The following patch addresses CVE-2026-42005 for PowerDNS Authoritative Server. It applies identically to versions 4.9.15, 5.0.5 and 5.1.1. commit 93d82adbe0c9f1b83a3037fb8f48f691d0a75464 Author: Miod Vallat Date: Mon Apr 27 09:48:05 2026 +0200 Do not allow chunk size lines to be larger than 100 bytes. Signed-off-by: Miod Vallat
diff --git ext/yahttp/yahttp/reqresp.cpp ext/yahttp/yahttp/reqresp.cpp
index 7df4b4be8..6b927a9b7 100644
--- ext/yahttp/yahttp/reqresp.cpp
+++ ext/yahttp/yahttp/reqresp.cpp
@@ -179,11 +179,16 @@ namespace YaHTTP {
 while(buffer.size() > 0) {
 if (chunked) {
 if (chunk_size == 0) {
 char buf[100];
 // read chunk length
- if ((pos = buffer.find('\n')) == std::string::npos) return false;
+ if ((pos = buffer.find('\n')) == std::string::npos) {
+ if (buffer.size() > 99) {
+ throw ParseError("Nonsensical chunk_size");
+ }
+ return false;
+ }
 if (pos > 99)
 throw ParseError("Impossible chunk_size");
 buffer.copy(buf, pos);
 buf[pos]=0; // just in case...
 buffer.erase(buffer.begin(), buffer.begin()+pos+1); // remove line from buffer
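Review bot: The new guard `if (buffer.size() > 99)` repeats the literal already used by the existing `if (pos > 99)` check, and both really mean `sizeof(buf) - 1` for the `char buf[100]` declared just above. Writing them as `sizeof(buf) - 1` (or one named constant) keeps the two limits and the copy into `buf` from drifting apart if the array is ever resized. The added branch would also benefit from a comment such as `// no newline within the first sizeof(buf)-1 bytes: this can never become a valid chunk-size line, so fail now instead of waiting for more data while the buffer grows`, since that is why the bare `return false` was not enough. The same oversized-line condition now raises two different messages ("Nonsensical chunk_size" and "Impossible chunk_size"), which makes it harder to match in logs; one message would do. The enclosing loop and the parsing of `buf` continue past the end of the hunk, so whether the parsed chunk size itself is bounded cannot be judged from here.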