ArchLinux: 201901-13: powerdns-recursor: multiple issues

    Date27 Jan 2019
    CategoryArchLinux
    658
    Posted ByAnthony Pell
    The package powerdns-recursor before version 4.1.9-1 is vulnerable to multiple issues including insufficient validation and access restriction bypass.
    Arch Linux Security Advisory ASA-201901-13
    ==========================================
    
    Severity: Medium
    Date    : 2019-01-24
    CVE-ID  : CVE-2019-3806 CVE-2019-3807
    Package : powerdns-recursor
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-856
    
    Summary
    =======
    
    The package powerdns-recursor before version 4.1.9-1 is vulnerable to
    multiple issues including insufficient validation and access
    restriction bypass.
    
    Resolution
    ==========
    
    Upgrade to 4.1.9-1.
    
    # pacman -Syu "powerdns-recursor>=4.1.9-1"
    
    The problems have been fixed upstream in version 4.1.9.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-3806 (access restriction bypass)
    
    An issue has been found in PowerDNS Recursor before 4.1.9 where Lua
    hooks are not properly applied to queries received over TCP in some
    specific combination of settings, possibly bypassing security policies
    enforced using Lua.
    
    - CVE-2019-3807 (insufficient validation)
    
    An issue has been found in PowerDNS Recursor before 4.1.9 where records
    in the answer section of responses received from authoritative servers
    with the AA flag not set were not properly validated, allowing an
    attacker to bypass DNSSEC validation.
    
    Impact
    ======
    
    A remote attacker can bypass access restrictions by doing a TCP query
    or bypass DNSSEC validation for records where the AA flag was not set.
    
    References
    ==========
    
    https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
    https://security.archlinux.org/CVE-2019-3806
    https://security.archlinux.org/CVE-2019-3807
    
    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /component/communitypolls/?task=poll.vote
    13
    radio
    [{"id":"55","title":"Yes","votes":"2","type":"x","order":"1","pct":100,"resources":[]},{"id":"56","title":"No","votes":"0","type":"x","order":"2","pct":0,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.