Date: November 27th 2017
Affects: PowerDNS Authoritative up to and including 4.0.4, 3.4.11
Not affected: PowerDNS Authoritative 4.0.5
Impact: Denial of service
Exploit: This problem can be triggered by an attacker with valid API
Risk of system compromise: No
Solution: Upgrade to a non-affected version
An issue has been found in the API component of PowerDNS Authoritative, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY. This issue has been assigned CVE-2017-15091.
PowerDNS Authoritative up to and including 4.0.4 and 3.4.11 are affected.
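A defender-side check for the condition described above, as an added example that is not part of the original bug report or of PowerDNS: it scans access-log lines for successful calls to the three operations the advisory names, which should not succeed on a server configured with api-readonly. The log format (common log format from a reverse proxy in front of the API), the sample lines and the function name are assumptions; the paths are those of the Authoritative v1 HTTP API.

```python
import re
from urllib.parse import urlsplit

# Operations the advisory lists as still allowed under api-readonly.
# The /api/v1 prefix is optional here in case a proxy strips it (assumption).
STATE_CHANGING = [
    ("cache flush", re.compile(r"^(?:/api/v1)?/servers/[^/]+/cache/flush$")),
    ("zone transfer", re.compile(r"^(?:/api/v1)?/servers/[^/]+/zones/[^/]+/axfr-retrieve$")),
    ("NOTIFY", re.compile(r"^(?:/api/v1)?/servers/[^/]+/zones/[^/]+/notify$")),
]

# Assumed input: common/combined access log lines.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_readonly_bypasses(lines):
    """Return (timestamp, client, operation, path) for each successful
    state-changing API request found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] == "GET":
            continue  # unparsable line or a read-only request
        if not m["status"].startswith("2"):
            continue  # rejected requests did not perform the operation
        path = urlsplit(m["target"]).path  # drop ?domain=... and similar
        for name, pattern in STATE_CHANGING:
            if pattern.match(path):
                hits.append((m["ts"], m["client"], name, path))
    return hits

# Constructed sample log lines (not taken from the bug report).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2017:10:00:01 +0000] "GET /api/v1/servers/localhost/zones HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Nov/2017:10:00:05 +0000] "PUT /api/v1/servers/localhost/cache/flush?domain=example.org. HTTP/1.1" 200 41',
    '192.0.2.11 - - [27/Nov/2017:10:01:12 +0000] "PUT /api/v1/servers/localhost/zones/example.org./notify HTTP/1.1" 200 32',
    '192.0.2.11 - - [27/Nov/2017:10:02:40 +0000] "PUT /api/v1/servers/localhost/zones/example.org./axfr-retrieve HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    for ts, client, op, path in find_readonly_bypasses(SAMPLE_LOG):
        print(f"{ts} {client} performed {op}: {path}")
```

Any hit on a host that is supposed to be read-only indicates it is still running an affected version or that api-readonly is not actually set.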
*** Bug 638982 has been marked as a duplicate of this bug. ***
I've committed pdns-recursor-4.0.6-r1 to the tree, including the supplied patches.
I've also bumped to the new official release pdns-4.0.7. I'm pretty confident in going for 4.0.7.
I'm currently checking with upstream if the issues also apply to 4.1.0_rc, which looks to me to be the case and is unmentioned in the advisories.
I've bumped 4.1.0_rc3 to -r1 with the fixes.
The stabilization candidate to replace 4.0.4 is 4.0.5.
please test and mark stable: =net-dns/pdns-4.0.5
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated):
> dependency.bad net-dns/pdns/pdns-4.0.5.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['dev-libs/botan:2=']
> dependency.bad net-dns/pdns/pdns-4.0.5.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['dev-libs/botan:2=']
> dependency.bad net-dns/pdns/pdns-4.0.5.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['dev-libs/botan:2=']
Maintainer(s), please cleanup.
Security, please vote.
GLSA Vote: No
Tree is clean.