Bug 746923 (CVE-2020-25829) - <net-dns/pdns-recursor-4.3.5: cache pollution (CVE-2020-25829)
Status: RESOLVED FIXED
Alias: CVE-2020-25829
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://docs.powerdns.com/recursor/se...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 749146
Blocks:
Reported: 2020-10-06 15:09 UTC by Thomas Deutschmann
Modified: 2020-12-23 20:22 UTC

See Also:
Package list:
net-dns/pdns-recursor-4.3.5
Runtime testing required: ---
nattka: sanity-check+
Description Thomas Deutschmann gentoo-dev Security 2020-10-06 15:09:01 UTC
Incoming details.
Comment 1 Sven Wegener gentoo-dev 2020-10-08 20:49:21 UTC
I received the information and will be doing the bump on Tuesday.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-10-13 11:52:08 UTC
PowerDNS Security Advisory 2020-07: Cache pollution
===================================================
CVE: CVE-2020-25829

Date: 13th of October 2020

Affects: PowerDNS Recursor up to and including 4.3.4, 4.2.4 and 4.1.17

Not affected: 4.3.5, 4.2.5, 4.1.18

Severity: High

Impact: Denial of service

Exploit: This problem can be triggered by sending DNS queries

Risk of system compromise: No

Solution: Upgrade to a non-affected version

Workaround: Filter ANY queries to prevent them from reaching the recursor.

An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).
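The workaround in the advisory above (keeping ANY queries from reaching the recursor) comes down to reading the QTYPE of each incoming query. The following is an added example, not part of the bug report or of PowerDNS code: a Python parser that extracts the question from a DNS query in wire format and flags QTYPE 255 (ANY). The function names, the fail-closed handling of malformed packets and the sample packets are assumptions made for illustration.

```python
import struct

QTYPE_ANY = 255  # RFC 1035 QTYPE "*", commonly called ANY


def question_of(packet: bytes):
    """Return (qname, qtype) of a one-question DNS query, or None if malformed."""
    if len(packet) < 12:                      # fixed DNS header is 12 bytes
        return None
    _id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:        # QR bit set (a response) or odd question count
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):                # ran off the end before the root label
            return None
        length = packet[pos]
        pos += 1
        if length == 0:                       # root label terminates QNAME
            break
        if length & 0xC0:                     # compression pointer or reserved bits in a query name
            return None
        if pos + length > len(packet):        # label claims more bytes than remain
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):                 # QTYPE and QCLASS must follow
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype


def should_drop(packet: bytes) -> bool:
    """Filter decision (assumed policy): drop ANY queries and unparseable packets."""
    parsed = question_of(packet)
    return parsed is None or parsed[1] == QTYPE_ANY


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal one-question query with RD set, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".") if l) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for qt in (1, 28, QTYPE_ANY):             # A, AAAA, ANY
        print(qt, should_drop(build_query("example.com", qt)))
```
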
Comment 4 Sven Wegener gentoo-dev 2020-10-13 13:32:53 UTC
I've committed 4.3.5 to the tree, but the automated bug reference from the commit message didn't make it here due to the access restriction.
Comment 6 Agostino Sarubbo gentoo-dev 2020-10-14 19:08:59 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-10-14 19:23:09 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Larry the Git Cow gentoo-dev 2020-10-17 09:23:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edf1122e56fa58755f0da35606bbac283bf1bd30

commit edf1122e56fa58755f0da35606bbac283bf1bd30
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2020-10-17 09:23:09 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2020-10-17 09:23:29 +0000

    net-dns/pdns-recursor: Cleanup
    
    Bug: https://bugs.gentoo.org/746923
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest                     |  2 -
 .../files/pdns-recursor-4.3.1-boost-1.73.0.patch   | 89 ----------------------
 net-dns/pdns-recursor/pdns-recursor-4.3.3.ebuild   | 85 ---------------------
 net-dns/pdns-recursor/pdns-recursor-4.3.4.ebuild   | 85 ---------------------
 4 files changed, 261 deletions(-)
Comment 9 Sam James archtester gentoo-dev Security 2020-10-17 09:38:24 UTC
Thanks!
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-12-23 16:59:04 UTC
GLSA Vote: Yes

New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:22:03 UTC
This issue was resolved and addressed in
 GLSA 202012-19 at https://security.gentoo.org/glsa/202012-19
by GLSA coordinator Thomas Deutschmann (whissi).