Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 638568 (CVE-2017-15090, CVE-2017-15092, CVE-2017-15093, CVE-2017-15094) - <net-dns/pdns-recursor-{4.0.7,4.1.0_rc3-r1}: Multiple vulnerabilities
Summary: <net-dns/pdns-recursor-{4.0.7,4.1.0_rc3-r1}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15090, CVE-2017-15092, CVE-2017-15093, CVE-2017-15094
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-23 13:57 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-01-15 15:47 UTC (History)
1 user (show)

See Also:
Package list:
net-dns/pdns-recursor-4.0.7
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-23 13:57:30 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-27 16:26:23 UTC
PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures

CVE: CVE-2017-15090

Date: November 27th 2017

Credit: Kees Monshouwer

Affects: PowerDNS Recursor from 4.0.0 and up to and including 4.0.6

Not affected: PowerDNS Recursor < 4.0.0, 4.0.7

Severity: Medium

Impact: Records manipulation

Exploit: This problem can be triggered by an attacker in position of
         man-in-the-middle

Risk of system compromise: No

Solution: Upgrade to a non-affected version

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records. This issue has been assigned CVE-2017-15090.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.



PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface

CVE: CVE-2017-15092

Date: November 27th 2017

Credit: Nixu, Chris Navarrete of Fortinet’s Fortiguard Labs

Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6

Not affected: PowerDNS Recursor 4.0.7, 3.7.x

Severity: Medium

Impact: Alteration and denial of service of the web interface

Exploit: This problem can be triggered by an attacker sending DNS
         queries to the server

Risk of system compromise: No

Solution: Upgrade to a non-affected version

An issue has been found in the web interface of PowerDNS Recursor, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content. This issue has been assigned CVE-2017-15092.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.



PowerDNS Security Advisory 2017-06: Configuration file injection in the API

CVE: CVE-2017-15093

Date: November 27th 2017

Credit: Nixu

Affects: PowerDNS Recursor up to and including 4.0.6, 3.7.4

Not affected: PowerDNS Recursor 4.0.7

Severity: Medium

Impact: Alteration of configuration by an API user

Exploit: This problem can be triggered by an attacker with
         valid API credentials

Risk of system compromise: No

Solution: Upgrade to a non-affected version

Workaround: Disable the ability to alter the configuration via the API by setting api-config-dir to an empty value (default), or set the API read-only via the api-readonly setting.

An issue has been found in the API of PowerDNS Recursor during a source code audit by Nixu. When api-config-dir is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration. This issue has been assigned CVE-2017-15093.

PowerDNS Recursor up to and including 4.0.6 and 3.7.4 are affected.



PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing

CVE: CVE-2017-15094

Date: November 27th 2017

Credit: Nixu

Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6

Not affected: PowerDNS Recursor 4.0.7

Severity: Medium

Impact: Denial of service

Exploit: This problem can be triggered by an authoritative server
         sending crafted ECDSA DNSSEC keys to the Recursor.

Risk of system compromise: No

Solution: Upgrade to a non-affected version

Workaround: Disable DNSSEC validation by setting the dnssec parameter to off or process-no-validate (default).

An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during a code audit by Nixu, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (default). This issue has been assigned CVE-2017-15094.

PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.
Comment 2 Sven Wegener gentoo-dev 2017-11-27 19:10:30 UTC
I've committed pdns-4.0.4-r1 to the tree, including the supplied patches.
I've also bumped to the new official release pdns-4.0.5, which requires botan-2 to be unmasked. I'd go for 4.0.4-r1 in this case.

I'm currently checking with upstream if the issues also applies to 4.1.0_rc, which looks to me to be the case and is unmentioned in the advisories.
Comment 3 Sven Wegener gentoo-dev 2017-11-29 00:10:23 UTC
I've bumped 4.1.0_rc3 to -r1 with the fixes.

The stabilization candidate to replace 4.0.6 is 4.0.7.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 00:13:42 UTC
@ Arches,

please test and mark stable: =net-dns/pdns-recursor-4.0.7
Comment 5 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:38 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:55:00 UTC
x86 stable

@ Maintainer(s): Please cleanup an drop <net-dns/pdns-recursor-4.0.7!
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-01-15 15:47:14 UTC
GLSA Vote: No.

Tree is clean.