Bug 675968 (CVE-2019-3806, CVE-2019-3807) - <net-dns/pdns-recursor-4.1.9: multiple vulnerabilities (CVE-2019-{3806,3807})
Summary: <net-dns/pdns-recursor-4.1.9: multiple vulnerabilities (CVE-2019-{3806,3807})
Status: RESOLVED FIXED
Alias: CVE-2019-3806, CVE-2019-3807
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://doc.powerdns.com/recursor/sec...
Whiteboard: B3 [noglsa cve]
Reported: 2019-01-21 14:23 UTC by Sven Wegener
Modified: 2019-08-10 21:10 UTC

Description Sven Wegener gentoo-dev 2019-01-21 14:23:50 UTC
From $URL:

CVE-2019-3806

An issue has been found in PowerDNS Recursor where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua.

CVE-2019-3807

An issue has been found in PowerDNS Recursor where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
Comment 1 Sven Wegener gentoo-dev 2019-01-21 14:55:07 UTC
The new version fails to build with USE=-protobuf; I'm waiting for upstream.
Comment 2 Larry the Git Cow gentoo-dev 2019-01-21 15:22:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fad89dca5912b9f36ea41977987b8e8ef6cc53f

commit 6fad89dca5912b9f36ea41977987b8e8ef6cc53f
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2019-01-21 15:21:45 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2019-01-21 15:22:20 +0000

    net-dns/pdns-recursor: Version bump, security bug #675968
    
    Bug: https://bugs.gentoo.org/675968
    Signed-off-by: Sven Wegener <swegener@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-dns/pdns-recursor/Manifest                     |  1 +
 .../files/pdns-recursor-4.1.9-protobuf-fix.patch   | 32 +++++++++
 net-dns/pdns-recursor/pdns-recursor-4.1.9.ebuild   | 82 ++++++++++++++++++++++
 3 files changed, 115 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-01-23 08:13:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21976f093bc676d0b073c93e426c080d78e05f63

commit 21976f093bc676d0b073c93e426c080d78e05f63
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2019-01-23 07:54:03 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2019-01-23 07:54:03 +0000

    net-dns/pdns-recursor: Stable on amd64/x86, bug #675968
    
    Bug: https://bugs.gentoo.org/675968
    Signed-off-by: Sven Wegener <swegener@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-dns/pdns-recursor/pdns-recursor-4.1.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)