/docs/dnsscan.1 --- pdns-4.9.15/docs/dnsscan.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnsscan.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSSCAN" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSSCAN" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnsscan \- List the amount of queries per qtype in a pcap .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnsscope.1 pdns-4.9.16/docs/dnsscope.1 --- pdns-4.9.15/docs/dnsscope.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnsscope.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSSCOPE" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSSCOPE" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnsscope \- A PowerDNS nameserver debugging tool .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnstcpbench.1 pdns-4.9.16/docs/dnstcpbench.1 --- pdns-4.9.15/docs/dnstcpbench.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnstcpbench.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSTCPBENCH" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSTCPBENCH" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnstcpbench \- tool to perform TCP benchmarking of nameservers .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dnswasher.1 pdns-4.9.16/docs/dnswasher.1 --- pdns-4.9.15/docs/dnswasher.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dnswasher.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DNSWASHER" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DNSWASHER" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dnswasher \- A PowerDNS nameserver debugging tool .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/dumresp.1 pdns-4.9.16/docs/dumresp.1 --- pdns-4.9.15/docs/dumresp.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/dumresp.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "DUMRESP" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "DUMRESP" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME dumresp \- A dumb DNS responder .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/ixfrdist.1 pdns-4.9.16/docs/ixfrdist.1 --- pdns-4.9.15/docs/ixfrdist.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/ixfrdist.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "IXFRDIST" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "IXFRDIST" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME ixfrdist \- An IXFR/AXFR-only server that re-distributes zones .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/ixfrdist.yml.5 pdns-4.9.16/docs/ixfrdist.yml.5 --- pdns-4.9.15/docs/ixfrdist.yml.5 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/ixfrdist.yml.5 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "IXFRDIST.YML" "5" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "IXFRDIST.YML" "5" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME ixfrdist.yml \- The ixfrdist configuration file .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/ixplore.1 pdns-4.9.16/docs/ixplore.1 --- pdns-4.9.15/docs/ixplore.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/ixplore.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "IXPLORE" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "IXPLORE" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME ixplore \- A tool that provides insights into IXFRs .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/nproxy.1 pdns-4.9.16/docs/nproxy.1 --- pdns-4.9.15/docs/nproxy.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/nproxy.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "NPROXY" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "NPROXY" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME nproxy \- DNS notification proxy .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/nsec3dig.1 pdns-4.9.16/docs/nsec3dig.1 --- pdns-4.9.15/docs/nsec3dig.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/nsec3dig.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "NSEC3DIG" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "NSEC3DIG" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME nsec3dig \- Show and validate NSEC3 proofs .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/pdns_control.1 pdns-4.9.16/docs/pdns_control.1 --- pdns-4.9.15/docs/pdns_control.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/pdns_control.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNS_CONTROL" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "PDNS_CONTROL" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME pdns_control \- Control the PowerDNS nameserver .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/pdns_notify.1 pdns-4.9.16/docs/pdns_notify.1 --- pdns-4.9.15/docs/pdns_notify.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/pdns_notify.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNS_NOTIFY" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "PDNS_NOTIFY" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME pdns_notify \- A simple DNS NOTIFY sender .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/pdns_server.1 pdns-4.9.16/docs/pdns_server.1 --- pdns-4.9.15/docs/pdns_server.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/pdns_server.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNS_SERVER" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "PDNS_SERVER" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME pdns_server \- The PowerDNS Authoritative Nameserver .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/pdnsutil.1 pdns-4.9.16/docs/pdnsutil.1 --- pdns-4.9.15/docs/pdnsutil.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/pdnsutil.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNSUTIL" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "PDNSUTIL" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME pdnsutil \- PowerDNS record and DNSSEC command and control .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/saxfr.1 pdns-4.9.16/docs/saxfr.1 --- pdns-4.9.15/docs/saxfr.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/saxfr.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SAXFR" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "SAXFR" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME saxfr \- Perform AXFRs and show information about it .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/sdig.1 pdns-4.9.16/docs/sdig.1 --- pdns-4.9.15/docs/sdig.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/sdig.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SDIG" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "SDIG" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME sdig \- Perform a DNS query and show the results .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/zone2json.1 pdns-4.9.16/docs/zone2json.1 --- pdns-4.9.15/docs/zone2json.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/zone2json.1 2026-06-10 12:58:16.000000000 +0000 
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "ZONE2JSON" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "ZONE2JSON" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME zone2json \- convert BIND zones to JSON .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/zone2ldap.1 pdns-4.9.16/docs/zone2ldap.1 --- pdns-4.9.15/docs/zone2ldap.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/zone2ldap.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "ZONE2LDAP" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "ZONE2LDAP" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME zone2ldap \- convert zonefiles to ldif .SH SYNOPSIS diff -Nru pdns-4.9.15/docs/zone2sql.1 pdns-4.9.16/docs/zone2sql.1 --- pdns-4.9.15/docs/zone2sql.1 2026-05-11 09:10:38.000000000 +0000 +++ pdns-4.9.16/docs/zone2sql.1 2026-06-10 12:58:16.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "ZONE2SQL" "1" "May 11, 2026" "" "PowerDNS Authoritative Server" +.TH "ZONE2SQL" "1" "Jun 10, 2026" "" "PowerDNS Authoritative Server" .SH NAME zone2sql \- convert BIND zones to SQL .SH SYNOPSIS diff -Nru pdns-4.9.15/ext/yahttp/yahttp/reqresp.cpp pdns-4.9.16/ext/yahttp/yahttp/reqresp.cpp --- pdns-4.9.15/ext/yahttp/yahttp/reqresp.cpp 2026-05-11 09:08:45.000000000 +0000 +++ pdns-4.9.16/ext/yahttp/yahttp/reqresp.cpp 2026-06-10 12:56:41.000000000 +0000 
@@ -181,7 +181,12 @@ if (chunk_size == 0) { char buf[100]; // read chunk length - if ((pos = buffer.find('\n')) == std::string::npos) return false; + if ((pos = buffer.find('\n')) == std::string::npos) { + if (buffer.size() > 99) { + throw ParseError("Nonsensical chunk_size"); + } + return false; + } if (pos > 99) throw ParseError("Impossible chunk_size"); buffer.copy(buf, pos); diff -Nru pdns-4.9.15/pdns/ednscookies.cc pdns-4.9.16/pdns/ednscookies.cc --- pdns-4.9.15/pdns/ednscookies.cc 2026-05-11 09:08:45.000000000 +0000 +++ pdns-4.9.16/pdns/ednscookies.cc 2026-06-10 12:56:41.000000000 +0000 @@ -74,6 +74,16 @@ } } +static bool cookieTSIsValid(uint32_t timestamp, uint32_t now) +{ + // RFC 9018 section 4.3: + // The DNS server + // SHOULD allow cookies within a 1-hour period in the past and a + // 5-minute period into the future + // valid: now - 3600 < timestamp < now + 300 + return rfc1982LessThan(now - 3600, timestamp) && rfc1982LessThan(timestamp, now + 300); +} + bool EDNSCookiesOpt::isValid([[maybe_unused]] const string& secret, [[maybe_unused]] const ComboAddress& source) const { #ifdef HAVE_CRYPTO_SHORTHASH @@ -84,16 +94,12 @@ // Version is not 1, can't verify return false; } - uint32_t ts; - memcpy(&ts, &server[4], sizeof(ts)); - ts = ntohl(ts); + uint32_t timestamp; + memcpy(×tamp, &server[4], sizeof(timestamp)); + timestamp = ntohl(timestamp); // coverity[store_truncates_time_t] - uint32_t now = static_cast(time(nullptr)); - // RFC 9018 section 4.3: - // The DNS server - // SHOULD allow cookies within a 1-hour period in the past and a - // 5-minute period into the future - if (rfc1982LessThan(now + 300, ts) && rfc1982LessThan(ts + 3600, now)) { + auto now = static_cast(time(nullptr)); + if (!cookieTSIsValid(timestamp, now)) { return false; } if (secret.length() != crypto_shorthash_KEYBYTES) { 
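Review bot: The new bound in the `npos` branch repeats the literal `99`, which already appears in `pos > 99` and is really `sizeof(buf) - 1` for `char buf[100]`, so the limits can drift apart if the buffer is ever resized. Deriving both from the buffer keeps them in step: `if (buffer.size() >= sizeof(buf)) {` for the new check and `if (pos >= sizeof(buf)) throw ParseError("Impossible chunk_size");` for the existing one. This cap appears to be what stops a peer that never sends a newline from growing `buffer` without limit while the parser waits for a chunk-size line, so a regression test that feeds 100 bytes without `\n` and expects `ParseError` would be worth adding. The enclosing function starts and ends outside the hunk.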
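Review bot: The comment in `cookieTSIsValid` gives the window as `now - 3600 < timestamp < now + 300` but does not say that the subtraction and addition are meant to wrap in `uint32_t`, or that both bounds are exclusive; a reader who sees `now - 3600` on an unsigned value may take it for an underflow bug. I would add `// uint32_t wraparound is intentional: both comparisons are serial-number comparisons, and both bounds are exclusive` above the `return`. This assumes `rfc1982LessThan` implements RFC 1982 serial comparison as its name suggests; its definition is outside the diff. Because this window decides which server cookies are accepted, tests at `now - 3600`, `now + 300` and across the 2^32 wrap would pin the boundary behaviour, and the diffstat shows no test file touched.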
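Review bot: The window test is now shared, but the three lines that read the timestamp out of the server cookie (`memcpy` from `&server[4]`, then `ntohl`) are still duplicated here and in the `@@ -119,24 +125,20 @@` hunk, so the offset `4` and the length precondition live in two places. In that later hunk the `server.size() < 16` guard is visible directly above the read; in this hunk any corresponding guard lies above the first line shown, so it cannot be confirmed from the diff. A small helper next to `cookieTSIsValid` would keep the offset, the byte-order conversion and the documented precondition together, and both call sites would shrink to one line. The sketch below assumes `server` is a `string` like the `secret` parameter, and that this hunk is still inside `EDNSCookiesOpt::isValid`, whose body continues outside it.

```cpp
// Returns the 32-bit timestamp stored at bytes 4..7 of a server cookie, in host byte order.
// Precondition: the caller has already checked that the cookie holds at least 8 bytes.
static uint32_t serverCookieTimestamp(const string& server)
{
  uint32_t timestamp{};
  memcpy(&timestamp, &server[4], sizeof(timestamp));
  return ntohl(timestamp);
}

// … unchanged: version check (first call site) / server.size() guard (second call site) …
const uint32_t timestamp = serverCookieTimestamp(server);
// … unchanged: now = time(nullptr), cookieTSIsValid() check …
```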
@@ -119,24 +125,20 @@ if (server.size() < 16) { return true; } - uint32_t ts; - memcpy(&ts, &server[4], sizeof(ts)); - ts = ntohl(ts); + uint32_t timestamp; + memcpy(×tamp, &server[4], sizeof(timestamp)); + timestamp = ntohl(timestamp); // coverity[store_truncates_time_t] - uint32_t now = static_cast(time(nullptr)); - // RFC 9018 section 4.3: - // The DNS server - // SHOULD allow cookies within a 1-hour period in the past and a - // 5-minute period into the future - // If this is not the case, we need to refresh - if (rfc1982LessThan(now + 300, ts) && rfc1982LessThan(ts + 3600, now)) { + auto now = static_cast(time(nullptr)); + // If the cookie is not within acceptable time bounds, we need to refresh + if (!cookieTSIsValid(timestamp, now)) { return true; } // RFC 9018 section 4.3: // The DNS server SHOULD generate a new Server Cookie at least if the // received Server Cookie from the client is more than half an hour old - return rfc1982LessThan(ts + 1800, now); + return rfc1982LessThan(timestamp + 1800, now); } bool EDNSCookiesOpt::makeServerCookie([[maybe_unused]] const string& secret, [[maybe_unused]] const ComboAddress& source)
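Review bot: The refresh threshold in `rfc1982LessThan(timestamp + 1800, now)` is a bare literal, and so are the `3600` and `300` in `cookieTSIsValid`, although the three values are related: the refresh age only makes sense while it is smaller than the accepted past window. Named constants would make that relation visible and give one place to change it, for example `static constexpr uint32_t s_cookieRefreshAge = 1800;` alongside matching names for the two window bounds (the names are only a suggestion). The enclosing function starts above the hunk.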