Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 723986 (CVE-2020-10030, CVE-2020-10995, CVE-2020-12244)

Summary: <net-dns/pdns-recursor-4.3.1: multiple vulnerabilities (CVE-2020-{10030,10995,12244})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alarig, swegener
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/
Whiteboard: B3 [noglsa cve]
Package list:
=net-dns/pdns-recursor-4.3.1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-19 15:11:48 UTC
CVE-2020-10030 (https://nvd.nist.gov/vuln/detail/CVE-2020-10030):
  An attacker with enough privileges to change the hostname might be able to
  disclose uninitialized memory.

CVE-2020-12244 (https://nvd.nist.gov/vuln/detail/CVE-2020-12244):
  Records in the answer section of a NXDOMAIN response lacking an SOA were not
  properly validated.

CVE-2020-10995 (https://nvd.nist.gov/vuln/detail/CVE-2020-10995):
  An issue in the DNS protocol has been found that allows malicious parties to
  use recursive DNS services to attack third party authoritative name servers.
Comment 1 Larry the Git Cow gentoo-dev 2020-05-19 22:20:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d2b4d675227f5595d039468111f21c5de183720

commit 1d2b4d675227f5595d039468111f21c5de183720
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-05-19 22:20:10 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-05-19 22:20:16 +0000

    net-dns/pdns-recursor: Version bump, security bug #723986
    
    Bug: https://bugs.gentoo.org/723986
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest                   |  1 +
 net-dns/pdns-recursor/pdns-recursor-4.3.1.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-19 22:21:34 UTC
@maintainer(s): Thanks! Let us know when ready for stabilisation, please.
Comment 3 Sven Wegener gentoo-dev 2020-05-20 21:55:36 UTC
2.3.1 looks good to me for stabilization.

For completeness: CVE-2020-10030 also affects net-dns/pdns, but based on the conditions it doesn't affect the arches both packages are keyworded on.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-20 23:32:34 UTC
(In reply to Sven Wegener from comment #3)
> 2.3.1 looks good to me for stabilization.
> 
> For completeness: CVE-2020-10030 also affects net-dns/pdns, but based on the
> conditions it doesn't affect the arches both packages are keyworded on.

Thanks! :)
Comment 5 Agostino Sarubbo gentoo-dev 2020-05-21 09:03:18 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-21 09:05:18 UTC
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-21 22:55:24 UTC
@maintainer(s), please cleanup
Comment 8 Larry the Git Cow gentoo-dev 2020-05-30 09:53:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38a9eb2394ab521f7bc044464b59ce840ac5bbf6

commit 38a9eb2394ab521f7bc044464b59ce840ac5bbf6
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-05-30 09:52:24 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-05-30 09:53:25 +0000

    net-dns/pdns-recursor: Cleanup
    
    Bug: https://bugs.gentoo.org/723986
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest                     |  5 --
 net-dns/pdns-recursor/files/pdns-recursor-r1       | 37 ----------
 net-dns/pdns-recursor/pdns-recursor-4.1.14.ebuild  | 79 ----------------------
 net-dns/pdns-recursor/pdns-recursor-4.1.15.ebuild  | 79 ----------------------
 net-dns/pdns-recursor/pdns-recursor-4.2.0.ebuild   | 78 ---------------------
 net-dns/pdns-recursor/pdns-recursor-4.2.1.ebuild   | 78 ---------------------
 .../pdns-recursor/pdns-recursor-4.3.0-r1.ebuild    | 78 ---------------------
 7 files changed, 434 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:33:07 UTC
Thanks.