Bug 744160 (CVE-2020-17482) - <net-dns/pdns-4.3.1: Leaking uninitialised memory through crafted zone records (CVE-2020-17482)
Status: RESOLVED FIXED
Alias: CVE-2020-17482
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://doc.powerdns.com/authoritativ...
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-22 21:08 UTC by Sven Wegener
Modified: 2020-12-23 20:21 UTC

See Also:
Package list:
net-dns/pdns-4.3.1
Runtime testing required: ---
nattka: sanity-check+


Description Sven Wegener gentoo-dev 2020-09-22 21:08:29 UTC
From $URL:

CVE: CVE-2020-17482
Date: September 22nd, 2020
Affects: PowerDNS Authoritative 4.3.0 and earlier
Not affected: 4.3.1 and up, 4.2.3 and up, 4.1.14 and up
Severity: Low
Impact: Information leak
Exploit: This problem can be triggered via crafted records by an authorized user
Risk of system compromise: Low
Solution: Upgrade to a fixed version
Workaround: Do not take zone data from untrusted users

An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR.

This issue has been assigned CVE-2020-17482.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-22 21:23:49 UTC
Thanks for reporting this. Let us know when in tree.
Comment 2 Larry the Git Cow gentoo-dev 2020-09-22 21:55:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a10a8c9b9cf7396ae282c36a8c87880aa0952336

commit a10a8c9b9cf7396ae282c36a8c87880aa0952336
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-09-22 21:22:23 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-09-22 21:42:03 +0000

    net-dns/pdns: Version bump to 4.3.1, security bug #744160
    
    Bug: https://bugs.gentoo.org/744160
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns/Manifest          |   1 +
 net-dns/pdns/pdns-4.3.1.ebuild | 170 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 171 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 03:23:09 UTC
Please let us know when ready to stable.
Comment 4 Sven Wegener gentoo-dev 2020-09-25 20:44:12 UTC
4.3.1 is ready for stabilization
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-25 20:45:24 UTC
(In reply to Sven Wegener from comment #4)
> 4.3.1 is ready for stabilization

Thanks Sven!
Comment 6 Larry the Git Cow gentoo-dev 2020-09-30 20:46:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c362518144814fec57270cbc2282cc482c6e336d

commit c362518144814fec57270cbc2282cc482c6e336d
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-09-30 20:45:42 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-09-30 20:45:49 +0000

    net-dns/pdns: 4.3.1 stable on amd/x86, security bug #744160
    
    Bug: https://bugs.gentoo.org/744160
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns/pdns-4.3.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-30 20:54:32 UTC
Thank you! Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2020-10-03 11:05:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6842082c6e057977fed0d94e3d444beb8993205f

commit 6842082c6e057977fed0d94e3d444beb8993205f
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-10-03 11:02:48 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-10-03 11:03:53 +0000

    net-dns/pdns: Cleanup
    
    Bug: https://bugs.gentoo.org/744160
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns/Manifest          |   1 -
 net-dns/pdns/pdns-4.3.0.ebuild | 170 -----------------------------------------
 2 files changed, 171 deletions(-)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 16:30:31 UTC
GLSA Vote: Yes

New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:57 UTC
This issue was resolved and addressed in
 GLSA 202012-18 at https://security.gentoo.org/glsa/202012-18
by GLSA coordinator Thomas Deutschmann (whissi).