Incoming details.
PowerDNS Security Advisory for dnsdist 2018-08: Record smuggling when adding ECS or XPF - CVE: CVE-2018-14663 - Date: November 8th 2018 - Affects: PowerDNS DNSDist up to and including 1.3.2 - Not affected: 1.3.3 - Severity: Low - Impact: Insufficient validation - Exploit: This problem can be triggered via crafted queries - Risk of system compromise: No - Solution: Upgrade to a non-affected version An issue has been found in PowerDNS DNSDist allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdist is deployed as a DNS Firewall and used to filter some records that should not be received by the backend. This issue occurs only when either the ‘useClientSubnet’ or the experimental ‘addXPF’ parameters are used when declaring a new backend.
Package has not been updated in over a year... no RDEPS
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aed3205ce2d745c4bcfadde828a074b661c3e478 commit aed3205ce2d745c4bcfadde828a074b661c3e478 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-03-13 17:08:31 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-03-13 17:09:24 +0000 package.mask: Last rite vulnerable net-dns/dnsdist Bug: https://bugs.gentoo.org/670214 Signed-off-by: Michał Górny <mgorny@gentoo.org> profiles/package.mask | 6 ++++++ 1 file changed, 6 insertions(+)
How I can help? I have a repository with version 1.3.3: https://github.com/ingeniovirtual/gentoo-portage-overlay/tree/master/net-dns/dnsdist
(In reply to Martin Andres Gomez Gimenez from comment #4) > How I can help? I have a repository with version 1.3.3: > > https://github.com/ingeniovirtual/gentoo-portage-overlay/tree/master/net-dns/ > dnsdist This package is being depreciated because no one is maintaining it. If you would like to assist in maintaining it please see proxy maintainers: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
As I use the package in production, I'll adopt it. I will bump it to the newest version and add a few useflags in the upcoming days.
I took over as maintainer now. The package got bumped to the latest version, the vulnerable one got deleted. I also removed it from package.mask.
(In reply to Andreas Schürch from comment #7) > I took over as maintainer now. > The package got bumped to the latest version, the vulnerable one got deleted. > I also removed it from package.mask. Thank you, Andreas!
