Merge pull request #13350 from rgacogne/ddist-182-secpoll-changelog

dnsdist: Prepare ChangeLog and secpoll for DNSdist 1.8.2 and 1.7.5
PowerDNS · Oct 11, 2023 · a55dca5 · a55dca5
2 parents a68b083 + 0a69a42
commit a55dca5
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 40 deletions.
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
@@ -269,6 +269,7 @@ dbr
 DBX
 dcobject
 ddns
+ddos
 deactivatedomainkey
 debian
 deboynepollard

diff --git a/docs/secpoll.zone b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2023100501 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2023101103 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -479,42 +479,44 @@ recursor-4.0.0_beta1-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade
 ; dnsdist
 dnsdist-1.3.3.security-status                              60 IN TXT "1 OK"
 dnsdist-1.4.0-alpha1.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-alpha2.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-beta1.security-status                        60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-rc1.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-rc2.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-rc3.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-rc4.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0-rc5.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.4.0.security-status                              60 IN TXT "1 OK"
-dnsdist-1.5.0-alpha1.security-status                       60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.5.0-rc1.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.5.0-rc2.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.5.0-rc3.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.5.0-rc4.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.5.0.security-status                              60 IN TXT "1 OK"
-dnsdist-1.5.1.security-status                              60 IN TXT "1 OK"
-dnsdist-1.5.2.security-status                              60 IN TXT "1 OK"
-dnsdist-1.6.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.6.0-alpha2.security-status                       60 IN TXT "3 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.6.0-alpha3.security-status                       60 IN TXT "3 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.6.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.6.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.6.0.security-status                              60 IN TXT "1 OK"
-dnsdist-1.6.1.security-status                              60 IN TXT "1 OK"
-dnsdist-1.7.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.7.0-alpha2.security-status                       60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.7.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.7.0-beta2.security-status                        60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.7.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release"
-dnsdist-1.7.0.security-status                              60 IN TXT "1 OK"
-dnsdist-1.7.1.security-status                              60 IN TXT "1 OK"
-dnsdist-1.7.2.security-status                              60 IN TXT "1 OK"
-dnsdist-1.7.3.security-status                              60 IN TXT "1 OK"
-dnsdist-1.7.4.security-status                              60 IN TXT "1 OK"
-dnsdist-1.8.0-rc1.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.8.0-rc2.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.8.0-rc3.security-status                          60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-dnsdist-1.8.0.security-status                              60 IN TXT "1 OK"
-dnsdist-1.8.1.security-status                              60 IN TXT "1 OK"
-dnsdist-1.9.0-alpha1.security-status                       60 IN TXT "1 Unsupported pre-release (no known vulnerabilities)"
+dnsdist-1.4.0-alpha2.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0-rc3.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0-rc4.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0-rc5.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.4.0.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.5.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.5.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.5.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.5.0-rc3.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.5.0-rc4.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.5.0.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.5.1.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.5.2.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.6.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.6.0-alpha2.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.6.0-alpha3.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.6.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.6.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.6.0.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.6.1.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.7.0-alpha1.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.7.0-alpha2.security-status                       60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.7.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.7.0-beta2.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.7.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.7.0.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.7.1.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.7.2.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.7.3.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.7.4.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.7.5.security-status                              60 IN TXT "1 OK"
+dnsdist-1.8.0-rc1.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.8.0-rc2.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.8.0-rc3.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
+dnsdist-1.8.0.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.8.1.security-status                              60 IN TXT "3 Upgrade now, see https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
+dnsdist-1.8.2.security-status                              60 IN TXT "1 OK"
+dnsdist-1.9.0-alpha1.security-status                       60 IN TXT "1 Unsupported pre-release (known vulnerabilities)"
diff --git a/pdns/dnsdistdist/docs/changelog.rst b/pdns/dnsdistdist/docs/changelog.rst
@@ -1,6 +1,38 @@
 Changelog
 =========
 
+.. changelog::
+  :version: 1.8.2
+  :released: 11th of October 2023
+
+  This release fixes the HTTP2 rapid reset attack for the packages we provide.
+  If you are compiling DNSdist yourself or using the packages provided by your distribution,
+  please check that the h2o library has been patched to mitigate this vulnerability.
+
+  Please review the :doc:`Upgrade Guide <../upgrade_guide>` before upgrading from versions < 1.8.x.
+
+  .. change::
+    :tags: Bug Fixes, Security
+    :pullreq: #13349
+
+    Switch to our fork of h2o to mitigate the HTTP2 rapid reset attack
+
+.. changelog::
+  :version: 1.7.5
+  :released: 11th of October 2023
+
+  This release fixes the HTTP2 rapid reset attack for the packages we provide.
+  If you are compiling DNSdist yourself or using the packages provided by your distribution,
+  please check that the h2o library has been patched to mitigate this vulnerability.
+
+  Please review the :doc:`Upgrade Guide <../upgrade_guide>` before upgrading from versions < 1.7.x.
+
+  .. change::
+    :tags: Bug Fixes, Security
+    :pullreq: #13351
+
+    Switch to our fork of h2o to mitigate the HTTP2 rapid reset attack
+
 .. changelog::
   :version: 1.9.0-alpha1
   :released: 18th of September 2023