Arch Linux: 201901-13 Medium: Powerdns-Recursor Access Issues

The package powerdns-recursor before version 4.1.9-1 is vulnerable to multiple issues including insufficient validation and access restriction bypass.

Arch Linux Security Advisory ASA-201901-13
=========================================
Severity: Medium
Date    : 2019-01-24
CVE-ID  : CVE-2019-3806 CVE-2019-3807
Package : powerdns-recursor
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-856

Summary
======
The package powerdns-recursor before version 4.1.9-1 is vulnerable to
multiple issues including insufficient validation and access
restriction bypass.

Resolution
=========
Upgrade to 4.1.9-1.

# pacman -Syu "powerdns-recursor>=4.1.9-1"

The problems have been fixed upstream in version 4.1.9.

Workaround
=========
None.

Description
==========
- CVE-2019-3806 (access restriction bypass)

An issue has been found in PowerDNS Recursor before 4.1.9 where Lua
hooks are not properly applied to queries received over TCP in some
specific combination of settings, possibly bypassing security policies
enforced using Lua.

- CVE-2019-3807 (insufficient validation)

An issue has been found in PowerDNS Recursor before 4.1.9 where records
in the answer section of responses received from authoritative serverswith the AA flag not set were not properly validated, allowing an
attacker to bypass DNSSEC validation.

Impact
=====
A remote attacker can bypass access restrictions by doing a TCP query
or bypass DNSSEC validation for records where the AA flag was not set.

References
=========
https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released
https://security.archlinux.org/CVE-2019-3806
https://security.archlinux.org/CVE-2019-3807