
    ArchLinux: 201901-13: powerdns-recursor: multiple issues

    Date: 27 Jan 2019
    Category: ArchLinux
    Posted By: Anthony Pell
    The package powerdns-recursor before version 4.1.9-1 is vulnerable to multiple issues including insufficient validation and access restriction bypass.
    Arch Linux Security Advisory ASA-201901-13
    ==========================================
    
    Severity: Medium
    Date    : 2019-01-24
    CVE-ID  : CVE-2019-3806 CVE-2019-3807
    Package : powerdns-recursor
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-856
    
    Summary
    =======
    
    The package powerdns-recursor before version 4.1.9-1 is vulnerable to
    multiple issues including insufficient validation and access
    restriction bypass.
    
    Resolution
    ==========
    
    Upgrade to 4.1.9-1.
    
    # pacman -Syu "powerdns-recursor>=4.1.9-1"
    
    The problems have been fixed upstream in version 4.1.9.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-3806 (access restriction bypass)
    
    An issue has been found in PowerDNS Recursor before 4.1.9 where Lua
    hooks are not properly applied to queries received over TCP under a
    specific combination of settings, so a security policy enforced from
    Lua can be bypassed simply by sending the same query over TCP.
    
    - CVE-2019-3807 (insufficient validation)
    
    An issue has been found in PowerDNS Recursor before 4.1.9 where records
    in the answer section of responses received from authoritative servers
    with the AA flag not set were not properly validated, allowing an
    attacker to bypass DNSSEC validation.
    
    Impact
    ======
    
    A remote attacker can bypass Lua-enforced access restrictions by sending
    the query over TCP, or bypass DNSSEC validation for answer records
    returned in a response with the AA flag clear.
    
    References
    ==========
    
    https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
    https://security.archlinux.org/CVE-2019-3806
    https://security.archlinux.org/CVE-2019-3807
    
