From https://www.openwall.com/lists/oss-security/2020/07/01/1 : Hello!, Today we are releasing PowerDNS Recursor 4.3.2, 4.2.3. and 4.1.17, containing a security fix for CVE-2020-14196: Access restriction bypass[0]. An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected. Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address. As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled. Please refer to the 4.3.2 changelog[1], 4.2.3 changelog[2] and 4.1.17 changelog[3] for details. The 4.3.2 tarball[4] (signature[5]), 4.2.3 tarball[6] (signature[7]) and 4.1.17 tarball[8] (signature[9]) are available from our download site[10] and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from our repository[11]. 4.0 and older releases are EOL, refer to the documentation[12] for details about our release cycles. Please send us all feedback and issues you might have via the mailing list[13], or in case of a bug, via GitHub[14]. [0] https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html [1] https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.2 [2] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.3 [3] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17 [4] https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2 [5] https://downloads.powerdns.com/releases/pdns-recursor-4.3.2.tar.bz2.sig [6] https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2 [7] https://downloads.powerdns.com/releases/pdns-recursor-4.2.3.tar.bz2.sig [8] https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2 [9] https://downloads.powerdns.com/releases/pdns-recursor-4.1.17.tar.bz2.sig [10] https://downloads.powerdns.com/releases/ [11] https://repo.powerdns.com/ [12] https://docs.powerdns.com/recursor/appendices/EOL.html [13] https://mailman.powerdns.com/mailman/listinfo/pdns-users [14] https://github.com/PowerDNS/pdns/issues/new/choose @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67de87a7318cfb8fd5b838bbd7ab7c9a237f269f commit 67de87a7318cfb8fd5b838bbd7ab7c9a237f269f Author: Sven Wegener <swegener@gentoo.org> AuthorDate: 2020-07-01 21:52:25 +0000 Commit: Sven Wegener <swegener@gentoo.org> CommitDate: 2020-07-01 21:52:45 +0000 net-dns/pdns-recursor: Version bump, security bug #730362 Bug: https://bugs.gentoo.org/730362 Package-Manager: Portage-2.3.99, Repoman-2.3.23 Signed-off-by: Sven Wegener <swegener@gentoo.org> net-dns/pdns-recursor/Manifest | 1 + net-dns/pdns-recursor/pdns-recursor-4.3.2.ebuild | 81 ++++++++++++++++++++++++ 2 files changed, 82 insertions(+)
I don't know if it will be reproducible on at/stable but I got bug 730430 from tinderbox
4.3.2 should be ready to go stable
(In reply to Sven Wegener from comment #3) > 4.3.2 should be ready to go stable Thanks!
x86 stable
amd64 stable. Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e431db86a3509b26293116c304cac99aa65f0cef commit e431db86a3509b26293116c304cac99aa65f0cef Author: Sven Wegener <swegener@gentoo.org> AuthorDate: 2020-07-22 19:37:26 +0000 Commit: Sven Wegener <swegener@gentoo.org> CommitDate: 2020-07-22 19:38:01 +0000 net-dns/pdns-recursor: Cleanup Bug: https://bugs.gentoo.org/730362 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Sven Wegener <swegener@gentoo.org> net-dns/pdns-recursor/Manifest | 1 - .../files/pdns-recursor-4.3.1-gcc-10.patch | 61 --------------- .../pdns-recursor/pdns-recursor-4.3.1-r1.ebuild | 86 ---------------------- net-dns/pdns-recursor/pdns-recursor-4.3.1.ebuild | 83 --------------------- 4 files changed, 231 deletions(-)
NOTE: "In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected." GLSA vote: no. Closing.