Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 638566 (CVE-2017-15091) - <net-dns/pdns-{4.0.5,4.1.0_rc3-r1}: Missing check on API operations
Summary: <net-dns/pdns-{4.0.5,4.1.0_rc3-r1}: Missing check on API operations
Alias: CVE-2017-15091
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
: 638982 (view as bug list)
Depends on:
Reported: 2017-11-23 13:54 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-01-15 15:44 UTC (History)
2 users (show)

See Also:
Package list:
=net-dns/pdns-4.0.5 =dev-libs/botan-2.3.0
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-23 13:54:09 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-27 16:20:58 UTC
CVE: CVE-2017-15091

Date: November 27th 2017

Credit: everyman

Affects: PowerDNS Authoritative up to and including 4.0.4, 3.4.11

Not affected: PowerDNS Authoritative 4.0.5

Severity: Low

Impact: Denial of service

Exploit: This problem can be triggered by an attacker with valid API

Risk of system compromise: No

Solution: Upgrade to a non-affected version

An issue has been found in the API component of PowerDNS Authoritative, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials could flush the cache, trigger a zone transfer or send a NOTIFY. This issue has been assigned CVE-2017-15091.

PowerDNS Authoritative up to and including 4.0.4 and 3.4.11 are affected.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-27 16:21:19 UTC
*** Bug 638982 has been marked as a duplicate of this bug. ***
Comment 3 Sven Wegener gentoo-dev 2017-11-27 19:12:20 UTC
I've committed pdns-recursor-4.0.6-r1 to the tree, including the supplied patches.
I've also bumped to the new official release pdns-4.0.7. I'm pretty confident in going for 4.0.7.

I'm currently checking with upstream if the issues also applies to 4.1.0_rc, which looks to me to be the case and is unmentioned in the advisories.
Comment 4 Sven Wegener gentoo-dev 2017-11-29 00:10:41 UTC
I've bumped 4.1.0_rc3 to -r1 with the fixes.

The stabilization candidate to replace 4.0.4 is 4.0.5.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 00:15:47 UTC
@ Arches,

please test and mark stable: =net-dns/pdns-4.0.5
Comment 6 Stabilization helper bot gentoo-dev 2017-11-29 01:01:32 UTC
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): 

> dependency.bad net-dns/pdns/pdns-4.0.5.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['dev-libs/botan:2=']
> dependency.bad net-dns/pdns/pdns-4.0.5.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['dev-libs/botan:2=']
> dependency.bad net-dns/pdns/pdns-4.0.5.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['dev-libs/botan:2=']
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:54:51 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-12-01 11:21:06 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-01-15 15:44:54 UTC
GLSA Vote: No

Tree is clean.