Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Details of issue NIXPKGS-2025-0007

NIXPKGS-2025-0007
published 8 months, 1 week ago
Permalink CVE-2025-30192
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 8 months, 1 week ago by @Erethon Activity log
  • Created suggestion 10 months, 1 week ago
  • @Erethon accepted 10 months ago
  • @Erethon deleted maintainer @rnhmjoj 8 months, 1 week ago maintainer.delete
  • @Erethon added maintainer @Erethon 8 months, 1 week ago maintainer.add
  • @Erethon published on GitHub 8 months, 1 week ago
A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts

An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.

Affected products

pdns-recursor
  • ==5.1.6
  • ==5.0.12
  • ==5.2.4

Matching in nixpkgs

Package maintainers

Ignored maintainers (1)

Additional maintainers