Bug 680900 (CVE-2019-3871) - <net-dns/pdns-4.1.7: missing input escaping (CVE-2019-3871)
Summary: <net-dns/pdns-4.1.7: missing input escaping (CVE-2019-3871)
Status: RESOLVED FIXED
Alias: CVE-2019-3871
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://doc.powerdns.com/authoritativ...
Whiteboard: B3 [noglsa cve]
Reported: 2019-03-18 21:39 UTC by Sven Wegener
Modified: 2019-03-20 13:54 UTC

Description Sven Wegener gentoo-dev 2019-03-18 21:39:02 UTC
From $URL:

An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.

This issue has been assigned CVE-2019-3871.

PowerDNS Authoritative up to and including 4.1.6 is affected.
Comment 1 Larry the Git Cow gentoo-dev 2019-03-18 21:50:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ae1352759b2eb9eb8fb40a99cf4095eeec713b6

commit 1ae1352759b2eb9eb8fb40a99cf4095eeec713b6
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2019-03-18 21:49:02 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2019-03-18 21:49:54 +0000

    net-dns/pdns: Version bump, security bug #680900
    
    Bug: https://bugs.gentoo.org/680900
    Signed-off-by: Sven Wegener <swegener@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 net-dns/pdns/Manifest          |   1 +
 net-dns/pdns/pdns-4.1.7.ebuild | 157 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)
Comment 2 Sven Wegener gentoo-dev 2019-03-18 21:52:08 UTC
4.1.7 only contains the security fix over 4.1.6, which has been in the tree since the end of January. So 4.1.7 should be ready for stabilization.
Comment 3 Larry the Git Cow gentoo-dev 2019-03-19 11:43:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3ea551322689ebe50de119d860dc5a9d9fc0d5e

commit e3ea551322689ebe50de119d860dc5a9d9fc0d5e
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2019-03-19 11:37:50 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2019-03-19 11:38:34 +0000

    net-dns/pdns: Stable on amd64/x86, security bug #680900
    
    Bug: https://bugs.gentoo.org/680900
    Signed-off-by: Sven Wegener <swegener@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 net-dns/pdns/pdns-4.1.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)