ArchLinux: 201901-13: powerdns-recursor: multiple issues
Summary
- CVE-2019-3806 (access restriction bypass)
An issue has been found in PowerDNS Recursor before 4.1.9 where Lua
hooks are not properly applied to queries received over TCP in some
specific combination of settings, possibly bypassing security policies
enforced using Lua.
- CVE-2019-3807 (insufficient validation)
An issue has been found in PowerDNS Recursor before 4.1.9 where records
in the answer section of responses received from authoritative servers
with the AA flag not set were not properly validated, allowing an
attacker to bypass DNSSEC validation.
Resolution
Upgrade to 4.1.9-1.
# pacman -Syu "powerdns-recursor>=4.1.9-1"
The problems have been fixed upstream in version 4.1.9.
References
https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released
https://security.archlinux.org/CVE-2019-3806
https://security.archlinux.org/CVE-2019-3807
Workaround
None.