Bug 730362 (CVE-2020-14196) - <net-dns/pdns-recursor-4.3.2: Access restriction bypass (CVE-2020-14196)
Summary: <net-dns/pdns-recursor-4.3.2: Access restriction bypass (CVE-2020-14196)
Status: RESOLVED FIXED
Alias: CVE-2020-14196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://docs.powerdns.com/recursor/se...
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-01 13:11 UTC by Agostino Sarubbo
Modified: 2020-08-03 07:42 UTC

See Also:
Package list:
net-dns/pdns-recursor-4.3.2
Runtime testing required: ---
nattka: sanity-check+


Description Agostino Sarubbo gentoo-dev 2020-07-01 13:11:01 UTC
From https://www.openwall.com/lists/oss-security/2020/07/01/1 :

Hello!,

Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3 and 4.1.17,
containing a security fix for CVE-2020-14196: Access restriction
bypass[0].

An issue has been found in PowerDNS Recursor where the ACL applied to
the internal web server via `webserver-allow-from` is not properly
enforced, allowing a remote attacker to send HTTP queries to the
internal web server, bypassing the restriction.

Note that the web server is not enabled by default. Only installations
using a non-default value for `webserver` and `webserver-address` are
affected.

Workarounds are: disable the webserver or set a password or an API
key. Additionally, restrict the binding address using the
`webserver-address` setting to local addresses only and/or use a
firewall to disallow web requests from untrusted sources reaching the
webserver listening address.

As usual, there were also other smaller enhancements and bugfixes. In
particular, the 4.3.2 release contains fixes that allow long CNAME
chains to resolve properly, where previously they could fail if qname
minimization is enabled.  Please refer to the 4.3.2 changelog[1],
4.2.3 changelog[2] and 4.1.17 changelog[3] for details.

The 4.3.2 tarball[4] (signature[5]), 4.2.3 tarball[6] (signature[7])
and 4.1.17 tarball[8] (signature[9]) are available from our download
site[10] and packages for CentOS 6, 7 and 8, Debian Stretch and
Buster, Ubuntu Xenial and Bionic are available from our
repository[11].

4.0 and older releases are EOL, refer to the documentation[12] for
details about our release cycles.

Please send us all feedback and issues you might have via the mailing
list[13], or in case of a bug, via GitHub[14].

[0] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
[1] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.2
[2] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.3
[3] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17
[4] https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2
[5] https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2.sig
[6] https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2
[7] https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2.sig
[8] https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2
[9] https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2.sig
[10] https://downloads.powerdns.com/releases/
[11] https://repo.powerdns.com/
[12] https://docs.powerdns.com/recursor/appendices/EOL.html
[13] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[14] https://github.com/PowerDNS/pdns/issues/new/choose

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
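
The affected-configuration condition and the workarounds quoted above can be checked mechanically against a `recursor.conf`. The following is an added example, not code from PowerDNS or from this bug report. It assumes that the advisory's "a password or an API key" corresponds to the `webserver-password` and `api-key` settings, that release branches after 4.3 include the fix, and that any `webserver` value other than `no`/`off` means enabled; the sample configuration is constructed.

```python
import ipaddress

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {(4, 3): (4, 3, 2), (4, 2): (4, 2, 3), (4, 1): (4, 1, 17)}

def parse_conf(text):
    """Parse 'key=value' lines in recursor.conf style, dropping # comments."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def is_patched(version):
    """True if version carries the fix; 4.0 and older are EOL and never do."""
    v = tuple(int(part) for part in version.split("."))
    if v[:2] > (4, 3):
        return True  # assumption: branches after 4.3 include the fix
    fixed = FIXED.get(v[:2])
    return fixed is not None and v >= fixed

def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unparsable value: treat as exposed

def audit(conf_text, version):
    """Return the list of findings for one configuration and version."""
    conf = parse_conf(conf_text)
    if conf.get("webserver", "no").lower() in ("no", "off"):
        return []  # disabled (the default); any other value counts as enabled
    findings = []
    if not is_loopback(conf.get("webserver-address", "127.0.0.1")):
        findings.append("webserver-address is not a local address")
        if not is_patched(version):
            findings.append("webserver-allow-from is not enforced: upgrade")
    if not (conf.get("webserver-password") or conf.get("api-key")):
        findings.append("no webserver-password or api-key set")
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=192.0.2.0/24
"""

print(audit(SAMPLE, "4.3.1"))
```

An empty result means the web server is disabled, or it is bound to a loopback address with a password or API key set.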
Comment 1 Larry the Git Cow gentoo-dev 2020-07-01 21:52:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67de87a7318cfb8fd5b838bbd7ab7c9a237f269f

commit 67de87a7318cfb8fd5b838bbd7ab7c9a237f269f
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-07-01 21:52:25 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-07-01 21:52:45 +0000

    net-dns/pdns-recursor: Version bump, security bug #730362
    
    Bug: https://bugs.gentoo.org/730362
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest                   |  1 +
 net-dns/pdns-recursor/pdns-recursor-4.3.2.ebuild | 81 ++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-07-02 06:18:21 UTC
I don't know if it will be reproducible on at/stable but I got bug 730430 from tinderbox
Comment 3 Sven Wegener gentoo-dev 2020-07-07 18:35:10 UTC
4.3.2 should be ready to go stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 20:51:52 UTC
(In reply to Sven Wegener from comment #3)
> 4.3.2 should be ready to go stable

Thanks!
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 22:31:09 UTC
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 01:50:09 UTC
amd64 stable. Please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2020-07-22 19:38:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e431db86a3509b26293116c304cac99aa65f0cef

commit e431db86a3509b26293116c304cac99aa65f0cef
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-07-22 19:37:26 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-07-22 19:38:01 +0000

    net-dns/pdns-recursor: Cleanup
    
    Bug: https://bugs.gentoo.org/730362
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest                     |  1 -
 .../files/pdns-recursor-4.3.1-gcc-10.patch         | 61 ---------------
 .../pdns-recursor/pdns-recursor-4.3.1-r1.ebuild    | 86 ----------------------
 net-dns/pdns-recursor/pdns-recursor-4.3.1.ebuild   | 83 ---------------------
 4 files changed, 231 deletions(-)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 15:24:45 UTC
NOTE: "In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected."

GLSA vote: no. Closing.