Kiterepo · pull · May 20, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/docs/changelog/4.9.rst b/docs/changelog/4.9.rst
@@ -1,6 +1,98 @@
 Changelogs for 4.9.x
 ====================
 
+.. changelog::
+  :version: 4.9.15
+  :released: 20th of May 2026
+
+  This is release 4.9.15 of the Authoritative Server.
+  It contains bug fixes and security fixes.
+
+  Please review the :doc:`Upgrade Notes <../upgrading>` before upgrading from versions < 4.9.x.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17444
+
+    Fix PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server: Multiple Issues
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17295
+    :tickets: 17284
+
+    use less inefficient code in web server
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17293
+    :tickets: 17240
+
+    harden xfr*BitInt writers
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17260
+    :tickets: 16636
+
+    perform axfr immediately when creating an autosecondary domain
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17262
+    :tickets: 16731
+
+    web: stricter control of statistics rings changes
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17265
+    :tickets: 16831
+
+    stricter handing of the Lua DNS update policy
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17267
+    :tickets: 17000
+
+    correctly delete ENT records from the API
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17269
+    :tickets: 17126
+
+    lua: one more bad case of createForward
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17271
+    :tickets: 17130
+
+    minor pdns_control bugfixes
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17272
+    :tickets: 17149
+
+    webserver: correctly split the basic authorization cookie
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17274
+    :tickets: 17152
+
+    fixes to AXFR in Bind backend
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17276
+    :tickets: 17155
+
+    dnsupdate handling buglet
+
 .. changelog::
   :version: 4.9.14
   :released: 22th of April 2026

diff --git a/docs/changelog/5.0.rst b/docs/changelog/5.0.rst
@@ -1,6 +1,105 @@
 Changelogs for 5.0.x
 ====================
 
+.. changelog::
+  :version: 5.0.5
+  :released: 20th of May 2026
+
+  This is release 5.0.5 of the Authoritative Server.
+  It contains bug fixes and security fixes.
+
+  Please review the :doc:`Upgrade Notes <../upgrading>` before upgrading from versions < 4.9.x.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17443
+
+    Fix PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server: Multiple Issues
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17296
+    :tickets: 17284
+
+    use less inefficient code in web server
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17294
+    :tickets: 17240
+
+    harden xfr*BitInt writers
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17259
+    :tickets: 16636
+
+    perform axfr immediately when creating an autosecondary domain
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17261
+    :tickets: 16671
+
+    Actually install binaries when building with meson
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17263
+    :tickets: 16731
+
+    web: stricter control of statistics rings changes
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17264
+    :tickets: 16831
+
+    stricter handing of the Lua DNS update policy
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17266
+    :tickets: 17000
+
+    correctly delete ENT records from the API
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17268
+    :tickets: 17126
+
+    lua: one more bad case of createForward
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17270
+    :tickets: 17130
+
+    minor pdns_control bugfixes
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17273
+    :tickets: 17149
+
+    webserver: correctly split the basic authorization cookie
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17275
+    :tickets: 17152
+
+    fixes to AXFR in Bind backend
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 17277
+    :tickets: 17155
+
+    dnsupdate handling buglet
+
 .. changelog::
   :version: 5.0.4
   :released: 22th of April 2026

diff --git a/docs/secpoll.zone b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026042901 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2026052001 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -142,16 +142,18 @@ auth-4.9.10.security-status                             60 IN TXT "3 Upgrade now
 auth-4.9.11.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-4.9.12.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-4.9.13.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
-auth-4.9.14.security-status                             60 IN TXT "1 OK"
+auth-4.9.14.security-status                             60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html"
+auth-4.9.15.security-status                             60 IN TXT "1 OK"
 auth-5.0.0-alpha1.security-status                       60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-5.0.0-beta1.security-status                        60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-5.0.0.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-5.0.1.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-5.0.2.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
 auth-5.0.3.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html"
-auth-5.0.4.security-status                              60 IN TXT "1 OK"
+auth-5.0.4.security-status                              60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html"
+auth-5.0.5.security-status                              60 IN TXT "1 OK"
 auth-5.1.0-alpha1.security-status                       60 IN TXT "3 Superseded pre-release (known vulnerabilities)"
-auth-5.1.0-beta1.security-status                        60 IN TXT "1 Unsupported pre-release (no known vulnerabilities)"
+auth-5.1.0-beta1.security-status                        60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 
 ; Auth Debian
 auth-3.4.1-2.debian.security-status                     60 IN TXT "3 Upgrade now, see https://docs.powerdns.com/authoritative/appendices/EOL.html"

