Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

With package: pdns-recursor

Found 10 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-40012
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
Information about ECS zero scoped answers might leak to clients that use a specific ECS

ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;

Affected products

pdns-recursor
  • <5.4.3
  • <5.2.11
  • <5.3.8

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Untriaged
Permalink CVE-2026-52690
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
Spoofed answers can mark an authoritative non-EDNS capable

Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.

Affected products

pdns-recursor
  • <5.4.3
  • <5.2.11
  • <5.3.8

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Untriaged
Permalink CVE-2026-42390
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
ZONEMD validation can be bypassed

An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.

Affected products

pdns-recursor
  • <5.4.3

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Untriaged
Permalink CVE-2026-33612
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
ZoneToCache can poison the cache

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.

Affected products

pdns-recursor
  • <5.4.3
  • <5.2.11
  • <5.3.8

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Untriaged
Permalink CVE-2026-42388
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
Missing input validation for catalog zones

Incomplete validation of the SOA record present in a catalog zone might lead to a crash.

Affected products

pdns-recursor
  • <5.4.3
  • <5.2.11
  • <5.3.8

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Untriaged
Permalink CVE-2026-42005
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
Insufficient input validation of internal web server

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Affected products

pdns
  • <5.1.2
  • <5.0.6
  • <4.9.16

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

Package maintainers

Untriaged
Permalink CVE-2026-42387
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
Insufficient input validation in ZoneToCache

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.

Affected products

pdns-recursor
  • <5.4.3
  • <5.2.11
  • <5.3.8

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Untriaged
Permalink CVE-2026-42389
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 2 weeks, 5 days ago Activity log
  • Created suggestion
Reject more queries with invalid header values

This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.

Affected products

pdns-recursor
  • <5.4.3

Matching in nixpkgs

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

  • nixos-unstable 1.04
    • nixpkgs-unstable 1.04
    • nixos-unstable-small 1.04
  • nixos-26.05 1.04
    • nixos-26.05-small 1.04
    • nixpkgs-26.05-darwin 1.04

Package maintainers

Published
Permalink CVE-2025-59030
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 7 months ago by @fricklerhandwerk Activity log
  • Created suggestion
  • @fricklerhandwerk accepted
  • @fricklerhandwerk published on GitHub
Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor

An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.

Affected products

pdns-recursor
  • <5.3.3
  • <5.1.9
  • <5.2.7

Matching in nixpkgs

Package maintainers

Published
Permalink CVE-2025-30192
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 9 months, 3 weeks ago by @Erethon Activity log
  • Created suggestion
  • @Erethon accepted
  • @Erethon deleted maintainer @rnhmjoj maintainer.delete
  • @Erethon added maintainer @Erethon maintainer.add
  • @Erethon published on GitHub
A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts

An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.

Affected products

pdns-recursor
  • ==5.0.12
  • ==5.2.4
  • ==5.1.6

Matching in nixpkgs

Package maintainers

Ignored maintainers (1)

Additional maintainers