Dear all.
NSD 4.14.3 is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz
sha256 9629ad64d9c1b019bbe22296d5148d7ae65f588ce265a6424750740f052bb12b
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz.asc
The release is signed with the OpenPGP software signing key that has been in use since Jan 1st 2026:
User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419 146A A144 323D EAAC DF45
The key is available from https://nlnetlabs.nl/signing-keys
BUG FIXES:
- Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap
overflow of up to 65509 attacker controlled bytes.
Thanks to Qifan Zhang, Palo Alto Networks for the report.
https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
- Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a
client that performs a TLS action, closing the connection early,
causes a crash and restart of the server process. An attacker can
keep all children in a crash-restart loop denying DoT service.
Thanks to Qifan Zhang, Palo Alto Networks for the report.
https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
- Fix for CVE-2026-12246: The RR type APL rdata address, if too large,
causes out of bounds write on the stack, when the zonefile is written
out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from
Waseda University and zhangph for the report.
https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
- Fix for CVE-2026-12490: Secondaries authenticated by a client
certificate to transfer a zone over TLS, can bypass verification by
transferring over TCP.
Thanks to Qifan Zhang, Palo Alto Networks for the report.
https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt
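
The APL item above (CVE-2026-12246) concerns an address field whose length comes from the record itself. As an added illustration, not NSD's code or its patch, this C function formats one APL item per RFC 3123 and rejects an address length larger than its family allows before copying into a fixed buffer; the function name and sample bytes are constructed for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not NSD code): format one wire-format APL item
 * (RFC 3123) as text, e.g. "!1:192.168.32.0/21".
 * Returns octets consumed, or -1 if the item is malformed. */
static int apl_item_to_text(const uint8_t *rd, size_t rdlen,
                            char *out, size_t outlen)
{
    uint8_t addr[16] = {0};   /* fixed buffer: room for IPv6 at most */
    char text[INET6_ADDRSTRLEN];
    size_t addrsize;
    int af, n;

    if (rdlen < 4)
        return -1;            /* family(2) prefix(1) N|afdlength(1) */
    unsigned family = ((unsigned)rd[0] << 8) | rd[1];
    unsigned prefix = rd[2];
    int negate = (rd[3] & 0x80) != 0;
    size_t afdlen = rd[3] & 0x7f;   /* 7 bits: the wire allows up to 127 */

    if (family == 1) { af = AF_INET; addrsize = 4; }
    else if (family == 2) { af = AF_INET6; addrsize = 16; }
    else return -1;

    /* Bound the wire-supplied length by the family's address size and
     * by the remaining rdata before anything is copied into addr[]. */
    if (afdlen > addrsize || afdlen > rdlen - 4 || prefix > addrsize * 8)
        return -1;

    memcpy(addr, rd + 4, afdlen);   /* omitted trailing octets are zero */
    if (!inet_ntop(af, addr, text, sizeof(text)))
        return -1;
    n = snprintf(out, outlen, "%s%u:%s/%u", negate ? "!" : "", family, text, prefix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : (int)(4 + afdlen);
}

int main(void)
{
    /* Constructed sample: IPv4 192.168.32.0/21 with trailing zero trimmed. */
    const uint8_t item[] = {0x00, 0x01, 21, 0x03, 192, 168, 32};
    char buf[64];
    if (apl_item_to_text(item, sizeof(item), buf, sizeof(buf)) > 0)
        puts(buf);
    return 0;
}
```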