ArchLinux: 201903-13: powerdns: insufficient validation

    Date: 22 Mar 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package powerdns before version 4.1.7-1 is vulnerable to insufficient validation.
    Arch Linux Security Advisory ASA-201903-13
    ==========================================
    
    Severity: High
    Date    : 2019-03-22
    CVE-ID  : CVE-2019-3871
    Package : powerdns
    Type    : insufficient validation
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-927
    
    Summary
    =======
    
    The package powerdns before version 4.1.7-1 is vulnerable to
    insufficient validation.
    
    Resolution
    ==========
    
    Upgrade to 4.1.7-1.
    
    # pacman -Syu "powerdns>=4.1.7-1"
    
    The problem has been fixed upstream in version 4.1.7.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    An issue has been found in PowerDNS Authoritative Server before 4.1.7,
    when the HTTP remote backend is used in RESTful mode (without post=1
    set), allowing a remote user to cause the HTTP backend to connect to an
    attacker-specified host instead of the configured one, via a crafted
    DNS query. This can be used to cause a denial of service by preventing
    the remote backend from getting a response, content spoofing if the
    attacker can time its own query so that subsequent queries will use an
    attacker-controlled HTTP server instead of the configured one, and
    possibly information disclosure if the Authoritative Server has access
    to internal servers.
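
An exposure check for the condition described above, added here as an example (it is not part of the Arch Linux or PowerDNS advisory): it reports whether a host combines a package older than 4.1.7-1 with the remote backend's HTTP connector in RESTful mode. The sample configurations are constructed; the check assumes a single unnamed `remote` backend configured through `remote-connection-string`, purely numeric package versions, and treats any `post` value other than `1` as RESTful.

```python
FIXED = "4.1.7-1"  # first fixed Arch package version, taken from the advisory

def _ver(v):
    """'4.1.7-1' -> ((4, 1, 7), 1). Assumes numeric pkgver and pkgrel, no epoch."""
    pkgver, _, pkgrel = v.partition("-")
    return tuple(int(p) for p in pkgver.split(".")), int(pkgrel or 0)

def parse_conf(text):
    """Return {setting: value} from pdns.conf-style 'key=value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def restful_http_backend(conf):
    """True if the remote backend uses the HTTP connector without post=1."""
    backends = [b.split(":")[0].strip() for b in conf.get("launch", "").split(",")]
    conn = conf.get("remote-connection-string", "")
    if "remote" not in backends or not conn.startswith("http:"):
        return False
    # Connector options are a comma-separated list of key=value pairs.
    opts = dict(o.split("=", 1) for o in conn[len("http:"):].split(",") if "=" in o)
    # Assumption: only the literal post=1 named in the advisory counts as POST mode.
    return opts.get("post") != "1"

def exposed(conf_text, installed_version):
    """True if this version and configuration match the advisory's affected case."""
    old = _ver(installed_version) < _ver(FIXED)
    return old and restful_http_backend(parse_conf(conf_text))

# Constructed sample configurations (not taken from any real host).
RESTFUL = "launch=remote\nremote-connection-string=http:url=http://127.0.0.1:8080/dns\n"
POST = "launch=remote\nremote-connection-string=http:url=http://127.0.0.1:8080/dns,post=1\n"
UNIX = "launch=remote\nremote-connection-string=unix:path=/run/backend.sock\n"

if __name__ == "__main__":
    for name, text in (("restful", RESTFUL), ("post", POST), ("unix", UNIX)):
        for version in ("4.1.6-1", FIXED):
            print(f"{name:8} {version:8} exposed={exposed(text, version)}")
```

Run it against the contents of the host's `pdns.conf` and the installed package version; a `True` result means the upgrade in the Resolution section applies to a configuration the Description names.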
    
    Impact
    ======
    
    A remote user can cause a denial of service by preventing the remote
    backend from getting a response, content spoofing if the attacker can
    time its own query so that subsequent queries will use an attacker-
    controlled HTTP server instead of the configured one, and possibly
    information disclosure if the Authoritative Server has access to
    internal servers.
    
    References
    ==========
    
    https://seclists.org/oss-sec/2019/q1/185
    https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
    https://github.com/PowerDNS/pdns/issues/7573
    https://github.com/PowerDNS/pdns/pull/7577
    https://security.archlinux.org/CVE-2019-3871
    
    