Bug 670214 (CVE-2018-14663) - <net-dns/dnsdist-1.3.3: record smuggling when adding ECS or XPF (CVE-2018-14663)
Summary: <net-dns/dnsdist-1.3.3: record smuggling when adding ECS or XPF (CVE-2018-14663)
Status: RESOLVED FIXED
Alias: CVE-2018-14663
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Deadline: 2019-04-12
Assignee: Gentoo Security
URL: https://dnsdist.org/security-advisori...
Whiteboard: B3 [noglsa cve]
Reported: 2018-11-03 19:05 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-03-28 21:03 UTC
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-03 19:05:58 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-08 18:36:35 UTC
PowerDNS Security Advisory for dnsdist 2018-08: Record smuggling when adding ECS or XPF

    - CVE: CVE-2018-14663
    - Date: November 8th 2018
    - Affects: PowerDNS DNSDist up to and including 1.3.2
    - Not affected: 1.3.3
    - Severity: Low
    - Impact: Insufficient validation
    - Exploit: This problem can be triggered via crafted queries
    - Risk of system compromise: No
    - Solution: Upgrade to a non-affected version

An issue has been found in PowerDNS DNSDist allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdist is deployed as a DNS Firewall and used to filter some records that should not be received by the backend. This issue occurs only when either the ‘useClientSubnet’ or the experimental ‘addXPF’ parameters are used when declaring a new backend.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-12-02 23:56:49 UTC
Package has not been updated in over a year... no RDEPS
Comment 3 Larry the Git Cow gentoo-dev 2019-03-13 17:09:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aed3205ce2d745c4bcfadde828a074b661c3e478

commit aed3205ce2d745c4bcfadde828a074b661c3e478
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-13 17:08:31 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-13 17:09:24 +0000

    package.mask: Last rite vulnerable net-dns/dnsdist
    
    Bug: https://bugs.gentoo.org/670214
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Martin Andres Gomez Gimenez 2019-03-14 12:52:02 UTC
How can I help? I have a repository with version 1.3.3:

https://github.com/ingeniovirtual/gentoo-portage-overlay/tree/master/net-dns/dnsdist
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2019-03-14 14:32:03 UTC
(In reply to Martin Andres Gomez Gimenez from comment #4)
> How can I help? I have a repository with version 1.3.3:
> 
> https://github.com/ingeniovirtual/gentoo-portage-overlay/tree/master/net-dns/dnsdist


This package is being deprecated because no one is maintaining it. If you would like to assist in maintaining it, please see Proxy Maintainers:
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Comment 6 Andreas Schürch gentoo-dev 2019-03-26 16:42:38 UTC
As I use the package in production, I'll adopt it.
I will bump it to the newest version and add a few useflags in the upcoming days.
Comment 7 Andreas Schürch gentoo-dev 2019-03-28 20:56:00 UTC
I took over as maintainer now.
The package got bumped to the latest version, the vulnerable one got deleted.
I also removed it from package.mask.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 21:02:56 UTC
(In reply to Andreas Schürch from comment #7)
> I took over as maintainer now.
> The package got bumped to the latest version, the vulnerable one got deleted.
> I also removed it from package.mask.

Thank you, Andreas!