From: Remi Gacogne Date: Mon, 21 Jan 2019 08:27:05 +0000 (+0100) Subject: rec: Add ChangeLog, advisories and secpoll update for the 4.1.9 release X-Git-Tag: rec-4.2.0-alpha1~13^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F7399%2Fhead;p=thirdparty%2Fpdns.git rec: Add ChangeLog, advisories and secpoll update for the 4.1.9 release --- diff --git a/build-scripts/jsoref-spellchecker/whitelist.words b/build-scripts/jsoref-spellchecker/whitelist.words index 4a073226d2..60c0e86f2e 100644 --- a/build-scripts/jsoref-spellchecker/whitelist.words +++ b/build-scripts/jsoref-spellchecker/whitelist.words @@ -8237,6 +8237,7 @@ theirserial thel thelog ther +Thessalonikefs Thfrt THg Thiago diff --git a/docs/secpoll.zone b/docs/secpoll.zone index 7f0e805360..70c87e65aa 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2018121401 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019012101 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. ; Auth @@ -170,7 +170,8 @@ recursor-4.1.4.security-status 60 IN TXT "3 Upgrade now recursor-4.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html" recursor-4.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html" recursor-4.1.7.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html" -recursor-4.1.8.security-status 60 IN TXT "1 OK" +recursor-4.1.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html" +recursor-4.1.9.security-status 60 IN TXT "1 OK" ; Recursor Debian recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/" diff --git a/pdns/recursordist/docs/changelog/4.1.rst b/pdns/recursordist/docs/changelog/4.1.rst index e7e3abfd3c..217b7d279b 100644 --- a/pdns/recursordist/docs/changelog/4.1.rst +++ b/pdns/recursordist/docs/changelog/4.1.rst @@ -1,6 +1,31 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.9 + :released: 21st of January 2019 + + This release fixes :doc:`Security Advisory 2019-01 <../security-advisories/powerdns-advisory-2019-01>` and :doc:`Security Advisory 2019-02 <../security-advisories/powerdns-advisory-2019-02>` that were recently discovered, affecting PowerDNS Recursor: + - CVE-2019-3806, 2019-01: from 4.1.4 up to and including 4.1.8 ; + - CVE-2019-3807, 2019-02: from 4.1.0 up to and including 4.1.8. + + The issues are: + - CVE-2019-3806, 2019-01: Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua ; + - CVE-2019-3807, 2019-02: records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. + + .. change:: + :tags: Bug Fixes + :pullreq: 7397 + + Properly apply Lua hooks to TCP queries, even with pdns-distributes-queries set (CVE-2019-3806, PowerDNS Security Advisory :doc:`2018-01 <../security-advisories/powerdns-advisory-2019-01>`). Validates records in the answer section of responses with AA=0 (CVE-2019-3807, PowerDNS Security Advisory :doc:`2019-02 <../security-advisories/powerdns-advisory-2019-02>`). + + .. change:: + :tags: Improvements + :pullreq: 7377 + :tickets: 7383 + + Try another worker before failing if the first pipe was full + .. changelog:: :version: 4.1.8 :released: 26th of November 2018 diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2019-01.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2019-01.rst new file mode 100644 index 0000000000..f7e885e9b7 --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2019-01.rst @@ -0,0 +1,27 @@ +PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations +======================================================================================= + +- CVE: CVE-2019-3806 +- Date: 21st of January 2019 +- Affects: PowerDNS Recursor from 4.1.4 up to and including 4.1.8 +- Not affected: 4.0.x, 4.1.0 up to and including 4.1.3, 4.1.9 +- Severity: Low +- Impact: Access restriction bypass +- Exploit: This problem can be triggered via TCP queries +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version +- Workaround: Switch to pdns-distributes-queries=no + +An issue has been found in PowerDNS Recursor where Lua hooks are not properly +applied to queries received over TCP in some specific combination of settings, +possibly bypassing security policies enforced using Lua. + +When the recursor is configured to run with more than one thread (threads=X) +and to do the distribution of incoming queries to the worker threads itself +(pdns-distributes-queries=yes), the Lua script is not properly loaded in +the thread handling incoming TCP queries, causing the Lua hooks to not be +properly applied. + +This issue has been assigned CVE-2019-3806 by Red Hat. + +PowerDNS Recursor from 4.1.4 up to and including 4.1.8 is affected. diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2019-02.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2019-02.rst new file mode 100644 index 0000000000..a5ccb993ed --- /dev/null +++ b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2019-02.rst @@ -0,0 +1,24 @@ +PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures +================================================================================ + +- CVE: CVE-2019-3807 +- Date: 21st of January 2019 +- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.1.8 +- Not affected: 4.0.x, 4.1.9 +- Severity: Medium +- Impact: Insufficient validation +- Exploit: This problem can be triggered via crafted responses +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in PowerDNS Recursor where records in the answer +section of responses received from authoritative servers with the AA flag +not set were not properly validated, allowing an attacker to bypass DNSSEC +validation. + +This issue has been assigned CVE-2019-3807 by Red Hat. + +PowerDNS Recursor from 4.1.0 up to and including 4.1.8 is affected. + +We would like to thank Ralph Dolmans and George Thessalonikefs of NLNetLabs +for finding and subsequently reporting this issue!