From $URL: An issue has been found in dnsdist 1.1.0, in the API authentication mechanism. API methods should only be available to a user authenticated via an X-API-Key HTTP header, and not to a user authenticated on the webserver via Basic Authentication, but it was discovered by Nixu during a source code audit that dnsdist 1.1.0 allows access to all API methods to both kinds of users. In the default configuration, the API does not provide access to more information than the webserver does, and therefore this issue has no security implication. However, if the API is allowed to make configuration changes, via the setAPIWritable(true) option, this allows a remote unauthenticated user to trick an authenticated user into editing dnsdist's ACLs by making him visit a crafted website containing a Cross-Site Request Forgery. Reference: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html
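To make the advisory's point runnable, below is an added model of the two credential paths described above. It is constructed for this page; it is not dnsdist code, nor from the advisory or the Gentoo bug. dnsdist's webserver(address, password, apiKey) configures a Basic Auth password for the web interface and an X-API-Key value for the REST API, and setAPIWritable(true) lets the API change configuration; everything else here (the ACL endpoint path, the header handling, and the fixed behaviour keeping the non-API pages on Basic Auth) is an assumption of the model. The security point it exercises is that a browser replays cached Basic Auth credentials on a cross-site request, but a crafted page cannot attach a custom X-API-Key header, so requiring that header for API paths is what defeats the CSRF.

```python
"""Model of the dnsdist 1.1.0 web/API authentication split (constructed
example for illustration, not dnsdist code).  Flawed dispatch accepts
either credential everywhere; intended dispatch accepts only X-API-Key
on API paths.  Path names and non-API behaviour are assumptions."""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed credentials, standing in for the values passed to
# webserver("127.0.0.1:8083", "<password>", "<apikey>") in dnsdist.conf.
WEB_PASSWORD = "constructed-web-password"
API_KEY = "constructed-api-key"

# Assumed ACL endpoint path; check your dnsdist version's API documentation.
ACL_PATH = "/api/v1/servers/localhost/config/allow-from"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def basic_header(password, user="admin"):
    """Build the Authorization header a browser sends for Basic Auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_auth_ok(req):
    """Check the webserver's Basic Auth password (username is ignored here)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    _, _, password = decoded.partition(":")
    return hmac.compare_digest(password.encode(), WEB_PASSWORD.encode())


def api_key_ok(req):
    """Check the X-API-Key header in constant time."""
    key = req.headers.get("X-API-Key", "")
    return hmac.compare_digest(key.encode(), API_KEY.encode())


def is_api_path(path):
    return path.startswith("/api/")


def authorized_1_1_0(req):
    """Flawed dispatch: every path, API included, accepts either credential."""
    return basic_auth_ok(req) or api_key_ok(req)


def authorized_fixed(req):
    """Intended dispatch: API paths accept only X-API-Key.
    Non-API pages staying on Basic Auth is an assumption of this model."""
    if is_api_path(req.path):
        return api_key_ok(req)
    return basic_auth_ok(req)


def forged_by_browser(method, path):
    """The request a crafted page makes the victim's browser send.
    The browser replays the Basic Auth credentials cached for the dnsdist
    origin, but a cross-site page cannot set a custom X-API-Key header,
    so the forged request carries no API key."""
    return Request(method, path, {"Authorization": basic_header(WEB_PASSWORD)})


def acl_edit_succeeds(api_writable=True):
    """Does a CSRF-forged ACL edit get through?  Returns (1.1.0, fixed)."""
    if not api_writable:  # setAPIWritable(false): API cannot change config at all
        return (False, False)
    forged = forged_by_browser("PUT", ACL_PATH)
    return (authorized_1_1_0(forged), authorized_fixed(forged))


if __name__ == "__main__":
    print("setAPIWritable(true):  1.1.0=%s fixed=%s" % acl_edit_succeeds(True))
    print("setAPIWritable(false): 1.1.0=%s fixed=%s" % acl_edit_succeeds(False))
```

The practical check this suggests: on an affected version, either leave setAPIWritable at its default (false) until upgraded, or confirm that requests to /api/ paths carrying only Basic Auth credentials are refused after the upgrade.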
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c50a5d191b47143338b15a86ce6e36fd1b7abca

commit 1c50a5d191b47143338b15a86ce6e36fd1b7abca
Author:     bgo <bgo@9dt.de>
AuthorDate: 2017-09-02 16:44:59 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 09:52:07 +0000

    net-dns/dnsdist: version bump to 1.2.0.

    Bug: https://bugs.gentoo.org/628534
    Bug: https://bugs.gentoo.org/628578
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 net-dns/dnsdist/Manifest             |  2 +-
 net-dns/dnsdist/dnsdist-1.2.0.ebuild | 86 ++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e40b9b455b925425198ed2d250fc997b3bc56b94

commit e40b9b455b925425198ed2d250fc997b3bc56b94
Author:     bgo <bgo@9dt.de>
AuthorDate: 2017-09-02 16:43:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 09:51:50 +0000

    net-dns/dnsdist: remove vulnerable version.

    CVE-2016-7069
    CVE-2017-7557

    Bug: https://bugs.gentoo.org/628534
    Bug: https://bugs.gentoo.org/628578
    Closes: https://github.com/gentoo/gentoo/pull/5596

 net-dns/dnsdist/dnsdist-1.1.0-r1.ebuild | 84 ---------------------------------
 1 file changed, 84 deletions(-)
Stabilisation takes place in bug 628534. Security team, please vote.