diff --git a/docs/security-advisories/powerdns-advisory-2026-06.rst b/docs/security-advisories/powerdns-advisory-2026-06.rst
@@ -0,0 +1,119 @@
+PowerDNS Security Advisory 2026-06: Multiple Issues
+===================================================
+
+Concurrency and locking defects in GSS-TSIG
+-------------------------------------------
+
+- CVE: CVE-2026-42002
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 4.7.0 up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: Concurrent TKEY queries for the same key may accidentally share the same GSS-TSIG data structures and cause memory corruption or unexpected server exit.
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disable gss-tsig support in server configuration
+- CWE: CWE-364
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 381
+
+Multiple concurrency and locking defects in the GSS-TSIG code can lead to
+memory corruption due to accidental data structure sharing, which can in turn
+lead to a program crash.
+
+Moreover, the lack of bounds on the number of in-flight GSS-TSIG contexts can
+lead to unbounded memory consumption in case of an excessive number of requests
+at a given time. A limit of 1000 contexts is now enforced, and can be modified
+with the "gss-max-contexts" parameter in server configuration.
+
+Insufficient Validation of Autoprimary SOA Queries
+--------------------------------------------------
+
+- CVE: CVE-2026-42001
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 4.1.0 up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: High
+- Impact: Denial of service
+- Exploit: Ill-formed answer to SOA query from server operating in autosecondary mode
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, or disable autosecondary operation
+- CWE: CWE-400
+- CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 467
+
+Missing sanity checks of the answer to the initial SOA query, when running in
+autosecondary mode and receiving a notification for a not-yet-known domain
+may cause the server to crash.
+
+Insufficient Validation of Names During AXFR
+--------------------------------------------
+
+- CVE: CVE-2026-42000
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: AXFR of zone with specific contents to Bind backend
+- Risk of system compromise: None
+- Solution: Upgrade to patched version
+- CWE: CWE-77
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 474
+
+Missing escaping of special characters (such as $ or @) in DNS names received
+during an AXFR operation can lead to an incorrect (non-parsable) Bind backend
+configuration to be written, causing this backend to fail until manual
+operation is performed to fix the configuration.
+
+Incorrect Behaviour of Views with TCP PROXY Requests
+----------------------------------------------------
+
+- CVE: CVE-2026-41999
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 5.0.0 up to and including 5.0.4
+- Not affected: PowerDNS Authoritative Server 5.0.5
+- Severity: Medium
+- Impact: Information Disclosure
+- Exploit: TCP query using PROXY Protocol
+- Risk of system compromise: None
+- Solution: Upgrade to patched version or disable views feature
+- CWE: CWE-284
+- CVSS: 3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
+- Last affected: 5.0.4
+- First fixed: 5.0.5
+- Internal ID: 482
+
+When using views, queries sent using TCP Proxy Protocol will select the view
+according to the address of the proxy, rather than the address of the initial
+query. This can lead to wrong data being returned.
+
+Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
+-----------------------------------------------------------------------------------
+
+- CVE: CVE-2026-42396
+- Date: 2026-05-06T00:00:00+00:00
+- Affects: PowerDNS Authoritative Server 4.7.0 up to and including 4.9.14 and 5.0.4
+- Not affected: PowerDNS Authoritative Server 4.9.15, 5.0.5
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: AXFR of catalog zone with a member whose producer group option
+contains a double-quote character
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, or remove all double-quote characters from producer group names.
+- CWE: CWE-94
+- CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
+- Last affected: 4.9.14,5.0.4
+- First fixed: 4.9.15,5.0.5
+- Internal ID: 483
+
+Missing proper escaping of double-quote characters when computing labels will
+cause AXFR of a catalog zone with a member whose producer group option contains
+such a character to fail.